briefings - march 31 & april 1

white paper




Devaluing Attack: Disincentivizing Threats Against the Next Billion Devices

Cyberattacks are not like natural disasters or other forces of nature, nor are they like diseases or other autonomously evolving and spreading agents (yet). They are ultimately and fundamentally driven by rational human action. As such, economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This, unfortunately, has a tendency to raise costs for the defender and their users too and does not scale well. An alternative and more scalable strategy is to reduce the value to the attacker of a successful attack. What does this look like? This strategy is already in use in many forms around us and we will point out where it is being employed successfully. Does it work? We will examine the phases of an intrusion common to both financially-motivated and state-sponsored attackers in order to show how defenses based on lowering the value versus raising the cost affect both the attacker and defender. Finally, we will explore what this strategy means for the security threats against the next billion devices.

presented by

Dino Dai Zovi


A New CVE-2015-0057 Exploit Technology

February 10, 2015, Patch Tuesday - Microsoft corporation pushed many system-level patches including CVE-2015-0057/MS15-010. On the same day, Udi Yavo - the CTO of the enSilo company released a technology blog[1]. As the discoverer of the vulnerability, Udi described the CVE-2015-0057 exploit in detail and demonstrated the process of exploiting the vulnerability on the 64-bit Windows 10 Technical Preview operating system. Four months later, on the 17th of June, a new variant of the Dyre banking trojan was caught by FireEye[2]. This variant of Dyre will attempt to exploit CVE-2013-3660 and CVE-2015-0057 to obtain system privileges and this is the first time CVE-2015-0057 was found to be exploited in the wild. On July 8th, NCC Group published their technical blog[3]. In that blog, they described their exploit method in detail, which can work reliably on all 32/64-bit Windows - from Windows XP to Windows 8.1.

It is worth noting that, in this year, we have repeatedly captured APT class zero-day attacks[4] [5] - all of which target the Windows kernel Win32K subsystem's User Mode Callback mechanism. This leads us to re-visit this old-school kernel attack surface. This topic will focus on CVE-2015-0057 and the User Mode Callback mechanism. We will examine the User Mode Callback mechanism from two aspects: exploit methodology and vulnerability detection. Additionally, from an attacker's perspective, this talk will also reveal some new exploit techniques.

[1] http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit
[2] https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html
[3] https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf
[4] https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
[5] https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html

presented by

Yu Wang

Android Commercial Spyware Disease and Medication

Android-based smartphones are gaining significant advantages on its counterparts in terms of market share among users. The increasing usage of Android OS make it ideal target for attackers. There is an urgent need to develop solutions that guard the user's privacy and can monitor, detect and block these eavesdropping applications. In this paper, two proposed paradigm are presented. The first proposed paradigm is a spyware application to highlight the security weaknesses' "disease." The spyware application has been used to deeply understand the vulnerabilities in the Android operating system, and to study how the spyware can be developed to abuse these vulnerabilities for intercepting victim's privacy such as received SMS, incoming calls and outgoing calls. The spyware abuses the Internet service to transfer the intercepted information from victim's cell phone illegally to a cloud database. The Android OS permission subsystem and the broadcast receiver subsystem contribute to form a haven for the spyware by granting it absolute control to listen, intercept and track the victim's privacy. The second proposed paradigm is a new detection paradigm "medication" based on fuzz testing technique to mitigate known vulnerabilities. In this proposal, anti-spyware solution "DroidSmartFuzzer" has been designed. The implementation of the anti-spyware application has been used to mitigate the risks of the mentioned attacks. It should be noted that the proposed paradigm "DroidSmart-Fuzzer" and its fuzzing test cases are designed not only to catch the proposed spyware application but also to catch any similar malicious application designed to intercept one or more of the listed privacies.

