DOE AGORA Qualquer valor

McNamee

KEYNOTES

 

BRIEFINGS

 

WORKSHOPS

 

TURBO TALKS

BRIEFINGS

KEYNOTES


DAY ONE KEYNOTE JULY 31


PRESENTED BY

Gen. Alexander

PRESENTED BY

Brian Muirhead

 

BRIEFINGS


A PRACTICAL ATTACK AGAINST MDM SOLUTIONS

Spyphones are surveillance tools surreptitiously planted on a users handheld device. While malicious mobile applications mainly phone fraud applications distributed through common application channels - target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.
How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.

A TALE OF ONE SOFTWARE BYPASS OF WINDOWS 8 SECURE BOOT

Windows 8 Secure Boot based on UEFI 2.3.1 Secure Boot is an important step towards securing platforms from malware compromising boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine protections offered by Secure Boot. We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.

ABOVE MY PAY GRADE: CYBER RESPONSE AT THE NATIONAL LEVEL

Incident response is usually a deeply technical forensic investigation and mitigation for an individual organization. But for incidents that are not merely cyber crime but truly national security events, such as large-scale disruptive attacks that could be acts of war by another nation, the process is completely dissimilar, needing a different kind of thinking.
This talk will discuss exactly how, detailing the flow of national security incident response in the United States using the scenario of a major attack on the finance sector. The response starts at individual banks and exchanges, through the public-private sector information sharing processes (like FS-ISAC). Treasury handles the financial side of the crisis while DHS tackles the technical. If needed, the incident can be escalated to the military and president especially if the incident becomes especially disruptive or destructive. The talk examines this flow and the actions and decisions within the national security apparatus, concluding with the pros and cons of this approach and comparing it to the process in other key countries.

PRESENTED BY

Jason Healey

ANDROID: ONE ROOT TO OWN THEM ALL

This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.

PRESENTED BY

Jeff Forristal

BINARYPIG - SCALABLE MALWARE ANALYTICS IN HADOOP

Over the past 2.5 years Endgame received 20M samples of malware equating to roughly 9.5 TB of binary data. In this, we’re not alone. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10M samples in the last quarter of 2012 [1]. Its total corpus is estimated to be about 100M samples. VirusTotal receives between 300k and 600k unique files per day, and of those roughly one-third to half are positively identified as malware [2].
This huge volume of malware offers both challenges and opportunities for security research especially applied machine learning. Endgame performs static analysis on malware in order to extract feature sets used for performing large-scale machine learning. Since malware research has traditionally been the domain of reverse engineers, most existing malware analysis tools were designed to process single binaries or multiple binaries on a single computer and are unprepared to confront terabytes of malware simultaneously. There is no easy way for security researchers to apply static analysis techniques at scale; companies and individuals that want to pursue this path are forced to create their own solutions.
Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset.
To address this problem, we will present our open framework, BinaryPig, as well as some example uses of this technology to perform a multiyear, multi-terabyte, multimillion-sample malware census. This framework is built over Apache Hadoop, Apache Pig, and Python. It addresses many issues of scalable malware processing, including dealing with increasingly large data sizes, improving workflow development speed, and enabling parallel processing of binary files with most pre-existing tools. It is also modular and extensible, in the hope that it will aid security researchers and academics in handling ever-larger amounts of malware.
In addition, we will demonstrate the results of our exploration and the techniques used to derive these results. The framework, analysis modules, and some example applications will be released as open source (Apache 2.0 License) at Blackhat.

BIOS SECURITY

In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.
We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.

BLACK-BOX ASSESSMENT OF PSEUDORANDOM ALGORITHMS

Last year at Black Hat, Argyros and Kiayias devastated all things pseudorandom in open-source PHP applications. This year, we're bringing PRNG attacks to the masses.
We'll point out flaws in many of the most common non-cryptographic pseudorandom number generators (PRNGs) and examine how to identify a PRNG based on a black-box analysis of application output. In many cases, most or all of the PRNG's internal state can be recovered, enabling determination of past output and prediction of future output. We'll present algorithms that run many orders of magnitude faster than a brute-force search, including reversing and seeking the PRNG stream in constant time. Finally, of course, we'll demonstrate everything and give away our tool so that you can perform the attacks during your own assessments.

BLACKBERRYOS 10 FROM A SECURITY PERSPECTIVE

BlackBerry prides itself with being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.
This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?

PRESENTED BY

Ralf-Philipp Weinmann

BLUETOOTH SMART: THE GOOD, THE BAD, THE UGLY, AND THE FIX!

