briefings - november 12-13

white paper




What Got Us Here Wont Get Us There

It's no secret that we have huge challenges in InfoSec: Every day we seem to pump out more code, connect more machines, and collect more data than ever before. Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company InfoSec team is still struggling with problems that we "knew about" in the 90's.

This is not for a lack of effort: Security teams are bigger, security budgets are larger, and there is a security conference going on for almost every day of the year.

Lots of the fault here lies squarely with us.

This talk will discuss the problems we should be tackling, (the distractions we should be ignoring,) and then, riffing on the Marshall Goldsmith best seller (What Got You Here Won't Get You There) will aim to explore those activities that we are currently engaged in (as individuals and an industry) that are doing us all more harm than good.

presented by

Haroon Meer


(In-)Security of Backend-As-A-Service

Smartphone applications frequently need to store data remotely. From a developer's point of view, setting up and maintaining back-ends, however, is time-consuming and error-prone. Therefore, commercial cloud-based data storage solutions from Backend-As-A-Service (BaaS) providers such as the ones from Amazon, Google, and Facebook have become omnipresent. They provide simple APIs for common tasks such as managing database records or files. Adding a few library classes and writing three or four lines of code is sufficient to make an interaction between the cloud and the app, and, e.g., store credit card data. While this model is convenient, one might wonder whether it's really secure in practice (spoiler: it's not).

In this study, we will show that many BaaS solutions are completely insecure and attackers have no difficulties in breaking into the developer's backend. We investigated about two million Android apps and the results were quite shocking. We were able to access more than 56 million sensitive user records stored in the cloud by heavily misconfigured BaaS solutions. These records contained all sorts of sensitive data processed by Android apps: medical information, credit card data, photos, voice-, audio- and video-records, money transaction records, etc. Some apps even contained credentials that gave us full control over the remote storage. Adversaries could hijack Amazon S3-Buckets which gives them the ability to modify sensitive customer databases, add malicious code to well-known websites or directly run malware on the cloud at the app developer's expense. In order to find and verify these insecure BaaS solutions in Android applications, we developed an automatic exploit generator that extracts credentials from the app, even if they are obfuscated, and provides access to the respective BaaS backend.

presented by

Siegfried Rasthofer  &  Steven Arzt

A Peek Under the Blue Coat

Blue Coat ProxySG systems are widely deployed in big corporations to handle web traffic proxying and filtering. While they are very common, no work has ever been published regarding the internals of the system. With this talk, I will present the results of a detailed analysis of the entirely proprietary SG OS, which runs on commodity Intel hardware.

The talk will include a detailed description of :

  • OS mechanisms
  • File system internals
  • Security mechanisms (or lack thereof)

presented by

Raphael Rigo

All Your Root Checks Belong to Us: The Sad State of Root Detection

Today, mobile devices are ubiquitous; a facet of everyday life for most people. Due to increasing computational power, these devices are used to perform a large number of tasks, from personal email to corporate expense account management. It is a hassle for users to be required to maintain multiple mobile devices to separate personal and corporate activities, but in the past this was a commonplace requirement.

The Bring Your Own Device (BYOD) revolution has promised to consolidate personal and business applications onto one device for added convenience and to reduce costs. As business applications move to personal devices, a clear problem has arisen: how to keep business data secure and personal data private when they reside on the same device. Many solutions exist, both for increasing the security of mobile devices as well as BYOD and Mobile Device Management (MDM) software, to allow access to business applications and data while keeping it secure.

One chink in the armor for both security and business applications is "rooted" devices. These devices have been unlocked, providing low-level system access to users and applications. With root access, users may be able to bypass BYOD mechanisms in place to protect data, and malware may be able to access both private personal and business data on devices. As such, security applications and business applications often attempt to identify rooted devices and report them as compromised.

In this talk, we analyze the most popular Android security focused applications along with market leading BYOD solutions to discover how "rooted" devices are identified. We dissect the aforementioned applications with commonly available open source Android reverse engineering frameworks to demonstrate the relative ease of circumventing these root checks. Finally, we present AndroPoser, a simple tool that can subdue all the root checks we discovered, allowing "rooted" devices to appear "non-rooted."

presented by

Azzedine Benameur  &  Nathan Evans  &  Yun Shen

AndroBugs Framework: An Android Application Security Vulnerability Scanner

Android developers sometimes make coding mistakes with some of these mistakes leading to serious security vulnerabilities. However, it cannot be expected that every Android developer will first check the official Android Developer documents or have a mobile or web security background. Therefore, an Android analysis security system that can verify vulnerabilities before releasing Android applications on Google Play becomes crucial. AndroBugs Framework is a free Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities. In the Android system, each application's security is maintained by creating a different Linux user and group for each App to distinguish permissions. Valid security vulnerability occurs when a malicious App is able to steal the privacy information inside a legitimate App by exploiting the vulnerabilities in the legitimate App or intercepting the network packet (e.g. MITM attack) under the non-rooted phones. It is normally not considered as a valid vulnerability if hackers must have "root" permission (e.g. Xposed Framework) or have physical access to the phone (e.g. "adb backup" security issue) to exploit the vulnerabilities.