According to high rate installation of commercial spyware which increased in 2014 as mentioned in Google Android Security report [1] , Lacoon research team report [2], ALCATEL-LUCENT mobile malware reports [3], [4], [5], [6], and Joshua Dalman and Valerie Hantke research on Black Hat USA 2015 [7]. DroidSmartFuzzer has been tested against the top 15 commercial spyware [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], two free spy applications on Google Play[23], [24], two free spy applications on Amazon store [25], [26] and the proposed spyware application.

presented by

Mustafa Saad

Automated Detection of Firefox Extension-Reuse Vulnerabilities

Major web browsers provide extension mechanisms that allow third parties to modify the browser's behavior, enhance its functionality and GUI, and integrate it with popular web services. Extensions can often access private browsing information such as cookies, history, password stores and sensitive system resources. Consequently, malicious extensions, or attacks directed at legitimate vulnerable extensions, pose a significant security risk to users. The research community presented studies and tools that analyze the security properties of extensions and proposed various defenses against these threats. However, the possible interactions between multiple browser extensions have not been well-studied from a security perspective.

In this presentation, we identify a novel extension-reuse vulnerability that allows adversaries to launch stealthy attacks against users. This attack uses the existing functionality from legitimate extensions to avoid the inclusion of security-sensitive API calls within the malicious extension itself. We then present CROSSFIRE, a lightweight static analyzer for Firefox legacy extensions to automatically discover instances of extension-reuse vulnerabilities, generate exploits that confirm the presence of vulnerabilities, and output exploit templates to assist users of the tool in rapidly constructing proof-of-concept exploits. We analyzed 2,000 Firefox extensions with CrossFire and found that popular extensions, downloaded by millions of users, contain numerous exploitable extension-reuse vulnerabilities. We also performed a case study to show that malicious extensions exploiting extension-reuse vulnerabilities are indeed effective at cloaking themselves from extension vetters.

Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface.

In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. Insights from this paper can help users, programmers and auditors in efficiently testing and securing their Internet-enabled embedded devices.

We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. We also perform comprehensive failure analysis. We show that by applying relatively easy fixes during corrective maintenance it is possible to remediate at least 61.3% of emulation failures and at least 25.2% of web interface launch failures. These experimental results demonstrate the effectiveness of our approach.

presented by

Andrei Costin

Break Out of the Truman Show: Active Detection and Escape of Dynamic Binary Instrumentation

Dynamic Binary Instrumentation (DBI) is an important and powerful technique to analyze runtime code behaviors for different usage including performance tuning, instruction analysis, new processor feature simulation and so on. For these usages, reasonable transparency is good enough to minimize side effect and collect correct results. As the security community starts to extend DBI usage to security defense, it becomes very important to keep DBI tools fully transparent to the exploits/malware being analyzed. In past years, various approaches have been reported to make DBI environment detectable by the targeted code. Current DBI detection studies mainly focus on detection methods such as memory inspection, resource and performance monitor, etc.

Given the imperfection of the binary translation process, more active detection methods can be used by specifically designed code to target the bug or blind spots of the DBI tools and identify the presence of the DBI by the execution results.

This talk focuses on such active detection techniques by exploiting the weakness of the DBI tools such as the incapability of handling 32-bit/64-bit cross-mode codes and other bugs. Moreover, this presentation will discuss that the anti-DBI practice can be taken one step further - not only to detect the DBI environment, but also to escape from its control, and reverse the game.

presented by

Ke Sun  &  Xiaoning Li

Bypassing Browser Security Policies for Fun and Profit

Mobile browsers in comparison to desktop browsers are relatively new and have not gone under same level of scrutiny. Browser vendors have introduced and implemented tons of protection mechanisms against memory corruption exploits, which makes it very difficult to write a reliable exploit that would work under all circumstances. This leaves us with the "other" category of Client Side attacks. In this presentation, we will present our research about bypassing core security policies implemented inside browsers such as the "Same Origin Policy," and "Content Security Policy," etc.

We will present several bypasses that were found in various mobile browsers during our research. In addition, we will also uncover other interesting security flaws found during our research such as Address Bar Spoofing, Content Spoofing, Cross Origin CSS Attacks, Charset Inheritance, CSP Bypass, Mixed Content Bypass, etc., as found in Android Browsers. We will also talk about the testing methodology that we used to uncover several android zero days.

