white paper

  • The Art of Cyberwar

    The establishment of U.S. Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. Computers are now both a weapon and a target. Future wars may even be fought over the ownership of IT infrastructure. Therefore, national security thinkers must find a way to incorporate cyber attack and defense into military doctrine as soon as possible. The world’s most influential military treatise is Sun Tzu’s Art of War. Its wisdom has survived myriad revolutions in technology and human conflict, and future cyber commanders will find Sun Tzu’s guidance beneficial. However, this presentation will also consider 10 revolutionary aspects of cyber war that will be difficult to fit into military doctrine.

    • Environment
    • Proliferation
    • Proximity
    • Unpredictability
    • Advantage
    • Flexibility
    • Attribution
    • Quiet
    • Subjectivity
    • Morality

    Presented By:
    Kenneth Geers

  • The Art Of Exploiting Logical Flaws in Web Apps

    In the last 5 or so years we have seen a rapid demand for web application security testing. At times, security testers get blinded by the traditional input validation flaws such as Cross Site Scripting or SQL Injection and can ignore the most critical part of the pentest, which is assessing for logical flaws. Often logical flaws are seen/referred to as just parameter manipulation using a MiTM tool, but the reality is that logical flaws are all about understanding what the application does and then testing the logic. Over the years we have identified some insane logical flaws, and we have decided to recreate some of our best logical flaw hacks so that others can learn from these. Some of these hacks will make you giggle, some might make you laugh and some will blow your mind. These logical flaws are difficult to find, and living in the world of automated web app testing tools, this reiterates the fact that running a web app scanner can never be the same as a manual pentest. The 1 hour talk will give people enough pointers on how to identify logical flaws and where to look for these.

  • Attacking Odata

    OData is a new data access protocol that is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP but hasn’t been publicly explored in terms of security. This presentation dissects the OData protocol and explores the potential areas of weakness. I’ll give an attack and penetration testing perspective of OData and release a new Ruby based tool that can be used to create OData fuzzing templates.

    This talk assumes no prior OData knowledge and makes the OData penetration testing concepts easy to understand. The approach is to start with a single read URI, just like a black box penetration test, and build on concepts. OData attack and penetration testing aspects will be discussed along with OData concepts and potentially unique OData vulnerabilities that may come into play with OData implementations. A new Ruby based tool to generate OData fuzzing templates will also be released. Additionally, the OData assessment tool Oyedata will be demonstrated.

    Presented By:
    Gursev Singh Kalra

  • Breaking and Fixing the Smart Grid

    The Smart Grid brings greater benefits for utilities and customers alike; however, these benefits come at a cost from a security perspective. Unlike the over-hyped messages we usually hear from the media, the sky is NOT falling. However, just like any other technology, the systems and devices that make up the Smart Grid will have weaknesses and vulnerabilities. It is important for us to understand these vulnerabilities, how they can be attacked, and what we need to do to defend against those attacks. This presentation will explore a methodology that Electric Utilities can use to perform penetration testing on their equipment to identify and remediate vulnerabilities before they are exploited by the bad guys.

    Presented By:
    Justin Searle

  • Cash is King: Who’s Wearing Your Crown?

    Show me the money. If hackers were able to manipulate the world’s accounting systems, governments and corporations would be in a frenzy. Guess what? Hackers can…and will. In this presentation we describe manipulating the major financial accounting systems used by corporations large and small to show the importance of good information security and accounting controls. In this talk we will identify ways to manipulate accounting systems for financial gain, demonstrating real world mass accounting systems fraud. We will also identify information security and accounting controls needed to detect these types of attacks. Through our research we’ve identified multiple ways to manipulate accounting data and misappropriate funds. Our research will provide attendees with a new outlook on the importance of information security and back end accounting controls and how tightly they are linked. We concentrated our research on middle tier accounting systems used by SMBs and large corporations.

