Black Hat Abu Dhabi 2011 // Briefings

Emirates Palace, Abu Dhabi

Training December 12 - 13 // Briefings December 14 - 15


Keynote Speaker

General (Ret.) Michael Hayden

Cyber Security and Cyber Threats in a Changing World


Jean-Philippe Aumasson

Cryptanalysis vs. Reality

It is commonplace to argue that academic cryptanalysis---whose "attacks" literally take billions of years to complete---has no relevance whatsoever to actual security, for real-world failures of crypto are most often due to:

  • Side-channel leakage (padding oracle attacks, etc.)
  • Attacks on the implementation (key extraction through fault attacks, etc.)
  • Complete bypass (after theft of keys à la DigiNotar, etc.)

Nevertheless, a number of new cryptanalytic attacks have appeared in recent years with various degrees of sophistication and various objectives, from complex key-recovery attacks to efficient-yet-cryptic "distinguishers". To better understand the risk (or absence thereof), this talk will go through technical subtleties of state-of-the-art cryptanalysis research, which we'll illustrate with concrete field examples. The topics discussed include related-key attacks, cube attacks, the real security of AES, the case of pay-TV encryption, or the risk of using SHA-1, SHA-2, or the future SHA-3. Finally, we will present a recent attempt to bridge theory and practice, with an introduction to leakage-resilient cryptography.

Jamal Bandukwala

Fun with Google Custom Searches: Intelligence, Secrets and Leaks

Traditional Google searches can generate millions of results, many of which are not relevant to what a user is looking for, and when a user searches for items with various advanced operators they are still limited to searching one site at a time. This means that an individual may have to peruse several different pages of sometimes questionable quality looking for relevant and usable information.

My custom searches allow a user to peruse multiple relevant sources at the same time. I have put together three different custom searches/engines; each of these searches goes through different types of online sources/content and consequently provides different types of information/intelligence. My presentation goes over each of these custom searches and provides examples of the type of information one can obtain from them, and also examines how they can be used both in an offensive manner (i.e. attacks) and defensively as well.

One can find everything from credit card numbers to passport information and even do things like interrupt travel plans and take over identities. Additionally you can also find significant information on various individuals even if they do not have their own presence online; this can allow an attacker to craft a much more convincing attack to get the information they need.

It would appear that the custom search engine owner/creator and the individual using the searches are both only limited by the content in the search engine and their imagination. The possibilities of what you can find with the appropriate search are endless.

Brad Barker

Force Multipliers on the Modern Battlefield

In today's business environment, communication tools have made the fast-paced business environment incredibly efficient, as more early adopters of technology solutions conduct business at the speed of thought. No longer are we more likely to succeed based on where we live or work; "the cloud" levels the playing field.

We will describe in case studies the evolution of the use of the cloud, from the Mumbai attacks to the drug cartels' use of social networking, IP trace routing and geo-tagging to identify victims in the process of target selection. Also discussed will be the same methods of operation used to identify private individuals, corporations and government entities in ways that will be very difficult to defend against, and the difficulty involved in preventing them.

Ken Baylor

Financial Armageddon? Inside the Zeus and SpyEye Tidal Wave

Financial malware is causing banks to lose hundreds of millions of dollars per year. This presentation will showcase Zeus and SpyEye's capabilities (on PCs and mobile platforms) and threats to the global Financial industry. A Zeus botnet will be created live, and begin recruiting bots.

Christiaan Beek

Taming Worms, RATs, Dragons and More!

Over the years the use of malware has dramatically changed, ranging from programmers exploring the malicious possibilities of their programming code, to copycats trying to combine code snippets, to organized crime and governments using custom-made malware for their purposes. Where financial gratification is the main drive for cybercrime, it seems that the hunger for secrets and intellectual property is taking over. Some examples of cases are: Operation Aurora, Night Dragon and recently Shady RAT.

These are examples of investigations that started with the detection of unknown customized malware hiding on corporate networks and ended in large investigations regarding data loss. So how is it possible that this malware went undetected? How can you detect hidden malware on your network using open-source tools, and what patterns should you look for? What countermeasures can you take? How do you build a layered malware defense to keep unknown malware out of your network?

In my talk I will give some demos of how you can use Wireshark to investigate network data for traces of malware, and how to filter for suspicious connections.


Evolution of iOS Data Protection and iPhone Forensics: from iPhoneOS to iOS 5

iOS 5 is the latest and most advanced mobile OS from Apple. Besides tweaking the UI and UX, Apple has made some changes to the Data Protection mechanisms that were introduced in iOS 4. Those changes provide better security for users, but they also impose additional hurdles for the mobile phone forensic process.