Apart from the theory, our presentation will also disclose a dozen of the most interesting examples of security vulnerabilities and weaknesses highlighted above, which we identified in the most popular Android third-party web browsers, and in Android WebView itself.

We will explain the root cause of the bug and demonstrate their exploitation, show examples of vulnerable code and, where possible, patches that were issued to address these vulnerabilities. Finally, we will demonstrate a sample test suite which can be used to assess basic security properties of any mobile web/browser.

presented by

Rafay Baloch

CANtact: An Open Tool for Automotive Exploitation

Controller Area Network (CAN) remains the leading protocol for networking automotive controllers. Access to CAN gives an attacker the ability to modify system operation, perform diagnostic actions, and disable the system. CAN is also used in SCADA networks and industrial control systems.

Historically, software and hardware for CAN has been expensive and targeted at automotive OEMs. Last year, we launched CANtact, an open source hardware CAN bus tool for PCs. This provides a low cost solution for converting CAN to USB and getting on the bus.

However, once connected to CAN, software is needed to make sense of traffic on the bus. CANtact is a new tool for this purpose. It allows the user to view CAN traffic, decode messages, and perform diagnostic actions in a graphical environment.

Existing CAN software is focused on developing systems, CANtact is designed for breaking them. The tool has been designed with reverse engineering and fuzzing in mind.

In this talk, we'll introduce the CANtact software, provide details about its design, and explain how it can be used to perform analysis on CAN systems. We'll also look into some of the analysis techinques that are useful for reverse engineering CAN systems.

presented by

Eric Evenchick

DSCompromised: A Windows DSC Attack Framework

DSCompromised is a PowerShell-based toolkit that leverages Windows Desired State Configuration (DSC) for command-and-control, malware persistence, and automatic re-infection of compromised systems. Never heard of DSC before? Worry not! We'll first explain the basics of how DSC, Microsoft's next-gen enterprise management technology, works - and how it can be controlled and abused by an attacker. Next, we'll walk through the steps necessary to use our DSCompromised framework to set up a command-and-control server, generate payloads, infect a victim, and even restore a remediated system back to a compromised state.

Finally, we'll pivot from the attacker/red team perspective to that of a blue team defender or incident responder. We'll illustrate the signs that DSC might be abused on a compromised system, and how to detect and investigate the forensic evidence it leaves behind. This presentation includes source code and on-screen demonstrations of multiple attack scenarios.

presented by

Ryan Kazanciyan  &  Matt Hastings

Enterprise Apps: Bypassing the iOS Gatekeeper

A critical component of Apple's security model is how the App Store serves as gatekeeper for all code on iOS devices. This makes Apple's Developer Enterprise Program its achilles heel, allowing enterprises to bypass the store's code validation process and deploy their own apps directly to devices.

In recent years we have witnessed a rise in usage of iOS Enterprise apps. This fact is especially alarming when considering how these certificates can be easily used for illegitimate purposes by anyone from known state-actor spies like Hacking Team (RCS) to Chinese app piracy stores.

Apple has tried to mitigate these issues in iOS 9 by introducing new features like requiring user intervention in order to use enterprise signed apps, but are these measures enough? We'll demonstrate, using zero-day novel attack, how to leverage new security features in iOS 9 to install a malicious enterprise app on a user's phone.

In this session, we will give an overview on how enterprise-signed apps have been used to attack iOS devices and examples of usages discovered in the wild. We'll share real world statistics about the prevalence of Enterprise apps installed on iOS devices and show which enterprise apps are the most popular. In addition we'll reveal our zero day vulnerability.

presented by

Avi Bashan  &  Ohad Bobrov

Exploiting Linux and PaX ASLR's Weaknesses on 32-bit and 64-bit Systems

In this work, we present four weaknesses in current Linux and PaX ASLR design and implementation:

1) Too low entropy
2) Non-uniform distribution
3) Correlation between objects
4) Inheritance

A proof of concept exploiting the correlation weakness is presented, which bypasses the Full ASLR Linux in 64-bit systems in less than one second - the system is protected. A deep analysis of all these weaknesses enabled us to propose a new ASLR design. A proof of concept on Linux will be named ASLR-NG, which overcomes all current ASLRs including PaX solution. Finally, we present ASLRA, a suit tool to analyze the ASLR entropy of Linux.

