Windows 8 Secure Boot based on UEFI 2.3.1 Secure Boot is an important step towards securing platforms from malware compromising boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine protections offered by Secure Boot. We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.
Cyber professionals are, rightly, usually technical experts and understand their trade from the bottom up. However, this has lead to significant confusion when they must interact with national security, which is driven from the top down. Perhaps nowhere is this more evident than in cyber response, the actions taken after the detection of a malicious cyber incident. In the cyber field, incident response implies a deeply technical forensic investigation of individual computers and network traffic to determine exactly which bits and bytes interacted with which hardware to implement specific evil intent. Those with the "big picture" understand the larger framework of how a business would organize a total response, such as engaging the legal, media and investment relations teams. Almost none of this is applicable to cyber response for incidents that are not merely cyber crime but those which truly are national security events, such as large-scale disruptive attacks that could be acts of war by another nation. Response within the White House, Pentagon and Cabinet departments are of course informed by the technical details. But after some point, the response rapidly ceases to be "cyber" and it is treated like any other national security crisis. This talk will examine the flow of incident response, using a finance-sector scenario, starting from individual banks and exchanges, through the public-private sector information sharing processes. After that, the response branches. The finance sector leadership and the Treasury Department handle the financial aspects of the crisis, such as ensuring the overall health of the banking system. The other branch leads to the Department of Homeland Security, which will assess the incident from a cyber perspective. At DHS and the White House, decision makers and experts from other departments can be involved through a relatively well-understood interagency process. If needed, response can be escalated rapidly through the White House Situation Room to the President himself. The talk will conclude with the pros and cons of this system. For example, while the system is very flexible, since it follows normal national security escalation paths, if a future cyber conflict where sufficiently widespread, sustained or fast-moving, it could result in paralyzed process. The process should still be a model, as other nations such as China lack any similar process, meaning their response could be fragmented, a very dangerous situation.
This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.
In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.
We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.
Bluetooth Smart, AKA Bluetooth Low Energy (BTLE), is a new modulation mode and link-layer packet format defined in Bluetooth 4.0. A new class of low-power devices and high-end smartphones are already on the market using this protocol. Applications include everything from fitness devices to wireless door locks. The Good: Bluetooth Smart is well-designed and good at what it does. We explain its workings from the PHY layer (raw RF) all the way to the application layer. The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools. The Fix: We implement Elliptic Curve Diffie-Hellman to exchange a key in-band. This backward-compatible fix renders the protocol secure against passive eavesdroppers.
What do T.S. Eliot, Puxatony Phil, eugenics, DLP, crowdsourcing, black swans, and narcissism have in common? They are all key concepts for an effective insider threat program. Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade. The talk will provide insight on how our nation's premier law enforcement agency is detecting and deterring insider threat using a variety of techniques and technologies. This session will provide unique lessons learned from building a real world, operational insider threat monitoring and response program.
In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications. The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide peristent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed (Hint: your current tools probably don't work as well as you would like to believe).
CVSS score is widely used as the standard-de-facto risk metric for vulnerabilities, to the point that the US Government itself encourages organizations in using it to prioritize vulnerability patching. We tackle this approach by testing the CVSS score in terms of its efficacy as a "risk score" and "prioritization metric." We test the CVSS against real attack data and as a result, we show that the overall picture is not satisfactory: the (lower-bound) over-investment by using CVSS to choose what vulnerabilities to patch can as high as 300% of an optimal one. We extend the analysis making sure to obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?
Learn how to build an Android SpyPhone service that can be injected into any application. The presentation will feature a live demonstration of how phones can be tracked and operated from a Web based command and control server and a demonstration of how to inject the SpyPhone service into any Android application. The presentation will also cover the APIs used to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected.
Binary analysis techniques from academic research have been introduced into the reverse engineering community as well as research labs that are equipped with lots of computing power. Some program analyses using these techniques have even begun to show up in hacker conferences. But significant limitations remain:
In this talk, we will present our solution to these limitations. We will explain the Cross-platform Binary Automated Symbolic-execution System (CBASS) that we developed and demonstrate one of its interactive applications: an IDA based Taint-enabled Reverse Engineering Environment (TREE). TREE can deliver program analysis techniques (taint analysis, dynamic slicing, symbolic execution and constraint solving) into the reverse engineer’s hands now. Binary analysis and its security applications have been extensively researched, mainly in the context of a single instruction set architecture (predominantly x86) and popular desktop operating systems (Linux or Windows). CBASS performs its binary analysis on a common Intermediate Representation (IR) rather than on the native Instruction Set Architecture (ISA) of any program. This thin layer allows our powerful analysis tools to work on cross-platform binary applications.
