Briefings - March 27 & 28

All Briefings and Trainings will be presented in English

Let's Fix the Mess

Forty-five years ago the Arpanet came into existence, connecting computers with permanent, leased lines. Within a few years multiple networks were interconnected to form today's Internet. Billions of users, trillions of dollars of commerce and a new “flat” world emerged. Two of the less attractive consequences of the explosive growth were the myriad security problems and the wrangling over Internet governance issues.

Dr. Crocker will talk a bit about the early history, particularly the creation of the Requests for Comments (RFCs) and the positive impact the open approach had on technology development, and then focus on current activities, both positive and negative. Security technologies such as DNSSEC and RPKI hold some promise of improving the game, but they are only a small sample of what needs to be done.

Meanwhile, a variety of policy issues permeate the security arena. He'll also talk briefly about ICANN, what it does, and, perhaps more important, what it doesn't do.

Dr. Crocker will close with a challenge to the Black Hat community.

Presented by

Dr. Steve Crocker


Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts

Homes and offices built around the Internet of Things (IoT) are here, and so are the related high-impact attack vectors. Your door lock, sprinkler system, light bulb, pet feeder, door sensor, thermostat, and baby monitor are likely to be vulnerable to attack. Remotely.

In this talk, we will break open emerging home automation products to build a solid threat model and see actual examples of vulnerabilities: from how an attacker can remotely cause a blackout at your home (or your high-rise condo or office) to how the various physical sensors you will come to depend on can be exploited. These aren't vulnerabilities you can just patch with a software update.

This talk will include demonstrations of vulnerabilities that let malware cause a sustained blackout, design issues that can lead to spying through baby monitors, and the remote shut-off of electronic devices in the home.

We know the implications of critical infrastructure vulnerabilities that are based on traditional protocols. It is time to talk about next-generation infrastructure that is destined to empower our future and our safety.

Presented by

Nitesh Dhanjani

Advanced JPEG Steganography and Detection

We will dive deep into the JPEG algorithm and then explore numerous published hiding techniques, explained in plain English (as opposed to Ph.D. mathematical lingo). Some techniques are extremely difficult to detect, while others have high capacity (15% to 30%). You will be amazed at how much data can be hidden in a JPEG with almost no visible change (and ZERO quality degradation), even when comparing images side by side. Then, we'll discuss several approaches to automated detection. We will demonstrate detection against the techniques applied. The entire talk is sprinkled with images and live demonstrations. Finally, I will present a customized implementation with full cryptography and detection mitigation. Best of all, you get the program to use yourself - this will be fun!

Presented by

John Ortiz

AIS Exposed. Understanding Vulnerabilities and Attacks 2.0

Automatic Identification System (AIS) is a promoted standard and implementation for vessel traffic safety and monitoring. With more than 400,000 installations worldwide, AIS is currently mandatory for commercial vessels and has been a de facto solution for leisure craft since 2006. In our research on AIS, we identified numerous vulnerabilities and problems affecting both the implementation of AIS services, which collect and provide access to AIS data, and the foundations of the AIS protocol used in radio-frequency (RF) communications. Our concerns affect all AIS transponders deployed on ships worldwide. This talk is divided into two parts: we first introduce the audience to AIS and the problems that we identified, and then we disclose and discuss a series of novel 2.0 vulnerabilities and attacks.

Presented by

Marco Balduzzi

Beyond 'Check The Box': Powering Intrusion Investigations

Many organizations have implemented robust security tool suites and “checked the box” on security logging standards. Yet many of these same organizations have not considered how these tools would effectively support an incident investigation effort.

This presentation begins by outlining a typical intrusion investigation process. It then presents a series of scenarios where investigators need the capability to rapidly obtain information from the environment to further their investigation. Each scenario will contain a case study and present recommended technical and process prerequisites.

Presented by

Jim Aldridge

Building Trojan Hardware at Home

How much do you trust the hardware shipped to your office or purchased at the local computer store? It may surprise you how easy it can be to turn hardware into a Trojan. This presentation will show attendees how they can turn computer peripherals from around the house into an attack platform. The great thing is you don't need a deep understanding of hardware to leverage this attack.

I have created a special hardware attack platform called The Glitch. It is a small reprogrammable multipurpose device designed specifically for security testing. As part of its functionality, it has been designed to embed in existing hardware; making it a unique attack vector.

In addition to modifying hardware, attendees will also learn about threats from modified firmware. The ever-growing open source community loves to create/modify existing firmware on embedded devices. We will briefly discuss the impact of modified firmware as a staging point inside a corporate network.

Presented by

JP Dunning

Comprehensive Virtual Appliance Detection

Our talk is about how to detect virtual appliance environments from scripts and native binaries. The purpose of the detection is to evade defenses that are built on virtual machines.

Virtual machines and virtualization technology play a critical role in virtual appliances, enabling dynamic and parallel sample analysis. Methods for detecting virtual machines and sandboxes have been discussed before, but mostly at the operating system level. This talk focuses on a comprehensive set of techniques that range from the OS level to the application level, and on to web scripts that can detect a virtual appliance from within the browser.

The talk will cover techniques that detect different virtualization models, from popular virtual machine monitors such as KVM/QEMU, VMware, and Xen to lightweight bare-metal hypervisors such as ESX. It will also cover different detection techniques, from native code to device fingerprints.

Detecting virtual appliances can aid the attack side by enabling stealthy rootkits and malware, as well as malicious sites that evade VM-based detection such as virtual execution engines. The comprehensive list of virtual appliance detection methods can also help the malware detection and defense side by alerting them to the constraints and limitations of VM-based solutions.

Presented by

Kang Li & Xiaoning Li

Disasters in the Making: How I Torture Open Government Data Systems for Fun, Profit, and Time Travel

"I'm from the government and I'm here to help you" takes on a sinister new meaning as jurisdictions around the world stumble over each other to 'set the people's data free'. New York City now has an Open Data Law and boasts in subway ads that 'our apps are whiz kid certified' (i.e. third party), which of course translates to 'we didn't pay for them, and don't blame us if somebody got it wrong and the bus don't come.' This session reports on my (and other people's) research aimed at prying out data that you're probably not supposed to have from Open Government Systems around the world. Recent findings from the Asia Pacific region are included.

"Torturing" a number of systems using off-the-shelf data analytic tools, and a bit of basic techno-wizardry (without breaking any laws), yielded some fascinating and unexpected information. Which union was shilling for political contributions for which candidate? Who has the most expensive home in town? Did a politician's wife vote for her own husband? An illustration of a shady "secondary industry" based on mining Open Government data will also be presented.

There are ways to build these systems well, and examples will be presented of the transformation from "terrible" to "not so bad." Applying classic computer science and accounting principles like 'least privilege' and 'segregation of duties' the presentation will suggest some ways to have our Open Data cake without letting data snoopers eat too much of it.

Presented by

Tom Keenan

Discovering Debug Interfaces with the JTAGulator

On-chip debug interfaces can provide chip-level control of a hardware device and are a primary attack vector to extract program code/data, modify memory contents, or affect device operation on the fly. Depending on the complexity of the target device, manually locating debug connections can be a difficult and time-consuming task, sometimes requiring physical destruction or modification of the device.

In this session, Joe will present the JTAGulator, an open source hardware tool that assists in identifying on-chip debug interfaces from test points, vias, or component pads on a circuit board. He will discuss traditional hardware reverse engineering methods, details of JTAG and UART functionality, and how the JTAGulator can simplify the task of discovering such interfaces. JTAGulators and target hardware will be available for hands-on experimentation by attendees.

Presented by

Joe Grand

Diving Into IE 10's Enhanced Protected Mode Sandbox

With the release of Internet Explorer 10 in Windows 8, an improved version of IE's Protected Mode sandbox, called Enhanced Protected Mode (EPM), was introduced. Built on the AppContainer process isolation mechanism new in Windows 8, EPM aims to further limit the impact of a successful IE compromise by restricting both read and write access and the capabilities of the sandboxed IE process.

As with other new security features integrated in widely deployed software, it is just prudent to look at how EPM works internally and also evaluate its effectiveness. This presentation aims to provide both by delving deep into the internals and assessing the security of IE 10's Enhanced Protected Mode sandbox.

The first part of this presentation will focus on the inner workings of the EPM sandbox where topics such as the sandbox restrictions in place, the inter-process communication mechanism in use, the services exposed by the higher-privileged broker process, and more are discussed. The second part of this presentation will cover the security aspect of the EPM sandbox where its limitations are assessed and potential avenues for sandbox escape are discussed.

Finally, at the end of the presentation, an EPM sandbox escape exploit will be demonstrated. The details of the underlying vulnerability, including the thought process that went into discovering it, will also be discussed.

Presented by

Mark Vincent Yason

Dude, WTF in My CAN!

In our previous presentation, we learned how the security in some car ECUs works, and we demonstrated how it could be bypassed to modify their internal parameters, and even to recover a bricked ECU. All of this was done over K-Line, a protocol that was used on all vehicles up to 2010. This time, we will go one step further, introducing the security present in modern CAN bus enabled vehicles, and of course, how it can be bypassed. We will show a custom-made tool that costs less than $20 to build and that is able to access the CAN bus, making it possible to take control of a CAN enabled vehicle remotely once four wires are hooked up.

Besides this, we will talk about a very interesting topic, car forensics, giving an overview of the current state of this field. A demonstration will show how the gathered data can be used for legal purposes, and the project for a tool to extract and parse this information will be introduced.

I Know You Want Me - Unplugging PlugX

PlugX is one of the most notorious RATs used for targeted attacks, and its author is still aggressively extending its implementation.

So far, several excellent malware researchers have published reports about PlugX's behavior and the decryption of important binaries like its config data. The information in a PlugX config can be used to identify attacker groups, but parsing the configs of many specimens is tough work because the config has more than one version, and the algorithm for decrypting it also changes with the author's continual updates.

This presentation shows the results of an approach to categorizing PlugX variants based on detailed analysis of config data and code. The results seem to indicate multiple attacker groups, distinguished by common information such as C2 hostname/IP, installed service name, config size, debug string, a characteristic double-word value, and so on.

I will also introduce the latest variant with several anti-reversing techniques.

The Inner Workings of Mobile Cross-Platform Technologies

New Apps are published every week, each dreaming of becoming the next hot App, where short development time and low cost are crucial. Many of these Apps are developed with their respective native platform technologies; however, a new trend is to use cross-platform technologies in the spirit of developing once and running on multiple platforms, to save time and keep costs low. But how are security and privacy affected when all these technologies mix?

This presentation digs under the hood of the current top mobile cross-platform technologies, such as PhoneGap, Corona, RhoMobile, Xamarin and MoSync, which use HTML5, .NET, C++ and scripting languages to write Apps that run on multiple platforms (iOS, Android, Windows Phone, etc.).

We will cover how to reverse engineer and audit these kinds of Apps, using static and dynamic tools and techniques differently from native Apps, to understand how they work and to uncover bugs.

Many of the popular games are being developed with these kinds of technologies, so if you are a mobile auditor or a game cracker this talk will get you going on how to hack these Apps. Be ready to read code!

Presented by

Simon Roses Femerling

JS Suicide: Using JavaScript Security Features to Kill JS Security

JavaScript today has a presence in almost every website across the Internet. Aggressive research is in progress in the security community to come up with better security features for JavaScript every day. Unfortunately, many of JS's security features are a double-edged sword. In this presentation, we will show how some of the security features in JavaScript can be used maliciously by an attacker to kill other security features in any website. More specifically, we will see how the sandboxing features of ECMAScript 5 can both make and break security in modern-day applications. We also take a few real-world examples like OWASP CSRFGuard and use some of the major security features of JS to bypass the CSRF protection offered by this OWASP library in many different ways.

Presented by

Ahamed Nafeez
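The mechanism the JS Suicide abstract above points at, shown as an added illustration written for this page (it is not Nafeez's material and not OWASP CSRFGuard's code): a defence library that hooks XMLHttpRequest.prototype.open to stamp an anti-CSRF token on every request, versus an attacker script that loaded earlier and used the ES5 lock-down primitive Object.freeze on that prototype. The XMLHttpRequest stand-in, the header name X-CSRF-Token and the token value are constructed for the example, since Node has no XHR.

```javascript
// Each call returns a fresh XMLHttpRequest stand-in (constructed; Node has no XHR),
// so the two scenarios below do not share prototype state.
function makeXHR() {
  return class XMLHttpRequestStandIn {
    open(method, url) { this.method = method; this.url = url; this.headers = {}; }
    setRequestHeader(name, value) { this.headers[name] = value; }
    send() { return { method: this.method, url: this.url, headers: this.headers }; }
  };
}

// Defence in the spirit of a token-injecting library: wrap open() so every request
// carries the anti-CSRF token. Returns whether the hook actually took effect.
function installCsrfHook(XHR, token) {
  const originalOpen = XHR.prototype.open;
  const hookedOpen = function (method, url) {
    originalOpen.call(this, method, url);
    this.setRequestHeader('X-CSRF-Token', token);
  };
  try {
    // On a frozen prototype this assignment is silently ignored in sloppy mode
    // and throws a TypeError in strict mode; either way nothing is installed.
    XHR.prototype.open = hookedOpen;
  } catch (e) {
    // strict-mode TypeError: same outcome as the silent failure
  }
  return XHR.prototype.open === hookedOpen;
}

// Attacker's script, loaded before the defence (for instance an include that runs
// first): Object.freeze makes the prototype non-extensible and its methods read-only.
function attackerFreezesPrototype(XHR) {
  Object.freeze(XHR.prototype);
}

function sendTransfer(XHR) {
  const xhr = new XHR();
  xhr.open('POST', '/account/transfer');
  return xhr.send().headers;
}

// Scenario 1: the defence runs first, so the token header is present.
function scenarioDefenceFirst() {
  const XHR = makeXHR();
  const installed = installCsrfHook(XHR, 'tok-123');
  return { installed, headers: sendTransfer(XHR) };
}

// Scenario 2: the attacker froze the prototype first; the hook is refused and the
// request leaves without a token, i.e. the CSRF defence was killed by a security feature.
function scenarioAttackerFirst() {
  const XHR = makeXHR();
  attackerFreezesPrototype(XHR);
  const installed = installCsrfHook(XHR, 'tok-123');
  return { installed, headers: sendTransfer(XHR) };
}

// Check a defence library should make before trusting its hooks: were the hook
// points already locked (frozen, or made non-writable) by code that ran earlier?
function hookPointsLocked(XHR) {
  const d = Object.getOwnPropertyDescriptor(XHR.prototype, 'open');
  return Object.isFrozen(XHR.prototype) || !d || d.writable === false;
}

console.log('defence first:', scenarioDefenceFirst());
console.log('attacker first:', scenarioAttackerFirst());
```

The practical lesson is ordering and verification: a hook-based defence only works if it runs before any untrusted script and checks, as hookPointsLocked does, that the objects it wraps are still writable, rather than assuming the assignment succeeded.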

The Machines That Betrayed Their Masters

The devices we carry betray us to those who want to invade our privacy by emitting uniquely identifiable signals. The most common example is the wireless signals emitted by your mobile phone (even whilst tucked safely into your pocket). Such signals may be used to track you, or be used toward more malicious intent.

This talk will discuss the process the author has gone through to build a resilient, modular, reliable, distributed, tracking framework - originally spawned as a PoC tool in 2012 by the name 'Snoopy'. The dog is back, and with more bite - looking beyond just Wi-Fi. Also, he's now airborne via a quadcopter.

Presented by

Glenn Wilkinson

OFFENSIVE: Exploiting DNS Server Changes

In the context of offensive security research, I identified that there are many vulnerabilities that let someone change the DNS servers of a target. Additionally, there is always recent history of major DNS servers being hacked (WhatsApp, Qatar's, etc.). On the other hand, there are tools and techniques to exploit these effectively, meeting the usual needs of offensive operations: secrecy and effectiveness. This is a talk useful for phishers, hackers and LEAs.

Presented by

Leonardo Nve

Owning a Building: Exploiting Access Control and Facility Management Systems

Modern facilities (such as corporate headquarters) are marvels of engineering. These buildings employ numerous embedded and software systems to help ensure convenience, efficiency, and even security. The door that unlocks after you swipe your badge is managed by an access control system. The lights and even power to your building are managed by a facility management system. These invisible embedded and software systems make modern life in the corporate headquarters convenient and comfortable. What if someone were to take over these systems? Join us as we demonstrate what can happen when these systems are compromised. We'll cover various vulnerabilities that exist in access control systems, facility management systems, and other systems that support modern buildings. We'll show real examples of how these systems can be exploited to unlock the front door to your corporate headquarters, disrupt business operations, and even shut the lights off in your building.

Presented by

Billy Rios

PDF Attack: A Journey From the Exploit Kit to the Shellcode

"PDF Attack: A Journey From the Exploit Kit to the Shellcode" is a workshop showing how to analyze obfuscated JavaScript code from an Exploit Kit page, extract the exploits used and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries, but it is also important to know how to do it manually so as not to miss a detail. We will focus mostly on PDF documents, starting from a simple JavaScript Hello World document and ending with a real file used by a fresh Exploit Kit. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software, which is very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so the presentation also covers the latest tricks used by cybercriminals, like using new filters and encryption to make analysis more difficult.

Presented by

Jose Miguel Esparza

Persist It: Using and Abusing Microsoft's Fix It Patches  

Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes, as a way to stop newly identified active exploitation methods against their products. A common Fix It patch type used to prevent exploitation is the previously undocumented In Memory Fix It. This research first focuses on analyzing these in-memory patches. By extracting information from them researchers are able to better understand the vulnerabilities that Microsoft intended to patch. The research then focuses on reverse engineering the patches and using this information to provide the ability to create patches which can be used to maintain persistence on a system.

Presented by

Jon Erickson

Privacy-by-Design for the Security Practitioner

Privacy-by-Design (PbD) has become the de facto standard, regulatory-approved approach towards addressing privacy concerns with products and services. PbD is a strategy where privacy concerns are brought into the design of products rather than tacked onto the end. Because privacy has a relative lack of experienced specialists and because of its close relationship to security, privacy often becomes the responsibility of the security practitioner.

While a security practitioner already has much of the necessary background to do privacy, there are some aspects of privacy that may be less familiar. The main technical difference is that in security, the information transmitted to the attacker should often have no semantic content. For instance, if a user is sending another party a bit of information or storing a bit of information on a device, the attacker is supposed to not be able to guess with more than 50% accuracy whether the bit is 1 or 0. In other words, assuming appropriate security controls, the attacker is completely frozen out and, in a rigorous sense, has no knowledge about the user's data. With privacy, the adversary often has some of the user's data with full awareness and consent.

This brings about several difficulties. First, how do you describe the data collected to the user? For security, the null dataset is easy to understand. When the dataset is not null, describing the data collected becomes an issue, and consent also becomes a problem. Second, what can the privacy adversary infer from the released data? These inferences are often unclear to the user. The inference problem is compounded by the auxiliary knowledge of the attacker, i.e. what other data the attacker knows about the user or in general. The user often does not understand the extent of this knowledge. The inference problem, what it is possible to deduce with what certainty, is central to privacy. That is why, while the lingua franca of security is cryptography, the lingua franca of privacy is statistics, machine learning, and data mining.

This talk presents a privacy crash course aimed at security specialists and includes tips and recommendations for doing Privacy-by-Design.

Presented by

Richard Chow

SAP, Credit Cards, and the Bird That Knows Too Much

SAP applications build the business backbone of the largest organizations in the world. In this presentation, exploits will be shown manipulating a business process to extract critical payment and credit card data out of the business backbone. Follow the bird and enjoy tweets of data that will interest you.

Presented by

Ertunga Arsal

Say It Ain't So - An Implementation of Deniable Encryption

We are interested in the ability to lie convincingly about the contents of an encrypted file, a variation of "deniable encryption" from the cryptography literature. A reasonable scenario may involve a businessman traveling through dangerous territory with sensitive documents, who, if kidnapped or under duress, wants to be able to convincingly lie to his kidnappers about the contents of his documents.

We will thus release a tool that allows users to encrypt a text in such a way that it can be decrypted not just to the original text (using the correct key), but also to other possible texts (using decoy keys). For example, with one key, the text might decrypt to "Don't cry for me Argentina", but with the right key, it would decrypt to "Don't try to meet Angelina."

Presented by

Ari Trachtenberg

Scan All the Things - Project Sonar

Over the past year, the Rapid7 Labs team has conducted large-scale analysis of the data coming out of the Critical.IO and Internet Census 2012 scanning projects. This revealed a number of widespread security issues and painted a gloomy picture of an Internet rife with insecurity. The problem is, this isn't news, and the situation continues to get worse. Rapid7 Labs believes the only way to make meaningful progress is through data sharing and collaboration across the security community as a whole. As a result, we launched Project Sonar and urged the community to get involved with the research and analysis effort. To make this easier, we highlight various free tools and regularly share a large amount of our own research data for analysis, in cooperation with the University of Michigan and their website.

We've seen in the last year that Internet-wide surveys have become easier to conduct with better tools and need significantly fewer resources. Previous efforts like the EFF SSL Observatory are of great benefit to the general community and would have an even bigger impact if conducted on a regular basis.

Visibility into the evolution of Internet protocols, devices and vulnerabilities is essential to improve the security of the Internet as a whole. Large-scale Internet scanning provides the necessary datasets to prioritize research, gain statistics and hard evidence on risks and vulnerability exposure. Examples of this are the UPnP vulnerability research published by Rapid7 after gathering Internet-wide exposure data and the high amount of misconfigured and vulnerable Serial Port Server devices connected to the Internet.

This talk presents the history of Internet scanning and its motivations, explains the required tools and resources for conducting Internet-wide surveys and shows the vulnerability research and exposure statistics gathered so far. The data analysis possibilities will be demoed and thus enable the audience to engage in the project in order to find data on their own assets or participate in the analysis effort.

Presented by

Mark Schloesser

Solutum Cumulus Mediocris

Hosted payment gateways may offer an instant PCI compliance option for enterprises of any size. These solutions usually concede flow control between the merchant website and the payment gateway to the end user's browser. This is a flawed design and leaves the merchant account highly exposed. In addition to traditional price manipulation and replay attacks, it can allow an attacker to hijack the merchant's API access. Once the account has been hijacked, the attacker can bypass payment, forge payment-received notifications or even issue refunds. In this presentation, I will demonstrate how GPU clusters and cloud computing can allow an attacker to hijack merchant accounts in a short timeframe.

Presented by

Eldar Marcussen

Tomorrow's News is Today's Intel: Journalists as Targets and Compromise Vectors

In today's threat landscape, targeted intrusion by government actors is something faced not only by other nation-states, but also by corporate entities, activists, dissidents, and journalists. While the technology industry has started to come to grips with security requirements in a time of persistent threats, journalists and media organizations are only just now waking up to these hazards.

This talk will cover the range of attacks being carried out and examine the attacker motivation, effectiveness, and how tradecraft varies by geographical origin. From initial exploitation vectors, covering 0day-bearing documents, targeted spear-phishing and watering hole attacks to implants both custom nation-state designed and commercial, we will use specific case studies of actual compromises to illustrate the pervasiveness with which the 4th estate is being compromised.

UI Redressing Attacks on Android Devices Revisited

In this presentation, we describe high-impact user interface attacks on Android-based mobile devices, additionally focusing on possible mitigation techniques for such attacks. We discuss which UI redressing attacks can be transferred from the desktop browser to the mobile browser. Our main contribution is a demonstration of a browserless tapjacking attack, which greatly extends the impact of previous work on this matter. With this technique, we can perform unauthorized home screen navigation and attempt actions like (premium number) phone calls without having been granted the appropriate privileges. We will show, with an 0day, how an attacker can install applications in the background, even though this should have been fixed by Google in Android v4.

Presented by

Marcus Niemietz

Ultimate DOM-Based XSS Detection Scanner on Cloud

As more and more rich interactive web applications are built on HTML5's new capabilities, with native methods introduced to improve the user's interactive experience, XSS still ranks among the top 3 vulnerabilities in web applications. With the shift to HTML5 there is a growing trend toward one of its types, DOM-based XSS. However, due to the client-side nature of DOM-based XSS, there is no effective way to detect it in the open community. This work implemented taint checking in the JavaScriptCore JavaScript engine and the WebKit rendering engine. We modified the String object to carry a taint attribute set at every DOM input interface, propagated this attribute through all String operations, and checked it at every DOM output interface. If the output was tainted, we flagged the web application as vulnerable to DOM-based XSS. By harnessing the power of PhantomJS, a headless browser for automation, we developed an ultimate DOM-based XSS detection scanner and a cloud infrastructure that actively scans our target products. It has successfully caught production DOM-based XSS issues and reported them back to us.

Presented by

Nera W. C. Liu & Albert Yu
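A model of the source-to-sink taint tracking the DOM-based XSS abstract above describes, as an added example written for this page; it is not the authors' JavaScriptCore/WebKit patch. Where their engine attaches the taint flag to the native String so unmodified page code is tracked, this simulation has to carry it in a wrapper class, and the DOM sources (location.hash, document.referrer), sinks (innerHTML, document.write), the HTML escaper and the scanned page fragment are all constructed here.

```javascript
// A string that remembers which DOM sources it came from. Every operation that derives
// a new string from a tainted one carries the labels forward, as the patched engine does.
class TString {
  constructor(value, taint = new Set()) { this.value = value; this.taint = new Set(taint); }
  get tainted() { return this.taint.size > 0; }
  concat(other) {
    const o = TString.from(other);
    return new TString(this.value + o.value, new Set([...this.taint, ...o.taint]));
  }
  slice(a, b) { return new TString(this.value.slice(a, b), this.taint); }
  replace(pattern, repl) { return new TString(this.value.replace(pattern, repl), this.taint); }
  toUpperCase() { return new TString(this.value.toUpperCase(), this.taint); }
  static from(x) { return x instanceof TString ? x : new TString(String(x)); }
  toString() { return this.value; }
}

// HTML-escaping sanitizer: neutralises markup and, because the result can no longer
// carry markup into the sink, clears the taint (a recognised encoder in the real system).
function escapeHtml(ts) {
  const table = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return new TString(TString.from(ts).value.replace(/[&<>"']/g, c => table[c]));
}

// Simulated DOM input interfaces, each labelled with the source it stands for.
function makeSources(hash, referrer) {
  return {
    locationHash: new TString(hash, ['location.hash']),
    documentReferrer: new TString(referrer, ['document.referrer']),
  };
}

// Simulated DOM output interfaces: a finding is recorded whenever a tainted value arrives.
class SinkMonitor {
  constructor() { this.findings = []; }
  innerHTML(elementId, ts) { this.check('innerHTML', elementId, ts); }
  documentWrite(ts) { this.check('document.write', null, ts); }
  check(sink, where, ts) {
    const t = TString.from(ts);
    if (t.tainted) this.findings.push({ sink, where, sources: [...t.taint], value: t.value });
  }
}

// A constructed page fragment: one vulnerable flow from location.hash into innerHTML
// (through slice() and replace() on the way), the same flow escaped first, and the
// referrer written with document.write after an uppercase conversion.
function scanPage(hash, referrer) {
  const src = makeSources(hash, referrer);
  const mon = new SinkMonitor();
  const name = src.locationHash.slice(1).replace(/^name=/, '');
  mon.innerHTML('greeting', new TString('<b>Hello, ').concat(name).concat('</b>'));
  mon.innerHTML('greeting-safe', new TString('<b>Hello, ').concat(escapeHtml(name)).concat('</b>'));
  mon.documentWrite(new TString('From: ').concat(src.documentReferrer.toUpperCase()));
  return mon.findings;
}

console.log(scanPage('#name=<img src=x onerror=alert(1)>', 'https://evil.example/ref'));
```

Two things the model makes visible that the abstract only implies: the check is on data flow, not on payload, so a benign fragment such as #name=alice still produces a finding for the unescaped path (which is what makes the approach a scanner rather than a fuzzer), and every string operation the engine exposes has to propagate the flag or the flow is lost, which is why the work had to sit inside JavaScriptCore rather than in page script.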

USB Attacks Need Physical Access Right? Not Any More...

For a number of years I have been interested in USB host security, which can only be comprehensively tested using a combination of software and bespoke hardware to emulate various USB devices. After developing several different approaches to testing USB (which I've publicly discussed at various conferences), I have identified over 100 bugs covering all the major operating systems. The response from the vendors has often been along these lines: "thank you for the bug, but as you need physical access to plug in your rogue device, the impact is actually quite low." However, due to recent advances in a number of remoting technologies, USB attacks can now be launched over a network. The talk will describe how these technologies work and the resulting impact on the world of USB bugs, and will show a live demo remotely triggering a USB kernel bug in Windows Server 2012.

Presented by

Andy Davis

You Can't See Me: A Mac OS X Rootkit Uses the Tricks You Haven't Known Yet

Attacking Mac OS X has become a trend as we see more and more malware with advanced attack techniques on Mac OS X. In order to gain persistent control and avoid detection, malware has started to adopt rootkit tricks.

We will quickly review existing rootkits on Mac OS X, both user and kernel mode, and approaches to detecting them. In the major part of the presentation, we will disclose several new and advanced rootkit techniques by digging into more kernel objects and data structures, and we will demonstrate how to evade existing detection and memory forensics tools such as Volatility.

Beyond hiding things, tricks for gaining privileges will also be discussed: it is not necessary to be root to get into the kernel. We will also introduce techniques to start a rootkit, special ways to load kernel modules, and anti-tracing techniques.

The techniques we introduce have been tested on Mac OS X 10.9. OS X 10.9 has new security features to verify third-party kernel modules, and we will tell you how we bypass them.

Z:\Make Troy\, Not War: Case Study of the Wiper APT in Korea, and Beyond

On March 20th, 2013, shortly after 2PM, several South Korean financial institutions and TV networks were hit by unknown malware, which wiped all the data off their computers' hard drives before force-rebooting them, sending them into limbo.

That coordinated meltdown was due to several dormant pieces of malware, later dubbed "Wiper", pre-set by their makers to wake up at 2PM. Much was speculated about how they were planted in the targeted networks in the first place. In this paper, we lift the lid on the initial infection vector: the targeted infrastructures were running a security management server to coordinate patching policies across the corporate network from a central point. We demonstrate how the attackers compromised this server and made it dispatch malicious updates to the computers under its control.

We then examine several samples of Wiper used in the attack, and go through the relationships between them; at this point, we show that based on some distinctive characteristics, and the coding style of their author(s), they have ties to other APT cases, some of which we could trace back to 2009.

Based on the connections established above, we end by examining attribution hypotheses.

Presented by

Kyle Yang