Black Hat USA Registration Black Hat USA Registration Black Hat USA Briefings Black Hat USA Briefings Black Hat USA Training Black Hat USA Training Black Hat USA Schedule Black Hat USA Schedule Black Hat USA Sponsors Black Hat USA Sponsors Black Hat  USA Special Events Black Hat  USA Special Events Black Hat USA Venue Black Hat USA Venue







Turbo Talks



Day One Keynote July 31


Presented by

Gen. Alexander

Presented by

Brian Muirhead



A Practical Attack against MDM Solutions

Spyphones are surveillance tools surreptitiously planted on a users handheld device. While malicious mobile applications mainly phone fraud applications distributed through common application channels - target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.

How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.

A Tale of One Software Bypass of Windows 8 Secure Boot

Windows 8 Secure Boot based on UEFI 2.3.1 Secure Boot is an important step towards securing platforms from malware compromising boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine protections offered by Secure Boot. We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

Above My Pay Grade: Cyber Response at the National Level

Incident response is usually a deeply technical forensic investigation and mitigation for an individual organization. But for incidents that are not merely cyber crime but truly national security events, such as large-scale disruptive attacks that could be acts of war by another nation, the process is completely dissimilar, needing a different kind of thinking.

This talk will discuss exactly how, detailing the flow of national security incident response in the United States using the scenario of a major attack on the finance sector. The response starts at individual banks and exchanges, through the public-private sector information sharing processes (like FS-ISAC). Treasury handles the financial side of the crisis while DHS tackles the technical. If needed, the incident can be escalated to the military and president especially if the incident becomes especially disruptive or destructive. The talk examines this flow and the actions and decisions within the national security apparatus, concluding with the pros and cons of this approach and comparing it to the process in other key countries.

Presented by

Jason Healey

Android: one root to own them all

This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.

Presented by

Jeff Forristal

BinaryPig - Scalable Malware Analytics in Hadoop

Over the past 2.5 years Endgame received 20M samples of malware equating to roughly 9.5 TB of binary data. In this, we’re not alone. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10M samples in the last quarter of 2012 [1]. Its total corpus is estimated to be about 100M samples. VirusTotal receives between 300k and 600k unique files per day, and of those roughly one-third to half are positively identified as malware [2].

This huge volume of malware offers both challenges and opportunities for security research especially applied machine learning. Endgame performs static analysis on malware in order to extract feature sets used for performing large-scale machine learning. Since malware research has traditionally been the domain of reverse engineers, most existing malware analysis tools were designed to process single binaries or multiple binaries on a single computer and are unprepared to confront terabytes of malware simultaneously. There is no easy way for security researchers to apply static analysis techniques at scale; companies and individuals that want to pursue this path are forced to create their own solutions.

Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset.

To address this problem, we will present our open framework, BinaryPig, as well as some example uses of this technology to perform a multiyear, multi-terabyte, multimillion-sample malware census. This framework is built over Apache Hadoop, Apache Pig, and Python. It addresses many issues of scalable malware processing, including dealing with increasingly large data sizes, improving workflow development speed, and enabling parallel processing of binary files with most pre-existing tools. It is also modular and extensible, in the hope that it will aid security researchers and academics in handling ever-larger amounts of malware.

In addition, we will demonstrate the results of our exploration and the techniques used to derive these results. The framework, analysis modules, and some example applications will be released as open source (Apache 2.0 License) at Blackhat. ches/240006702/mcafeecloseto100knewmalwaresamplesperdayinq2.html as of 4/9/2013

BIOS Security

In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.

We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.

Black-Box Assessment of Pseudorandom Algorithms

Last year at Black Hat, Argyros and Kiayias devastated all things pseudorandom in open-source PHP applications. This year, we're bringing PRNG attacks to the masses.

We'll point out flaws in many of the most common non-cryptographic pseudorandom number generators (PRNGs) and examine how to identify a PRNG based on a black-box analysis of application output. In many cases, most or all of the PRNG's internal state can be recovered, enabling determination of past output and prediction of future output. We'll present algorithms that run many orders of magnitude faster than a brute-force search, including reversing and seeking the PRNG stream in constant time. Finally, of course, we'll demonstrate everything and give away our tool so that you can perform the attacks during your own assessments.

BlackBerryOS 10 from a security perspective

BlackBerry prides itself with being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.

This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?

Presented by

Ralf-Philipp Weinmann

Bluetooth Smart: The Good, The Bad, The Ugly, and The Fix!

Bluetooth Smart, AKA Bluetooth Low Energy (BTLE), is a new modulation mode and link-layer packet format defined in Bluetooth 4.0. A new class of low-power devices and high-end smartphones are already on the market using this protocol. Applications include everything from fitness devices to wireless door locks. The Good: Bluetooth Smart is well-designed and good at what it does. We explain its workings from the PHY layer (raw RF) all the way to the application layer. The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools. The Fix: We implement Elliptic Curve Diffie-Hellman to exchange a key in-band. This backward-compatible fix renders the protocol secure against passive eavesdroppers.

Presented by

Mike Ryan

Bochspwn: Identifying 0-days via System-wide Memory Access Pattern Analysis

Throughout the last two decades, the field of automated vulnerability discovery has evolved into the advanced state we have today: effective dynamic analysis is achieved with a plethora of complex, privately developed fuzzers dedicated to specific products, file formats or protocols, with source code and binary-level static analysis slowly catching up, yet already proving useful in specific scenarios. Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers. Considering the current impact of ring-0 security on the overall system security posture and number of kernel-specific bug classes, we would like to propose a novel, dynamic approach to locating subtle kernel security flaws that would likely otherwise remain unnoticed for years.

The presentation will introduce the concept of identifying vulnerabilities in operating systems’ kernels by employing dynamic CPU-level instrumentation over a live system session, on the example of using memory access patterns to extract information about potential race conditions in interacting with user-mode memory. We will discuss several different ways to implement the idea, with special emphasis on the “Bochspwn” project we developed last year and successfully used to discover around 50 local elevation of privilege vulnerabilities in the Windows kernel so far, with many of them already addressed in the ms13-016, ms13-017, ms13-031 and ms13-036 security bulletins. The tool itself will be open-sourced during the conference, thus allowing a wider audience to test and further develop the approach. - Detecting Bugs Using Decompilation and Data Flow Analysis

Bugwise is a free online web service at to perform static analysis of binary executables to detect software bugs and vulnerabilities. It detects bugs using a combination of decompilation to recover high level information, and data flow analysis to discover issues such as use-after-frees and double frees. Bugwise has been developed over the past several years and is implemented as a series of modules in a greater system that performs other binary analysis tasks such as malware detection. This entire system consists of more than 100,000 lines of C++ code and a scalable load balanced multi-node Amazon EC2 cluster. In this talk, I will explain how Bugwise works. The system is still in the development stage but has successfully found a number of real bugs and vulnerabilities in Debian Linux. This includes double free, use-after-free, and over 50 getenv(,strcpy) bugs statically found from scanning the entire Debian repository.

Presented by

Silvio Cesare

Buying into the Bias: Why Vulnerability Statistics Suck

Academic researchers, journalists, security vendors, software vendors, and other enterprising... uh... enterprises often analyze vulnerability statistics using large repositories of vulnerability data, such as CVE, OSVDB, and others. These stats are claimed to demonstrate trends in disclosure, such as the number or type of vulnerabilities, or their relative severity. Worse, they are often (mis)used to compare competing products to assess which one offers the best security.

Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending.

As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more.

We will give concrete examples of the misuses and abuses of vulnerability statistics over the years, revealing which studies do it right (rather, the least wrong), and how to judge future claims so that you can make better decisions based on these "studies." We will cover all the kinds of documented and undocumented bias that can exist in a vulnerability data source; how variations in counting hurt comparative analyses; and all the ways that vulnerability information is observed, cataloged, and annotated.

Steve will provide vendor-neutral, friendly, supportive suggestions to the industry. Jericho will do no such thing.

Combating the Insider Threat at the FBI: Real World Lessons Learned

What do T.S. Eliot, Puxatony Phil, eugenics, DLP, crowdsourcing, black swans, and narcissism have in common? They are all key concepts for an effective insider threat program. Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade. The talk will provide insight on how our nation's premier law enforcement agency is detecting and deterring insider threat using a variety of techniques and technologies. This session will provide unique lessons learned from building a real world, operational insider threat monitoring and response program.

Presented by

Patrick Reidy

Compromising Industrial Facilities From 40 Miles Away

The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks have enabled these companies to reduce implementation, maintenance, and equipment costs and enhance personal safety by enabling new topologies for remote monitoring and administration in hazardous locations.

However, the manner in which sensor networks handle and control cryptographic keys is very different from the way in which they are handled in traditional business networks. Sensor networks involve large numbers of sensor nodes with limited hardware capabilities, so the distribution and revocation of keys is not a trivial task.

In this presentation, we review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. We also demonstrate some attacks that exploit key distribution vulnerabilities, which we recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies.

An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers. A remotely and wirelessly exploitable memory corruption bug could disable all the sensor nodes and forever shut down an entire facility. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made can be modified. This can lead to unexpected, harmful, and dangerous consequences.

CreepyDOL: Cheap, Distributed Stalking

Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors, who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.

Presented by

Brendan O'Connor

Defending Networks with Incomplete Information: A Machine Learning Approach

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response.

Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.

On this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.

Presented by

Alexandre Pinto

Dissecting CSRF Attacks & Countermeasures

Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulns with automated tools can be equally difficult to do accurately.

The presentation starts with a demonstration of how to model attacks to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code to show how to detect these vulns with few false positives.

Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar to the intent of Content Security Policy. This new policy introduces a concept called Storage Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit on current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improving security on the web.

End-to-End Analysis of a Domain Generating Algorithm Malware Family

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices.

The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. This presentation will bring to light how this malware is tied to an underground campaign that has been active for at least the past six years.

Presented by

Jason Geffner

Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)

Government requirements, new business cases, and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructures.

While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability, and privacy.