Hacking a Professional Drone

Professional drones are now actively used across various industries (for example utility companies, law enforcement and first responder organizations, government agencies and universities) to perform daily critical operations. In this Briefing, Nils Rodday performs a live hack which exploits vulnerabilities of the professional drone and effectively compromises the security of the system to take over control. He also examines practical fixes and approaches for remediating these compromises.

presented by

Nils Rodday

Hey Your Parcel Looks Bad - Fuzzing and Exploiting Parcel-ization Vulnerabilities in Android

Binder is the heart of Android IPC and parcel is its blood. Most things in Android can and are intended to be parceled/unparceled from one process to another. Starting an activity? An intent will be parceled at caller side and eventually unparceled at receiver side. Calling an service? Same, except the receiver side is usually system_server or other privileged service process. Playing a video? Parcels are silently constructed and sent crossed /dev/binder to mediaserver.

Wait, what if the parcel is bad? Evil attacking process can craft malformed marshalled byte stream, thus triggering vulnerability in the receiver side's processing function, corrupting some memory and achieving privilege escalation. We call it "BadParcel." By fuzzing and code auditing, we have managed to find such high-severity vulnerabilities, most of which are also effective for current Android 6.0, enabling zero-permission attacking application to execute code in target high-privilege process like mediaserver and system_server. We will introduce how we write and run our custom fuzzers to effectively generate crashes and identify those bugs, including discussion and work on integration with ASAN and AFL. Besides, we will also present how to exploit one of those bugs, turning it from a simple benign-looking info-leak like index-out-of-bound, to reliable full PC control and shell code execution in mediaserver. We will elaborate the heap spray and memory fengshui technique we use, which we believe could shed some light on exploiting these kind of bugs.

presented by

Qidan He

I'm Not a Human: Breaking the Google reCAPTCHA

Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an arms race, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the solvers. Recent work, however, presented a generic attack that can be applied to any text-based captcha scheme. Fittingly, Google recently unveiled the latest version of reCaptcha. The goal of their new system is twofold; to minimize the effort for legitimate users, while requiring tasks that are more challenging to computers than text recognition. ReCaptcha is driven by an "advanced risk analysis system" that evaluates requests and selects the difficulty of the captcha that will be returned. Users may be required to click in a checkbox, or identify images with similar content.

In this paper, we conduct a comprehensive study of reCaptcha, and explore how the risk analysis is influenced by each aspect of the request. Through extensive experimentation, we identify flaws that allow adversaries to effortlessly influence the risk analysis process, bypass restrictions, and deploy large-scale attacks. Subsequently, we design a novel low-cost attack that leverages deep learning technologies for the semantic annotation of images. Our system is extremely effective, automatically solving 70.78% of the image reCaptcha challenges, while requiring only 19 seconds per challenge. We also apply our attack to the Facebook image captcha and achieve an accuracy of 83.5%. Based on our experimental findings, we propose a series of safeguards and modifications for impacting the scalability and accuracy of our attacks. Overall, while our study focuses on reCaptcha, our findings have wide implications; as the semantic information conveyed via images is increasingly within the realm of automated reasoning, the future of captchas relies on the exploration of novel directions.

presented by

Iasonas Polakis  &  Suphannee Sivakorn

Incident Response @ Scale - Building a Next Generation SOC

When the ratio of security personnel to endpoints/users/customers is so low, managing the amount of incidents that come in becomes impossible. In this talk we will discuss these Monitoring & Incident Response challenges, and how most of the processes can be (semi-)automated to lower the initial triage and full resolution timeline, increase visibility and over ability to protect your organization.

presented by

Omer Cohen

Let's See What's Out There - Mapping the Wireless IoT

"Radio... The final IoT frontier.
These are the problems of penetration testers.
Our continuing mission:
To explore strange new signals...
To seek out new devices; new protocols...
To boldly detect what no one is aware of!"

