Black Hat Sao Paulo
 
 

Summit

A Practical Attack against MDM Solutions

Spyphones are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications, mainly phone fraud applications distributed through common application channels, target the typical consumer, spyphones are nation states’ tool of attack. Why? Once installed, the software stealthily gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings.

How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypasses traditional mobile malware detection measures and even circumvents common Mobile Device Management (MDM) features, such as encryption.

Presented by

Ohad Bobrov

Analyzing Blackberry 10 Apps for Security and Privacy Issues

The first line of smartphones from BlackBerry running the BlackBerry 10 operating system, the Z10 and Q10, has recently been made available for purchase. This release brings not just a new operating system to the masses, but a new app ecosystem as well. This presentation will cover some basics regarding BB10 including a primer on its QNX roots, how BlackBerry World functions, what apps for BB10 look like (native, Android, AIR, etc.), how BB10 app security compares to other platforms such as iOS and Android, and guidance on how BB10 apps can be analyzed for malware, security and privacy related issues, including demonstration of techniques developed and tools written to automate and simplify these types of analyses.

Presented by

Michael Price

Carna Botnet: Telnet's threat to the World (and Brazil)

This presentation will showcase the latest analysis and the progress of industry collaboration on the problem of Internet-facing devices that have default credential logins through telnet. The Carna Botnet, which was used to perform the first-ever map of the Internet, Internet Census 2012, highlighted a major information security concern with devices that allow default credential login from the Internet by default. For more information on the Internet Census 2012, please refer to the anonymous researcher’s paper: http://internetcensus2012.bitbucket.org/paper.html.

A complete list of compromised devices that formed part of the Carna Botnet was obtained exclusively by Parth Shukla. This list is NOT publicly available from any source. This data was acquired directly from the anonymous researcher who performed the Internet Census. As confirmed by the researcher, AusCERT to date remains the only organization and researcher in the world that has the complete dataset. Relevant snippets of this data, however, have been provided to CERTs around the world, including Brazil’s CERT in order to reduce the threat made explicit by the Carna Botnet.

This presentation at BlackHat will be the first to shed light on the entire analytical process as conducted by Parth Shukla. It will provide exclusive up-to-date analyses of all the different identifying information for each of the compromised devices that formed part of the Botnet. This detailed analysis will indicate the prevalence of easily-exploited vulnerabilities in different countries, regions and in the devices of different manufacturers. Therefore, what these security problems mean for BlackHat attendees, IT professionals and manufacturers around the world will be thoroughly examined.

The ultimate aim of this presentation is to continue to draw public awareness to the larger concerns for information security professionals worldwide and for a growing economy such as Brazil. Hopefully, this awareness will persuade manufacturers and even local ISPs to collaborate and address this problem. The Carna Botnet reminds us all that there are numerous, simpler vulnerabilities at risk of exploitation and in need of immediate attention.

Presented by

Parth Shukla

Defeating WhatsApp’s Lack of Privacy

With the PRISM scandal, we began to question whether Microsoft, Google, Apple, and Facebook were the only companies working with governments to spy on the behavior of their citizens. Will WhatsApp be one of these companies? Does WhatsApp store its user conversations? News of the threat by Saudi Arabia to declare applications illegal if the server was not established in that country* does not make us feel calm. These sorts of things make us think that users are defenseless and that no current measures exist to ensure the privacy of content shared on these platforms.

The main objective of this research is to add a new layer of security and privacy to ensure that, in the exchange of information between members of a conversation, both the integrity and confidentiality cannot be affected by an external attacker. This is achieved through a system to anonymize and encrypt conversations and data sent via WhatsApp, so that when they reach the servers they are not in "plain text" and are only readable to the rightful owners.

Different layers have been defined inside a new hierarchy of security. The first layer of security involves encryption, using symmetric private keys and data exchanged between two users. In the second layer, we give a certain level of anonymity to the conversation using fake/anonymous accounts. By using intermediate communication nodes, we ensure that there is no direct communication between the mobile phone and the server.