Nations absolutely recognize the criticality of the energy infrastructure for their economic and political stability. Therefore, various initiatives to ensure reliability and availability of their energy infrastructures are being driven at nation as well as at nation union levels. In order to contribute to the evaluation of national cyber security risks, the author decided to conduct a security analysis in the field of smart energy.

Utilities have started to introduce new field device technology - smart meters. As the name implies, smart meters do support many more use cases than any old conventional electricity meter did. Not only does the new generation of meters support fine granular remote data reading, but it also facilitates remote load control or remote software updates. Hence, to build a secure advanced metering infrastructure (AMI), communication protocols must support bi-directional data transmission and protect meter data and control commands in transit.

Therefore, analysis of smart metering protocols is of great interest. The work presented has analyzed the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure.

The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication.

Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys.

Following that, the availability and reliability of the smart grid or at least parts of it may not be guaranteed.

Presented by

Cyrill Brunschwiler

Exploiting Network Surveillance Cameras Like a Hollywood Hacker

This talk will examine 0-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.

Additionally, a proof-of-concept attack will be demonstrated in which a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.

Presented by

Craig Heffner

Evading deep inspection for fun and shell

Whether you have a Next Generation Firewall, an IPS, IDS, or a BDS, the security provided by these devices depends on their capability to perform robust TCP/IP reassembly. If this fails, the device can be bypassed. We researched the TCP/IP reassembly capabilities of security boxes and found that their detection can be evaded or pierced through with evasions that apply to the IP & TCP layers. The TCP reassembly capabilities of most security boxes are still poor. Instead of doing proper TCP reassembly, many of the analyzed boxes try to prevent attacks by anomaly detection, for example, by blocking small TCP segments. However, blocking small segments leads to false positives, so this kind of blocking strategy cannot be applied to real traffic without the false positive risk. We also found evasions that allowed the attack to succeed without any logs in the security box, even if all signatures were set to block.

The Factoring Dead: Preparing for the Cryptopocalypse

The last several years has seen an explosion of practical exploitation of widespread cryptographic weaknesses, such as BEAST, CRIME, Lucky 13 and the RC4 bias vulnerabilities. The invention of these techniques requires a lot of hard work, deep knowledge and the ability to generate a pithy acronym, but rarely involves the use of a completely unknown weakness. Cryptography researchers have known about the existence of compression oracles, RC4 biases and problems with CBC mode for years, but the general information security community has been unaware of these dangers until fully working exploits were demonstrated.

In this talk, the speakers will explain the latest breakthroughs in the academic crypto community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the latest breakthroughs in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. We will explain the basic theories behind RSA and the state-of-the-art in large numbering factoring, and how several recent papers may point the way to massive improvements in this area.

The talk will then switch to the practical aspects of the doomsday scenario, and will answer the question "What happens the day after RSA is broken?" We will point out the many obvious and hidden uses of RSA and related algorithms and outline how software engineers and security teams can operate in a post-RSA world. We will also discuss the results of our survey of popular products and software, and point out the ways in which individuals can prepare for the zombi^H^H^H crypto apocalypse.

Fact and Fiction: Defending your Medical Devices

In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this brought much needed attention to the issue, it has also uncovered a great deal of misinformation. This talk is going to tackle those confusing and controversial topics. What’s the reality of patching a medical device? Is it safe to run anti-virus protection on them? You’ll find out in this talk. This presentation will outline a framework on how vendors, buyers, and administrators of medical devices can bring substantive changes in the security of these devices. This talk will also have the unique element of discussing a medical device software bug that InGuardians uncovered. This bug will be discussed in detail and replicated live on stage. InGuardians has worked closely with the FDA on properly documenting and submitting this through their tracking system. This will be covered in full detail so other researchers will know how to properly disclose bugs and vulnerabilities.

Presented by

Jay Radcliffe

Fully Arbitrary 802.3 Packet Injection: Maximizing the Ethernet Attack Surface

It is generally assumed that crafting arbitrary, and sniffing, Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) have historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released.

This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored.

We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.

Funderbolt: Adventures in Thunderbolt DMA Attacks

Intel's Thunderbolt allows for high-speed data transfers for a variety of peripherals including high-resolution high-bandwidth graphics displays, all using the same physical connection. This convenience comes at a bit of a cost: an external port into your computer's bus and possibly memory! Thunderbolt ports appear on high-end laptops like the MacBook Pro, but also increasingly on PC hardware, and on newer desktop and server motherboards. This proprietary technology is undocumented but problems with it could potentially undermine the privacy and security of users.

This talk chronicles process of exploring these risks through a practical exercise in reverse engineering. Experience the tribulations with reversing Thunderbolt chips, understand the attack strategies for exploiting DMA and see the pitfalls one encounters along the way, while gaining a deeper understanding of the risks of this new feature.

Presented by

Russ Sevinsky

Hacking like in the Movies: Visualizing Page Tables for Local Exploitation

A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allow you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map between the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for:

  • Windows 8 on x86_64
  • Windows 8 RT on ARMv7
  • Linux 3.8 on x86_64
  • Linux 3.4 on ARMv7 alias Android 4.2
  • XNU on x86_64 alias OS X
  • XNU on ARMv7 alias iOS

Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures.

By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses.

To make a final point, that this is not only nice to look at, we will show how we found a mitigated Android <= 4.0.x generic user-space ASLR bypass. For those interested in actually owning targets, we will show an Android 4.2.2 generic user-space ASLR bypass that also affects other latest Linux/ARM kernels.

Hacking, Surveilling, and Deceiving victims on Smart TV

Smart TVs sold over 80,000,000 units around the world in 2012. This next generation "smart" platform is becoming more and more popular. On the other hand, we hardly see security research on Smart TVs. This presentation will cover vulnerabilities we've found on the platform.

You can imagine that Smart TVs have almost the exact same attack vectors that PC and Smart Phones have. Also, Smart TVs have interesting new attack surface such as the remote controller. We'll talk about attack points for Smart TV platform and cover security bugs we discovered. This talk will mostly focus on what attackers can do on a hacked Smart TV.

For example, expensive Smart TVs have many hardware devices like a Camera or Mic which, if remotely controlled, means bad guys can spy remotely without you knowing. Even more, it is possible to make Smart TVs monitor you 24/7 even though users turn off their TV, meaning #1984 could be done.

In addition, we'll point out a difference of viewpoint on leaked information type among PC, Smart Phone and Smart TV. Lastly, we'll give demo of live remote surveillance cam, which is sent to attacker's server at this talk.

This talk is an extended version of one, which I gave at CANSECWEST. It will demonstrate a spoofed news story on a hacked Smart TV and possibly TVshing (Smart TV edition of phishing.)

Presented by

SeungJin 'Beist' Lee

Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory

In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications. The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide peristent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed (Hint: your current tools probably don't work as well as you would like to believe).

Presented by

Josh 'm0nk' Thomas

Home Invasion v2.0 - Attacking Network-Controlled Hardware

A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before.

Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you're going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.

Honey, I’m home!! - Hacking Z-Wave Home Automation Systems

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration.

The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.

Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave , is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.

Hot Knives Through Butter: Bypassing Automated Analysis Systems

Diamonds are girl’s best friend, prime numbers are mathematician’s best friend and automated analysis systems (AAS) are AV researcher’s best friend. Unfortunately, this fact is known by malware authors and hence techniques to evade automated analysis system are not only becoming an integral part of APT, but also many infamous malwares have resurrected and are using techniques to bypass the automated analysis system to stay under the radar.

The infamous Khelios botnet was claimed to be dead in 2011 and got resurrected . To evade the automated analysis system one of the sample aka Trojan Nap found in 2013, was employing SleepEx() API with a 10 minutes time out. Since automated analysis systems are set to execute a sample within a given time frame ,which is in seconds, by employing an extended sleep call, it could prevent an AAS from capturing its behavior. The sample also made a call to the undocumented API NtDelayExecution() for performing an extended sleep calls.

As per the report from Mandiant, infamous RAT Poison IVY has extensively been used in the targeted attacks and appeared to have been abandoned in 2008. Trojan UpClicker, reported in December 2012, a wrapper around Poison IVY, employs SetWindowsHookEX() API to hide its malicious activity. By sending 0EH as parameter to the function, the malicious code only gets activated when the left mouse button is clicked and released. Since in AAS there is no human interaction, the code remains dormant bypassing the AAS.

PushDo, yet another infamous malware, checks the build number of windows OS. Once it has determined the build number of windows OS. It finds a pointer to PspCreateProcessNotify() API routine to deregister all the callbacks. Once the callbacks have been deregistered, the malware can create or delete processes, bypassing process monitoring module of AAS.

Trojan Hastati was designed to wipe out all the hard drives of a computer in Korea. It used GetLocalTime() API to activate itself on March 20th 2013 at 2:00 P.M. If the sample is executed in an AAS before the 20th March 2013, it will not get executed and evades AAS.

UpClicker, PushDo, Hastati, Nap are some of the resurrected advanced malware and/or APT which are using anti evasion techniques to evade detections from AAS.

In first part of the presentation we provide an exhaustive list of techniques, API’s and the code segments from the APT and active malware, which are being used to bypass the AAS. We will also have live demonstration of some of the anti-analysis techniques, which have emerged in the recent past.

In the next part of the presentation we provide an in-depth, technical analysis of the Automated Analysis System technologies available today focusing on computer security aspect. It will provide a comparison framework for different technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition we also explore each of the major commercially available automated analysis system flavors and evaluate their ability to stand against these evasions. We will present an architectural decomposition of automated analysis systems to highlight its advantages and limitations, and historical view on how fast Anti-AAS techniques have been evolved so rapidly recently. This will kick start the conversation on how new vectors that are likely to be used by sophisticated malware to actively target AAS in the future.