    Presented By:
    Tom Eston
    Brett Kimmell

  • Cybercrime Kill Chain vs. Effectiveness of Defense Layers

    Cybercriminals persistently challenge the security of organizations through the rapid implementation of diverse attack methodologies, state of the art malware, and innovative evasion techniques. In response, organizations deploy and rely on multiple layers of diverse security technologies. This talk examines the attackers' kill chain and the measured effectiveness of typical defense technologies such as Next Generation Firewalls, Intrusion Prevention Systems (IPS), Antivirus/Malware Detection, and browsers' internal protection. Empirical data on the effectiveness of security products derived from NSS Labs' harsh real-world testing is presented together with a live demonstration of successful evasion of malware detection. We find a considerable gap in protection levels within and across different security product groups. The presentation will be backed up with a paper to be made available to Blackhat attendees.

  • Droid Exploitation Saga

    In this talk, we will be discussing the recent trends in Android Security Exploitation, and we will be carrying out all the possible attacks using a framework which we've designed, called Android Framework for Exploitation (AFE).

    We will show how easy it could get to break into any Android Device, either using an exploit or by creating malware using AFE. Also, in case the malware gets detected by any of the anti-malware products, you'll have the option to make it Fully Undetectable again and again, using the framework.

    The things you would be able to steal with the help of AFE-created malware aren't limited to Contacts, Call Logs or Text messages; you could also steal application specific information (contained within the database files or saved using Content Providers).

    We will be covering each topic with live demonstrations and will also discuss case studies of vulnerabilities in some of the most popular Android applications.

    Presented By:
    Aditya Gupta
    Subho Halder

  • The Endless Game, Fighting Against Kelihos Botnet

    Kelihos is still alive even after the second takedown action, building its p2p infrastructure and sending spam again. It bounced back after the second takedown operation in a couple of hours. In the recent Kelihos build, it implemented a brand new custom encryption algorithm (270+ layer custom encryption) and removed the BitCoin mining function. This raises numerous questions: Did it survive the second takedown operation? How did it evolve? Are there any changes in its infrastructure? Why did it remove the BitCoin mining function? What new functionality has been added to it? Is the Kelihos p2p infrastructure used by Kelihos itself only?

    In this presentation, I will attempt to shed light on those questions after examining the latest Kelihos bot, from its p2p protocol and encryption schemes to its working mechanisms, reveal another P2P botnet that is involved in the Kelihos p2p infrastructure, and explain the mystery of how Kelihos could bounce back again and again via the discovery of Kelihos' hidden servers.

    Presented By:
    Kyle Yang

  • Enterprise malware, there is always a way. DNS/DNSSEC

    DNS is an essential protocol used in almost any enterprise network around the world. Many corporate IT environments rely on DNS in order to facilitate the most critical business processes. This is the reason why, more often than not, this protocol is simply allowed through every network. Most IDS and IPS deployments do not enforce strict rules against malformed, strange or abnormal DNS packets. These conditions are perfect for those who wish to control botnets, deploy remote access or execute covert “under the radar” corporate espionage with advanced malware and confidential data exfiltration. In this last case, sensitive networks that would not be targeted using usual methods are critically exposed: if the attacker uses a Remote Administration Tool (RAT) that takes advantage of the DNS protocol and some other juicy tricks, and if the RAT uses DNSSEC for the data leakage process, the end result is a stealthy & deadly weapon. The talk will encompass a full demonstration of this new attack tool's capabilities, including how to build your own expansion modules in Python.

    Presented By:
    Alberto Garcia Illera

  • HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits

    HTML5 is an emerging stack for next generation applications. HTML5 is enhancing browser capabilities and is able to execute Rich Internet Applications in the context of modern browser architecture. Interestingly, HTML5 can run on mobile devices as well, which makes things even more complicated. HTML5 is not a single technology stack but a combination of various components like XMLHttpRequest (XHR), Document Object Model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/Browser rendering. It brings several new technologies to the browser which were not seen before, like localStorage, WebSQL, WebSocket, Web Workers, enhanced XHR and DOM-based XPath, to name a few. This has enlarged the attack surface and the points of exploitation for attackers and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits that are hard to detect and make compromise easy. In this paper and talk we are going to walk through these new architectures, the attack surface and possible threats. Here are the top 10 threats which we are going to cover in detail with real life examples and demos.

