Black Hat Abu Dhabi 2010 //MEDIA ARCHIVES

Emirates Palace, Abu Dhabi • Nov 8 - 11 2010

white paper document

audio recording

video recording


source material

Keynote Speaker // Peiter "Mudge" Zatko

Day 1 Keynote


Kay Een

NCIS Child Exploitation Investigations and Operations

This presentation will cover current trends related to Child Exploitation via the Internet and investigative methodology to proactively identify perpetrators. Presenter will also discuss preparation and inititation of CE operations, training and obstacles of conducting CE investigations..


Blitzableiter - Securing Adobe Flash

The talk presents a simple but effective approach for securing Adobe Flash content before using it. The security threats presented by Flash movies are discussed, as well as their inner workings that allow such attacks to happen. Some of those details will make you laugh, some will make you wince. Based on the properties discussed, the idea behind the defense approach will be presented, as well as the code implementing it and the results of using it in the real world.

The Grugq

Base Jumping: Attacking GSM Base Station Systems and Mobile Phone Base Bands

Recent technological advances have placed GSM tools within the reach of today's security researchers and hackers. It is finally possible to directly explore the lowest levels of the GSM stack.

This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface.

The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system—the network components which communicate with mobile phones—and the base band—the component of the mobile phone which communicates with the network.

During the talk the two main components of the attack system will be demoed - malicious basestations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems.

Trust us, you'll want to turn off your phone for the duration of this talk!

Lukas Grunwald

RFID Enabled Passports and Government ID Documents

This presentation is showing some risk of the use of "Insecure" RFID implementation on Passports and Government ID Documents for Automatic Immigration (E-Gates) as well how easy a identity could be stolen.

A overview of already existing electronic ID will be given, as well new work of the new German eID with Multi-Usage for Government, Legal as well private use for Parking-Meters, home Banking as well e-commerce.

Robert Hansen

HTTPS Can Byte Me

HTTPS was created to protect confidentiality and prove integrity of content passed over the web. It has essentially become the de-facto standard for internet commerce transport security. Over the years a number of exploits have attacked the principle, underlying PKI infrastructure and overall design of HTTPS. This presentation will drive another nail in the HTTPS coffin through a number of new exploitation techniques leveraging man-in-the-middle attacks; the goal of which is to break confidentiality and integrity of HTTPS traffic. The impact of these flaws suggests a need for changes in the ways we protect the transmission of data online.

Christopher Hoff

CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity

Mass-market, low-cost, commodity infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scaleable capabilities. This "abstraction distraction" has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.

The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity -- protecting the stuff that matters most in the first place. The problem is that we're unprepared for what this means and most practitioners and vendors focused on the walled garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in a disintermediated and distributed sets of automated, loosely-coupled resources.

We're going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this "new world order" and what your options are in making sustainable security design decisions.

Barnaby Jack

Jackpotting Automated Teller Machines Redux

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Babak Javadi

Owning the Unknown: Applying Lockpicking Fundamentals to Unknown Security Models

In recent years, there has been a great deal of talk regarding lockpicking methods and methodology with specific regard to mechanical locks and newer electro-mechanical lock designs. However, often times too much focus is applied to specific components in a security model. Instead of evaluating an entire system, Security Engineers are patching specific components within their organization. Lock cylinders are replaced with hardened high security counterparts, sensors are upgraded, and software patches are applied, but both commercial and government facilities remain vulnerable. Stressing the system in unconventional ways can result in information leakage, Denial of Service, and complete failure to thwart intruders. This briefing will discuss how fundamentals that guide lockpicking can be applied to almost any physical security model, and how the same design oversight that has plagued the lock industry for centuries still affects security as a whole today.

Dan Kaminsky


Introducing the Domain Key Infrastructure X509 based PKI failed. We know this. But it's still seen as the best way to distribute trust. Can we do better? Yes we can. DNSSEC has the potential to revolutionize authentication -- if it can be shown to be operationally viable. Put simply, it's either cheap and easy, or it's more of the same. In this talk, I am going to show DNSSEC deployed in minutes. I'm going to show cross-organizational federated OpenSSH. I'm going to demonstrate upgrading OpenSSL derived apps to DKI with nothing but a single command line preload. And, finally, I'm going to show end to end secure email that isn't operationally impossible to actually use -- and will work, worldwide.

Lavakumar Kuppan

Attacking with HTML5

HTML5 is a set of powerful features aimed at moving the web applications closer to existing desktop applications in terms of user experience and features. HTML5 is no more just the technology of the future as many believe, it is available right now in almost all modern browsers. Though the widespread use of HTML5 by websites is still a few years away, the abuse of these features is already possible.

Web developers and users assume that just because their site does not implement any HTML5 features they are unaffected. Also a large section of the internet community believes that HTML5 is only about stunning graphics and video streaming. This talk will show how these assumptions are completely contrary to reality.

This presentation will show how existing 'HTML4' sites can be attacked using HTML5 features in a number of interesting ways. Then we look at how it is possible to use the browser to perform attacks that were once thought to require code execution outside the sandbox. Finally we look at an attack where the attacker is not interested in the victim's data or a shell on the machine but is instead after something that might perhaps even be legal to steal!