This talk will provide a detailed discussion of iOS Data Protection, focusing both on a technical description of the defenses and on circumventing certain protections to provide forensic access to the data stored on iOS devices. iOS versions from iOS 3 (iPhoneOS 3) to iOS 5 will be covered.

Francesca Bosco

Cybercrime and Organized Crime

The opportunities granted by the Internet have transformed many legitimate business ventures by streamlining their operations, increasing the range of transactions that can be pursued, and alleviating costs. Unfortunately, criminals have also discovered that the Internet can provide them with novel illicit business opportunities and multiplier benefits.

The "underside" of the Internet involves not only fraud, theft of service and paedophile rings but also drug trafficking and traditional criminal organizations who are keen to exploit their new resources. In the virtual world, as in the real world, most criminal activities are initiated by individuals or small groups best understood as "disorganized crime", yet organized crime is exploiting the many benefits that the Internet can provide, and already established cybercriminals are actively or passively working with traditional organized crime structures to augment their operations. All of this poses a serious threat, and needs to be recognized by both the public and private sectors.

Robert Clark

Legal Aspects of Cybersecurity

The presentation is a year in review of important legal issues involving cybersecurity, computer network operations and the Internet. As always, the agenda is driven by up-to-the-minute releases of current issues and judicial opinions. We begin with an overview of the legal aspects of computer network security and defense and then move into court cases from the past year. Presently the topics focus on: special-skill sentence enhancement for computer crimes; limitations on searches of computers; encryption of computers and self-incrimination; and interception of Wi-Fi. Each legal area will contain a brief overview of the legal standards involved and then an analysis of how the recent court cases have interpreted these standards and what the future effects may be. The year in review will include all the case citations accompanied by a short paragraph identifying their relevance.

Attendees will get an understanding of the hot legal topics in computer network security. Past presentations have shown that much of what is taken away is audience-driven, in response to their questions and the subsequent discussion. And, as always, I try to impress upon computer security professionals the importance of working closely with their legal counsel early and often, and of explaining the technical aspects of computer security to their attorneys at a third grade level so my profession can understand it and then turn around and explain it to a judge or jury at a first grade level.

Anthony Desnos + Geoffroy Gueguen

Android: From Reversing to Decompilation

This talk deals with Android's bytecode analysis. The Android system is now widespread, and lots of applications are developed each day. These applications are mostly written in Java, though it is now possible to make some calls to binaries or shared libraries. To be executed on the DVM (Dalvik Virtual Machine), the Java source code (.java files) is translated into Java bytecode (.class files) and then a tool named 'dx' is used to convert them into the DVM (or Dex) format (these are the .dex files). Such a conversion is needed as the DVM is a register-based machine whereas the JVM is a stack-based one, and as such they have different opcodes.

Due to the nature of the bytecode, reversing it is somewhat easier than reversing machine code. Indeed, unlike machine code, (Dalvik) bytecode contains semantic information (e.g. types of objects) that allows us to do a better analysis. We can get useful details on variables, fields, methods... We can create signatures for a method, or we can use the Android permissions to see where a specific one is used in an application. The analysis part allows us to extract the control flow graph (which is composed of basic blocks, and which cannot be modified dynamically due to the virtual machine), which is used to reverse the different possible executions of an application.

Furthermore, we have implemented new algorithms to calculate the similarity distance between two applications, useful information to know if your application has been stolen from the Android Market. It's also possible to use similarity to do 'diffing' of Android applications, which is useful to see patches of bugs or insertion of evil code; this is why we have developed a combination of techniques to quickly see the differences between two applications. Moreover, it's interesting to have the ability to manipulate in a simple way all these new formats (APK, DEX, Dalvik bytecode, Android's binary XML) to automate testing directly in a program or in a specific interpreter. Though some closed-source decompilers exist for Java as well as for Android applications, their effectiveness is somewhat limited (unreadable, don't compile...).

There are other ways to retrieve the Java source code of an application from the bytecode; for instance, some people use software which transforms Dex bytecode into Java bytecode and then combine this with a regular Java decompiler. But the resulting code looks more like an obfuscated version which does not compile than real source code. That's why we have developed a new decompiler which uses only Dalvik bytecode to create original Java source code. We present a new open-source tool (Androguard) written in Python (and some parts in C) which helps the reversing of Android applications, as well as the technique we use to build a decompiler.