Presented by

Abhishek Singh
Zheng Bu

HOW CVSS is DOSsing YOUR PATCHING POLICY (and wasting your money)

CVSS score is widely used as the standard-de-facto risk metric for vulnerabilities, to the point that the US Government itself encourages organizations in using it to prioritize vulnerability patching. We tackle this approach by testing the CVSS score in terms of its efficacy as a "risk score" and "prioritization metric." We test the CVSS against real attack data and as a result, we show that the overall picture is not satisfactory: the (lower-bound) over-investment by using CVSS to choose what vulnerabilities to patch can as high as 300% of an optimal one. We extend the analysis making sure to obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"

How to Build a SpyPhone

Learn how to build an Android SpyPhone service that can be injected into any application. The presentation will feature a live demonstration of how phones can be tracked and operated from a Web based command and control server and a demonstration of how to inject the SpyPhone service into any Android application. The presentation will also cover the APIs used to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected.

Presented by

Kevin McNamee

How to Grow a TREE (Taint-enabled Reverse Engineering Environment) From CBASS (Cross-platform Binary Automated Symbolic-execution System)

Binary analysis techniques from academic research have been introduced into the reverse engineering community as well as research labs that are equipped with lots of computing power. Some program analyses using these techniques have even begun to show up in hacker conferences. But significant limitations remain:

  • No practical toolset delivers analyses of binary programs across multiple platforms (like x86, ARM, MIPS, PowerPC etc.);
  • No practical toolset scales to real-world large programs and automates all aspects of highly sophisticated tasks like vulnerability analysis and exploit generation;
  • No practical toolset runs on a typical engineer’s laptop or integrates seamlessly with any popular reverse engineering environment. Interested reverse engineers must switch back and forth between their familiar tool environment and some Dynamic Binary Instrumentation (DBI) environment (like PIN) or full system emulator (like QEMU).

In this talk, we will present our solution to these limitations. We will explain the Cross-platform Binary Automated Symbolic-execution System (CBASS) that we developed and demonstrate one of its interactive applications: an IDA based Taint-enabled Reverse Engineering Environment (TREE). TREE can deliver program analysis techniques (taint analysis, dynamic slicing, symbolic execution and constraint solving) into the reverse engineer’s hands now. Binary analysis and its security applications have been extensively researched, mainly in the context of a single instruction set architecture (predominantly x86) and popular desktop operating systems (Linux or Windows). CBASS performs its binary analysis on a common Intermediate Representation (IR) rather than on the native Instruction Set Architecture (ISA) of any program. This thin layer allows our powerful analysis tools to work on cross-platform binary applications.

While CBASS supports both automated and interactive security applications, TREE supports a subset of these capabilities but from with an IDA Pro plug-in. TREE provides useful interactive visualizations of the results of on-demand binary analysis. Symbolic execution and concolic execution (concrete-symbolic execution) are fundamental techniques used in binary analysis; but they are plagued by the exponential path explosion problem. Solving this problem requires vigorous path pruning algorithms and highly parallel computing infrastructure (like clouds). Neither of these is typically available to a reverse engineer. TREE solves this problem by helping the reverse engineer prioritize path execution through an interactive and intuitive visual representation of the results of on-demand analysis of what inputs and instruction sequences led to the crash site or other suspicious path, leverage path constraints and SMT solver to negate tainted branch condition for a new, unexplored path. The details of the taint analysis, dynamic slicing and path constraint solving mechanisms are transparent to reverse engineer.

Utilizing the existing IDA Pro debugging infrastructure, TREE can automate trace generation from diversified target platforms, including kernel mode tracing for Windows. To our surprise, despite the fact that IDA Pro debugging API has been around for a long time, there has been no serious effort to automate trace collection for extensible binary analysis, particularly for kernel mode tracing. Our work has directly contributed to two bug fixes in the latest IDA Pro patches (IDA 6.4.130206). Our presentation will feature several case studies of using TREE to analyze real world vulnerabilities.

Hunting the Shadows: In Depth Analysis of Escalated APT Attacks

APT attacks are a new emerging threat and have made headlines in recent years. However, we have yet to see full-scale assessment of targeted attack operations. Taiwan has been a long term target for these cyber-attacks due to its highly developed network infrastructure and sensitive political position. We had a unique chance to monitor, detect, investigate, and mitigate a large number of attacks on government and private sector companies. This presentation will introduce our results of a joint research between Xecure-Lab and Academia Sinica on targeted attack operations across the Taiwan Strait. We have developed a fully automated system, XecScan 2.0 ( equipped with unique dynamic (sandbox) and static malicious software forensics technology to analyze nature and behavior of malicious binaries and document exploits. The system performs real-time APT classification and associates the analyzed content with existing knowledge base. In our experiments, the XecScan system has analyzed and successfully identified more than 12,000 APT emails, which include APT Malware and Document Exploits. With this presentation we will also analyze and group the samples from the recent Mandiant APT1(61398) Report and will compare the relationships between APT1 samples to the samples discovered in Taiwan and discuss the history behind APT1 Hacker activities. During this presentation we will release a free, publicly accessible portal to our collaborative APT classification platform and access to the XecScan 2.0 APIs.

I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.

This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.

The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.

During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks, and explain how we were able to clone a mobile device without physical access.

Implantable Medical Devices: Hacking Humans

In 2006 approximately 350,000 pacemakers and 173,000 ICD's (Implantable Cardioverter Defibrillators) were implanted in the US alone. 2006 was an important year, as that's when the FDA began approving fully wireless based devices. Today there are well over 3 million pacemakers and over 1.7 million ICD's in use.

This talk will focus on the security of wireless implantable medical devices. I will discuss how these devices operate and communicate and the security shortcomings of the current protocols. Our internal research software will be revealed that utilizes a common bedside transmitter to scan for, and interrogate individual medical implants.

I will also discuss ideas manufacturers can implement to improve the security of these devices.

Presented by

Barnaby Jack

Is that a government in your network or are you just happy to see me?

Defense and military network operations center around the age-old game: establishing long-term footholds deep inside a network. In this talk, we will discuss specific techniques and tactics observed while providing defensive incident response services to organizations compromised by foreign intelligence and defense agencies. The discussion will also incorporate the release and open-sourcing of several private projects used to identify pass-the-hash/impersonation attacks, including: a set of network monitoring daemons known as breachbox, part of which was funded by DARPA's Cyber Fast Track program; and an open-source tool and blueprint to help trojanize your own network to monitor and detect adversarial activity.

Presented by

Eric Fiterman

Java Every-Days: Exploiting Software Running on 3 Billion Devices

Over the last three years, Oracle Java has become the exploit author's best friend, and why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program. We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component. Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.

Javascript Static Security Analysis made easy with JSPrime

Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps.

But the problem is, many developers practice in-secure coding which leads to many clients side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A javascript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat.

I would like to highlight some of the interesting features of the tool below:

  • JS Library Aware Source & Sinks
    • Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks.
  • Variable & Function Tracing
    • This feature is a part of our code flow analysis algorithm
  • Variable & Function Scope Aware analysis
    • This feature is a part of our code flow analysis algorithm
  • Known filter function aware
  • OOP & Protoype Compliant
  • Minimum False Positive alerts
  • Supports minified javascript
  • Blazing fast performance
  • Point and Click :-) (my personal favorite)

Upcoming features:

Just-In-Time Code Reuse: The more things change, the more they stay the same

Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today's platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets-- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.

Presented by

Kevin Snow
Lucas Davi

KickaaS Defense with Cloud and Software Defined Security

While everyone else is busy spreading uneducated FUD on the supposed insecurity of cloud computing, the reality is cloud computing, and it's foundational technologies, bring tools to the table security pros previously could only dream of. Virtualization, segregation, and isolation are now defaults, not hard-to-achieve end states. Security is decoupled and abstracted from infrastructure, enabling levels of granularity and control nearly impossible with traditional architectures. APIs bind it all together, powering insanely effective security automation and intelligence.

This session will present practical techniques to leverage cloud computing and API-driven Software Defined Security to build stronger, more resilient, and more responsive defenses than aren't even close to possible with traditional infrastructure. We'll show what works today, including technical demonstrations, and tell you what to expect once security vendors wake up and really start riding the wave.

Presented by

Rich Mogull

Lawful Access Panel

Protecting yourself, your network and your users when the FBI or NSA knocks:

When you get a National Security Letter, no one can hear you scream. Being served with a search warrant for a criminal investigation can be scary enough, but national security investigations can be downright Kafkaesque. You probably won't be allowed to tell anyone about it. And they may ask for more than just user data, such as for backdoor access or to install special monitoring hardware or software deep inside your network. This panel will bring together a range of expertise on the perils of secret "lawful intercepts" in today's networks. We'll discuss the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.

Legal Aspects of Full Spectrum Computer Network (Active) Defense

Full spectrum computer network (active) defense mean more than simply “hacking back.” We’ve seen a lot of this issue lately. Orin Kerr and Stewart Baker had a lengthy debate about it online. New companies with some high visibility players claim they are providing “active defense” services to their clients. But all-in-all, what does this really mean? And why is it that when you go to your attorneys, they say a flat out, “No.”

This presentation examines the entire legal regime surrounding full spectrum computer network (active) defense. It delves into those areas that are easily legal and looks at the controversial issues surrounding others. As such we will discuss technology and sensors (ECPA and the service provider exception); information control and management (DRM); and, “active defense” focusing on – honeypot, beacons, deception (say hello to my little friend the Security and Exchange Commission); open source business intelligence gathering (CFAA, economic espionage; theft of trade secrets); trace back and retrieval of stolen data (CFAA).

Past presentations have shown much of what is taken away is audience driven in response to their questions and the subsequent discussion. And, as always, I try to impress upon computer security professionals the importance of working closely with their legal counsel early and often, and of course “Clark’s Law” - explain the technical aspects of computer security to your attorneys at a third grade level so they can understand it and then turn around and explain it to a judge or jury at a first grade level.

Presented by

Robert Clark

Legal Considerations for Cellular Research

The security of mobile communications is becoming increasingly critical, prompting security researchers to focus their attention on vulnerabilities in cellular systems. Researchers need to fully understand the legal ramifications of interacting with specialized hardware, cellular communications, and the restrictions imposed by service providers. This briefing will provide a legal overview of what a researcher should keep in mind when investigating mobile communications, technologies, and networks. We will cover legal issues raised by end user license agreements, jailrooting or rooting devices, and intercepting communications.