Zane Lackey, Don Bailey

Mobile Phony: Why You Can’t Trust Mobile Phone Networks For Critical Infrastructure

This presentation will cover the inherent flaws in the mobile telephony network that affect everything from mobile phones and handheld devices to GSM enabled infrastructure technology. In addition to being severe in nature, telephony threats vary widely in both scope and potential. Examples will be given that demonstrate how malicious individuals can intercept phone calls, track user locations, potentially forge software updates, or directly compromise mobile devices.

Organizations must integrate the risks and potential mitigations into their threat model in order to maintain an appropriate level of confidentiality, integrity, and availability to the critical systems they support and operate. This lecture will help identify the risks to the organization in order to give security officers an opportunity to build clear and thorough augmentations to their threat model.

Adam Laurie

RFID Security

RFID is being heralded as the answer to many security problems, such as access control, vending, biometric identification etc., etc., but how effective is it really? In particular, the world is moving towards heavier reliance on this technology for international travel controls, specifically in e-passports and e-borders. In a recent case, 'cloned' UK passports were used by foreign intelligence agents to gain access to another country for the purpose of carrying out an assassination. How effective would e-passports have been in preventing this kind of misuse? This talk will look at the details of the ICAO 9303 Machine Readable Travel Document standard, and discuss what safeguards and improvements it provides, and whether they would have been of any benefit in this case.

David Litchfield

Database Forensics


Moxie Marlinspike

Changing Threats To Privacy: From TIA To Google

A lot has changed since discussions around digital privacy began. The security community won the war for strong cryptography, anonymous darknets have been successfully deployed, and much of the communications infrastructure has been decentralized. These strategies were carefully conceived while planning for the most dystopian visions of the future imaginable, and yet somehow they've fallen short of delivering us from the most pernicious privacy threats today. Rather than a centralized state-backed database of all our movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.


Building Android Sandcastles in Android's Sandbox

The well-known way of breaking out of the Android sandbox is using a recent local Linux kernel exploit for privilege escalation. However, why always pick on Linus in Ring-0 when there is so much more to explore in user mode. Join me in a fascinating journey through Android's sandbox implementation with a lot of IPC endpoints, Services, Content providers, Serialisation, Permissions, Activities and much more, all scattered through multiple processes with different privilege levels. From a single point of entry we will build our majestic sandcastle in Android's sandbox, spanning multiple processes to hopefully obtain the holy grail of Android permissions: android.permission.INSTALL_PACKAGES

Karsten Nohl

Attacking Phone Privacy

Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.

Laurent Oudot

Extrusion and Web Hacking

This technical talk will focus on web attackers and how they try to handle extrusion issues. Indeed, when intruders get an illegal access on a web resource, it might become complex for them to keep a stealth and remote control without being caught. They usually try to create easy channels that allow them to get the very best from their target. But sometimes, they need to improve those concepts, especially against a hardened or monitored network. Based on real technical examples, we will describe how web attackers can anonymously talk to web backdoors, either by playing with HTTP issues or by finding secret paths to bounce out of DMZ (cover channels, etc). For this presentation to be accurate, we will also propose solutions, so that the defenders might detect or contain those attacks on their sensitive networks.

Laurent Oudot

Malware Attribution for Fun, Fame, Profit and War?

Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe. Of perhaps most note - stuxnet has dominated much of the information security media since it's public acknowledgment in July 2010. Multiple schools of thought have emerged, casting speculation over the identities of those responsible for the authorship and operalization of what some suggest is the most advanced piece of malware observed in the public domain. Nation state? Organized crime? Disgruntled vendor employee? This talk will take a close look at what we really know about this mysterious culmination of bits, closely analyzing some of the popular hypothesis, and identify others which have perhaps not drawn as much momentum. As a basis for our analysis, we will discuss in depth the merits and demerits of technical analysis; demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over in long term.

Jonathan Pollet, Joe Cummins

Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

SCADA Systems control the generation, transmission, and distribution of electric power, and Smart Meters are now being installed to measure and report on the usage of power. While these systems have in the past been mostly isolated systems, with little if no connectivity to external networks, there are many business and consumer issuing driving both of these technologies to being opened to external networks and the Internet.

Over the past 10 years, we have performed over 100 security assessments on SCADA, EMS, DCS, AMI, and Smart Grid systems. We have compiled very interesting statistics regarding where the vulnerabilities in these systems are typically found, and how these vulnerabilities can be exploited. Of course, we can not disclose any specific exploits that will allow you to steal power from your neighbors, but we can give away enough meat in this session to expose common vulnerabilities at the device, protocol, application, host, and network layers.