While CBASS supports both automated and interactive security applications, TREE supports a subset of these capabilities but from with an IDA Pro plug-in. TREE provides useful interactive visualizations of the results of on-demand binary analysis. Symbolic execution and concolic execution (concrete-symbolic execution) are fundamental techniques used in binary analysis; but they are plagued by the exponential path explosion problem. Solving this problem requires vigorous path pruning algorithms and highly parallel computing infrastructure (like clouds). Neither of these is typically available to a reverse engineer. TREE solves this problem by helping the reverse engineer prioritize path execution through an interactive and intuitive visual representation of the results of on-demand analysis of what inputs and instruction sequences led to the crash site or other suspicious path, leverage path constraints and SMT solver to negate tainted branch condition for a new, unexplored path. The details of the taint analysis, dynamic slicing and path constraint solving mechanisms are transparent to reverse engineer.
Utilizing the existing IDA Pro debugging infrastructure, TREE can automate trace generation from diversified target platforms, including kernel mode tracing for Windows. To our surprise, despite the fact that IDA Pro debugging API has been around for a long time, there has been no serious effort to automate trace collection for extensible binary analysis, particularly for kernel mode tracing. Our work has directly contributed to two bug fixes in the latest IDA Pro patches (IDA 6.4.130206). Our presentation will feature several case studies of using TREE to analyze real world vulnerabilities.
APT attacks are a new emerging threat and have made headlines in recent years. However, we have yet to see full-scale assessment of targeted attack operations. Taiwan has been a long term target for these cyber-attacks due to its highly developed network infrastructure and sensitive political position. We had a unique chance to monitor, detect, investigate, and mitigate a large number of attacks on government and private sector companies. This presentation will introduce our results of a joint research between Xecure-Lab and Academia Sinica on targeted attack operations across the Taiwan Strait. We have developed a fully automated system, XecScan 2.0 (http://scan.xecure-lab.com) equipped with unique dynamic (sandbox) and static malicious software forensics technology to analyze nature and behavior of malicious binaries and document exploits. The system performs real-time APT classification and associates the analyzed content with existing knowledge base. In our experiments, the XecScan system has analyzed and successfully identified more than 12,000 APT emails, which include APT Malware and Document Exploits. With this presentation we will also analyze and group the samples from the recent Mandiant APT1(61398) Report and will compare the relationships between APT1 samples to the samples discovered in Taiwan and discuss the history behind APT1 Hacker activities. During this presentation we will release a free, publicly accessible portal to our collaborative APT classification platform and access to the XecScan 2.0 APIs.
I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.
This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.
The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.
During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks, and explain how we were able to clone a mobile device without physical access.
Over the last three years, Oracle Java has become the exploit author's best friend, and why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program. We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component. Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.
Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today's platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets-- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.
36 million home & office security systems reside in the U.S., and they are all vulnerable. This is not your grandpa’s talk on physical security; this talk is about bypassing home and office digital physical security systems, from simple door sensors to intercepting signals and even the keypad before it can alert the authorities. All the methods presented are for covert entry and leave no physical sign of entry or compromise. If you are interested in bettering your skills as a pen tester or just want to know how break into an office like a Hollywood spy this is the talk for you. Come join us to see live demos of what the security companies never want you to see.
Exploiting and rootkitting ARM-based devices gets more and more interesting. This talk will focus on the exploitation of TEEs (Trusted Execution Environments) running in ARM TrustZone to hide a TrustZone-based-rootkit (Presented at Black Hat EU 2013).
Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
Some vulnerabilities just can't be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at Black Hat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.
Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often has at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board, open-source Python tools for doing the capture, and open-source example attacks. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work.
UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.
To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality:
Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.
SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Little is known about their security beyond manufacturer claims.
Besides SIM cards’ main purpose of identifying subscribers, most of them provide programmable Java runtimes. Based on this flexibility, SIM cards are poised to become an easily extensible trust anchor for otherwise untrusted smartphones, embedded devices, and cars.
The protection pretense of SIM cards is based on the understanding that they have never been exploited. This talk ends this myth of unbreakable SIM cards and illustrates that the cards -- like any other computing system -- are plagued by implementation and configuration bugs.