This presentation will demonstrate how AndroBugs Framework can help find valid vulnerabilities and help Android developers reduce the risk of having their applications exploited or hacked. Additionally, this system can also be used to efficiently and instantly find all the possible and potential security vulnerabilities in millions of Android apps. Using AndroBugs Framework, security vulnerabilities have been found in Android applications or SDKs developed by companies such as Facebook, Twitter, Microsoft, Yahoo!, Google Android, Huawei, Evernote, Alibaba, AT&T, and Sina Weibo, which have later been acknowledged by those companies in their Hall of Fame. Vulnerabilities in Android products by some of the famous companies will also be disclosed in this presentation and used as real cases to introduce the vulnerability vectors implemented in AndroBugs Framework.

presented by

Yu-Cheng Lin

Attacking the XNU Kernel in El Capitain

The XNU kernel powers Apple's operative systems. As their market share grows, exploitation of OS X and iOS is gaining popularity. The introduction of kernel exploit mitigations such as KASLR and SMEP has been overcome with new techniques. "vm_map_copy" corruption, a well-known technique useful for bypassing KASLR and SMAP / AS Isolation, has been mitigated in 10.11 & iOS 9. My talk will demonstrate new techniques to get around XNU's latest changes and I will demonstrate a real kernel exploit for the most recent version of El Capitain to bypass System Integrity Protection (rootless).

presented by

Luca Todesco

Authenticator Leakage through Backup Channels on Android

Security of authentication protocols heavily replies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply locate the authenticators into the persistent storage and entrust the underlying Android OS for mediation. Consequently, the authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation on this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with Internet and SD card permissions. With this exposure, the malicious apps can steal other apps' authenticators and obtain complete control over the authenticated sessions. We show that this can be stealthily and efficiently done by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) out of 117 tested top-ranked apps which have implemented authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector.

presented by

Guangdong Bai

Automating Linux Malware Analysis Using Limon Sandbox

A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform the target for malware attacks, so it becomes important to analyze the Linux malware. Today, there is a need to analyze Linux malwares in an automated way to understand its capabilities.

Limon is a sandbox developed as a research project written in python, which automatically collects, analyzes, and reports on the run time indicators of Linux malware. It allows one to inspect the malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis using open source tools. Limon apart from displaying the characteristics of the ELF binary, analyzes the malware in a controlled environment, monitors its activities and its child processes to determine the nature and purpose of the malware. It determines the malware's process activity, interaction with the file system, network, memory, and also stores the analyzed artifacts for later analysis, which helps in post mortem analysis. Since Limon relies on open source tools, it's easy for any security analyst to setup a personal sandbox to perform Linux malware analysis. The presentation will touch on the implementation details of the sandbox and will present a video demo showing the analysis of a real world Linux malware samples using Limon.

presented by

Monnappa K A

Breaking Access Controls with BLEKey

RFID access controls are broken. In this talk, we will demonstrate how to break into buildings using open-source hardware we're releasing.

Over the years, we've seen research pointing to deficiencies in every aspect of access control systems: the cards, the readers, and the backend. Yet, despite these revelations, there has been no meaningful change in their design or reduction in use around the world. Do these companies not care about physical security, or do they not understand the implications of these weaknesses?

We have improved upon previous research with an open-source hardware device that exploits the communication protocol used by the majority of access control systems today. Using a tiny device that can be easily embedded in an RFID reader, attendees will learn how to use Bluetooth LE and a cell phone (or PC) to circumvent access controls, log access information, and clone RFID cards.

Our goal is to use this device to help those relying on insecure devices understand the risks. We will also explain what can be done to lower the risk of access control attacks.

presented by

Eric Evenchick  &  Mark Baseggio

Bypassing Local Windows Authentication to Defeat Full Disk Encryption

In 2007, starting with Windows Vista, Microsoft began shipping a full disk encryption feature named BitLocker with professional and enterprise versions of Windows. Full disk encryption helps protect users from threats that include physical access. This can, for example, prevent the exposure of proprietary information and account credentials if a company laptop is lost, stolen, or even left temporarily accessible to an attacker.