Tiffany Rad

International Cyber Jurisdiction: “Kill Switching”

Cyberspace, Cyber Criminal Prosecution & Jurisdiction Hopping Concepts of sovereignty, freedom, privacy and intellectual property become amorphous when discussing territories that only exists as far as the Internet connects. When a cyber crime is committed in a country in which the electronic communication did not originate, there is difficulty prosecuting the crime without being able to physically apprehend a subject that is virtually within -- and physically without -- a country's boarders. Similarly, a technique called jurisdiction hopping can be used to place assets in a diverse, but accessible, web of countries in which that content may be legal in the hosting country, but is not in the country in which it is accessed. Lastly, if the U.S. attempts to isolate damage by "kill switching" parts of the Internet, how will this affect critical infrastructure such as water, electricity and electronic funds transfers? Under what authority can it be done? This presentation will discuss the types of international laws and treaties that may be cited in the event of extradition of cyber criminals, legal and geographic challenges – such as new sovereign nations -- to jurisdiction hopping and the authority with which the U.S. may "kill switch" the Internet.

Our most popular phone technologies use decade-old proprietary cryptography. GSM's 64bit A5/1 cipher, for instance, is vulnerable to time memory trade-offs but commercial cracking hardware costs hundreds of thousands of dollars. We discuss how cryptographic improvements and the power of the community created an open GSM decrypt solution that runs on commodity hardware. Besides GSM we discuss weaknesses in DECT cordless phones. The talk concludes with an overview of mitigation steps for GSM and DECT in response to our research, some of which are already being implemented.

Stephen A. Ridley

Escaping the Sandbox

As many have predicted, 2010 will be the “Year of the Sandbox”. We will probably see many Commercial Off-The- Shelf (COTS) products using these sand-boxing technologies in the very near future starting this year.

This presentation will discuss and demonstrate practical techniques for the evasion and escape of “Sand-boxing” technologies. Many techniques have been discussed but only vaguely at popular security conferences. Very little *actual* code and demonstrations have been performed. This presentation will consist mostly of demonstrations and review of actual code. I believe that most technical security talks these days don’t need to be longer than 20 minutes, so I only want to use my time to talk about real things and demonstrate real tools. I will demonstrate tools and techniques using Chromium and custom written “sandbox” examples. Some such subversion techniques discussed will be:

  • Injecting Interpreters into Sandboxes to test from the inside out
  • Using Kernel Mode debuggers to assist you (token exchange, IO, handle creation, IPC) windbg scripts incl.
  • Token Sniping/Stealing (whatever you call it)
  • Token inspection tools (includes a .h’d and dll’d version of Matt Conover’s dumptoken.c modified to include more Native API helpers)
  • Handle Sniping/Stealing (whatever you call it)
  • User32 Messaging tricks (no, not just SetWindowsHook ;-)

None of these above techniques in this talk will be without example code or demonstrations! In addition to the above, this presentation will try to “fill in the gaps” where there seems to be a lot of vagaries around tokens and DACLs. Additionally I will talk about some of the practical considerations that makes deploying a sandbox with COTS products impractical on WindowsXP. There will be some other “goodies” that were also discovered in the course of this research such as: how to detect kernel mode debuggers from userspace, how userspace debugging works under the hood, (yet) undisclosed Chrome bugs, etc. I will also talk a bit about some areas of interest I wish to focus on in the future regarding these topics.

Ivan Ristic

State of SSL on the Internet: 2010 Survey, Results and Conclusions

SSL (TLS) is the technology that protects the Internet, but very little is actually known about its usage in real-life. How are the many Internet SSL servers configured? Which CA certificates do they use? Which protocols and cipher suites are supported? Answers to even these basic questions were either unavailable, or restricted to the small number of organizations who could afford to fund such research.

In this talk we will present the first results of the SSL Survey project, which is the most comprehensive SSL and TLS server configuration survey ever undertaken. By using the deep assessment technology developed at SSL Labs for over a year, we scan and analyze every SSL server on the Internet. In this talk, we will present the assessment methodology, the rationale, as well as the results. The findings will be made freely available to the public. In addition, we will also share the raw data with qualified security researchers.

As a bonus, during the talk we will also unveil an updated version of the free online SSL assessment tool, which uses the same assessment technology as the SSL survey itself. SSL Labs (, funded by Qualys, is a research effort that focuses on SSL and TLS. Its other projects include: SSL threat model, passive SSL fingerprinting, SSL client capability database, SSL server capability database, and SSL usage tracking.

Sensepost (Dominic White)

Lifting the Fog

Cloud services continue to proliferate and new users continue to flock, in a clear demonstration that cloud computing is more than simply a flash-in-the-pan. Coupled with this rapid evolution of services are protection mechanisms for the services, which often lag. Last year we highlighted weaknesses in the cloud model and demonstrated a number of vulnerabilities in large cloud providers. In this talk, we examine a particular technology underlying the scalability of many cloud applications, namely memcached. We discuss the possibility of memcached mining which would be a natural exploitation path once a vulnerability inside a cloud application is discovered and will demonstrate this with a new tool aimed at discovering and mining memcached servers.

Chris Tarnovsky

Semiconductor Security Awareness, Today and Yesterday

Walk through various countermeasures that have been found and overcome in various devices. Will include currently not-hacked-to-date devices from Satellite TV (DTV/Dish Network). To include a walk through the latest security layers put in place on today's technology. Will also discuss commonly found devices to consumers like AVR8, AVR32, MSP430F, PIC, etc.