It's become commonplace for security reporters and providers of security technologies to find themselves targets of hackers' wrath, especially when they put criminal activity under the spotlight. Earlier this year, Brian Krebs had done some work to expose a "booter" service. Like other public security figures, he found himself the target of repeated DDoS attacks. In Brian's case, this culminated in a "SWATting" attack -- a surprise visit by dozens of heavily armed police at his front door. Research on "booter" services reveals a relatively unsophisticated, but high-profit criminal community of DDoS-for-hire web sites that are capable of considerable impact. They operate under legal auspices, leveraging legitimate DDoS protection services. Anyone with an axe to grind and a small amount of money can hire one of these services to have virtually any person or web site knocked off the Internet. As an indicator of how mainstream these services have become, most of them accept payment via Paypal. This talk will delve into the recent proliferation of these malicious commercial DDoS services, and reveal what's been learned about their surreptitious functioning, exposing the proprietors behind these illicit services, and what is known about their targets and their thousands of paying customers. Emphasis will be placed on detailing the vulnerabilities present in most booter sites, and the lessons we can draw about how targets of these attacks can defend themselves.
In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.
We believe that flaws in network protocols will not be discovered unless physical layer communication tapping solutions are made available to security researchers. In order to have confidence in our communication media we need the ability to monitor and modify the packets transferred on the wire. 802.11 network monitoring allowed the flaws in WEP and WPA to be exposed, Bluetooth Low Energy monitoring has shown problems in the key exchange protocol, but we are often more trusting of wired connections. Project Daisho is an attempt to fix that trust by allowing researchers to investigate wired protocols using existing software tools wherever possible. Daisho is an open source, extensible, modular network tap for wired communication media such as gigabit Ethernet, HDMI connections, and USB 3.0 connections. All aspects of the project are open source, including the hardware designs, software and FPGA cores. The project is producing the first open source USB 3.0 FPGA core.
On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.
In this session, Joe will introduce the JTAGulator, an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces.
This will be a presentation focused on abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a more frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions. Building on that, we'll show code building on the existing testing framework of Burp suite and its Ruby interface Buby to make requests to APIs using the functionality we've exposed through the scripting to find differing responses to similar requests, and identifying potential weak points. We'll conclude with several case studies of popular apps demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines in our own scripts without the need to understand their implementation.
Aggressive data collection practices by cell providers have sparked new FCC interest in closing regulatory gaps in consumer privacy protection. Tensions exist between consumers and carriers, as well as between regulatory agencies. This talk will explore the current landscape from a technical as well as regulatory perspective and examine how it may change in the near future.
The security posture of an application is directly proportional to the amount of information that is known about the application. Although the advantages of analytics from a data science perspective are well known and well documented, the advantages of analytics from a web application security perspective are neither well known nor well documented. How can we, as web application security practitioners, take advantage of big data stacks to improve the security posture of our applications? This talk will dive into the ways that big data analytics can be taken advantage of to create effective defenses for web applications today. We'll outline the fundamental problems that can and should be solved with big data and outline the classes of security mechanisms that simply, based on their nature, cannot be solved with big data. Once an understanding of the domain is established, we'll explore several specific examples that outline how one security team uses big data every day to solve hard, interesting problems and create a safer experience for its users.
We revisit UI security attacks (such as clickjacking) from a perceptual perspective and identify novel attacks. Our perceptual view on UI security attacks helps identify new attacks on UI security. We develop ﬁve attacks that bypass current defenses. Our attacks are powerful with a 100% success rate in some cases. However, they only scratch the surface of possible perceptual attacks on UI integrity, and we posit that a number of attacks are possible with a comprehensive study of human perception. Finally, we argue that, due to the complex nature of human perception, defending against such attacks is challenging and requires further research taking user perception and new computer vision techniques into account.
The CIA is no more technologically sophisticated than your average American, and as a result, has suffered serious and embarrassing operational failures.
This is a rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job.
In 2005, news organizations around the world reported that an Italian court had signed arrest warrants for 26 Americans in connection with an extraordinary rendition of a Muslim cleric. At the heart of the case was the stunning lack of OPSEC the team of spies used while they surveilled and then snatched their target off the streets of Milan.
The incident, known as the Italian Job inside the CIA, became an international scandal and caused global outrage. What very few people ever understood was that the CIA's top spies were laughably uneducated about cell phone technology and ignorant of the electronic fingerprints left behind.
The story would be startling, though old, if not for the fact that eight years after the debacle in Milan, history repeated itself.
In 2011, an entire CIA network of Lebanese informants was busted by Hezbollah. The reason: cell phone OPSEC failures. After receiving a warning from Mossad, who had lost their network a year earlier the same way, the CIA dismissed Hezbollah's ability to run analytic software on raw cell phone traffic. But they did. And with a little effort, the CIA's network of spies, as well as their own officers, were identified one by one.
This is the true story of American Intelligence's Keystone Kops.
We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.