The Internet of Things (IoT) is considered to be the next phase of the Internet revolution - linking more and more objects of the real world to the virtual world and enabling anytime, anyplace and anything communication. Due to the vast increase in popularity and distribution, the IoT has become an interesting target for attackers. Because it is becoming more and more common for IoT devices to communicate over wireless channels, direct physical access to the targeted systems or network is no longer necessary. The attack range is then only dependent on the antennas used and the power of their transmitters.

Nowadays many companies are beginning to think about targeted attacks in the wireless world as a real threat but nobody is aware of what devices are out there, which protocols are used for communication and what information is transmitted. This huge attack surface is often a massive blind spot in cyber security strategies.

This talk provides insight into the problems that arise during security assessments in the wireless world, state-of-the-art wireless signal identification and what best practices should be used for revealing unknown signals.

The focus will be on the needs of a typical penetration tester, and in addition to the problem identification, we will release and demo a new tool that enables security testers to easily map the radio spectrum and identify unknown communication and devices.

presented by

Tobias Zillner

Locknote: Conclusions and Key Takeaways from Black Hat Asia 2016

At the close of this year's conference, join Black Hat Founder Jeff Moss and members of the esteemed Black Hat Review Board for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of Black Hat Asia and how these trends will impact future InfoSec strategies.

presented by

Jeff Moss

Multivariate Solutions to Emerging Passive DNS Challenges

These days, most threat intelligence analysts know how to use passive DNS to pivot on initial indicators: given one bad domain, analysts will routinely use passive DNS to identify other domains using the same IP address or name servers, etc.

Less discussed are the corner cases that make simple passive DNS methods hard to successfully employ. For example, if a domain's name servers are shared with 100,000 other domains (including many legitimate domains!), "guilt by association" based solely on name server commonality can become difficult.

Fortunately, it is still possible to identify related bad domains by employing passive DNS along with various other attributes rather than just focusing on a single screening factor such as shared name servers. Audience members will learn about the emerging challenges to using Passive DNS and specific steps they can take to successfully overcome them.

presented by

Paul Vixie

Never Trust Your Inputs: Causing 'Catastrophic Physical Consequences' from the Sensor (or How to Fool ADC)

Our world is analog. Computers are digital. When a microcontroller in an Industrial Control System (ICS) or embedded system acquires data from the physical world it uses analog-to-digital converters (ADC) to transform amperage or voltage into a useful unit of measurement. Decisions on how to control physical applications are taken based on the interpretation of the measured data. Certain pieces of process data must be accurate at all times in order to maintain efficiency and safety of the process. Understanding data sources and their pathways is essential to understanding how the attacker might perturb the process potentially causing "catastrophic physical consequences."

Development and usage of systems with ADCs is well understood and mastered to perfection. But let's look at it from the security perspective. In the production environment, the state of the physical process is estimated based on the measured physical phenomena like temperature or velocity which are converted to a voltage (V) value by a sensor or a transmitter. The signal may be consumed by two devices: process control equipment (PLC or RTU) and by Digital Acquisition system (DAQ) that sends data for historical logging and "big data" analysis. What if you want to perturb the process, but keep it secret to the monitoring systems like DAQ? What if you could generate a specific analog signal that will be interpreted by these two components in a completely different way? E.g. PLC will read 7 V and DAQ will read 1 V (corresponding to 400 and 20 units of temperature). You can do a lot of fun things if you understand how ADC works.