Lessons from Surviving a 300Gbps Denial of Service Attack

On Saturday, March 23, 2013, a distributed denial of service (DDoS) attack against Spamhaus that had been growing for weeks culminated with over 300 Gigabits per second of attack traffic targeting the anti-spam organization's network. At that point it became the largest such attack ever reported in history — at least 4x the size of the attacks that crippled US banks just a few months earlier. The attackers launched the full range DDoS methods at Spamhaus — simultaneously targeting Layer 3, Layer 4, and Layer 7. Spamhaus has given us permission to tell the full, behind-the-scenes story of what happened, show how the attacks were launched, outline the techniques the attackers used, and detail how was able to stay online throughout. While the Spamhaus story has a happy ending, the massive DDoS exposed key vulnerabilities throughout the Internet that we will need address if the network is to survive the next, inevitably larger, attack.

Presented by

Matthew Prince

Let's get physical: Breaking home security systems and bypassing buildings controls

36 million home & office security systems reside in the U.S., and they are all vulnerable. This is not your grandpa’s talk on physical security; this talk is about bypassing home and office digital physical security systems, from simple door sensors to intercepting signals and even the keypad before it can alert the authorities. All the methods presented are for covert entry and leave no physical sign of entry or compromise. If you are interested in bettering your skills as a pen tester or just want to know how break into an office like a Hollywood spy this is the talk for you. Come join us to see live demos of what the security companies never want you to see.

Presented by

Drew Porter
Stephen Smith

Mactans: Injecting Malware into iOS Devices via Malicious Chargers

Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.

In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.

To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.

Mainframes: The Past Will Come Back to Haunt You

From governments to military, airlines to banks, the mainframe is alive and well and touches you in everything you do. The security community that's tasked with reviewing the security on mainframes, though, actually knows very little about these beasts. Be it a lack of access by the security community or the false notion that mainframes are dead, there is a distinct gap between the IT security world and the mainframe world. Mainframes in the IT security community are talked about in whispered hushed tones in the back alleys. Neither knowing if they're as secure as IBM (and mainframers) claim or if they're ripe with configuration problems ready to be exploited. This talk will remove some of the mystery surrounding the mainframe, breaking down that 'legacy wall.' Discussing how security is implemented on the mainframe (including where to find configuration files), how to access it, simple networking and configuration commands, file structure etc. will be presented at this session.

Presented by

Philip Young

Maltego Tungsten as a collaborative attack platform

Maltego has always been a strong favorite for pre-attack intelligence gathering - be that for social engineering, doxing or for infrastructure mapping. Indeed it's earned its rightful place in the Kali Linux top 10 tools.

For as long as we can remember we at Paterva were annoyed that Maltego lacked the ability to share intelligence effectively. Up to now the only way to share graphs was to send the actual files around. This is all about to change - with Maltego Tungsten. The Tungsten release (at BlackHat) allows multiple users to share graphs in real time. This creates interesting opportunities and new workflows - suddenly we can have a team of analysts and/or pen testers working together in real time and on the same goal. Be it profiling (or 'doxing') a human target or attacking a network - with real time graph sharing we now have a platform where information can be safely (and anonymously) shared as it happens.

The other lacking aspect of Maltego was real bite. In the past we purposely stayed away from all out attack - concentrating rather on info gathering. In this talk we'll also show how to integrate Maltego with industry standard attack tools. This will range from infrastructure attacks, web platform attack and remote Trojans to social engineering as well as denial of service.

Combine human intelligence, machines (introduced in Radium release) and real time collaboration with these powerful transforms and wait... oh noes...we've created a monster!!

Million Browser Botnet

Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.

With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.

Multiplexed Wired Attack Surfaces

Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.

OptiROP: hunting for ROP gadgets in style

Return-Oriented-Programming (ROP) is the fundamental technique to bypass the widely-used DEP-based exploitation mitigation. Unfortunately, available tools that can help to find ROP gadgets mainly rely on syntactic searching. This method proves to be in inefficient, time-consuming and makes the process of developing ROP-based shellcode pretty frustrated for exploitation writers.

This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. OptiROP supports input binary of all executable formats (PE/ELF/Mach-O) on x86 & x86_64 architectures. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver, parallel processing and some heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.

In case where no suitable gadget is found, OptiROP tries to pick and chain available gadgets to create a sequence of gadgets satisfying the input requirements. This significantly eases the hard job of shellcode writers, so they can focus their time on other tedious parts of the exploitation process.

Our talk will entertain the audience with some live demo, so they can see how OptiROP generates gadgets in reality.

Presented by

Nguyen Anh Quynh

Out of Control: Demonstrating SCADA device exploitation

America’s next great oil and gas boom is here: the United States is on track to become the world’s top oil producer by 2020. New wells require new pipelines to distribute their bounty. These oil and gas pipelines crisscross the country carrying volatile fluids through densely populated areas. What runs these pipelines? How are they controlled? What happens when the process goes out of control?

Presented by

Eric Forner
Brian Meixell

The Outer Limits: Hacking the Samsung Smart TV

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling the transmission.

"Smart" TVs are becoming more and more common. Samsung and other vendors such as Sony and LG have sold more than a hundred million Smart TVs in the last few years. During this talk, Aaron Grattafiori and Josh Yavor will discuss the Samsung SmartTV design, attack surfaces and overall insecurity of the platform. A short discussion of the current application stack, TV operating system and other details will be provided to help set the stage for details of significant flaws found within the Samsung SmartTV application architecture, APIs and current applications.

A number of vulnerabilities will be explored and demonstrated which allow malicious developers or remotely hijacked applications (such as the web browser or social media applications) to take complete control of the TV, steal accounts stored within it and install a userland rootkit. Exploitation of these vulnerabilities also provides the ability for an attacker to use the front-facing video camera or built-in microphone for spying and surveillance as well as facilitate access to local network for continued exploitation. This talk will also discuss methods to bypass what (meager) security protections exist and put forth several worst case scenarios (TV worm anyone?).

Concluding this talk, Aaron and Josh will discuss what has been fixed by Samsung and discuss what overall weaknesses should be avoided by future "Smart" platforms. Video demos of exploits and userland rootkits will be provided.

Owning the Routing Table - Part II

The holy grail of routing attacks is owning the routing table of a router. In this work we present a powerful OSPF attack that exploit a newly discovered ambiguity of the OSPF protocol -- the most popular routing protocol inside autonomous systems (AS). The attack allows an attacker who gained control over just a single router in an AS to control the routing tables of all other routers in that AS. The attack may be utilized to induce black holes, network cuts or longer routes in order to facilitate DoS of the routing domain or to gain access to information flows which otherwise the attacker had no access to. The attack can also be used to easily DoS a victim router using a single packet. A multi-vendor effort is now under way to fix this vulnerability which currently inflict many of today's OSPF routers. This work is a sequel to the work "Owning the Routing Table" we presented at Black Hat USA 2011.

This is a joint work with Eitan Menahem, Yuval Elovici and Ariel Waizel of Telekom Innovation Laboratories at Ben Gurion University.

Presented by

Gabi Nakibly

Pass the Hash and Other Credential Theft and Reuse: Mitigating the risk of Lateral Movement and Privilege Escalation

Pass the Hash (PtH) has become one of the most widespread attacks affecting our customers and many of our customers have made it their top priority to address these attacks. In response, Microsoft has assembled a workgroup to investigate effective and practical mitigations that could be used now as well as future platform modifications. This presentation will cover the problem of credential theft and re-use, focusing on Pass-the-Hash attacks as an example, and discuss Microsoft’s recommended mitigations. The presenters are members of the workgroup: Patrick Jungles of the Trustworthy Computing group and Mark Simos of the Cybersecurity Services team.

Pass-The-Hash 2: The Admin's Revenge

Some vulnerabilities just can't be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at Black Hat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.

Pixel Perfect Timing Attacks with HTML5

Maybe you’ve heard it before - HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and dangerous side effects.

In this presentation, I’ll introduce a number of new techniques that use JavaScript-based timing attacks to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.

Presented by

Paul Stone

Post Exploitation Operations with Cloud Synchronization Services

Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files on every device. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely.

Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed.

We released the DropSmack tool at Blackhat EU. This showed enterprise defenders the risks posed by cloud synchronization software and gave pen testers a new toy to play with (you can bet that pen testers weren’t the only ones who noticed). In response to feedback from the original presentation, DropSmack has been improved to deal with some of the unique operational challenges posed by synchronization environments. In particular, we added the ability to work with more synchronization services automatically.

In this talk, we’ll demonstrate how DropSmack v2 works and explain how to deploy it in an operational environment. We’ll look at some of the countermeasures to these attacks, including the encryption of synchronized files by third party software. Additionally, we’ll investigate the potential of using so-called “next generation firewalls” to defeat DropSmack.

You’ll also learn about the issues of credential storage in the context of cloud synchronization services. Several synchronization applications also use insecure authentication methods. We’ll highlight these applications so you know what works, what doesn’t, and what you should run (not walk) away from. You’ll learn about post-exploitation activities you can accomplish when your freshly compromised target is running a cloud synchronization product.

Finally, we’ll demonstrate the steps you need to follow to steal credentials for the products that store them. Why would you want to steal stored credentials for a cloud synchronization service you ask? After all, any files that have been synchronized to the cloud must already on the machine you just compromised, right? Not necessarily. You’ll learn a variety of nasty things you can do with the cloud synchronization service portals that you may never have considered.,/

If you’re a network defender, you’ll leave this talk with a new appreciation of the risks posed by cloud synchronization services (and a nauseous feeling if you have them in your environment). If you are a penetration tester, you’ll leave with a new bag of tricks. Either way, a fun time is sure to be had by all.

Presented by

Jacob Williams

Power Analysis Attacks for Cheapskates

Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often has at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board, open-source Python tools for doing the capture, and open-source example attacks. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work.

Presented by

Colin O'Flynn

Predicting Susceptibility to Social Bots on Twitter

Are some Twitter users more naturally predisposed to interacting with social bots and can social bot creators exploit this knowledge to increase the odds of getting a response?

