As an industry we have counted on a steady drumbeat of technology advances to drive semiconductors and resultant microprocessors to ever-higher levels of integration and performance. That drumbeat was Moore's Law, the rough doubling of technology density every 18 months for the past three or more decades. However, within a period of two or three further beats that drum goes silent, and it has already quieted significantly, as many technology elements approach physical limits. A result of this has been the emergence of a host of new system architectures employing accelerative elements such as FPGAs and GPUs, first generation novel processors based on Synaptic designs, and a host of new software approaches, all designed to continue to drive progress in Information Technology and compensate for the loss of one key past accelerant.
Resultant performance gains exceeding 100X now enable deep encryption and real time data analytics supporting InfoSec without degrading system performance, while at the same time introducing entirely new system elements, hardware and software, that must similarly be secured. New assistive capabilities arise in the field of Artificial Intelligence, while at the same time causing concern about the long-term impact of this emergent technology. I will focus on the key changes coming in the technologies that underlie our industry, and the impact that accelerated innovation has had on our expectations of what Information Technology can truly accomplish, along with associated risks.
At the close of this year's conference, join Black Hat Founder Jeff Moss and members of the esteemed Black Hat Review Board for an insightful conversation on the most pressing issues facing the InfoSec community today. This Locknote will feature a candid discussion on the key takeaways coming out of Black Hat Asia 2015.
Mobile banking is about to become the de facto standard for banking activities. Banking apps on smartphones and tablets are becoming more widespread, and this evolution aims at strongly limiting the classical access to banks (physical, through PC browser, through ATM). The aim is first to cut cost but also to make the personal data explode. Then three critical issues arise because we entrust those mobile applications by feeding them with passwords, private information, and access to one of the most critical parts of our liking (money): Do those applications protect our private life and, especially, which kind of information is leaking to the bank? Do they contain vulnerabilities that could be exploited by attackers? In this talk, we are going to present a deep analysis of many banking apps collected around the world. We have performed static and dynamic analysis based on the binaries AND the source code. We will show that almost all apps are endangering our private data (sometimes severely), but in a few cases the presence of vulnerabilities is extremely concerning. While we tried to contact all the relevant banks for a free, detailed technical feedback and to help them fix their apps, we will explain that a few of them did not care about this feedback and therefore did not want to take any security measure. This talk contains demos and operational results on existing apps and will bring a particular focus on banks from Asia and Australia (Pacific area).
The API wrapping technique is commonly used among malware and code obfuscators. One of the advanced API wrapping techniques is the runtime obfuscation used by Themida. Runtime obfuscation makes reverse engineering difficult by obfuscating each API function on every run. So far, binary pattern matching or pattern-based code optimization techniques have been used to identify the original API functions from the runtime-obfuscated functions. Applying a new obfuscation pattern easily breaks these pattern-based approaches.
In this talk, I present a more resilient API deobfuscation scheme based on memory access analysis. This method utilizes the memory access pattern of the runtime obfuscation technique. The runtime obfuscator embedded in the packed binary obfuscates one API function at a time. While an API function is obfuscated, each memory value of its instructions is read, the instruction is transformed into obfuscated instructions, and the obfuscated instructions are written into a newly allocated memory block. Thus, the set of memory write addresses during one API function's obfuscation is a superset of the corresponding obfuscated API function's addresses. The API deobfuscator is implemented on the basis of this memory access analysis. Every memory write address is recorded from the moment an API function is read from memory until the next API function is read. After each API function is obfuscated, a map from each API function to its obfuscated function addresses is constructed. The original API functions are identified by looking up the target addresses of obfuscated function calls in the map.
The API deobfuscator utilizes Intel Pin to track memory accesses. The tool executes a Themida-packed binary until the original entry point and restores every obfuscated API function call to the original API function call. The deobfuscated process can be analyzed with common debuggers such as OllyDbg.
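The memory-access mapping described in this abstract, as an added Python example rather than the speaker's Pin tool: the API table, the recorded trace and all addresses are constructed, and the trace stands in for what an instrumentation tool would log.

```python
from collections import defaultdict

# Constructed stand-in for the loader's export table: API name -> [start, end) of its
# original code. A real tool would take this from the process's loaded modules.
API_TABLE = {
    "kernel32!GetProcAddress": (0x7C80AE30, 0x7C80AE90),
    "kernel32!LoadLibraryA":   (0x7C801D7B, 0x7C801DD0),
    "user32!MessageBoxA":      (0x77D507EA, 0x77D50820),
}

# Constructed memory-access trace in execution order: (op, address, size), op 'R' for
# read and 'W' for write. The runtime obfuscator reads one API's original bytes, writes
# the transformed instructions into a freshly allocated block, then moves to the next API.
SAMPLE_TRACE = [
    ('W', 0x00A0FFF0, 4),                        # obfuscator bookkeeping, before any API
    ('R', 0x7C80AE30, 4), ('R', 0x7C80AE34, 2),  # read GetProcAddress prologue
    ('W', 0x00A10000, 4), ('W', 0x00A10004, 4), ('W', 0x00A10008, 8), ('W', 0x00A10010, 4),
    ('R', 0x7C801D7B, 4), ('R', 0x7C801D7F, 4),  # read LoadLibraryA
    ('W', 0x00A10100, 8), ('W', 0x00A10108, 8), ('W', 0x00A10110, 4), ('W', 0x00A10114, 8),
    ('R', 0x77D507EA, 4), ('R', 0x77D507EE, 1),  # read MessageBoxA
    ('W', 0x00A10200, 4), ('W', 0x00A10204, 4), ('W', 0x00A10208, 4), ('W', 0x00A1020C, 4),
]

# Constructed call targets taken from the obfuscated code after reaching the OEP.
SAMPLE_CALL_TARGETS = [0x00A10000, 0x00A10110, 0x00A1020F, 0x00A0FFF0, 0x12345678]


def api_for_address(addr, table=API_TABLE):
    """Return the name of the API whose original code range contains addr, else None."""
    for name, (start, end) in table.items():
        if start <= addr < end:
            return name
    return None


def build_api_map(trace, table=API_TABLE):
    """Replay the trace and map each API to the set of byte addresses written while
    that API was being obfuscated.

    A read inside an API's original code marks the start of that API's obfuscation;
    every write until the next (different) API is read belongs to that API's
    obfuscated copy. Writes before the first API read are not attributed to anything.
    """
    api_map = defaultdict(set)
    current = None
    for op, addr, size in trace:
        if op == 'R':
            name = api_for_address(addr, table)
            if name is not None and name != current:
                current = name  # obfuscator moved on to the next API function
        elif op == 'W' and current is not None:
            # Record every byte of the write so that a later call into the middle
            # of the obfuscated block still resolves (the "superset" property).
            api_map[current].update(range(addr, addr + size))
    return dict(api_map)


def resolve_call(target, api_map):
    """Resolve an obfuscated call target to the original API name, or None.

    The obfuscator handles one API at a time, so write sets should be disjoint;
    an overlap would mean the trace segmentation is wrong, and is reported.
    """
    hits = [name for name, written in api_map.items() if target in written]
    if len(hits) > 1:
        raise ValueError(f"0x{target:08X} attributed to several APIs: {hits}")
    return hits[0] if hits else None


def deobfuscate_calls(call_targets, api_map):
    """Return {call target: resolved API name or None} for every recorded call."""
    return {t: resolve_call(t, api_map) for t in call_targets}


if __name__ == "__main__":
    api_map = build_api_map(SAMPLE_TRACE)
    for target, name in deobfuscate_calls(SAMPLE_CALL_TARGETS, api_map).items():
        print(f"call 0x{target:08X} -> {name or '<unresolved>'}")
```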
RC4 is the most popular stream cipher in the world, and in particular is used to protect a significant portion of SSL/TLS sessions. In this session, we will show how an old vulnerability of RC4 can be used to mount a partial plaintext recovery attack on SSL-protected data, when RC4 is the chosen cipher. As opposed to BEAST, POODLE, CRIME, and other attacks on SSL that were published in recent years, including the attack by Bernstein et al. on the usage of RC4, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials when delivered as POST parameters. Furthermore, one of the variants of the new attack requires only passive eavesdropping on SSL connections, and presents the first practical attack on SSL that does not require an active Man-in-the-Middle. Another unique characteristic of the new attack allows one of its variants to recover, with non-negligible probability, parts of a secret that was transmitted only once over the TLS connection.
In this talk, we will demonstrate and unveil the latest developments on browser specific weaknesses including creative new mechanisms to compromise confidentiality, successfully perform login and history detection, serve mixed content, deliver malicious ghost binaries without a C&C server, exploit cache/timing side channels to extract secrets from third-party domains, and leverage new HTML5 features to carry out more stealthy attacks. This is a practical presentation with live demos that will challenge your knowledge of the Same Origin Policy and push the limits of what is possible with today's web clients.
Android malware is getting complicated with advanced code protection technologies such as obfuscation, packing, bytecode injection, method hiding and so on. In order to defeat those, static and dynamic analysis tools such as IDA, Smali, mobile sandboxes etc. have been used. However, malware is smart enough to differentiate its behavior at runtime or hide its intentions by detecting the running environment.
In this presentation, we are introducing the first interactive Android binary debugger DABiD (Dynamic Android Binary Debugger), which reveals the hidden claws of malware. DABiD is equipped with three key features. First of all, DABiD detects dynamic changes at runtime and reflects them on the fly. This feature enables analysts to confront dynamic code modification technologies such as packing or bytecode injection. Secondly, DABiD monitors dynamically loaded classes and prepares them for debugging. Analysts do not need to dump or analyze newly loaded jars or Dalvik executables manually. Thirdly, analysts are able to modify instructions to control execution flow or disable certain instructions. This feature helps analysts debug effectively. As well as these advanced features, DABiD provides basic functions such as automatic setup for debugging, decoding Dalvik executables, setting breakpoints, getting register data, and stack frames and so on. DABiD can run on a smartphone and root permission is not required.
The blockchain is the public ledger stacking all bitcoin/altcoins transactions. It is constantly growing as "completed" blocks are automatically added to it with a new set of records. The blocks are added to the blockchain in a linear and chronological order. The blockchain has complete information about the addresses and their balances right from the genesis block to the most recently completed block through the mining process. Depending on the crypto-currency and the implementation of its protocols, there would be a fixed open space, where data can be stored, referenced or hosted on the blockchain within encrypted transactions and their records. This very versatile nature of the blockchain offers great opportunities for future innovation especially in decentralized systems.
The research focus revolves around the threat of embedding decentralized chunks of malware on the blockchain by either hosting it or referencing it with cascaded pointers. Transactions and data are encrypted throughout the blockchain networks using different versions of public/private key encryption. Could malware survive eternally inside crypto-transactions? A proof of concept will be explained highlighting the concerns revolving around the "abuse and bloating" of the blockchain while comparing it to previous malware hosting and deployment models.
In this talk, INTERPOL will frame the scope of this future threat and provide potential solutions for a threat surrounding the blockchain technology.
We present two new attacks against social navigation services. These attacks are based on creating a large number of reputed "bot drivers," and controlling their reported locations and movement patterns using fake GPS reports. We show how these attacks can be used to compromise social navigation systems by applying them to Waze - a prominent social navigation application used by over 50 million drivers. The first attack allows us to compromise user privacy by tracking the location and movement of users at any location. This attack is facilitated by automatically interacting with the application, capturing screen data, and parsing it using OCR techniques to produce location information over time. The second attack can fake traffic jams and dramatically influence routing decisions. This attack effectively influences the unpublished server-side Waze routing algorithm and allows us to direct users to a particular route. When combined, these attacks can be used to influence the driving directions produced for a given user. We present several techniques for preventing the attacks, and show that effective mitigation likely requires the use of additional carrier information.
The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kinds of embedded systems.
The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.
The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, are meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.
The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.
The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.
The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.
Cloud instance lifecycles are changing fast and force us to improve the way we secure those IaaS instances. Nowadays we can find servers that are installed, launched, process data and terminate - all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate vulnerabilities, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, and vulnerability scanning and mitigation processes should be automatic. In this presentation, we announce a new open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. We demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically while evaluating its security and mitigating automatically if a vulnerability is found. In the live demo, we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration, integrating encryption, including secure encryption key repositories for secure server communication. The result of those techniques is cloud servers that are resilient, automatically configured, with reduced attack surface.
Ever wanted to communicate with a NASA space probe launched in 1978, or spoof a restaurant's pager system? There are surprising similarities! How about use an airport's Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as tollbooths, building security, and vehicular keyless entry? Then there's 'printing' steganographic images onto the radio spectrum.
Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur - widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by 'blindly' analyzing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I'll show how long-term radio data gathering can be used to crack poorly implemented encryption schemes, such as the Radio Data Service's Traffic Message Channel.
I'll also look briefly at some other systems that are close to my heart: reversing satellite communications, tracking aircraft using Mode S and visualizing local airspace in real-time on a 3D map, monitoring the health of aircraft with ACARS (how many faults have been reported by the next plane you'll be traveling on, e.g. do the toilets work?), and hunting down the source of an interfering clandestine radio transmission.
If you have any SDR equipment, bring it along!
The introduction of the new Android Runtime (ART) brings several improvements in Android. But, as with any new technology, it also brings new ways to conduct or enhance malicious activities. In this presentation, we will detail one of those ways.
Once an attacker or malware has gained access to the Android device, the next step is to find ways to hide itself and gain persistence, and this is usually achieved by installing a rootkit. The majority of these rootkits are kernel mode rootkits and the common way of achieving persistence is by modifying files in the system partition. However, recent advancements in Android security, such as verified boot, have made this increasingly difficult. This presentation will demonstrate how to go around this difficulty by taking the game out of kernel mode and out of the system partition. We will show you how to take advantage of the mechanisms of ART to create a user mode rootkit.
We will start with a discussion of past Android rootkit research and how these techniques have become increasingly difficult to use in modern Android systems. Then we will go deep into ART internals where we will discuss the file formats and mechanisms relevant to rootkit creation. After we have understood the mechanisms involved, we will then discuss methods of crafting the rootkit i.e. what to change, where to find them, and how to change them, and techniques on gaining persistence on the system. We will also examine the limitations of this approach and possible future work in this area.
The talk will conclude with a live demonstration of an ART rootkit.
Controller Area Network (CAN) is found in a number of systems, and is the main form of networking used in the automotive industry. Every new car has multiple CAN buses that let controllers communicate. This bus controls everything from the camshaft on your engine to your power seats.
In this talk, we will present and release CANard, an open-source toolkit which allows easy scripting of CAN bus tasks. This toolkit allows us to easily work with CAN, to talk to automotive controllers, perform diagnostic actions, and fuzz the protocols.
We will start with a brief introduction to CAN, look at the required hardware, and then start sending and receiving messages. We will explore CANard's features, and see several demos of real world vulnerabilities using our tool. We'll demonstrate how to read and clear fault codes, crack diagnostics security, and fuzz controllers to take over vehicle operation.
The talk will focus on practical applications. By the end of the talk, attendees will not only gain an understanding of automotive systems, but will also have the tools to attack them.
Numerous websites customize their services according to different geo-locations of users, to provide more relevant content and better responsiveness, including Google, Craigslist, Google Maps, etc. Recently, mobile devices further allow web applications to directly read users' geo-location information from GPS sensors. However, if such websites leave location-sensitive content in the browser cache, other sites can sniff users' geo-locations by utilizing timing side-channels.
In this presentation, we demonstrate that such geo-location leakage channels are widely open in popular web applications today, including 62% of 55 Alexa Top 100 websites and 11 map service websites. With geo-inference attacks that measure the timing of browser cache queries, we can locate users' countries, cities, and neighborhoods in our case studies. We show that such attacks affect all five mainstream browsers (e.g., Chrome and Firefox) as well as TorBrowser in certain cases. We also discuss whether existing defenses can effectively prevent such attacks and additional support required for a better defense deployment.
The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have is hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network allowing an attacker to target the weakest link.
This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this; karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs, and interception tools struggle to find useful details. This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk will provide details of our research into increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.
Multicast Listener Discovery (MLD) and its successor, MLDv2, is a protocol of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Multicasting is a key feature of IPv6 which is supposed to be used even by the Neighbor Discovery process. Most modern Operating Systems (OS), like Windows, Linux, and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start up by sending MLDv2 traffic, which is repeated periodically. Despite the out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These can vary from network scanning and OS fingerprinting on the local link, to amplified DoS attacks and to consumption of resources at routers. To this end, we will discuss potential security issues related to the design of MLD and we will examine how they can be exploited by attackers. A live demo will show how such an attack can take place by using MLD messages in order to disrupt multicast communication. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era.
Cheaters are a growing problem in multiplayer gaming. As games become increasingly complex, the level of sophistication in cheat detection and anti-cheating strategy is forced to keep pace. While some developers spend the time to create their own protections, many have turned to external anti-cheat libraries. These tools are managed by a central server and offer an ideal target for attackers. In this talk, we demonstrate a way to comprehensively bypass existing anti-cheat mechanisms and outline two practical attacks against one of the most popular anti-cheat engines, demonstrating the implications of a successful attack against anti-cheat software.
We present the first vulnerabilities in EMV (Europay, MasterCard and Visa) Contactless that do not use legacy modes and that are applicable to practically all EMV Contactless cards and terminals. In particular, we show that a relay attack can be performed with very limited resources and widely available off-the-shelf hardware. Our proof-of-concept relay attack proves that a criminal can pay at a Point-of-Sale terminal, using the card inside a victim's wallet, while the victim is arbitrarily far away from the terminal. Using EMV and Android specific optimizations, we show the world's first relayed transaction that is faster for certain cards than a transaction performed directly with the same card. Therefore, the most obvious countermeasure, timing restriction, will likely not be effective at all.
Furthermore, we identified other vulnerabilities in cards from certain issuers, and in the most used type of Point-of-Sale terminals in the Netherlands. For instance, certain Maestro cards have a vulnerability that concerns the distribution process of the cards. Furthermore, certain Visa cards break the EMV security requirements by using secret keys that are not unique. The most used type of Point-of-Sale terminals in the Netherlands is vulnerable to a Denial-of-Service attack, which presumably is the result of a buffer overflow.
Our findings have significant implications for the acceptance of contactless transactions by the public. Indeed, contactless transactions will not be widely accepted by customers if they are not confident about the security of contactless cards, and banks can suffer significant reputational damage.
We have discovered an attack that allows a non-privileged application to continually force the generation and logging of sensitive process information in a readable log file using the /system/bin/dumpstate binary on Samsung devices. The log output of the dumpstate binary includes the Android logs, kernel log, and other process-dependent log data. However, starting with Android 4.1, reading the Android logs is no longer permitted to user applications because the READ_LOGS permission was removed, but we were able to circumvent this limitation. To achieve this, we crafted an exploit that requires an application with the seemingly innocuous android.permission.RECEIVE_BOOT_COMPLETED permission. Reading the Android logs empowers a non-privileged user application to obtain private data circumventing all permission checks. The approach to obtain the Android log data has worked on all Samsung devices we have examined ranging from the Samsung Galaxy S1 up to and including the Samsung Galaxy S5 and the Samsung Note 4. The Android log generally contains private data written by the Android Operating System (OS), Google applications, and user applications. Moreover, we have identified 12 Samsung builds for Android where the Android OS writes the text of notifications by default to the Android log. Using our attacks on these 12 builds, we are able to get access to Facebook Messenger messages, text messages (including password resets), Google Chat messages, WhatsApp messages, missed calls, turn-by-turn directions from Google Maps, the sender and subject of emails, and any other notification. Our proof-of-concept application can obtain the text from all notifications that the Android OS receives for these builds. This enables a user application to obtain immensely private data from the user of these vulnerable Samsung devices.
These builds are for the previous generation of Samsung devices that are still currently being sold in retail stores (e.g., Samsung Galaxy S4, Samsung Note 3, Samsung Note Pro 12.2, etc.).
The Security Content Automation Protocol (SCAP) federates a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. There are a number of SCAP components such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Remediation Enumeration (CRE), Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL). Malware Attribute Enumeration and Characterization (MAEC) is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. These standards render data in the form of XML. Although these standards are linked to each other, there is a lack of commonality in their XML schema definitions. There is a need for a unique common metadata schema to represent important aspects relevant for designing efficient search engines. This common metadata supports distribution of data across various repositories that render SCAP content. Across all security content databases, a unique identification and a short description will be common. In addition, this model makes building references to multiple components of SCAP intuitive. Differentiating attributes of security content can be represented as a list of properties, each property being a key-value pair. For example, in the case of CVE, (CVSS, 9.4) represents the key CVSS and a score of 9.4, where CVSS is Common Vulnerability Severity Score. In this model, modifications to the schema of SCAP components can easily be accommodated by just adding or deleting a property key-value pair without changing the model.
Searching on this metadata enables fast response to queries and helps interlace various SCAP components; e.g., OVAL references CVE and each CVE depends on various platforms and products denoted by CPEs. This model enables Natural Language Processing (NLP) and renders meaningful responses to queries such as "most vulnerable applications OVAL definitions", "vulnerabilities in Adobe Reader in 2014", "what was released yesterday", etc. This enables recognizing dates, SCAP components requested, products, platforms, or vendors. NLP supports an understanding of the intent of a search in the repositories, thereby enriching user experience while benefiting from SCAP content to measure the security posture of the systems. This archetype aids in resolving vulnerabilities before an attack happens. This model helps understand an incident in your machine and analyse if it is a malware attack. It will further help to scrutinize which vulnerability was exploited by the malware and, most importantly, fix this attack.
Recently, malware has been growing constantly, which forces malware analysts into hard work. Automated malware analysis can help security engineers, but some malware cannot be run in a sandbox environment. For example, sophisticated malware such as Citadel and Zeus/GameOver is armed with anti-sandbox techniques to prevent running except on an infected host. This malware detects the execution environment and does not engage in malicious behavior when the current host differs from the infected host. In this presentation, we present an automatic disarmament system for malware armed with anti-sandboxing. The system targets 1) host-fingerprinting malware like Citadel, 2) malware armed with general anti-sandboxing against automated sandbox analyzers. The disarmament approach focuses on exit reasons and on exits before activity in malware execution. We developed a CPU-emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis of individual malware. We will provide statistics on evasive malware in the real world. We will report the result of analysis of large-scale samples.
A large part of the mobile applications in the store are developed leveraging frameworks for cross platform development, in order to code once and run on every mobile platform. But are those frameworks secure or is the developer trading off security for ease of development? We will explore and analyze the most popular cross platform frameworks for mobile development, exposing the vulnerabilities found in them, and detail how serious the implications are of using them in terms of security.
Point of Sale (POS) malware has been stealing the limelight this year. It has been the elemental factor in some of the biggest breaches uncovered in the past couple of years.
This talk will cover the aspects of what happens after these details have been sent to the malware authors. The entire ecosystem of credit card frauds can be broadly classified into these three steps:
1. Purchase of raw details and dumps
2. Converting them to plastic cash/cards
3. Shop! Shop! Shop!
The focus of this talk will be on the above-mentioned points and how they form an organized network of cyber-crime.
There have been talks on the POS malware and the big breaches that it has caused. We know that millions of details have been stolen, but the aftermath is hardly discussed. It is important to understand the complete fraud ecosystem if we have to kill its roots. The talk will involve details of forums, which have only privileged access, internal details of the buyers/sellers, personal chats, and IRC encounters that makes it unique and research oriented.
Join Justin Searle for a two-hour workshop where he'll take you through the modbus network protocol standard and walk you through hands-on exercises, including analyzing modbus network captures, configuring modbus endpoint simulators, and generating your own modbus traffic to query and fuzz modbus devices. Come prepared with your laptops, a DVD drive, and an installed version of vmware player to take full advantage of this workshop!
Recently, Android applications employ techniques to protect their code such as APKProtect, DexGuard, BangCle, Ijiami, and LIAPP. These tools modify the original DEX (Dalvik Executable) or replace the original DEX with a second DEX (for unpacking and loading) generated by the packing tool. The tools employ many anti-analysis techniques to prevent being analyzed, such as anti-debugging (for gdb), anti-jdwp (for the Java debugger), anti-tamper and obfuscation for Dalvik and native code. They even use self-debugging (self-ptrace) techniques. These techniques cause a reverse engineer to be annoyed and devastated. Also, tools and systems which automatically analyze Android applications cannot analyze them correctly because of their anti-analysis techniques. However, we propose a novel general unpacking method that does not require root privilege for unpacking. In this presentation, we are going to show you how it works.