Finally, a third layer would be set to modify the inner workings of the application, routing all traffic and conversation messages to its own server (XMPP) to ensure the privacy of communication. This would provide the user with their own WhatsApp server.

This technique has been developed to be used in a manner completely transparent to the users. This requires having a rooted Android mobile. If using other platforms like iPhone, we have developed a Raspberry-based platform that will act as an access point to implement these three new layers of security.

* http://www.reuters.com/article/2013/06/16/us-saudi-internet-idUSBRE95F04R20130616

Presented by

Jaime Sanchez

Fuzz in the Dark: Genetic Algorithm for Black-Box Fuzzing

Fuzzing (aka Fuzz-Testing) consists of automatically creating and evaluating inputs towards discovering vulnerabilities. Traditional undirected fuzzing may get stuck in one direction and thus may not be efficient at finding a broad range of local optima.

In this work, we combine artificial intelligence and security testing techniques to guide the fuzzing via an evolutionary algorithm. Our work is the first application of a genetic algorithm for black-box fuzzing. We have designed heuristics for fuzzing PDF interpreters searching for memory corruption vulnerabilities and for fuzzing websites for cross site scripting.

Our evolutionary fuzzers ShiftMonkey and KameleonFuzz outperform traditional black-box fuzzers both in vulnerability detection capabilities and efficiency.

Presented by

Fabien Duchene

Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory

In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring, and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications.

The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide persistent files on your devices and how you would go about discovering them. The project also considers how typical forensics software interacts with NAND devices and how those tools can be subverted.

Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed.

(Hint: your current tools probably don't work as well as you would like to believe.)

Presented by

Josh 'm0nk' Thomas

M-Payment Attack Vectors - The untold story

Brazil is now the fourth largest card payment market in the world, with more than 490 million cards used to make $335bn worth of transactions in 2012. It has over 260 million mobile subscriptions, with an average of around 1.3 mobiles per capita. These figures suggest a sizeable demand for mobile payment, but at the same time, highlight concerns with fraud, information theft and other security issues.

There are many different business models when it comes to M-Payment, like Mobile Wallet, Person-to-Person, Mobile as POS, Mobile at the POS, among others. None of them are consolidated and neither are their technologies, leaving a very big space for attack vectors and security research.

In the current work, we’ll explore flaws found regarding the HSM, code submission and telecom problems, as well as some fraud scenarios that are taking place because of poor implementations and lack of security checks. Additionally, we’ll present the main type of products available in Brazil, the technologies involved, like USSD, SMS, S@T and NFC, their business models, and the failures we have found in the way they are used, with a special highlight on the exploitation possibilities.

Presented by

Thiago Musa

The Machines that Betrayed their Masters

The mobile devices we carry betray us to those who want to invade our privacy. Other researchers [1] have suggested that there is little difference between government mandated tracking devices and mobile phones - after all, a mobile phone is just a real time tracking device that reports your current location to one of a few telecommunication companies that are required by law to turn that information over to the government. Combine this with data interception laws, and large-scale data mining initiatives [2] and we have the commonly painted picture of the Big Brother Orwellian state. Large Internet organisations such as Google, Yahoo, Twitter, and Facebook have enough data on a large proportion of the planet's citizens to understand relationships, tastes, and even thoughts of their users. As Moxie put forward, "Who knows more about the citizens in their own country, Kim Jong-il, or Google?" [3]

Governments with unsavory privacy policies and data-hungry social media companies aside, what degree of monitoring, interception, and profiling could the average citizen or small organization impose on their fellow man? The Snoopy project was created to explore just this, and is perhaps a warning that we should not only be cautious of the more obvious/large privacy adversary. Snoopy is a distributed tracking, data interception, and profiling framework. It was created on a shoestring budget, and has been freely released.