Bluetooth Smart, AKA Bluetooth Low Energy (BTLE), is a new modulation mode and link-layer packet format defined in Bluetooth 4.0. A new class of low-power devices and high-end smartphones are already on the market using this protocol. Applications include everything from fitness devices to wireless door locks. The Good: Bluetooth Smart is well-designed and good at what it does. We explain its workings from the PHY layer (raw RF) all the way to the application layer. The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools. The Fix: We implement Elliptic Curve Diffie-Hellman to exchange a key in-band. This backward-compatible fix renders the protocol secure against passive eavesdroppers.

PRESENTED BY

Mike Ryan

BOCHSPWN: IDENTIFYING 0-DAYS VIA SYSTEM-WIDE MEMORY ACCESS PATTERN ANALYSIS

Throughout the last two decades, the field of automated vulnerability discovery has evolved into the advanced state we have today: effective dynamic analysis is achieved with a plethora of complex, privately developed fuzzers dedicated to specific products, file formats or protocols, with source code and binary-level static analysis slowly catching up, yet already proving useful in specific scenarios. Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers. Considering the current impact of ring-0 security on the overall system security posture and number of kernel-specific bug classes, we would like to propose a novel, dynamic approach to locating subtle kernel security flaws that would likely otherwise remain unnoticed for years.
The presentation will introduce the concept of identifying vulnerabilities in operating systems’ kernels by employing dynamic CPU-level instrumentation over a live system session, on the example of using memory access patterns to extract information about potential race conditions in interacting with user-mode memory. We will discuss several different ways to implement the idea, with special emphasis on the “Bochspwn” project we developed last year and successfully used to discover around 50 local elevation of privilege vulnerabilities in the Windows kernel so far, with many of them already addressed in the ms13-016, ms13-017, ms13-031 and ms13-036 security bulletins. The tool itself will be open-sourced during the conference, thus allowing a wider audience to test and further develop the approach.

BUGALYZE.COM - DETECTING BUGS USING DECOMPILATION AND DATA FLOW ANALYSIS

Bugwise is a free online web service at www.bugalyze.com to perform static analysis of binary executables to detect software bugs and vulnerabilities. It detects bugs using a combination of decompilation to recover high level information, and data flow analysis to discover issues such as use-after-frees and double frees. Bugwise has been developed over the past several years and is implemented as a series of modules in a greater system that performs other binary analysis tasks such as malware detection. This entire system consists of more than 100,000 lines of C++ code and a scalable load balanced multi-node Amazon EC2 cluster. In this talk, I will explain how Bugwise works. The system is still in the development stage but has successfully found a number of real bugs and vulnerabilities in Debian Linux. This includes double free, use-after-free, and over 50 getenv(,strcpy) bugs statically found from scanning the entire Debian repository.

PRESENTED BY

Silvio Cesare

BUYING INTO THE BIAS: WHY VULNERABILITY STATISTICS SUCK

Academic researchers, journalists, security vendors, software vendors, and other enterprising... uh... enterprises often analyze vulnerability statistics using large repositories of vulnerability data, such as CVE, OSVDB, and others. These stats are claimed to demonstrate trends in disclosure, such as the number or type of vulnerabilities, or their relative severity. Worse, they are often (mis)used to compare competing products to assess which one offers the best security.
Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending.
As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more.
We will give concrete examples of the misuses and abuses of vulnerability statistics over the years, revealing which studies do it right (rather, the least wrong), and how to judge future claims so that you can make better decisions based on these "studies." We will cover all the kinds of documented and undocumented bias that can exist in a vulnerability data source; how variations in counting hurt comparative analyses; and all the ways that vulnerability information is observed, cataloged, and annotated.
Steve will provide vendor-neutral, friendly, supportive suggestions to the industry. Jericho will do no such thing.

COMBATING THE INSIDER THREAT AT THE FBI: REAL WORLD LESSONS LEARNED

What do T.S. Eliot, Puxatony Phil, eugenics, DLP, crowdsourcing, black swans, and narcissism have in common? They are all key concepts for an effective insider threat program. Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade. The talk will provide insight on how our nation's premier law enforcement agency is detecting and deterring insider threat using a variety of techniques and technologies. This session will provide unique lessons learned from building a real world, operational insider threat monitoring and response program.