In this talk, we will discuss a rarely-addressed topic of analog signals processing security. Tampering with the frequency and phase can cause ADC outputting spurious digital signal; modifying the ranges can cause integer overflow and trigger logic vulnerability in the PLC/embedded software. We will analyze several attack vectors on ADC, misconfiguration of signal scaling and every other design detail that allow the attacker to fool ADC (and all systems depending on its output signal). We will illustrate how outlined vulnerabilities can be exploited in the software (demo) and conclude with the consequences of such attacks in the context of exploiting physical processes.

presented by

Alexander Bolshev  &  Marina Krotofil

NumChecker: A System Approach for Kernel Rootkit Detection and Identification

Kernel rootkits are stealthy and can have unrestricted access to system resources. In our talk, we will present NumChecker, a new Virtual Machine Monitor (VMM) based framework to detect and identify control-flow modifying kernel rootkits in a guest Virtual Machine (VM). NumChecker detects and identifies malicious modifications to a system call in the guest VM by measuring low-level events that occur during the system call's execution.

To efficiently measure these events, NumChecker leverages the Hardware Performance Counters (HPCs) in modern processors. HPCs today are able to measure a large number of low-level events that are related to program behavior. We implement NumChecker on Linux with the Kernel-based Virtual Machine. The results on a number of real-world kernel rootkits show that NumChecker is practical and effective.

presented by

Xueyang Wang  &  Xiaofei Guo

PLC-Blaster: A Worm Living Solely in the PLC

We will present and demonstrate the first PLC only worm. Our PLC worm will scan and compromise Siemens Simatic S7-1200 PLCs Version 1 through 3 without any external support. No PCs or additional hardware is required. The worm is fully self-contained and "lives" only on the PLC. Siemens S7-1200 PLCs offer different protection features. The access protection prevents the worm from compromising the the PLC. To our knowledge, this is the first time such a worm is publicly shown.

The Siemens Simatic PLCs are managed using a proprietary Siemens protocol. Using this protocol, the PLC may be stopped, started and diagnostic information may be read. Futhermore, this protocol is used to upload and download user programs to the PLC. The older S7-300 and S7-400 PLCs are supported by several OpenSource solutions, like snap7, supporting the protocols used on these older PLCs. These solutions have already been used to misuse PLCs for attacking purposes (Klick and Lau, Black Hat USA 2015). With the introduction of the S7-1200 the protocol has been replaced by a new version not yet publicly analyzed. We inspected the protocol based on the S7-1200v3 and implemented the protocol by ourselves in our ICShell. We are now able to install and extract any user program on these PLCs. These newest extensions to the ICShell have not been published yet.

Based on this work, we developed a PLC program which scans a local network for other S7-1200 PLCs. Once these are found the program compromises these PLCs by uploading itself to these devices. The already installed user software is not removed and still running on the PLC. Our malware attaches itself to the original software and runs in parallel to the original user program. The operator does not notice any changed behavior. We developed the first PLC only worm.

The worm is only written using the programming language SCL and does not need any additional support. For the remote administration of the compromised PLCs, we implemented a Command&Control (C&C) server. Infected PLCs automatically contact the C&C server and may be remotely controlled using this connection. Using this connection, we can manipulate any physical input or output of the PLC. An additional proxy function enables us to access any additional system using a tunnel. Lastly, the Stop mode may be initiated through the C&C connection requiring a cold restart of the PLC by disconnecting the power supply to recover. We will demonstrate the attack during our talk.

Our worm prevents its detection and analysis. If the operator connects to the PLC using the programming software TIA Portal 11, the operator may notice unnamed additional function blocks. But, when accessing these blocks the TIA Portal crashes preventing the forensic analysis.

The infection of the PLC takes roughly 10 seconds. While the infection is in progress the PLC is in Stop mode. As soon as the infection has succeeded, the PLC undergoes a warm restart and the worm is running additionally to to the original user program.

Our worm malware requires 38,5kb RAM and 216,6kb persistent memory. If the PLC does not offer the memory required by the original user software including our worm, it may overwrite the original user program. Based on the actually used model of the S7-1200 different setups may be required.