Joshua Drake

Exploiting Memory Corruption Vulnerabilities in the Java Runtime

The Oracle (previously Sun) Java Runtime Environment (JRE) is widely viewed by security researchers as one of the weakest links in the proverbial chain. That said, the exploitation of memory corruption vulnerabilities within the JRE is not always straightforward. This talk will focus on a collection of techniques to overcome potential issues that one may face while developing exploits against memory corruption vulnerabilities within the JRE. The talk concludes with a demonstration of the techniques as used on a selection of contrived and real-world vulnerabilities.

Nelson Elhage

Virtualization Under Attack: Breaking out of KVM

KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.

We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.

Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.

DongJoo Ha + SangMyung Choi + TaeHyung Kim + Seungyoun Han

Check Your Zombie Devices!: Analysis of the DDoS Cyber Terrorism Against the Country and Future Attacks on Various Devices

A Distributed Denial-of-Service (DDoS) attack, one of the simplest and most powerful cyber attacks, is a big problem nowadays. It has existed for a long time, but now attackers can cause greater damage to their targets due to the development of more effective attack techniques, the spread of high-speed internet, and so on.

DDoS attacks are now an especially huge problem because the computers of unspecified individuals (called zombie PCs) are loaded with malicious code and used to attack a single site or system. DDoS attacks directly affect targeted companies, institutions and even governments, as well as security companies and users.

Plus, there is a possibility of running malicious code on many other types of electronic devices such as smart phones, game consoles, home appliances and even cars. Therefore a new type of DDoS attack might be seen in various places.

In this presentation, we will analyze the large-scale DDoS attacks that occurred in Korea (July 2009, March 2011), with detailed analysis and reverse tracking, and how defenders (Korean institutions and security companies) coped with the attacks. WE WILL NOT MENTION WHO THE ATTACKER IS.

Also, we will show the new types of DDoS attacks (by PC, smart phone, game console and so on) through demonstration. In this demonstration, we will cover the mechanism of DDoS attacks, including the type of attack, the damage and the preparation stage as well.

Finally, we will suggest a solution to this problem.

*IMPORTANT* This presentation tries not to include boring stuff. It will be fun with easy explanation and interesting demonstration.

Barnaby Jack

Life Threatening Vulnerabilities

Diabetes currently affects 285 million people worldwide which is 6.4% of the population. This number is expected to reach 438 million by the year 2030.

Many diabetics are looking to technology to treat their disease and insulin pumps provide a convenient alternative to manual insulin injections.

All modern insulin pumps support some form of wireless communication. Thanks to this wireless capability, a remote attack surface exists.

The topic of insulin pump security may sound familiar to some. At Black Hat USA 2011, Jay Radcliffe who is himself a diabetic reviewed the security of his own pump. Jay revealed that the communication protocol used by the pump does not implement encryption.

His finding could potentially allow replay attacks if you were in the vicinity of a diabetic during a legitimate transmission. Jay was able to issue commands to his own pump, but he required the serial number of the device which is used as authentication.

In this talk, I will walk through the process I took to find a critical remote vulnerability in the Medtronic line of insulin pumps, the most widely used insulin pumps in the US. In a live but controlled environment, I will demonstrate software which leverages this vulnerability to locate any insulin pump within a 300-foot radius and issue commands to the pump, including the ability to dispense a full reservoir of insulin.

No prior knowledge of the pump's serial is required.

Rich Lundeen + Jesse Ou + Travis Rhodes

New Ways I'm Going to Hack Your Web App

Writing secure code is hard. Even when people do it basically right, there are sometimes edge cases that can be exploited. Most of the time writing code that works isn't even the hard part; it's keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90's RFCs and 2010's HTML5-compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let's never talk about that again. Ever.

Take Facebook, Office 365, MSN, and Wordpress. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we'll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks.

Thomas Mackenzie + Ryan Jones

Stealth Attacks - Detection and Investigation

Meticulous attackers can subvert audit controls to the point where a compromise is almost undetectable. We look at the tools and techniques which can be used by attackers to minimise evidence left behind and propose a novel strategy for managing this issue.

Fully identifying the method and impact of a data compromise is heavily reliant on the forensic information available to investigators. Commonly this is dependent on having logs for the compromised period. However, in the cases where an attacker has taken steps to reduce their footprint on the system, investigations can be more challenging.