Social bots are growing more intelligent, moving beyond simple reposts of boilerplate ad content to attempt to engage with users and then exploit this trust to promote a product or agenda. While much research has focused on how to identify such bots in the process of spam detection, less research has looked at the other side of the question—detecting users likely to be fooled by bots. This talk provides a summary of research and developments in the social bots arms race before sharing results of our experiment examining user susceptibility.

We find that a users’ Klout score, friends count, and followers count are most predictive of whether a user will interact with a bot, and that the Random Forest algorithm produces the best classifier, when used in conjunction with appropriate feature ranking algorithms. With this knowledge, social bot creators could significantly reduce the chance of targeting users who are unlikely to interact.

Users displaying higher levels of extraversion were more likely to interact with our social bots. This may have implications for eLearning based awareness training as users higher in extraversion have been shown to perform better when they have great control of the learning environment.

Overall, these results show promise for helping understand which users are most vulnerable to social bots.

Presented by

Chris Sumner
Randall Wald

Press ROOT to continue: Detecting OSX and Windows bootkits with RDFU

UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared.

To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality:

  • Sniffing FileVault passwords (sniffing keys while booting)
  • Privilege escalation (to root)
  • Hiding PIDs, files, and directories with selected patterns

Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions

Embedded systems are everywhere, from TVs to aircraft, printers to weapons control systems. As a security researcher when you are faced with one of these “black boxes” to test, sometime in-situ, it is difficult to know where to start. However, if there is a USB port on the device there is useful information that can be gained. This talk is about using techniques to analyze USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed and devices supported. The talk will also cover some of the more significant challenges faced by researchers attempting to exploit USB vulnerabilities using a Windows 8 USB bug recently discovered by the presenter (MS13-027) as an example.

Presented by

Andy Davis

RFID Hacking: Live Free or RFID Hard

Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance on how RFID proximity badge systems work. We’ll cover what you’ll need to build out your own RFID physical penetration toolkit, and how to easily use an Arduino microcontroller to weaponize commercial RFID badge readers – turning them into custom, long range RFID hacking tools.

This presentation will NOT weigh you down with theoretical details, discussions of radio frequencies and modulation schemes, or talk of inductive coupling. It WILL serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID proximity badge information to gain unauthorized access to buildings and other secure areas. Schematics and Arduino code will be released, and 100 lucky audience members will receive a custom PCB they can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use (such as badge cloning). This solution will allow you to read cards from up to 3 feet away, a significant improvement over the few centimeter range of common RFID hacking tools.

Some of the topics we will explore are:

  • Overview of best RFID hacking tools available to get for your toolkit
  • Stealing RFID proximity badge info from unsuspecting passers-by
  • Replaying RFID badge info and creating fake cloned cards
  • Brute-forcing higher privileged badge numbers to gain data center access
  • Attacking badge readers and controllers directly
  • Planting PwnPlugs, Raspberry Pis, and similar devices as physical backdoors to maintain internal network access
  • Creating custom RFID hacking tools using the Arduino
  • Defending yourself from RFID hacking threats

This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the physical penetration testing field.

Presented by

Fran Brown

Rooting SIM cards

SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Little is known about their security beyond manufacturer claims.

Besides SIM cards’ main purpose of identifying subscribers, most of them provide programmable Java runtimes. Based on this flexibility, SIM cards are poised to become an easily extensible trust anchor for otherwise untrusted smartphones, embedded devices, and cars.

The protection pretense of SIM cards is based on the understanding that they have never been exploited. This talk ends this myth of unbreakable SIM cards and illustrates that the cards -- like any other computing system -- are plagued by implementation and configuration bugs.

Presented by

Karsten Nohl

The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!

These attackers had a plan, they acted upon their plan, and they were successful. In my first presentation, given at Black Hat EU in 2013, I covered a robust ICS honeynet that I developed, and who was really attacking them. In this talk, I cover many of the same concepts, but I go several steps further- profiling the attackers that exploited my ICS honeynet.

This talk will profile, provide intelligence, and list actors that attacked my ICS honeypot environment. This talk will also feature a demo of the attackers in progress, exfiltrating perceived sensitive data. In addition, I will discuss in greater detail how I geo-located these individuals, and tracked their movements, operations, and attacks.

Some of the findings are truly surprising and substantial, and my not be what you think they are. This talk will release brand new statistics and attack details seen nowhere else in the ICS community.

Presented by

Kyle Wilhoit

Smashing The Font Scaler Engine in Windows Kernel

The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode.

In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc.

Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing.

Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.


It's become commonplace for security reporters and providers of security technologies to find themselves targets of hackers' wrath, especially when they put criminal activity under the spotlight. Earlier this year, Brian Krebs had done some work to expose a "booter" service. Like other public security figures, he found himself the target of repeated DDoS attacks. In Brian's case, this culminated in a "SWATting" attack -- a surprise visit by dozens of heavily armed police at his front door. Research on "booter" services reveals a relatively unsophisticated, but high-profit criminal community of DDoS-for-hire web sites that are capable of considerable impact. They operate under legal auspices, leveraging legitimate DDoS protection services. Anyone with an axe to grind and a small amount of money can hire one of these services to have virtually any person or web site knocked off the Internet. As an indicator of how mainstream these services have become, most of them accept payment via Paypal. This talk will delve into the recent proliferation of these malicious commercial DDoS services, and reveal what's been learned about their surreptitious functioning, exposing the proprietors behind these illicit services, and what is known about their targets and their thousands of paying customers. Emphasis will be placed on detailing the vulnerabilities present in most booter sites, and the lessons we can draw about how targets of these attacks can defend themselves.

Presented by

Brian Krebs
Lance James

SSL, gone in 30 seconds - a BREACH beyond CRIME

In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.

Stepping P3wns: Adventures in full-spectrum embedded exploitation (and defense!)

Our presentation focuses on two live demonstrations of exploitation and defense of a wide array of ubiquitous networked embedded devices like printers, phones and routers.

The first demonstration will feature a proof-of-concept embedded worm capable of stealthy, autonomous polyspecies propagation. This PoC worm will feature at least one* 0-day vulnerability on Cisco IP phones as well as several embedded device vulnerabilities previously disclosed by the authors. We will demonstrate how an attacker can gain stealthy and persistent access to the victim network via multiple remote initial attack vectors against routers and printers. Once inside, we will show how the attacker can use other embedded devices as stepping-stones to compromise significant portions of the victim network without ever needing to compromise the general-purpose computers residing on the network. Our PoC worm is capable of network reconnaissance, manual full-mesh propagation between IP phones, network printers and common networking equipment. Finally, we will demonstrate fully autonomous reconnaissance and exploitation of all embedded devices on the demo network.

The second demonstration showcases host-based embedded defense techniques, called Symbiotes, developed by the authors at Columbia University under support from DARPA’s Cyber Fast Track and CRASH programs, as well as IARPA’s STONESOUP and DHS’s S&T Research programs. The Symbiote, is an OS and vendor agnostic host-based defense designed specifically for proprietary embedded systems. We will demonstrate the automated injection of Software Symbiotes into each vulnerable embedded device presented during the first demonstration. We then repeat all attack scenarios presented in the first demo against Symbiote defended devices to demonstrate real-time detection, alerting and mitigation of all malicious embedded implants used by our PoC worm. Lastly, we demonstrate the scalability and integration of Symbiote detection and alerting mechanisms into existing enterprise endpoint protection systems like Symantec End Point.

Over the past two years we have discovered vulnerabilities in and and developed exploits for several embedded system. 2011 had not only the version agnostic Cisco IOS rootkit (“Killing the Myth of Cisco IOS Diversity”, Black Hat USA), but also the HP RFU vulnerability (“Print Me if You Dare”, 28C3). In 2012 we presented the Cisco IP phone kernel vulnerability (“Hacking Cisco Phones”, 29C3) . While each exploit focused on one device, we posited polyspecies malware propagation in which a device of one type could be used to exploit a device of a completely different type. In this presentation, we demonstrate an HP printer being used to exploit two different Cisco IP phones (which includes a yet-to-be-disclosed privilege escalation exploit in the 8900/9900 series). We may throw in a fourth yet-to-be-named device just for good measure. We then take the same devices on the same network and install host-based defense to detect or prevent the same exploits.

Teridian SoC Exploitation: Exploration of harvard architecture smart grid systems

The Teridian 8051 based chips are found in a variety of places in daily life, from the smart energy grid to smart cards and pin-pads. While the most prominent placement in the US is currently the metrology and power measurement side of a smart meters, the 8051 core is ubiquitous in embedded devices. They are additionally found in power distribution automation (the backend power shoveling inside your utility) and home automation (monitoring energy usage and changing configuration of appliances and similar in the home).

The Teridian System-on-a-Chip platform wraps a complete system around a modified 8051 core, with additional features for chip security to block debug functionality and external access to memory. Additionally, the Harvard architecture design sets relatively rigid barriers between code and data (as opposed to x86/64), which presents an unintentional security barrier, somewhat similar to robust hardware DEP on x86/64 platforms.

In this talk, we will quickly cover architecture and system overviews, then dive into exploitation scenarios with techniques to attack Harvard architecture systems and code security implementations. End state results include pathways to gain coveted binary images of firmware and resident code execution.

TLS 'secrets'

SSL and TLS have become the de-facto standards for transport-layer encryption. In recent years, many vulnerabilities have been uncovered in both the standards, their implementation and the way people configure and use them. This talk is exploring in details a lesser-known and much less talked about part of the standard which breaks some of the security properties one would expect. A tool allowing for forensic recovery of plaintext (even when PFS ciphers are in use) will be released.

Town Hall Meeting: CFAA Reform Strategy

Aaron Swartz, a brilliant computer programmer and activist, committed suicide in January. At the time of his passing, Aaron was facing criminal charges carrying the possibility of decades in prison based on his use of the MIT campus network to download millions of journal articles from a database of academic scholarship.