Model:Available RAM (used by worm):Available persistent memory (used by worm)

S7-1211:50kb (77%):1Mb (21%)
S7-1212:75kb (51%):1MB (5 %)
S7-1214:100kb (38%):4MB (5 %)
S7-1215:125kb (30%):4MB (5 %)
S7-1217:150kb (25%):4MB (5 %)

A critical requirement for the execution of a PLC program is the cycle time for one full cycle of the user program. Our malware requires 7ms per cycle. This is just 4.7% of the maximum cycle time configured by default on the PLC models we inspected. The original user program still has plenty of time to run.

By default, all Siemens Simatic S7-1200 v1-3 are susceptible to this attack. The PLC user programs may be uploaded and downloaded without any restriction. The Siemens Simatic PLCs support several protection mechanisms. We will explain these mechanisms and their result on the attack.

Siemens PLCs support several protection features including the access protection. The access protection does prevent the attack we will demonstrate. The access protection is disabled by default.

With the introduction of the S7-1200v4 Siemens introduced again a new protocol. These PLCs are not susceptible to the attack.

While we present an attack via the ethernet interface the installation of the user program can also happen using the field bus interface. Using this interface even PLCs not connected to the ethernet network may be compromised. Once the first PLC is infected using the Ethernet, all other PLCs connected via the same field bus would be compromised as well.

This talk emphasizes the significance of the built in protection features in modern PLCs and their correct deployment by the user.

Practical New Developments in the BREACH Attack

In 2013, BREACH was the sensation of Black Hat USA, introducing a still not mitigated attack vector that exploited compression to compromise SSL connections.

In this talk, we propose new methods to practically extend the attack against the most commonly used encryption ciphers. We describe a command-and-control technique to exploit plain HTTP connections in order to perform the attack in a persistent manner. We also present new statistical methods that can be used to bypass noise present in block ciphers as well as to avoid noise present in usual web applications. Parallelization and optimization techniques are also explored.

We will close the talk by proposing novel mitigation techniques. Finally, we will reveal our tool implementation, as well as experimental results on popular web services.

Rapid Radio Reversing

Wireless security researchers have an unprecedented array of tools at their disposal today. Although Software-Defined Radio (SDR) is the single most valuable tool for reverse engineering wireless signals, it is sometimes faster and easier to use other tools for portions of the reverse engineering process. I'll discuss how beneficial a hybrid SDR/non-SDR approach has been to security researchers, and I'll walk through an example of the process.

presented by

Michael Ossmann

su-a-Cyder: Homebrewing Malware for iOS Like a B0$$!

Developing malware for iOS devices has never been easier, so here is a tool to do it for you. Apple's development policy has changed, BIG TIME. What was once an Android realm problem, may be turning into a new headache for Apple. Homebrewing of Malware on iOS is now possible without leaving a trace. In this workshop, you will develop and execute your first iOS Malware sample utilizing the su-A-Cyder framework for iOS Malware PoC. Tools and Techniques will be presented live and released after the talk.

presented by

Chilik Tamir

The Kitchen's Finally Burned Down: DLP Security Bakeoff

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. For instance, Data Loss Prevention (DLP) solutions have often been touted as the "silver bullet" that will keep corporations from becoming the next headline. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass -- or worse.

This talk will discuss our previous and current research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves.

presented by

Zach Lanier  &  Kelly Lum

The Perl Jam 2: The Camel Strikes Back

Presenting "The Perl Jam: Exploiting a 20 Year-old Vulnerability" at 31c3 opened a Pandora's Box full of Perl debates and controversies. Many of these debates originated from the Perl community itself, with unforgiving arguments such as "vulnerabilities are the developer's fault", "RTFM" and "I really hate the Camel abuse in the presentation" that were mostly directed at me.

This is why I'm proud to say that this year I finally got the message - finding vulnerabilities in core modules is not enough. I need to prove there are problems in the most fundamental aspects of the Perl language, or the Perl community will keep ignoring the many language issues. So I did, and we are going to analyze it in a presentation filled with lolz, WATs, and 0-days, so maybe this time something will change.