    Presented By:
    Shreeraj Shah

  • Huawei Router Security

    Huawei routers are no longer devices only seen in China. Entire countries run their Internet infrastructure exclusively on these products and established tier 1 ISPs make increasing use of them. However, very little is known of Huawei's Versatile Routing Platform (VRP) and its security. This presentation will introduce the architecture, special properties of VRP configurations and services as well as how to reverse engineer the OS. The presentation will give an all-around view into the security of VRP based equipment.

    Presented By:
    Felix 'FX' Lindner

  • Introducing the Smartphone Pentest Framework

    When many people hear "Smartphone Pentest Framework", they think this tool lets you run attack tools from a smartphone. Instead, this tool lets you assess the security posture of smartphone devices. As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework, including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.

    Presented By:
    Georgia Weidman

  • Inspection of Windows Phone applications

    The market share of Windows Phone devices continues to grow, and so grows the number of WP applications: from simple games and social apps to complex business apps. The WP security model is considered to be secure; nevertheless, the applications themselves may have potential vulnerabilities.

    In this presentation, we want to show the techniques we use to analyze the security of WP applications. We will introduce a new tool that makes analysis much easier. This tool allows using both static and dynamic (code instrumentation) techniques. In fact, it is an environment for WP application analysis. We will also show with real examples how to find vulnerabilities with this tool and exploit them.

  • Legal Aspects of Cyberspace Operations - Hacking Back, Active Response and More

    The past year has seen a lot of articles and briefings on active defense and “legally” hacking back, both from computer network defenders and their attorneys. And if the area of computer network attack and cyber warfare weren’t already being discussed at great length, the release of the draft “Tallinn Manual” on cyber warfare now joins an area where legal scholars are trying very hard to make their marks on this community. We will discuss the legal issues associated with these topics and, as always, this presentation is strongly audience driven and quickly becomes an open forum for questions and debate.

    Presented By:
    Robert Clark

  • Lessons from the History of Cyber Conflict

    Even in its earliest history, cyberspace had disruptions, caused by malicious actors, which have gone beyond being mere technical or criminal problems. These cyber conflicts exist in the overlap of national security and cybersecurity, where nations and non-state groups use offensive and defensive cyber capabilities to attack, defend, and spy on each other, typically for political or other national security purposes. Yet these decades of cyber history have been forgotten, ignored as irrelevant, even as a crush of new personnel storms into the field.

    Our study (which will result in the first history book of cyber conflict) has mined a rich vein of lessons which contradict much of the popular belief about cyber conflict, including:

    1. Cyber conflict has changed only gradually over time, making historical lessons especially relevant (though usually ignored).
    2. The probability and consequence of disruptive cyber conflicts has been hyped while the impact of cyber espionage is consistently under-appreciated.
    3. The most commonly held views of strategically important cyber conflicts are so distant from their fundamental nature as to constitute myth.

    This presentation will examine each of these assertions along with the practical consequences for nations and security companies. As just one point, cyber conflict is fast but by no means at the “speed of light” or even “network speed.” The focus of the US cyber community on this single mistaken point means it will likely over-invest in capabilities and doctrine to automatically counterattack against surprise attacks. Rules of engagement will allow ever-lower levels to shoot back without seeking authorization, a relaxation of the rules which may not be in the long-term US economic or military interest.

    Presented By:
    Jason Healey

  • Malicious URI Resolving in PDFs

    Attacks by PDFs are most often carried out from inside the PDFs themselves, so they are subject to shape-based detection. Now, imagine that the malicious content is not in the PDF opened by the victim. In fact, using internal legitimate Adobe mechanisms to do so can be advantageous for an attacker. Submitting forms allows these possibilities. It is not like the well-known URI method; it is better. It allows an attacker to greatly expand his panel of attacks from a PDF.

