Europe 2014: An Ounce of Prevention
Some say defense is the best offense. This week we turn to the flipside of last week's nasty exploits, with a quartet of Black Hat Europe 2014 Briefings that, while often using new attack disclosures as a jumping-off point, also focus on prevention and mitigation. Or in one case, making your compiled code completely freakin' inscrutable.
As Apple's "goto fail" bug showed, SSL validation checks can be thwarted by simple coding errors, with grave consequences. How many other programs, especially mobile apps, fail to fully validate the server certificates they trust? Thomas Brandstetter decided to put this to the test, developing SVF (SSL Validation Fuzzer) to streamline certificate validation check testing. In SSL Validation Checking vs. Go(ing) to Fail he'll take you through the results, ultimately showing that these SVF-type checks could be valuable for anyone wanting to test an app's susceptibility to man-in-the-middle attacks.
Amazon Web Services (AWS) is billed as an amazingly secure cloud service provider, but the manicured forests can give way to dark jungle as you migrate existing applications to the AWS Cloud, or design new ones exclusively for AWS. Bringing a Machete to the Amazon will explore the advent of "full stack" vulnerabilities on AWS and how they create many pitfalls when migrating to and operating in AWS. You'll also see the debut of a free tool that can assess AWS applications, map out the interactions between infrastructure and code, and help provide clarity -- bringing a machete to the Amazon Cloud.
Fun fact about C++: it contains a Turing-complete sub-language executed at compile time. It's called C++ template metaprogramming, and it is close to functional programming in style. In C++11 Metaprogramming Applied to Software Obfuscation, Sebastien Andrivet will show how to use this hidden language to generate obfuscated code at compile time. He'll also introduce randomness to generate polymorphic code and give concrete examples like encryption of string literals and obfuscation of calls using infinite compile-time-generated state machines.
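To make the string-literal encryption idea concrete, here is a small C++11 example written for this post (it is not the speaker's code): the XOR key schedule, the per-call-site seeding from `__LINE__`, and the `OBF` macro are all assumptions of this illustration, and the only thing that lands in the binary is ciphertext that is decrypted on demand.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Constructed demo of compile-time string-literal encryption with C++11 templates/constexpr.
// Not the speaker's code; the per-call-site LCG key schedule is an assumption of this example.
namespace obf {
// Minimal index sequence (std::index_sequence only arrived in C++14).
template <std::size_t... Is> struct seq {};
template <std::size_t N, std::size_t... Is> struct gen_seq : gen_seq<N - 1, N - 1, Is...> {};
template <std::size_t... Is> struct gen_seq<0, Is...> { using type = seq<Is...>; };
// Per-position key byte, evaluated by the compiler; every character gets a different byte.
constexpr char key_at(unsigned seed, std::size_t i) {
    return static_cast<char>(((seed * 1103515245u + 12345u * (i + 1)) >> 16) & 0xFF);
}
template <std::size_t N, unsigned Seed>
class EncryptedString {
public:
    // constexpr constructor: the XOR runs at compile time, so only ciphertext is in the binary.
    template <std::size_t... Is>
    constexpr EncryptedString(const char (&plain)[N], seq<Is...>)
        : data_{static_cast<char>(plain[Is] ^ key_at(Seed, Is))...} {}
    constexpr const char* raw() const { return data_; }
    // Runtime decryption into a fresh string (the terminator was encrypted too, so stop at N-1).
    std::string decrypt() const {
        std::string out(N - 1, '\0');
        for (std::size_t i = 0; i < N - 1; ++i) out[i] = data_[i] ^ key_at(Seed, i);
        return out;
    }
private:
    char data_[N];
};
template <unsigned Seed, std::size_t N>
constexpr EncryptedString<N, Seed> make(const char (&s)[N]) {
    return EncryptedString<N, Seed>(s, typename gen_seq<N>::type{});
}
}  // namespace obf

// Each call site gets its own seed from __LINE__, so identical literals encrypt differently.
#define OBF(s) (obf::make<static_cast<unsigned>(__LINE__) * 2654435761u>(s))
// The literal is decrypted only on demand; `strings` on the binary will not show it.
std::string secret_message() {
    static constexpr auto enc = OBF("Hello, Black Hat!");
    return enc.decrypt();
}
// Reproducible check (fixed seed 7) that the stored bytes are not the plaintext.
bool stored_bytes_differ() {
    static constexpr auto enc = obf::make<7u>("Hello, Black Hat!");
    return std::memcmp(enc.raw(), "Hello, Black Hat!", 17) != 0;
}
```

The XOR here is obfuscation, not confidentiality: the key schedule ships in the same binary, so this raises the effort for casual `strings`-style inspection rather than stopping a determined reverse engineer.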
Session identifiers are pretty well guarded these days, but what about passwords stored in web browsers? A bad idea? Of course, and Session Identifiers are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers will demonstrate why storing passwords in a browser is downright irresponsible. In short, a successful XSS attack can be leveraged to read and leak password data inserted by the browser. The presenters will share the results of their wide-ranging survey of all major browsers to find out which ones are vulnerable, and share recommendations on how to protect against these attacks.
Intrigued? We hope so! Head on over to Black Hat Europe 2014's registration page to get your attendance plans in order.