We explore the various evidential sources which are commonly used to identify the extent and method of a web application compromise. We then discuss an attack which, due to its nature, is more complicated to identify and understand. The presentation will draw together the techniques used in investigating a data compromise and create an attack which is designed to completely compromise the web server while leaving the least amount of evidence on the system.

Incident readiness specialists can often recommend that verbose logging is put in place. Logging such as full HTTP request and response logging fits the bill for the investigator, but by their nature these logs have serious drawbacks for the day-to-day management of the server; large storage requirements, incidental storage of sensitive data and performance issues are common problems.

We suggest a new approach, restricting access or logging anomalies at the framework level. By blending the information gained at the framework level with automated application profiling techniques we can create heavily targeted logs bespoke to the specific application. This can be implemented for all applications regardless of whether source code is available. This method gives us the best chance of keeping logging to an absolute minimum whilst ensuring that techniques used to minimise forensic evidence left by an attack are unsuccessful.

Federico Maggi + Stefano Zanero + Alberto Volpatto

iSnoop: How to Steal Secrets From Touchscreen Devices

Spying on a person is an easy and effective method to obtain sensitive information, even when the victim is well protected against common digital attacks. Modern mobile devices allow people to perform some information-sensitive actions in unsafe places, where anyone could easily observe the victim while typing. What if your mobile phone has a cool touchscreen interface that gives you graphical feedback as you type (iPhone, Android, BlackBerry Torch)? Does it make shoulder surfing easier or, worse, automatable?

We believe so, and to demonstrate it, we developed a practical shoulder surfing attack that automatically reconstructs the sequence of keystrokes by aiming a camera at the target touchscreen while the victim is typing. Our attack exploits feedback such as magnified keys, often appearing in predictable positions. This feedback mechanism has been adopted by the top three touchscreen vendors (Apple iOS, Google Android, RIM BlackBerry); in newer versions of these mobile OSs, the user has no way to disable it. To demonstrate the effectiveness of our approach, we implemented it against the iPhone (the most popular one), but it can be easily adapted to similar devices with minor modifications.

Our attack takes into account that, in real-world scenarios, both the victim's device and the attacker's spying camera are not standing in fixed positions. To compensate for their movements and misalignments, our system detects and rectifies the target screen before identifying keystrokes. By doing that, we are able to automatically recognize up to 97.07% of the keystrokes, with as low as 1.15% errors and an average processing speed that makes it a fast and quasi-real-time alternative to shoulder surfing.

Nikhil Mittal

Kautilya: Teensy Beyond Shell

As hackers, we have been exploiting the inherent trust placed by operating systems in Human Interface Devices for some time now. Teensy is a USB microcontroller; a device which can act as a Human Interface Device when connected to a computer and is able to do the job pre-programmed in it.

Many interesting things have been done using Teensy as a keyboard. We have mostly seen shells, many types of them. It is time we start looking at Teensy as a pentesting device capable of doing much more than popping shells. Introducing Kautilya, a toolkit which can be used to perform various pre-exploitation and post-exploitation activities. Kautilya aims at easing the use of attack vectors which traditionally require human intervention but can be automated using Teensy. Kautilya contains some nice customizable payloads which may be used for enumeration, info gathering, disabling countermeasures, keylogging and using the operating system against itself for much more. The talk will be full of live demonstrations.

Katie Moussouris

From Redmond with Love!

In 2008, people thought we'd lost our minds when we announced three strategic programs: sharing vulnerability information in our products before there was an update (MAPP), finding vulnerabilities in third party products (MSVR), and predicting which vulnerabilities would get reliably exploited in a short timeframe (Exploitability Index). Well, it's 2011 and we haven't stopped coming up with crazy ideas. Come see Katie Moussouris explain what we've been up to. Katie is head of Microsoft's Security Community Outreach and Strategy team.

Tsukasa Oi

Yet Another Android Rootkit - /Protecting/System/Is/Not/Enough/

Android devices have been repeatedly hacked for root privileges, sometimes by malware authors and sometimes by users themselves. This is because if someone gains root privileges, he or she can gain control of the parts of the system which are most useful for attackers (and for users as well). But this is not the end of the story; we need a bit more knowledge to gain much privilege inside the Android application system.

On the other hand, some Japanese Android smartphones have an extra Linux Security Module (LSM) to prevent these rooting issues and protect the system from being overwritten. But because of Android's security weaknesses and incomplete LSM protection, the Android application system can still be taken over by exploitation.