    Basically, the purpose of this paper is to show that the simple use of an HTTP request from a PDF can be a pretty good vector for an attacker. Furthermore, this paper deals with how it can be relatively easy to reuse some web browser vulnerabilities from PDFs. In addition to that, we found out a new way to determine the victim's Adobe Reader version even before any malicious action.

    This paper will begin with a short description of Adobe Reader's network mechanisms and the related security. Then, this paper will deal with some new weaknesses discovered in the URL Security Manager of Internet Explorer. Finally, two attack scenarios will be detailed. The first scenario is an example of the use of risky JavaScript functions in Internet Explorer from a PDF. The second scenario shows a new way to use vulnerability exploits in PDFs. It is a strategic way of attacking that emphasizes the collection of information before the attack itself.

    Presented By:
    Valentin Hamon

  • Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication

    We present a novel stealthy cross-platform infection attack in WiFi networks. Our attack has high impact on two-factor authentication schemes that make use of mobile phones. In particular, we apply our attack to break mTAN authentication, one of the most used schemes for online banking worldwide (Europe, US, China). We present the design and implementation of the online banking Trojan which spreads over the WiFi network from the user's PC to her mobile phone and automatically pairs these devices.

    When paired, the host and the mobile malware deliver to the attacker authentication secrets which allow her to successfully authenticate against the online-banking portal and perform financial transactions in the name of the user. Our attack is stealthy compared to the known banking Trojans ZeuS/ZitMo and SpyEye/Spitmo, as it does not rely on phishing or naïve user behavior for malware spreading and pairing.

    Our reference implementation targets Windows PCs and Android based smartphones, although our attack is not platform specific. To achieve cross-platform infection, we applied and adapted attack techniques such as remote code execution, privilege escalation, GOT overwriting, DLL injection and function hooking. Our attack can be implemented by knowledgeable attackers and calls for re-thinking of security measures deployed for protection of online transactions by banks.

  • Poking Servers with Facebook (and other Web Applications)

    Many web applications provide functionality to pull data from other websites for various reasons. Using user specified URLs, web applications can be made to fetch image files, download XML feeds from remote servers and, in the case of Mozilla, text based manifest files as well. This functionality can be abused by making crafted queries using the vulnerable web application as a proxy to attack other remote servers. Attacks arising via this abuse of functionality are named Cross Site Port Attacks.

    Cross Site Port Attacks (XSPA) occur when a web application attempts to connect to user supplied URLs and does not validate backend responses received from the remote server. An attacker can abuse this functionality to send crafted queries to attack external Internet facing servers, intranet devices and the web server itself using the advertised functionality of the vulnerable web application. The responses, in certain cases, can be studied to identify service availability (port status, banners etc.).

    In this paper we will see how commonly available functionality in most web applications can be abused by attackers to port scan intranet and external Internet facing servers, fingerprint internal network aware services, perform banner grabbing, identify web application frameworks, exploit vulnerable programs, run code on reachable machines, exploit web application vulnerabilities listening on internal networks, read local files using the file protocol and much more. XSPA was discovered in Facebook, where it was possible to port scan any Internet facing server using Facebook’s IP addresses. Subsequently, XSPA was also discovered in several other prominent web applications on the Internet, including Google, Apigee, StatMyWeb, Pinterest, Yahoo, Adobe Omniture and several others. We will take a look at the vulnerabilities that were present in the above mentioned web applications that could be used to launch attacks and perform port scans on remote servers and intranet devices using predefined functionality.

    Presented By:
    Riyaz Walikar

  • Power Analysis Attacks for Cheapskates

    Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field shows that the equipment used is often fairly expensive: the typical oscilloscope used often has at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to set up a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board & open-source Python tools for doing the capture. The underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work.