Aaron's death has prompted a vigorous public debate about the factors that contributed to his tragedy, including the many problems with the Computer Fraud and Abuse Act, including its vague language and harsh penalty scheme. The information security community has an important role to play in educating and persuading lawmakers to reform this dangerous law. In this town hall meeting, join activists involved in CFAA reform efforts to discuss how you can get involved in the public debate around CFAA reform and strategize about how to have the most impact.

Presented by

Kurt Opsahl


Despite the fact that UART has been around FOREVER and is actually frequently used by vulnerability researchers in the hardware space, it has not been discussed as a dedicated topic on its own. This talk is intended to fill that gap. We will provide an overview of what UART is, the tools that exist to work with it and provide examples of why a security researcher should care. We will also explore why UART is a powerful friend for anyone who likes to repurpose hardware. We will also provide BKMs for companies building products that include UART to decrease the likelihood it will be used against them.

Universal DDoS Mitigation Bypass

Today's commercial DDoS mitigation technologies employ many different techniques for identifying DDoS traffics and blocking these threats. Common techniques range from basic malformed traffic check, to traffic profiling and rate limiting, to traffic source verification and so on, with captive redirection utilizing Javascript- or CAPTCHA-based authentications being the most effective by far. However, in our research weaknesses were found in each and every such technique.

We rolled all our exploits into a PoC attack tool, giving it near-perfect DDoS mitigation bypass capability against all existing commercial DDoS mitigation solutions. The ramification is huge because for vast majority of web sites, these mitigation solutions stand as their last line of defense, having this last line breached can expose these web sites' backend to devastating damages.

We have surveyed extensively the entire range of DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work and how to defeat each of them. Essentially bypass is achieved through emulating legit traffic characteristics. Afterwards our attack tool is introduced to demonstrate how all these exploits can be brought together to execute a "combo attack" to bypass all layers of protection in order to gain access to the backend.

To coincide with the publication of this talk, our highly effective _attack_tool_will_be_made_freely_available_. The effectiveness of this tool is illustrated via testing results against specific DDoS mitigation products and popular web sites known to be protected by specific technologies. To conclude our research, a next-gen mitigation technique is also proposed as a countermeasure against our attack methodology.


Every day we produce tons of digital breadcrumbs through our activities in online services – from social networks, photo sharing, mailing lists, online forums and blogs to more specialized tools, such as commits to open source projects, music listening services and travel schedules. These have long been known to provide useful information when profiling a target for social engineering purposes, especially due to the frantic pace and often uncensored way at which we generate such content.

Our talk takes a tool-oriented approach to these profiling activities. By using data mining techniques combined with natural language processing, we can determine patterns in the way a user interacts with other users, his usual choice of vocabulary and phrasing, the friends/colleagues he most frequently communicates with as well as the topics discussed with them. By consuming publicly available data, using both official APIs and scraping web pages, our profile can be used to validate how close forged content is to actual target-generated data.

We will discuss the indexing of unstructured content, including issues such as the legal and technical implications of using official APIs versus scraping, how to build user relationship graphs and how to add temporal references to the collected data.

We will also release a tool that automates the data mining and natural language processing (NLP) of unstructured information available on public data sources, as well as comparing user created content against a generated profile using various criteria, including:

  • Network of friends/colleagues;
  • Frequency of communication with friends/colleagues;
  • Shared interests between target and friends/colleagues;
  • Hobbies and personal activities;
  • Upcoming and past trips;
  • Frequency of use of verbs;
  • Frequency of use of adjectives;
  • Frequency of use of nouns;
  • Average number of words per sentence or paragraph.

Virtual Deobfuscator - a DARPA Cyber Fast Track funded effort

While there has been a lot research done on automatically reverse engineering of virtualization obfuscators, there has been no approach that did not require a lot of man-hours identifying the bytecode (static approaches) or a complete recreation of the bytecode back to original source form (dynamic approaches). The tool I created, Virtual Deobfuscator, will require no static man-hours reversing for the bytecode location or how the VM interpreter works, and will recreate instructions nearly equivalent to the original instructions.

Presented by

Jason Raber

What's on the Wire? Physical Layer Tapping with Project Daisho

We believe that flaws in network protocols will not be discovered unless physical layer communication tapping solutions are made available to security researchers. In order to have confidence in our communication media we need the ability to monitor and modify the packets transferred on the wire. 802.11 network monitoring allowed the flaws in WEP and WPA to be exposed, Bluetooth Low Energy monitoring has shown problems in the key exchange protocol, but we are often more trusting of wired connections. Project Daisho is an attempt to fix that trust by allowing researchers to investigate wired protocols using existing software tools wherever possible. Daisho is an open source, extensible, modular network tap for wired communication media such as gigabit Ethernet, HDMI connections, and USB 3.0 connections. All aspects of the project are open source, including the hardware designs, software and FPGA cores. The project is producing the first open source USB 3.0 FPGA core.

What Security Researchers Need to Know About Anti-Hacking Law

The federal anti-hacking law, the Computer Fraud and Abuse Act, is infamous for its broad language and tough penalties, and has been used in recent years to bring heavy-handed charges against targets like Andrew Auernheimer (aka Weev) and Aaron Swartz. This presentation will explain why the CFAA is such a dangerous tool in the hands of overzealous prosecutors. I'll survey some of the legal precedents most relevant to the infosec community, including cases on port scanning, violating website terms of use, and designing tools capable of bypassing technical access controls. I'll also explain the prosecution against Weev in depth and discuss its greater implications for security researchers. Finally, I'll discuss what security professionals can learn from these cases to reduce the potential for legal trouble.

Presented by

Marcia Hofmann

With BIGDATA comes BIG responsibility: Practical exploiting of MDX injections

Let’s take a look into the place where critical data is stored for further analytics afterwards. It’s Business Warehouse (BW) and Big Data. Classic online transaction processing systems (OLTP) are not quite suitable to process big data, so they were replaced by OLAP with its multi-dimensional structures. This technology is present in almost all Business Intelligence applications including key vendors like Microsoft, Oracle, and SAP. All the critical corporate data in one place, well… isn’t it a sweet target for an attacker?

The OLAP technology has brought a lot of new terms and concepts into the world: OLAP cube, measures, dimensions, XMLA, and the MDX language, which is used for requests to multi-dimensional data structures. In today’s Business Intelligence (BI) marketplace, most OLAP servers and almost all BI clients talk in MDX. This talk will describe in detail all the entities of this technology and especially the MDX request language. The talk will also feature an overview of possible MDX-related attacks as well as an overview of code injection, data retrieval and update vectors.

Moreover, I will show some examples of the systems that can be exploited by MDX-related vulnerabilities, their system-related differences, post-exploitation vectors, and a cheat-sheet with a tool for simplifying MDX Injections.

') UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques’)%00

This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also demonstrate these techniques on both open-source and commercial firewalls and present the ALPHA version of a framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine if they are an adequate enough defense measure to stop a real cyber-attack.

Many of the techniques that will be presented were created by Roberto Salgado and are currently some of the fastest methods of extracting information from a database through SQL Injections. Roberto will demonstrate how to reduce the amount of time it takes to exploit a SQL Injection by over a third of the time it would normally take. He will also demonstrate why firewalls and intrusion detection systems are not the ultimate solution to security and why other measurements should also be implemented.

Presented by

Roberto Salgado



Do-It-Yourself Cellular IDS

For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.

We leveraged commercial Home Node-Bs ("femtocells") to create a 3G cellular network sniffer without needing to reimplement the UMTS or CDMA2000 protocol stacks. Inside a Faraday cage, we connected smartphones to modified femtocells running Linux distributions and redirected traffic to a Snort instance. Then we captured traffic from infected phones and showed how Snort was able to detect and alert upon malicious traffic. We also wrote our own CDMA protocol dissector in order to better analyze CDMA traffic.

Embedded Devices Security and Firmware Reverse Engineering

Embedded devices have become the "usual presence" in the network of (m)any household(s), SOHO, enterprise or critical infrastructure.

The preached Internet of Things promises to "gazillion"uple their number and heterogeneity in the next few years.

However, embedded devices are becoming lately the "usual suspects" in security breaches and security advisories and thus become the "Achilles' heel" of one's overall infrastructure security.

An important aspect is that embedded devices run on what's commonly known as firmwares.

To understand how to secure embedded devices, one needs to understand their firmware and how it works.

This workshop aims at presenting a quick-start at how to inspect firmwares and a hands-on presentation with exercises on real firmwares from a security analysis standpoint.

JTAGulator: Assisted discovery of on-chip debug interfaces

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on-the-fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time consuming task, sometimes requiring physical destruction or modification of the device.

In this session, Joe will introduce the JTAGulator, an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces.

Presented by

Joe Grand

Methodologies for Hacking Embedded Security Appliances

Security appliances, for everything from firewalls to encrypted SAN devices are a dime a dozen these days. Vendors are throwing jargon into everything they possibly can to make the consumer believe they have the top-of-line device, with every possible feature a person could want. Everyone has heard the sales pitches, but does anyone really take the time to verify the claims, or understand how those devices function?

We’ll go in-depth on the methods we use in breaking down hardened security appliances for analysis, using real world examples where possible. We hope to point out possible failure points within the construction of a security device, so as to better educate purchasers and producers on why products fail. We’ll analyze methods of key management, cryptographic implementation, system recovery, tamper detection, interfaces, and much more.

Presented by

Rob Bathurst
Mark Carey

Mo Malware Mo Problems - Cuckoo Sandbox to the rescue

Cuckoo Sandbox is a widely used open-source project for automated dynamic malware analysis. It takes malicious documents or URLs as input and provides both high-level overview reports as well as detailed API call traces of the activities observed inside a virtual machine. The project was founded by Claudio Guarnieri and is mainly developed by four developers in their free time and during weekends. Cuckoo Sandbox distinguishes from other solutions thanks to its modular design and flexible customization features. Because of this unique emphasis several large IT corporations and security companies run Cuckoo Sandbox to analyze malware samples on a daily basis and it’s often placed alongside with traditional perimeter security products as an added weapon to incident response and security teams’ arsenals. Being open-source, it also empowers independent and academic security researchers to use a full-fledged malware analysis sandbox freely.

