Black Hat, checkin' in. We're eagerly counting the days until our Vegas arrival...or at least, a script on our desktop is. We're putting the final touches on the last round of acceptances and hope to have the full schedule out soon. When we do, you'll hear about it right here.
But until then, hopefully a quick look at three just-announced briefings will slake your thirst, quiet your discord, or satisfy the conditions of another relevant metaphor of your choosing.
Microsoft Exchange is often a necessary evil, and Peter Hannay will show us just how distressingly easy it can be to make it do a little evil yourself. It turns out that the protocol through which Exchange enforces policies on remote clients provides very little security, leaving the clients open to attacks. Hannay will show you how to impersonate an Exchange server and, with a simple script, erase all data on remote devices. Expect proofof-concept code for both iOS and Android.
The ubiquitous payment terminals and "pin pads" found in stores worldwide are just as vulnerable as any other systems when it comes to handling user input. And as Chip and Pin replaces magnetic stripe cards, they're handling more and more complex info from untrusted sources, such as the EMV protocol used by major payment smart-cards. Add in the fact that these terminals all talk via Ethernet, GPRS, Wi-Fi or landline, and the attack surface is vast. Nils and Rafael Dominguez Vega will demonstrate how to use memory corruption vulnerabilities to gain code execution on the terminals, and show how this might profit an attacker - no purchase required.
Don't tell the TSA, but air traffic control systems and other air-related technologies are on the verge of a long-in-coming upgrade in both capability and sophistication. As ever, these newfound opportunities for innovation and enhanced performance come hand-in-hand with potentially dangerous new security exploits. In this briefing, Andrei Costin will examine the new Automatic Dependent Surveillance - Broadcast (ADS-B) tech from a practical angle and explain the techniques potential attackers could use to open new attack surfaces in air traffic control systems.