Distributed? Snoopy has a client/server model, with numerous 'drones' deployed in the field collecting data about the Wi-Fi signals the devices in your pockets are emitting. All of this data is uploaded to a central server for processing. A drone may be any Linux based device that has an IEEE 802.11 adapter supporting packet injection, and some form of Internet connectivity. Examples of drone devices include the Nokia N900, the SheevaPlug, and the RaspberryPi.

Tracking? If the signals your devices are emitting are unique, then we can track your movements. For example, 802.11 (Wi-Fi) or 802.15 (Bluetooth) signals would include your device's unique MAC addresses. With enough drones deployed over an area it would be possible to monitor people's movements on both a macro and micro scale. For example, deploying drones at every London underground station we could observe a device (and its master) entering the underground at Liverpool Street station each morning between 8am and 9am, and leaving at Victoria Station at 10am. At the macro scale we could observe large-scale human movement patterns [3].

Passive Data Interception? The devices we carry may emit more than just an identifying signal, as per the above point. They may also inadvertently disclose information about themselves, or their masters. For example, Snoopy monitors for 802.11 probe requests.

These requests reveal the vendor of the device (via the MAC), but of greater interest are the names of the networks the device is looking for. Alas, the default behavior of all our wireless gadgets is to constantly search for every wireless network we've ever saved. The harm in this may be subtle at first thought, but for example, we are able to determine the street address of these SSIDs if they are suitably unique.

Active Data Interception? Snoopy can create rogue access points, tricking your devices into obtaining their Internet via them. Cunningly, all data is routed through the Snoopy server - allowing traffic analysis or manipulation at a central point (of which Snoopy does plenty).

Profiling? Snoopy explores collected data with the assistance of Maltego. We have numerous transforms to explore physical world movements (e.g. who attended Black Hat Vegas, Abu Dhabi, and Amsterdam?) and Internet traffic (e.g. extracting friends from Facebook traffic). Numerous transforms have been written, but it is trivial for the end user to write their own.

Many aspects of Snoopy exist independently of other projects, but when brought together, we believe their whole is greater than the sum of their individual parts.

[1] Def Con 18 Changing threats to privacy - Moxie Marlinspike - https://www.youtube.com/watch?v=eG0KrT6pBPk

[2] Palantir Technologies Nabs $56M In New Funding - http://techcrunch.com/2012/05/16/palantir-new-funding/

[3] The Really Smart Phone - http://online.wsj.com/article/SB10001424052748704547604576263261679848814.html?KEYWORDS=Really+Smart

Presented by

Daniel Cuthbert

Open for Business - What Can Enterprises Do to Combat DDoS attacks?

For the second year in a row, massive DDoS attacks dominated the news headlines. DDoS attacks are growing in frequency, getting bigger and more complex. Reputation loss, spikes in customer support calls, and downtime are some of the costs incurred by targeted businesses.

Proper defenses against DDoS are non-trivial, as they must involve various controls owned by different groups inside an organization. Tried-and-tested protections used in the past such as firewalls or intrusion prevention systems are of no help against some attacks. Blended mitigations are required to fight morphing attacks.

In this talk, we will examine different DoS attack techniques used against web offerings. Attacks discussed in this presentation include attacks against the application layer, network layer, and potential attack points against outsourced services such as AWS. All attacks are highly efficient and asymmetric. For each attack, Cassio Goldschmidt will discuss network solutions and code fixes that can be employed to mitigate the problem.

Presented by

Cassio Goldschmidt

Using Online Activity as Digital Fingerprints to Create a Better Spear Phisher

Every day we produce tons of digital breadcrumbs through our activities in online services – from social networks, photo sharing, mailing lists, online forums and blogs to more specialized tools, such as commits to open source projects, music listening services and travel schedules. These have long been known to provide useful information when profiling a target for social engineering purposes, especially due to the frantic pace and often uncensored way at which we generate such content.