PRESENTED BY

Patrick Reidy

COMPROMISING INDUSTRIAL FACILITIES FROM 40 MILES AWAY

The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks have enabled these companies to reduce implementation, maintenance, and equipment costs and enhance personal safety by enabling new topologies for remote monitoring and administration in hazardous locations.
However, the manner in which sensor networks handle and control cryptographic keys is very different from the way in which they are handled in traditional business networks. Sensor networks involve large numbers of sensor nodes with limited hardware capabilities, so the distribution and revocation of keys is not a trivial task.
In this presentation, we review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. We also demonstrate some attacks that exploit key distribution vulnerabilities, which we recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies.
An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers. A remotely and wirelessly exploitable memory corruption bug could disable all the sensor nodes and forever shut down an entire facility. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made can be modified. This can lead to unexpected, harmful, and dangerous consequences.

CREEPYDOL: CHEAP, DISTRIBUTED STALKING

Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors, who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.

PRESENTED BY

Brendan O'Connor

DEFENDING NETWORKS WITH INCOMPLETE INFORMATION: A MACHINE LEARNING APPROACH

Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response.
Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst.
On this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.

PRESENTED BY

Alexandre Pinto

DISSECTING CSRF ATTACKS & COUNTERMEASURES

Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulns with automated tools can be equally difficult to do accurately.
The presentation starts with a demonstration of how to model attacks to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code to show how to detect these vulns with few false positives.
Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar to the intent of Content Security Policy. This new policy introduces a concept called Storage Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit on current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improving security on the web.

END-TO-END ANALYSIS OF A DOMAIN GENERATING ALGORITHM MALWARE FAMILY

Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices.
The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. This presentation will bring to light how this malware is tied to an underground campaign that has been active for at least the past six years.

PRESENTED BY

Jason Geffner

ENERGY FRAUD AND ORCHESTRATED BLACKOUTS: ISSUES WITH WIRELESS METERING PROTOCOLS (WM-BUS)

Government requirements, new business cases, and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructures.
While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability, and privacy.
Nations absolutely recognize the criticality of the energy infrastructure for their economic and political stability. Therefore, various initiatives to ensure reliability and availability of their energy infrastructures are being driven at nation as well as at nation union levels. In order to contribute to the evaluation of national cyber security risks, the author decided to conduct a security analysis in the field of smart energy.
Utilities have started to introduce new field device technology - smart meters. As the name implies, smart meters do support many more use cases than any old conventional electricity meter did. Not only does the new generation of meters support fine granular remote data reading, but it also facilitates remote load control or remote software updates. Hence, to build a secure advanced metering infrastructure (AMI), communication protocols must support bi-directional data transmission and protect meter data and control commands in transit.
Therefore, analysis of smart metering protocols is of great interest. The work presented has analyzed the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure.
The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication.
Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys.
Following that, the availability and reliability of the smart grid or at least parts of it may not be guaranteed.

PRESENTED BY

Cyrill Brunschwiler

EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER

This talk will examine 0-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.
Additionally, a proof-of-concept attack will be demonstrated in which a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.

PRESENTED BY

Craig Heffner

EVADING DEEP INSPECTION FOR FUN AND SHELL

Whether you have a Next Generation Firewall, an IPS, IDS, or a BDS, the security provided by these devices depends on their capability to perform robust TCP/IP reassembly. If this fails, the device can be bypassed. We researched the TCP/IP reassembly capabilities of security boxes and found that their detection can be evaded or pierced through with evasions that apply to the IP & TCP layers. The TCP reassembly capabilities of most security boxes are still poor. Instead of doing proper TCP reassembly, many of the analyzed boxes try to prevent attacks by anomaly detection, for example, by blocking small TCP segments. However, blocking small segments leads to false positives, so this kind of blocking strategy cannot be applied to real traffic without the false positive risk. We also found evasions that allowed the attack to succeed without any logs in the security box, even if all signatures were set to block.

THE FACTORING DEAD: PREPARING FOR THE CRYPTOPOCALYPSE

The last several years has seen an explosion of practical exploitation of widespread cryptographic weaknesses, such as BEAST, CRIME, Lucky 13 and the RC4 bias vulnerabilities. The invention of these techniques requires a lot of hard work, deep knowledge and the ability to generate a pithy acronym, but rarely involves the use of a completely unknown weakness. Cryptography researchers have known about the existence of compression oracles, RC4 biases and problems with CBC mode for years, but the general information security community has been unaware of these dangers until fully working exploits were demonstrated.
In this talk, the speakers will explain the latest breakthroughs in the academic crypto community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the latest breakthroughs in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. We will explain the basic theories behind RSA and the state-of-the-art in large numbering factoring, and how several recent papers may point the way to massive improvements in this area.
The talk will then switch to the practical aspects of the doomsday scenario, and will answer the question "What happens the day after RSA is broken?" We will point out the many obvious and hidden uses of RSA and related algorithms and outline how software engineers and security teams can operate in a post-RSA world. We will also discuss the results of our survey of popular products and software, and point out the ways in which individuals can prepare for the zombi^H^H^H crypto apocalypse.