For the latest available version we saw more than 8000 downloads and a few hundred constantly running deployments with enabled update-checks. This community also contributes to the project in various forms such as setup instructions, code contributions, behavioral signatures, feature requests and usability feedback and is actively engaged in conversations over mailing lists and IRC.

The development team already presented about the project and conducted trainings on several occasions. However due to a wealth of new features and increased development effort, the project is growing and becoming more stable and capable in the recent times. For this reason we want to host a workshop that we designed from scratch with a completely new approach. It will showcase the tool, contain several challenging hands-on exercises with interesting malware samples and explain customization possibilities again with examples that attendees can try. Additionally in this presentation we cover our new VM-introspection based analysis module for the first time. We intend to release it as an alternative to our userland hooking based approach in order to evade malware trying to detect us. So in the future, users can use several analysis methods and compare results to pinpoint evasion techniques.

The audience can interact and participate to the workshop with just a web browser and an SSH client.

Network Forensics: Sudden Death Workshop

Test your Network Forensics-fu in this deadly workshop. Participants will receive a brand new release of the Network Forensics workstation and packet captures containing VoIP, streaming video, IRC traffic, proprietary protocols, TLS-encrypted traffic, Android application traffic, and more.

Wireshark won't save you in this battle royale! Competitors will have to:

  • Reverse engineer a proprietary protocol to uncover a secret document
  • Manually extract a streaming video from a VLC session
  • Carve a telephone call out of SIP traffic
  • Crack TLS-encrypted Facebook traffic from a mobile phone session to capture the suspect's location
  • Beat every other network forensic expert to the solution

The fastest network forensics expert wins! Rounds are timed, and the first person to solve each round wins a prize. Solutions will be reviewed during the workshop. You get to keep the evidence and Network Forensic workstation image.

PDF Attack: A Journey from the Exploit Kit to the shellcode

PDF Attack: A journey from the Exploit Kit to the shellcode is a workshop to show how to analyze obfuscated Javascript code from an Exploit Kit page, extract the exploits used, and analyze them. Nowadays it is possible to use automated tools to extract URLs and binaries but it is also important to know how to do it manually to not to miss a detail. We will focus on PDF documents mostly, starting from a simple Javascript Hello World document and ending with a real file used by a fresh Exploit Kit. This workshop will also include exercises to modify malicious PDF files and obfuscate them to try to bypass AV software; very useful in pentesting. The latest version of peepdf (included in REMnux, BackTrack and Kali Linux) will be used to accomplish these tasks, so this presentation covers the latest tricks used by cybercriminals like using new filters and encryption to make analysis more difficult.

Presented by

Jose Miguel Esparza

Practical Pentesting of ERPs and Business Applications

Today, the whole business of a company depends on enterprise business applications. They are big systems that store and process all the critical data of companies. Any information an attacker might want, be it a cybercriminal, industrial spy or competitor, is stored here. This information can include financial, customer or public relations, intellectual property, personally identifiable information, and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s business application and cause significant damage to the business. There are many types of those applications: ERPs, CRMs, SRMs, ESBs. Unfortunately, there is still very little information about the security of those systems, especially how to pentest them.

During our work on OWASP-EAS subproject, we gathered top 10 critical areas (similar to most of the business applications), so we will present a solid approach for pentesting those types of systems. We will look at 3 different systems from top business application vendors: SAP, Oracle and Microsoft, and show how to pentest them using our cheatsheets that will be released for BlackHat as well as a free tool: ERPScan Pentesting Tool.


Turbo Talks

Abusing Web APIs Through Scripted Android Applications

This will be a presentation focused on abusing web application APIs through the use of associated Android apps. We'll demonstrate using the JVM based scripting language JRuby to load, modify, and run code from targeted APKs in an easily scriptable way. We'll leverage this to demonstrate attacks against web APIs that have reduced their security requirements in order to allow for a more frictionless mobile experience, such as removing the need for captchas, email validation, and other usage restrictions. Building on that, we'll show code building on the existing testing framework of Burp suite and its Ruby interface Buby to make requests to APIs using the functionality we've exposed through the scripting to find differing responses to similar requests, and identifying potential weak points. We'll conclude with several case studies of popular apps demonstrating private key retrieval, arbitrary unlimited account creation on a social network, and locating and using custom cryptographic routines in our own scripts without the need to understand their implementation.

Presented by

Daniel Peck

Beyond the Application: Cellular Privacy Regulation Space

Aggressive data collection practices by cell providers have sparked new FCC interest in closing regulatory gaps in consumer privacy protection. Tensions exist between consumers and carriers, as well as between regulatory agencies. This talk will explore the current landscape from a technical as well as regulatory perspective and examine how it may change in the near future.

Presented by

Christie Dudley

Big Data for Web Application Security

The security posture of an application is directly proportional to the amount of information that is known about the application. Although the advantages of analytics from a data science perspective are well known and well documented, the advantages of analytics from a web application security perspective are neither well known nor well documented. How can we, as web application security practitioners, take advantage of big data stacks to improve the security posture of our applications? This talk will dive into the ways that big data analytics can be taken advantage of to create effective defenses for web applications today. We'll outline the fundamental problems that can and should be solved with big data and outline the classes of security mechanisms that simply, based on their nature, cannot be solved with big data. Once an understanding of the domain is established, we'll explore several specific examples that outline how one security team uses big data every day to solve hard, interesting problems and create a safer experience for its users.

Presented by

Mike Arpaia
Kyle Barry

Clickjacking Revisited: A Perceptual View of UI Security

We revisit UI security attacks (such as clickjacking) from a perceptual perspective and argue that limitations of human perception make UI security difficult to achieve. We develop five novel attacks that go beyond current UI security defenses. Our attacks are powerful with a 100% success rate in one case. However, they only scratch the surface of possible perceptual attacks on UI security. We discuss possible defenses against our perceptual attacks and find that possible defenses either have an unacceptable usability cost or do not provide a comprehensive defense. Finally, we posit that a number of attacks are possible with a more comprehensive study of human perception.

Presented by

Devdatta Akhawe

CMX: IEEE Clean File Metadata Exchange

False positives are a huge problem in the security space. Organizations can spend more time and engineering on reducing FPs than on detecting new malware. Whitelists can help, but there are difficulties with these. Many organizations will not permit the exchange of files for copyright reasons. 3rd party developers must deal with multiple security vendors to get their software whitelisted.

CMX is a system being operated by IEEE. 3rd party software developers can submit metadata for their applications to a single portal. Security vendor subscribers can then pull -- in realtime -- all the metadata being pushed into the system. Since only metadata is being exchanged, there are no copyright problems.

This system will greatly simplify the maintenance of global whitelists.

Presented by

Mark Kennedy
Igor Muttik

CrowdSource: An Open Source, Crowd Trained Machine Learning Model for Malware Capability Detection

Due to the exploding number of unique malware binaries on the Internet and the slow process required for manually analyzing these binaries, security practitioners today have only limited visibility into the functionality implemented by the global population of malware. To date little work has been focused explicitly on quickly and automatically detecting the broad range of high level malware functionality such as the ability of malware to take screenshots, communicate via IRC, or surreptitiously operate users’ webcams.

To address this gap, we debut CrowdSource, an open source machine learning based reverse engineering tool. CrowdSource approaches the problem of malware capability identification in a novel way, by training a malware capability detection engine on millions of technical documents from the web. Our intuition for this approach is that malware reverse engineers already rely heavily on the web “crowd” (performing web searches to discover the purpose of obscure function calls and byte strings, for example), so automated approaches, using the tools of machine learning, should also take advantage of this rich and as of yet untapped data source.

As a novel malware capability detection approach, CrowdSource does the following:

  1. Generates a list of detected software capabilities for novel malware samples (such as the ability of malware to communicate via a particular protocol, perform a given data exfiltration activity, or load a device driver);
  2. Provides traceable output for capability detections by including “citations” to the web technical documents that detections are based on;
  3. Provides probabilistic malware capability detections when appropriate: e.g., system output may read, “given the following web documents as evidence, it is 80% likely the sample uses IRC as a C2 channel, and 70% likely that it also encrypts this traffic.”

CrowdSource is funded under the DARPA Cyber Fast Track initiative, is being developed by the machine learning and malware analysis group at Invincea Labs and is scheduled for beta, open source release to the security community this October. In this presentation we will give complete details on our algorithm for CrowdSource as it stands, including compelling results that demonstrate that CrowdSource can already rapidly reverse engineer a variety of currently active malware variants.

Presented by

Joshua Saxe

Denial of Service as a Service - asymmetrical warfare at its finest

Imagine being DDOS'd repeatedly with up to 10Gbps of traffic on a daily basis. Your logs are useless (when your systems are even able to collect data). How do you stop the attacks? Crippling Distributed Denial of Service “As a Service” or DDoSaaS (tm) attacks can be done with $200 lifetime memberships against the largest organizations around - and almost impossible to stop. Asymmetrical warfare at its finest.

The presentation will focus on an investigation that was done in 2013 regarding a large DDOS attack against a regional ISP in Quebec, Canada. The DDOS attack affected tens of thousand of citizens including municipal 911 services (don't ask) to chicken farmers.

We'll talk about the investigative techniques (including social engineering) that were used to track down the suspect and the eventual arrest.

Presented by

Robert Masse

Denying service to DDOS protection services

In this age of cheap and easy DDOS attacks, DDOS protection services promise to go between your server and the Internet to protect you from attackers. Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare- but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers. We have developed a tool – called No Cloud Allowed – that will exploit this new cloud security bypass method and unmask a properly configured DDOS protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud based DDOS or WAF protection.

Presented by

Allison Nixon

Detecting Vulnerabilities in Virtual Devices Using Conformance Testing -- "Turning Old Hardware into Gold"

Virtual devices are key building blocks of virtual machines. Any flaws or vulnerabilities in a virtual device directly threaten the security of the whole virtual machine. In this talk, we will present our experience detecting bugs in virtual devices by comparing a virtual device to its physical counterpart.