    Presented By:
    Colin O'Flynn

  • Practical Security Testing for LTE Networks

    New high speed mobile data services are being rolled out every month with a large proportion of these being based on the 3GPP Long Term Evolution (LTE) standards.

    One of the fundamental changes between LTE networks and those used previously is the use of IP for all communications between back-end components. This is primarily to improve scalability and increase the flexibility available to network operators, but does that have a security related cost?

    Over the past 12 months MWR have worked with a number of major vendors and operators to identify how we can ensure that these environments are implemented securely. This has been based on extensive testing of a number of LTE implementations, each using different vendor equipment and set up in slightly different ways. This experience has enabled us to develop practical and tested advice on how to implement and, more importantly, how to test the implementation of an LTE environment.

    This talk will provide an overview of an LTE network and more importantly how it can be tested to ensure it is secure. From this talk the audience will take away a better understanding of LTE deployments, how they could be attacked and how we can gain assurances about their security using some of the latest thinking in this space.

    Presented By:
    Martyn Ruks

  • Quantifying Maliciousness in Alexa Top-Ranked Domains

    Many people assume that it is safe to visit popular, long-lived websites. While anecdotal examples of popular website compromises contradict this expectation, there exist few comprehensive studies that attempt to systematically quantify maliciousness in top-ranked sites.

    To address this gap in understanding, my presentation details the design and results of long-running experiments that identify maliciousness in popular websites in a vulnerability and exploit-independent manner. To perform experimentation, I created a scalable URL analysis system that forces a browser within a sterile virtual machine to visit a given site, then examines the network-level actions of the VM to determine whether a drive-by download occurred. As input to this system, I provided the Alexa top 25,000 most popular domains each day in what became a series of month-long studies.

    In combination with reverse engineering parts of the Alexa rankings system, detailed analysis of the results yields cause for concern. My findings show that each month, millions of users are served malicious content from just tens of popular websites, and at least one million users are successfully compromised. In addition to an assessment of the experimentation results (e.g., use of Java or ad networks in drive-by downloads), my presentation will coincide with the release of the raw data collected to promote a better understanding of this issue.

    Presented By:
    Paul Royal

  • Reverse and Simulate your Enemy Botnet C&C

    Have you ever been staring for nights at binary or hexadecimal data flows extracted from a USB channel? Do you remember searching for patterns and similarities in this mess of zeros and ones grabbed from a binary configuration file? How long did it take you to find a 16-bit decimal size field the last time you reversed an IPC communication protocol?

    Did you know you were not alone, and that Rob Savoye (at FOSDEM 2008) and Drew Fisher (at 28C3) have already reported the main difficulties of RE operations? Both of them called for the creation of a tool which would help experts in their work.

    After 2 years of intensive research, we are pleased to present our results: a tool that facilitates the analysis of binary flows, finds relations between segments of data, deduces data types and formats, infers the state machine and a few other little things, including fuzzing and simulating implementations of undocumented protocols.

    Released under GPLv3, Netzob is (to our knowledge) the most advanced available tool that helps reversers and security evaluators/auditors in their work on undocumented protocols.

  • Security Impacts of Abusing IPv6 Extension Headers

    On 6 June 2012, during the so-called IPv6 World Launch day, major ISPs, significant companies around the world and home networking equipment manufacturers (including but not limited to Akamai, AT&T, Cisco, Facebook, Google, Microsoft Bing, Yahoo! and others) enabled IPv6 for their products and services permanently, while more are expected to follow. But are we really ready for this major transition from a security perspective? IPv6 introduces new features and capabilities not limited to IPv6's huge address space. One of them is the introduction of the IPv6 Extension Headers. In this paper, it will be shown that the abuse of IPv6 Extension Headers in a way not predicted by the corresponding RFCs can lead to significant security impacts. During our experiments, the effectiveness of some of the most popular Operating Systems (Windows 7/2008, several Linux distributions, the latest FreeBSD and OpenBSD) in handling various malformed IPv6 datagrams is examined. As will be shown, the abuse of the IPv6 Extension Headers creates new attack vectors which can be exploited for various purposes, such as evading IDS, creating covert channels by hiding data in Extension Headers, etc. During our tests, the effectiveness of two of the most popular IDS against these attacks is also examined and several ways of evading them at the IP level are shown. As is demonstrated, the launch of any type of attack at the IP layer or above (from port scanning to SQLi attacks) without being detected can be achieved by abusing IPv6 Extension Headers “properly”. Finally, specific countermeasures that should be taken to handle such situations are also proposed.