Under the hood, BitLocker utilizes a system's Trusted Platform Module (TPM) to store the secret key used for full disk encryption, and is able to use the features of the TPM to safely provide transparent, passwordless decryption of the disk on boot. Because BitLocker can work transparentlywithout any extra passwords or prompts on bootmany enterprises have opted to enable this form of full disk encryption as a part of their data loss prevention strategy.

However, in this presentation, I will demonstrate how one can abuse physical access in order to bypass Windows authenticationthus accessing all of a user's dataeven when the disk is fully encrypted by BitLocker. This platform-independent attack effectively bypasses all of the protection offered by BitLocker, reliably and quickly allowing an attacker to retrieve all of the sensitive data on the machine, all without having to perform any cryptographic brute-forcing or hardware manipulation.

presented by

Ian Haken

Bypassing Self-Encrypting Drives (SED) in Enterprise Environments

For years, Full-Disk Encryption (FDE) solutions have been advertised as the "silver bullet" solution to protect against the unauthorized disclosure of sensitive data at rest. Hardware-based FDE, known as Self-Encrypting Drives (SED), have reportedly zero overhead and enhanced security in contrast to software encryption alternatives and have already been adopted by organizations across the world.

Unknowingly, organizations using SED have been sitting on a critical exposure to their data that they thought was encrypted.
This session will explore SED solutions, a newly discovered vulnerability that allows you to circumvent their protection mechanisms and how organizations can protect themselves against this new threat.

presented by

Daniel Boteanu  &  Kevvie Fowler

Commix: Detecting and Exploiting Command Injection Flaws

Command injections are prevalent to any application independently of its operating system that hosts the application or the programming language that the application itself is developed. The impact of command injection attacks ranges from loss of data confidentiality and integrity to unauthorized remote access to the system that hosts the vulnerable application. A prime example of a real, infamous command injection vulnerability that clearly depicts the threats of this type of code injection was the recently discovered Shellshock bug. Despite the prevalence and the high impact of the command injection attacks, little attention has been given by the research community to this type of code injection. In particular, we have observed that although there are many software tools to detect and exploit other types of code injections such as SQL injections or Cross Site Scripting, to the best of our knowledge there is no dedicated and specialized software application that detects and exploits automatically command injection attacks. This talk attempts to fill this gap by proposing an open source tool that automates the process of detecting and exploiting command injection flaws on web applications, named as commix, (COMMand Injection eXploitation). This tool supports a plethora of functionalities, in order to cover several exploitation scenarios. Moreover, Commix is capable of detecting, with a high success rate, whether a web application is vulnerable to command injection attacks. Finally, during the evaluation of the tool, we have detected several 0-day vulnerabilities in applications.

Overall, the contributions of this work are: a) We provide a comprehensive analysis and categorization of command injection attacks; b) We present and analyze our open source tool that automates the process of detecting and exploiting command injection vulnerabilities; c) We will reveal (during our presentation) several 0-day command injection vulnerabilities that Commix detected on various web based applications from home services (embedded devices) to web servers.

Continuous Intrusion: Why CI tools are an Attackers Best Friends

Continuous Integration (CI) tools provide an excellent attack surface due to the no/poor security controls, distributed build management capability, and level of access/privileges in an enterprise.

This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.

Popular CI tools, open source as well as proprietary will be the targets. The talk will be full of live demonstrations.

presented by

Nikhil Mittal

Cybercrime in the Deep Web

All content not indexed by traditional web-based search engines is known as the DeepWeb. Wrongly been associated only with the Onion Routing (TOR), the DeepWeb's ecosystem comprises a number of other anonymous and decentralized networks. The Invisible Internet Project (I2P), FreeNET, and Alternative Domain Names (like Name.Space and OpenNic) are examples of networks leveraged by bad actors to host malware, high-resilient botnets, underground forums and bitcoin-based cashout systems (e.g., for cryptolockers).

We designed and implemented a prototype system called DeWA for the automated collection and analysis of the DeepWeb, with the goal of quickly identifying new threats as soon they appear.

In this talk, we provide concrete examples of how using DeWA to detect, e.g., trading of illicit and counterfeit goods, underground forums, privacy leaks, hidden dropzones, malware hosting and TOR-based botnets.