This presentation explains what we can/cannot do if we gain root privileges on an Android device, and introduces a new kind of Android rootkit. This rootkit needs only root privileges (no kernel-mode, no ptrace) and bypasses all existing security modules. This fact implies the possibility of advanced Android malware.

John Ortiz

Introduction to More Advanced Steganography

Steganography has advanced tremendously in the last few years and simple concepts have even been presented on mainstream TV. However, more sophisticated techniques are less well-known and may be overlooked by forensic analysts and even Steganalysis software.

This presentation will showcase several more advanced (and some unpublished) steganographic techniques, some with very high data hiding capacities. One technique successfully hides 15% to 20% of data in a JPEG and YOU can't tell! That means your 8 MB JPEG image may contain 1.6 MB of covert data! An audio CD contains about 700 MB of data – even a modest 1% capacity allows for 7 MB of data.

The presentation embeds working demonstrations of several steganographic software programs so YOU can decide the effectiveness for yourself. Can you see or hear it? Will it be flagged by Steganalysis programs? We shall see … or not!

Vivek Ramachandran

WORKSHOP: Advanced Wi-Fi Security Penetration Testing

This workshop will provide a highly technical and in-depth treatment of Wi-Fi security. The emphasis will be to provide the participants with a deep understanding of the principles behind various attacks and not just a quick how-to guide on publicly available tools. We will start our journey with the very basics by dissecting WLAN packet headers with Wireshark, then graduate to the next level by cracking WEP, WPA/WPA2 and then move on to real life challenges like orchestrating Man-in-the-Middle attacks and taking on the live Wi-Fi CTF!

Amol Sarwate

SCADA Security - Why Is It So Hard?

This talk will present technical security challenges faced by organizations that have SCADA or control systems installations. The presentation will take a packet-level dive into SCADA protocols and provide examples of attacks. It will also showcase examples of security controls for attack mitigation and introduce a new open-source tool to help identify and inventory SCADA systems.

Russell Spitler

Software Security Goes Mobile

Mobile devices and the risk posed by vulnerabilities in the software that runs them are proliferating. This talk scrutinizes challenges faced in securing mobile apps and contrasts them with legacy software security initiatives. We discuss how outsourcing confounds security efforts, how the mobile app lifecycle makes risk a hot potato, and conclude with the top mobile threats and how to avoid them.

Chris Sumner + Adrian M + Alison Byers

Determining Personality Traits & Privacy Concerns from Facebook Activity

This study explored the extent to which it is possible to predict personality traits and privacy concerns based on Facebook use.

This was done by comparing the 'Big Five' personality traits with Facebook usage, activities and language use. Results show that there are some significant correlations between an individual's personality type, their Facebook activity and their level of concern about privacy. However, the practical significance of these correlations is relatively low. This means that making meaningful conclusions about people or taking decisions that will affect their lives on the basis of Facebook activity may be problematic and error prone. These findings support and extend previous research in online social networks by showing that Facebook activity can provide limited clues to an individual's personality. However, further research into social media use is critical to ensure that the practical and ethical implications of drawing conclusions about personal information embedded in social media sites are better understood.

This talk discusses online activity, personality types and privacy concerns in relation to a range of topics including marketing, pre-employment screening and susceptibility to crime such as phishing and confidence fraud.

Michael Sutton

Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers

Today, everything from television sets to photocopiers has an IP address and an embedded web server (EWS) for device administration. Need to record a show? Start the DVR with a mobile app. Want a digital copy of a previously photocopied document? No problem. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed.

Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices. Today, network connected devices are regularly deployed with virtually no security whatsoever.

The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet facing and wide open to attack from anyone, regardless of their location.

Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'Wi-Fi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come. Additionally, we'll unveil the latest iteration of brEWS, a free EWS scanner and crowdsourcing initiative designed to build a global database of EWS fingerprinting data. Traditional security scanners largely ignore EWSs, and gathering appropriate fingerprinting data is a challenge as most reside on LANs where external scanning is not an option. As such, we're issuing a call to arms to collectively gather and share this information.

Peleus Uhley

Advanced Persistent Response

It has been an interesting 18 months for the Flash Player team to say the least. With a change in the threat landscape, multiple zero-day attacks and increasing scrutiny from the security community and the public, we have had to rapidly scale our security efforts to adjust to the new challenges. In the process, we have been provided with a unique insight into the targets and methodologies of malicious hackers. This presentation will discuss the different types of attacks we have seen, our analysis of what the attacks say about the threat landscape, and how the technical analysis influenced our security strategy. We will also share the lessons that we've learned in the process of responding to these threats.