Since the device drivers in a guest operating system assume the virtual devices behave the same as the physical devices, any diverging behavior could potentially cause problems for the device drivers and threaten the security of the guest operating system and the virtual machine platform. We compared the QEMU/KVM virtual implementations of the e1000 and eepro100 to their physical counterparts and found multiple bugs in each, one of which was confirmed to affect guest OS security, leading to CVE-2012-6075.

Our talk will cover the basic idea of using virtual and physical device comparison for fuzzing virtual devices, and additionally describe the observability of each device type, methods for capturing device events and states, and methods for comparing between them with only partial state information. We will explain each of these steps using the real examples that led to our discovery of bugs in the e1000 and eepro100 virtual devices. We expect this talk to attract a traditional OS security audience as well as people interested in new testing methods for cloud environments.

Presented by

Kang Li
Michael Contreras

Malicious File for Exploiting Forensic Software

Commercial forensic software such as EnCase, FTK and X-Ways Forensics adopts the same library component for viewing file content. If the library component is exploitable, lots of forensic investigators are exposed to risks like malware infection and freeze of the software by checking crafted malicious files.

This presentation introduces anti-forensic techniques exploiting vulnerabilities of the component embedded in forensic software. Specifically, I show one malicious file can trigger arbitrary code execution on multiple forensic software products. The exploitation has great impact on forensic investigation because most forensic software includes it.

The presentation is made up as follows. First, I explain the file viewer component in forensic software and how to fuzz it with a custom script of forensic software, MiniFuzz and a kernel driver for anti-debugging. Next, I describe two vulnerabilities (heap overflow and infinite loop DoS) detected by the fuzzer then demonstrate arbitrary code execution and hang-up of forensic software process using malicious files. I also fill in the gaps on some tricks for exploiting heap overflow (e.g., overwriting function pointers, finding the condition of heap spraying with bitmap images). Finally, I refer to countermeasures.

Mobile Malware: Why the traditional AV paradigm is doomed and how to use physics to detect undesirable routines

The traditional Anti-Virus paradigm focuses on signature-based and behavioral detection. These require substantial processing, which hurts the limited power resources of handsets. Also, carriers are reluctant and slow to deliver Firmware Over The Air (FOTA) patches, due to the rigorous testing they need to subject updates to, and the costs of over-the-air updates. A move to cloud-based screening fails to recognize that not all threats will be propagated over the backbone, may obfuscate themselves in transit; or fight back (as rootkits do) to evade reporting or use of techniques such as the "Google kill switch".

Hardware vendors are evaluating security solutions with hardware support, such as TrustZone, but while this reduces the vulnerabilities, it still exposes an attack surface. Software-based attestation has been proposed by several research groups, based on various techniques that rely on the physics of the device (such as the speed of the bus, etc) to detect undesirable routines. These techniques typically require some hardware support on the devices, though, such as a trustworthy authentication (of the device to an external verifier) and a timer that cannot be manipulated by malware.

New Trends in FastFlux Networks

Fast-flux networks has been adopted by attackers for many years. Existing works only focus on characteristics such as the fast changing rate of the IP addresses (e.g. A record) and the name server addresses (NS records); the single flux/double flux structure etc. In this work, we track and analyze over 200 fast-flux domains and we discovered that the features of the fast-flux networks have shifted. More specifically, we discovered that the change rate of the IP addresses and name server addresses are slower than before, in some cases even slower than some benign applications that leverage fast-flux alike techniques. We also discovered that IP addresses and name servers are shared among different families of fast-flux domains indicating that there is a well-established under-ground economic model for the use of fast-flux network. Moreover, we also noticed that instead of single or double flux, current fast-flux domains exhibits “n-levels” of flux behavior, i.e., there appears to be “n” levels of name servers in the DNS system for fast-flux domains. Finally, we also studied the benign applications that look alike fast-flux domains but not. In light of these new characteristics, we proposed several new detection approaches that capture the discoveries about the new features of fast-flux domains.

Presented by

Wei Xu
Xinran Wang

OPSEC failures of spies

The CIA is no more technologically sophisticated than your average American, and as a result, has suffered serious and embarrassing operational failures.

This is a rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job.

In 2005, news organizations around the world reported that an Italian court had signed arrest warrants for 26 Americans in connection with an extraordinary rendition of a Muslim cleric. At the heart of the case was the stunning lack of OPSEC the team of spies used while they surveilled and then snatched their target off the streets of Milan.

The incident, known as the Italian Job inside the CIA, became an international scandal and caused global outrage. What very few people ever understood was that the CIA's top spies were laughably uneducated about cell phone technology and ignorant of the electronic fingerprints left behind.

The story would be startling, though old, if not for the fact that eight years after the debacle in Milan, history repeated itself.

In 2011, an entire CIA network of Lebanese informants was busted by Hezbollah. The reason: cell phone OPSEC failures. After receiving a warning from Mossad, who had lost their network a year earlier the same way, the CIA dismissed Hezbollah's ability to run analytic software on raw cell phone traffic. But they did. And with a little effort, the CIA's network of spies, as well as their own officers, were identified one by one.

This is the true story of American Intelligence's Keystone Kops.

Presented by

Matthew Cole

Password Hashing: the Future is Now

Passwords are hashed everywhere: operating systems, smartphones, web services, disk encryption tools, SSH private keys, etc. Hashing passwords mitigates the impact of a compromised database by forcing attackers to bruteforce passwords. Bruteforce is easier when the hash function is not "salted", fast to evaluate, and easy to implement as multiple parallel instances on GPUs or multi-core systems. However existing solutions are not satisfactory, and the huge majority of systems rely on weak hashes (eg. leaks from Sony, LinkedIn, or more recently Evernote).

After a brief introduction of the problem and previous solution attempts, this talk presents a roadmap towards new improved hashing methods, as desired by a number of parties (from industry and standardization organizations).

First, we'll enumerate the technical challenges for software and security engineers as well as cryptographers and attackers, discussion questions like: why, counter-intuitively, parallelism is desirable? How can complexity theory benefit password hashing? How to define a metric that encompasses performance on GPUs and ASICs? Should hashing be performed by the client, server, or both? What about DoS induced by slow hashing? etc.

Then we'll describe the initiative that motivated this talk: the Password Hashing Competition (PHC), a project similar to the pure-cryptography competitions AES, eSTREAM, or SHA-3, but focused on the password hashing problem: the PHC gathers the leading experts from the password cracking scene as well as cryptographers and software engineers from academia, industry, as well as NIST, to develop the hashing methods of the future.

Presented by

Jean-Philippe Aumasson

Shattering Illusions in Lock-Free Worlds: Compiler/Hardware Behaviors in OSes and VMs

Memory access operations in OSes, VMs or traditional applications from different threads and processes can lead to various security issues depending on the compiler/hardware - especially in non-blocking code. Compilers/hardware pretend to provide sequential order execution, and this illusion does hold for single-threaded code. However, they are not aware of which memory locations are shared and developers oftentimes make the wrong assumptions about memory models. It can be subtle to protect these memory sections from aggressive read/write re-ordering and various optimizations depending on the compiler on x86, x86-64 or the loosely ordered IA64, ARM CPUs as well as GPUs - and it can easily lead to "losing the illusion" of sequential consistency.

I will discuss common issues depending on the hardware and compiler used, mostly related to loosely ordered hardware and the C/C++11 memory models, but will also compare how they hold in higher level languages. Developers will better understand how these issues can be mitigated and researchers will be able to find them more easily.

Presented by

Marc Blanchou


The global Tor network and its routing protocols provide an excellent framework for online anonymity. However, the selection of Tor-friendly software for Windows currently sucks.

Want to anonymously browse the web? You’re stuck with Firefox, and don’t even think about trying to anonymously use Flash.

Want to dynamically analyze malware without letting the C2 server know your home IP address? You’re outta luck.

Want to anonymously use any program that doesn’t natively support SOCKS or HTTP proxying? Not gonna happen.

While some solutions currently exist for generically rerouting traffic through Tor, these solutions either don’t support Windows or require an additional network gateway device.

This talk presents a new tool to securely, anonymously, and transparently route all TCP/IP and DNS traffic through Tor, regardless of the client software, and without relying on VPNs or additional hardware or virtual machines. Black Hat 2013 will mark the release of this new Tor tool -- Tortilla!

Presented by

Jason Geffner

Truncating TLS Connections to Violate Beliefs in Web Applications

We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.

Presented by

Ben Smyth
Alfredo Pironti

Untwining Twine

Over 14 years ago, Kevin Ashton was the first to coin the term "internet of things," and pointed out that data on the Internet is mostly created by humans. Things have changed considerably since 1999 - Lou Bega's Mambo No. 5 is no longer on the radio, many appliances ship with embedded systems that can be remotely monitored, and the smart home is something we're all excited for and terrified of.

Twine is a consumer device that provides remote environmental monitoring through a variety of sensors, such as moisture, temperature, vibration, etc... We will discuss our analysis of Twine, and will lead you through the steps taken to understand what's going on under the hood of a "black box" device. The audience will be introduced to the challenges faced, and to the different approaches that can be leveraged to understand (and exploit!) embedded devices (the fridge that tweets and similar devices). Topics include: capturing traffic on a non-proxy aware device, obtaining and reverse engineering the firmware, analyzing opaque binary traffic, emulating a Twine device and gaining console access via the debug serial port.

The Web IS Vulnerable: XSS Defense on the BattleFront

Cross-site scripting issues remain a big problem of the web: using a combination of big data mining and relatively simple detection methods, we have identified attackers successfully exploiting XSS flaws on over 1,000 vulnerable pages on hundreds of websites, spanning multiple countries, types of organizations, all major TLDs, and well known international companies. We also found numerous malicious attacks of different severity leveraging existing XSS vulnerabilities.

In this talk first we summarize our findings, presenting both unusual cases and various statistics, and then we follow up with present state-of-the art methods of protection from probing for XSS vulnerabilities and XSS attacks, showing that they are capable of intercepting over 95% of the real-world malicious samples. We will also introduce a new research tool called detectXSSlib, which is a lightweight module for nginx server dedicated to real-time detection of XSS attacks.