Keynotes • Summit • Workshops


presented by

Ethan Zuckerman

presented by

Derrik de Kerkhove


A Different Kind of Crypto: Crypto Algorithms Designed for Payload Obfuscation

With signature-based anti-virus, many times payloads are encrypted. However, people often use standard algorithms such as AES. This is not necessarily the best way to hide a payload, as these algorithms can generate their own signatures -- thanks to some predictable behavior like permutation tables. The goal with payload obfuscation, however, is not to encrypt data (as the cleartext payload will be decrypted at some point), but it is to hide the payload. Therefore, we have taken other crypto methods and are going to show how they can be more effective at evasion. We are also going to talk about dynamic generation of various crypto algorithms to generate polymorphic payload crypters.

presented by

Chris Hodges &  Parker Schmitt

A Song of Hashes and Dumps: What I've Learned From Cracking .br Passwords

We do a lot of password cracking these days. Hashes from owned systems pop out frequently on Pastebin and Twitter, and it is not uncommon to find a nice SQL injection that allows you to dump the entire login table from a web application. However, we still use the same old wordlists and rules.

During a security conference last year, a slide caught my eye: something like, "using RockYou and the best64 rule you can crack 50% of the passwords." So, I decided to see how that worksfor Brazilian passwords.

This presentation provides a fresh view on password cracking research by:

  • Exchange experiences through showing positive results, drawbacks, failures, and challenges while cracking passwords from .br domains;
  • Testing the performance of some popular wordlists againts different scenarios;
  • Identifying patterns and behavior of users while choosing their passwords, beyond 'qwerty';
  • Providing tools, scripts, rules, and wordlists to aid in cracking Brazilian passwords but useful for any language.

presented by

Daniel Marques

Applying Military Deception to Neutralize Metasploit Post-Exploitation

After a successful exploitation, one of the most significant steps in attacking a system is post-exploitation. If post-exploitation activities are confined with the better cycle of observe-orient-decide-act, further attacks will be more difficult. We built a python script, MetDEC, based on the ideas of spotting metasploit payloads and applying a concept of military deception to detect, mislead, and neutralize metasploit post-exploitation activities.

presented by

Pornsook Kornkitichai

Bypassing the Secure Desktop Protections

The Secure Desktop is a feature of Windows API that creates a separated desktop to run programs/processes. This feature doesn't allow processes or programs running in other desktops to capture keystrokes or screen.

The Secure Desktop's primary difference from the User Desktop is that only trusted processes running as SYSTEM are allowed to run here (i.e. nothing running at the user'sprivilege level) and the path to get to the Secure Desktop from the User Desktop must also be trusted through the entire chain.

Because of the main feature provided by the Secure Desktop, a lot of applications are developed using this protection, trying to avoid malwares to interact with the user input (KeyLoggers) or screen (ScreenLoggers) and that way providing a secure environment for that application, where the main objective is protecting the final user from those well-known attacks.

Like every feature, if it isn't well implemented, it can provide a fake security sensation. If an application is running in a secure desktop, using some tricks, an attacker is able to "escape the sandbox" and run malicious programs into the secure desktop where this approach will bypass the "Desktop Isolation Protection," allowing those malicious programs to capture the keystrokes or screen.

The main goal of this talk is to present some real world examples that use secure desktop and show how to sniff the keystrokes or screen capture in the secured desktops, bypassing the main feature of Windows secure desktop. We will also discuss some possible solutions/workarounds that developers can apply into their software to avoid our attack.

DeviceDisEnabler: A Lightweight Hypervisor Which Hides Devices to Protect Cyber Espionage and Tampering

Current computers have lots of rich devices, but the devices may be used by attackers. Video cameras and microphones make it easy to communicate; yet they also make it easy to conduct cyber espionage. GPS is used to track the location of the user remotely and interfaces of Bluetooth, Wi-Fi, and USB become the path of information leakage and remote attack.

presented by

Kuniyasu Suzaki

Evasion of High-End IPS Devices in the Age of IPv6

IPv6-era is here, whetheryou already use it or if you continue to ignore it. However, even in the last case, this does not mean that your "nodes"(end-hosts, networking devices, security devices) are not already pre-configured with IPv6 connectivity - at least to some extent. At the same time, ARIN states that they are currently in phase three of a 4-phased "IPv4 CountdownPlan,"being already down to about 0.9/8s in aggregate. On the other hand, RIPE NCC has reached its last /8 IPv4 address space quite some time ago.

What IPv6 does not forgive, for sure, is the lack of security awareness. Several times in the past it has been shown that this "new" layer-3 protocol, apart from the huge address space and other new functionalities, brings with it several security issues. In this paper, it will be shown that significant security issues still remain unsolved. Specifically, three different but novel techniques will be presented that allow attackers to exploit even a really minor detail in the design of the IPv6 protocol, to make security devices like high-end commercial IDPS devices completely blind. These techniques allow the attackers to launch any kind of attack against their targets - from port scanning to SQLi - while remaining undetected. After presenting detailed analysis of the attacks and the corresponding exploitation results against IDPS devices, potential security implications to other security devices, like firewalls, will be examined. Finally, specific mitigation techniques will be proposed, both short-term and long-term, in order to protect your network from them.

presented by

Rafael Schaefer

Lost in Translation

We all know English has been the universal language for several years now. Companies have been offering their security products and assessment tools in different countries. Most of these products might have GUI interface, configuration wizards, and reporting capabilities in different languages to support their global customer base. But, at the end of the day, what is under the hood ends up being the same, no matter what language a given product has been configured for.