Our talk takes a tool-oriented approach to these profiling activities. By using data mining techniques combined with natural language processing, we can determine patterns in the way a user interacts with other users, his usual choice of vocabulary and phrasing, the friends/colleagues he most frequently communicates with as well as the topics discussed with them. By consuming publicly available data, using both official APIs and scraping web pages, our profile can be used to validate how close forged content is to actual target-generated data.

We will discuss the indexing of unstructured content, including issues such as the legal and technical implications of using official APIs versus scraping, how to build user relationship graphs and how to add temporal references to the collected data.

We will also release a tool that automates the data mining and natural language processing (NLP) of unstructured information available on public data sources, as well as comparing user created content against a generated profile using various criteria, including:

  • Network of friends/colleagues;
  • Frequency of communication with friends/colleagues;
  • Shared interests between target and friends/colleagues;
  • Hobbies and personal activities;
  • Upcoming and past trips;
  • Frequency of use of verbs;
  • Frequency of use of adjectives;
  • Frequency of use of nouns;
  • Average number of words per sentence or paragraph.

World War C

Militaries today must prepare for the conflicts of tomorrow. But in the era of cyber war, national security planners may be forced to quietly begin the attack in peacetime, because hacking hard targets such as military services and critical infrastructure takes months if not years of painstaking subversion. This talk reveals how and where the next World War may already have begun.

Presented by

Kenneth Geers

Workshops

Fun and Games with OSINT

The Internet is a rich source of Open-Source Intelligence (OSINT). How are attackers using our 'online life' to discover weaknesses in our networks and applications?

This workshop takes attendees through four steps that modern attackers are using in order to bypass network protection devices and exfiltrate sensitive data.

Attendees will learn how to:

  • Harness OSINT for information about their target
  • Create malicious payloads sent via Social Engineering methods
  • Exploit systems, and finally
  • Exfiltrate sensitive data out of a secure network

This workshop is open to all event attendees. To get the most out of this session, attendees should bring a modern laptop, VMware and a minimum of 4 GB RAM and 20GB free space for virtual machines used in this workshop.

Presented by

Daniel Cuthbert

Mobile eXploitation Pipeline (MXP)

Mobile eXploitation Pipeline (MXP) is a semi-automated unknown / zero-day vulnerability discovery pipeline for mobile platforms. MXP has been built and refined over a three-year period as part of our research & development efforts in mobile security. MXP was initially developed to discover unknown vulnerabilities in the Symbian mobile platform and subsequently extended to the Android and iOS mobile platforms as well. MXP is a complete system comprising server-side and on-device software modules and not just a penetration testing tool. It is also not just a simple tool but a complete system and process comprising automatic, semi-automatic and manual stages. MXP comprises four stages and has successfully discovered unknown vulnerabilities in Symbian, iOS, and Android.

In this workshop, we will present our experience of building MXP, why we did what we did in a certain way, and show a live demo of our system. Following the presentation, we will show the audience how to set up the MXP system and walk through the system's web-based control centre along with the mobile clients on iOS and Android. We will show some statistics of vulnerabilities from our experiments, but we don't plan to discuss specific vulnerabilities that we have discovered using MXP.

Presented by

Krishnan S. P. T.

No More Neck Beards: An Introduction to Abusing the Android Kernel

The Android / Linux kernel seems to still remain a magical place to a lot of us in the security industry. We understand exploitation fairly well, but when it comes to simple manipulation we find ourselves lost. In this workshop, I am hoping to change that paradigm.

We will focus on a guided exploration of some interesting and often overlooked portions of the kernel. We will analyze them, understand them, recompile them and see what happens on a real device. The primary focus will be recreating the NandX project (hiding data on NAND Flash hardware) and Project Burner (manipulating power routing on device internals), but we will also walk through some other peculiar code that can be found hidden deep in the standard source tree.

The direct goal of this workshop is for all attendees to walk away with a deeper understanding and familiarity of the kernel itself and the ability to recreate and extend my specific kernel research.

Presented by

Josh 'm0nk' Thomas