FACT AND FICTION: DEFENDING YOUR MEDICAL DEVICES

In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this brought much needed attention to the issue, it has also uncovered a great deal of misinformation. This talk is going to tackle those confusing and controversial topics. What’s the reality of patching a medical device? Is it safe to run anti-virus protection on them? You’ll find out in this talk. This presentation will outline a framework on how vendors, buyers, and administrators of medical devices can bring substantive changes in the security of these devices. This talk will also have the unique element of discussing a medical device software bug that InGuardians uncovered. This bug will be discussed in detail and replicated live on stage. InGuardians has worked closely with the FDA on properly documenting and submitting this through their tracking system. This will be covered in full detail so other researchers will know how to properly disclose bugs and vulnerabilities.

PRESENTED BY

Jay Radcliffe

FULLY ARBITRARY 802.3 PACKET INJECTION: MAXIMIZING THE ETHERNET ATTACK SURFACE

It is generally assumed that crafting arbitrary, and sniffing, Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) have historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released.
This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored.
We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.

FUNDERBOLT: ADVENTURES IN THUNDERBOLT DMA ATTACKS

Intel's Thunderbolt allows for high-speed data transfers for a variety of peripherals including high-resolution high-bandwidth graphics displays, all using the same physical connection. This convenience comes at a bit of a cost: an external port into your computer's bus and possibly memory! Thunderbolt ports appear on high-end laptops like the MacBook Pro, but also increasingly on PC hardware, and on newer desktop and server motherboards. This proprietary technology is undocumented but problems with it could potentially undermine the privacy and security of users.
This talk chronicles process of exploring these risks through a practical exercise in reverse engineering. Experience the tribulations with reversing Thunderbolt chips, understand the attack strategies for exploiting DMA and see the pitfalls one encounters along the way, while gaining a deeper understanding of the risks of this new feature.

PRESENTED BY

Russ Sevinsky

HACKING LIKE IN THE MOVIES: VISUALIZING PAGE TABLES FOR LOCAL EXPLOITATION

A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allow you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map between the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for:
  • Windows 8 on x86_64
  • Windows 8 RT on ARMv7
  • Linux 3.8 on x86_64
  • Linux 3.4 on ARMv7 alias Android 4.2
  • XNU on x86_64 alias OS X
  • XNU on ARMv7 alias iOS
Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures.
By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses.
To make a final point, that this is not only nice to look at, we will show how we found a mitigated Android <= 4.0.x generic user-space ASLR bypass. For those interested in actually owning targets, we will show an Android 4.2.2 generic user-space ASLR bypass that also affects other latest Linux/ARM kernels.

HACKING, SURVEILLING, AND DECEIVING VICTIMS ON SMART TV

Smart TVs sold over 80,000,000 units around the world in 2012. This next generation "smart" platform is becoming more and more popular. On the other hand, we hardly see security research on Smart TVs. This presentation will cover vulnerabilities we've found on the platform.
You can imagine that Smart TVs have almost the exact same attack vectors that PC and Smart Phones have. Also, Smart TVs have interesting new attack surface such as the remote controller. We'll talk about attack points for Smart TV platform and cover security bugs we discovered. This talk will mostly focus on what attackers can do on a hacked Smart TV.
For example, expensive Smart TVs have many hardware devices like a Camera or Mic which, if remotely controlled, means bad guys can spy remotely without you knowing. Even more, it is possible to make Smart TVs monitor you 24/7 even though users turn off their TV, meaning #1984 could be done.
In addition, we'll point out a difference of viewpoint on leaked information type among PC, Smart Phone and Smart TV. Lastly, we'll give demo of live remote surveillance cam, which is sent to attacker's server at this talk.
This talk is an extended version of one, which I gave at CANSECWEST. It will demonstrate a spoofed news story on a hacked Smart TV and possibly TVshing (Smart TV edition of phishing.)

PRESENTED BY

SeungJin 'Beist' Lee

HIDING @ DEPTH - EXPLORING, SUBVERTING AND BREAKING NAND FLASH MEMORY

In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications. The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide peristent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed (Hint: your current tools probably don't work as well as you would like to believe).

Comentários

Ebook

Postagens mais visitadas