With this in mind, we have started performing some tests with both attack and defense tools used/sold globally, and problems have been found. The great majority of these tools, internally, only "speak" the English language. When a target system -- protected or analyzed by these products -- is not configured to work in the English language, answering to queries or providing error messages in any foreign language, these security products will actually end up falling short in their basic functionalities - from detecting attacks to failures in applications.

As proof-of-concept, we have created two testing environments, one in English and the other in our native language, Portuguese. We ran known open source and commercial-scanning tools against these two environments. The end results were somewhat scary -- the detection rate for the environment in Portuguese was up to 75% lower than the one in English. The same happened to some defense/protection tools in the same environments.

This issue could lead to many problems. From an offensive side, allowing attackers not only to infiltrate a system but also use a possible language change in a target system in order to improve post-exploitation capabilities, or, from a defensive side, âavoid❠the detection of certain vulnerabilities, amongst other implications.

This talk will not demonstrate any new bypass techniques, but will be showing attack examples in real environments that are protected by products that have the problem previously described.

Stay Out of the Kitchen: A DLP Security Bake-Off

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass -- or worse.

This talk will discuss our research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

presented by

Zach Lanier &  Kelly Lum

Yet Another Android Security Feature

Recent years have brought a dramatic rise of mobile exploitation techniques and one of the most difficult to defeat is kernel-level exploitation, which in many cases result in privilege escalation. Android exploitation is frequently executed through the abuse of kernel-level vulnerabilities, which are used to root the smartphone or to conduct unauthorized actions by malicious applications. Based on this main modus operandi, a new feature was developed for the Android Kernel to monitor specific locations in the filesystem and drop processes system call execution, once a privilege escalation action is detected. The new feature should not compromise user experience and performance.

presented by

Breno Pinto &  Felipe Boeira


Hacking Mifare Classic Cards

The MIFARE Classic is one of the most used, contactless cards in the world. It wascreated by NXP Semiconductors and uses RFID communication. The industry has been using this card in access control systems deployed in buildings, as well as in public transportation as a ticket replacement. In 2008, two groups of researchers, conducting their work almost independently, performed the card communication protocol and Crypto-1 cipher reverse engineering, uncovering several security weaknesses, which has dismissed the card's reputation. As a consequence, malicious users might clone this card in a couple of seconds. Since then, the MIFARE Classic has been highly exposed on the media. This workshop is intended to present the card features, the main types of attack, workarounds to control them and, as much as possible, keeping the system secure. As proof-of-concept, we will show how to dump and clone MIFAREclassic cards with equipment costing less than $100.

iOS Forensics With Open-Source Tools

This workshop is for attendees who want to become familiar with current state-of-the-art techniques in iOS forensics. The focus will be on data extraction and we will try to limit ourselves to open-source or freely available tools. Both jail broken and non-jail broken devices will be covered.

I will walk you through all required theoretical background and we will then run the hands-on exercises.

  • Introduction to digital forensics
  • Introduction to iOS security
  • How iOS data protection works?
  • How passcode works?
  • Various acquisition methods, their pros and cons
  • Logical
  • Filesystem
  • Physical
  • NAND
  • Making sense of acquired data
  • iCloud rorensics

It will help if you bring a laptop running OS X and an iOS device running anything prior to iOS 8.

presented by

Andrey Belenko

IPv6 Attacks and Defenses - A Hands-on Workshop

IPv6 deployment is rising every single day. According to the statistics and trends of the Internet Society, "2013 marked the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years." At the same time, ARIN states that they are currently in phase four of their "IPv4 Countdown Plan", while RIPE has reached its last /8 IPv4 address space quite some time ago. So, "this time it is for real." Moreover, most of the operating systems, network, and security devices (like firewalls, IDS, etc.) come with IPv6 pre-enabled. Are we ready for the IPv6-era from a security perspective?

In this workshop, various attack methods that "exploit" IPv6 design and implementation security issues will be discussed. These issues, due to their nature, affect several modern and prestigious operating systems as well as network and security devices. We willexplain and demonstrate how you can exploit IPv6-specific features for pen-testing IPv6 systems and networks. First, all the required theory regarding the changes that IPv6 brings with it and how it affects security will be presented. Then, it will be explained and demonstrated how to launch most of the known IPv6 attacks. More advanced attacks will also be presented, as well as ways of fuzzing the protocol implementation against various systems and security devices. Finally, mitigation techniques to protect your IPv6 infrastructure from these attacks will be discussed.

Only by knowing the potential IPv6 security issues shall we be able to protect it effectively. The acquired knowledge will be valuable both to penetration testers who want to test IPv6 networks as well as to network and security engineers who want to effectively protect their IPv6 networks.

Reverse Engineering Payment Malwares

Recent news has shown that malware targeting payment data, such as point-of-sales environments, has become a real issue causing hundreds of millions in loss with fraud and data theft. But why are we still so vulnerable to this type of threat after all the current security standards and how are these criminals making so much money out of it? The payment ecosystem involves a lot of different players, technologies, and standards. This creates some gray areas that end up being exploited by targeted malware attacks.

In this workshop, we intend to briefly cover the payment environment from a technology perspective, showing security gaps and attack vectors that malware can exploit in order to successfully obtain payment data. We'll also demonstrate the process of reverse engineering payment malware giving special attention to techniques the malware uses specifically for stealing card holder data in payment environments. This includes methods like RAM and disk scrapping, POS tampering, magnetic stripe reading, and others.

presented by

Thiago Musa &  Ygor Parreira