Join me for a journey in which we will delve into more 0-days in Bugzilla, an RCE on everyone who follows CGI.pm documentation, and precious WTF moments with basically any other CGI module in the world, including (but not limited to) Mojolicious, Catalyst and PSGI, affecting almost every Perl based CGI application in existence.

I hope this talk will finally prove that developers are NOT the fault here, it's the LANGUAGE, and its anti-intuitive, fail-prone 'TMTOWTDI' syntax. Btw, maybe it's time to check your $$references ;)

presented by

Netanel Rubin

The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing

In a world where threat actors move fast and the Internet evolves in a non-deterministic fashion, turning threat intelligence into automated protection has proven to be a challenge for the information security industry. While traditional threat research methods will never go away, there is an increasing need for powerful decision models that can process data in a real-time fashion and scale to incorporate increasingly-rich sources of threat intel. This talk will focus on one way to build a scalable machine learning infrastructure in real-time on a massive amount of DNS data (approximately 80B queries per day).

In this talk, we will offer a sneak peek into how OpenDNS does scalable data science. We will touch on two core components, Big Data engineering and Big Data science, and specifically how they are used to implement a real-time threat detection systems for large-scale network traffic.

To begin, we will detail Avalanche, a stream processing framework that helps OpenDNS data scientists create their own data processing pipelines using a modular graph-oriented representation. Each node acts as a data stream processor running as a process, thread or EC2 instance. In this graph database, the edges represent streaming channels connecting the different inputs and outputs of the nodes. The whole data pipeline can then easily be scaled and deployed to hundreds of instances in an AWS cloud.

The Avalanche project's paradigm is to translate the approach that the finance world has been using for decades in high frequency or quantitative trading and apply it to traffic analysis. Applying intelligent detection models as close as possible to the data source holds the key to build a truly predictive security system, one where requests are classified and filtered on the fly. In our particular case at OpenDNS, we see a strong interest in integrating such a detection pipeline at the resolver level.

We will next discuss how we integrate our statistical model NLP-Rank (a model that does large scale phishing detection) with Avalanche, and show some benchmarks. At its core, NLP-Rank is a fraud detection system that applies machine learning to the HTML content of a domain's web page to extract relevant terms and identify whether the content is potentially malicious or not. In this sense we are automating the security analyst's decision-making process in judging whether a website is legitimate or not. Typically when an analyst performs a review for a domain or URL in question, the analyst visits the site in a TOR browser, analyzes the content, and identifies the themes/summarize the page before deciding whether it's a fake or a false positive.

In this talk, we will describe how we have automated this process at OpenDNS. We will also discuss the unique characteristics of NLP-Rank, including its machine learning techniques. Additionally, we will discuss the design and implementation of our phishing classification system. We will provide an overview of data preprocessing techniques and the information retrieval/natural language processing techniques used by our classifier. We will then discuss how Avalanche manages the results of NLP-Rank, how we add those results to our blocklists and our corpus, and Avalanche's overall performance.

presented by

Thibault Reuille  &  Jeremiah O'Connor

The Tactical Application Security Program: Getting Stuff Done

How many times have we heard the following pieces of wisdom from CISOs or other security talking heads? Be strategic, not tactical. Build security in - forget about break-fix.

Like a siren song, these words have caused a great many professionals to crash upon the rocks, and the strategy-first camp is simply doing a disservice to your users. Maybe that is why the average CISO only lasts a couple of years.

In our talk, we're going to tackle this conventional wisdom in the name of Getting Shit Done and propose a new path: The Tactical Security Program. We've established a lightweight, heavy hitting team thats performed over 400 assessments, handled over 900 bugs, and established a private bug bounty program all in one year, and we'd like to share some of our practices. If you are managing a program, you will come out of our talk with some actionable advice. If you are a worker bee, we will teach you how to subvert the system from within.

And while we're at it, we will tell you why following some of the newer trends of security wisdom, including embracing public bug bounty programs, is also a bad idea. Yeah, we said it.

presented by

Cory Scott  &  David Cintz