    Presented By:
    Antonios Atlasis

  • Social Engineering Threats and Countermeasures In An Overly Connected World

    In this presentation, two-time winner of the Defcon Social Engineering CTF competition, Shane MacDougall, will examine how many of the techniques used by national intelligence agencies and corporate intelligence units have been adopted by social engineers to create devastatingly effective attacks.

    Social engineering is rapidly becoming one of the hot topics in information security, which is curious since it has been an oft-used attack vector for decades (technically centuries). But what are the most effective social engineering attacks, and how can an enterprise protect itself? This presentation will discuss new tools being utilized by attackers, and will include a breakdown of the speaker’s last two victories at the Defcon SECTF.

    Especially effective OSINT resources, combined with well-designed gambits and pretexts, will be discussed, along with effective, field-proven countermeasures. By the end of the session, participants will have learned of the OSINT world that exists outside of the Maltego-driven paradigm.

    We will also discuss (and hopefully demo) ShmoozeKit, a real-time pretext generator package being developed by the presenter.

    Presented By:
    Shane MacDougall

  • Stealing from Thieves: Breaking IonCube VM to Reverse Exploit Kits

    Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices typically range from several hundred to over a couple thousand dollars. It is also becoming quite common to rent hosted exploit kits. Because of this, a competitive market has emerged with numerous players, including many different authors. Appearing several years ago, MPack was one of the first examples of this type of ‘tool’. This was followed shortly after by ICE-Pack, Fire-Pack and a variety of others. Today’s well-known exploit kits are, for example, Eleonore, the YES Exploit Pack, and Crimepack.

    In order to protect their exploit kits, cyber criminals are using solutions that convert source code to byte code (virtualized and obfuscated), which is then encoded and passed to a loader that can then be delivered via a PHP web page. Purchased exploit kits are further protected through the use of strict licensing that restricts copying and redistribution.

    In this talk, I will discuss how ionCube copy protection is used to protect exploit kits. I will also demonstrate how to break that protection in order to recover the exploit kit source code, as well as identify which IP addresses are tied to a particular exploit kit license.

    Presented By:
    Mohamed Saher

  • Targeted Intrusion Remediation: Lessons From The Front Lines

    Successfully remediating a targeted intrusion generally requires a different approach from that applied to non-targeted threats. Regardless of the remediation actions enacted by victim organizations, experience has shown that such threats will continue to target certain organizations. In order to be successful against these types of threats, organizations must change the way they think about remediation. This presentation outlines a model to guide tactical and strategic security planning by focusing efforts on the following three goals:

    • Inhibit attacker’s activities.
    • Enhance visibility to detect indicators of compromise.
    • Enhance the security team’s ability to effectively and rapidly respond to intrusions.

    Presented By:
    Jim Aldridge

  • UI Redressing Attacks on Android Devices

    In this presentation, we describe novel high-impact user interface attacks on Android-based mobile devices, additionally focusing on showcasing the possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from the desktop browser field to the mobile browser field. Our main contribution is a demonstration of a browserless tap-jacking attack, which greatly enriches the impact of previous work on this matter. With this technique, one can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted appropriate privileges. To protect against this attack, we introduce the concept of a security layer that catches all tap-jacking attempts before they can reach the home screen or arbitrary applications.

    Presented By:
    Marcus Niemietz