Cybersecurity for Oil and Gas Industries: How Hackers Can Manipulate Oil Stocks

The industries most plagued by cyber-attacks are oil and gas. Several attacks against the infrastructure of oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major oil companies. The oil and gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in oil and gas industries, and there are even specific SAP modules for oil and gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service, and Oracle Enterprise Asset Management.

Cyber-attacks on SAP systems belonging to oil and gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices). Moreover, SAP and Oracle serves business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks. For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.

Our talk, based on a several case studies conducted during research and professional services, will shed a light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to oil and gas companies as well as guidelines and processes on how to avoid them.

presented by

Alexander Polyakov  &  Mathieu Geli

Defending Against Malicious Application Compatibility Shims

The Application Compatibility Toolkit (ACT) is an important component of the Microsoft Application Compatibility ecosystem and holds a position of considerable tactical value on modern computer systems, but it is currently not well-known to those in the security industry. Microsoft specifically designed the ACT to intercept application API calls, alter the Portable Executable (PE) file loading process, and subvert the integrity of a number of key systems which ironically is the type of functionality seen in advanced rootkits. In my talk, I will demonstrate how the ACT is used to create Shim Database Files (sdb files / shims) which are simple to produce, easy to install, flexible, and stealthy. While the ACT offers an excellent post-exploitation avenue for novice attackers, a number of sophisticated actors have been observed leveraging the Application Compatibility Framework for advanced persistence and privilege escalation. I will go on to show far more advanced techniques such as in-memory patching, malware obfuscation, evasion, and system integrity subversion using malicious shims.

To aid defenders, I have released a number of tools that detect and prevent shimming. I will also demonstrate the offensive capabilities of malicious shims, along with numerous examples of how defenders can employ my publicly available countermeasures. These tools can be used by enterprise wide defenders/responders, single host administrators, and application developers to better protect their environments.

I will also demonstrate triage techniques that defenders can use for quick analysis via publicly available tools to determine an sdb file's general functionality.

presented by

Sean Pierce

Even the LastPass Will be Stolen Deal with It!

Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all.

LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data.

Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.

We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.

presented by

Alberto Garcia  &  Martin Vigo

Exploiting Adobe Flash Player in the Era of Control Flow Guard

Adobe Flash Player, one of the most ubiquitous pieces of software, is integrated into the operating system on Windows 8.1 and Windows 10. Along with the introduction of Control Flow Guard (CFG) - Microsoft's newest exploit mitigation technology - in November 2014, Flash Player binaries provided by Microsoft are now protected by CFG, which adds a check before every indirect call in the code in order to verify that the destination address of that call is one of the locations identified as "safe" at compile time. Gaining code execution isn't as simple as overwriting the vtable of an object and calling one of its virtual methods anymore.

We'll start this presentation by discussing an exploitation technique which leverages the Flash Player's JIT compiler in order to bypass CFG, and how Microsoft and Adobe have hardened Flash Player's JIT compiler against this technique in the June 2015 security updates. Then, we are going to discuss three practical data-only attacks, showing how it is possible to take advantage of vulnerabilities in Flash Player while avoiding the mess of having to deal with CFG. One of these alternative payloads makes it possible to execute arbitrary commands on the vulnerable system without injecting shellcode nor using ROP. Interestingly, detecting and protecting against these data-only attacks can be challenging.

Although this talk is focused on the challenges of exploiting Flash Player vulnerabilities on CFG-enabled systems, the techniques and ideas discussed here may be applied against other software.

presented by

Francisco Falcon

Faux Disk Encryption: Realities of Secure Storage on Mobile Devices

The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss or theft of a device which grants an attacker physical access which may be used to bypass security controls in order to gain access to application data. Depending on the application's data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data.

In this talk, we discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for most attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Android respectively. For each platform, we discuss in-depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with an analysis of what still can go wrong even when current best-practices are followed and what the security and mobile device community can do to address these shortcomings.

At the end of our talk, attendees will understand the significant challenges involved in storing data on an always-on and portable device, how to securely store data for different use cases, and how to uncover secure storage flaws in real-world applications.

presented by

Daniel Mayer  &  Drew Suarez

Fuzzing Android: A Recipe for Uncovering Vulnerabilities Inside System Components in Android

The presentation focuses on a fuzzing approach that can be used to uncover different types of vulnerabilities inside multiple core system components of the Android OS. The session will be targeted on exposing the general idea behind this approach and how it applies to several real-life targets from the Android OS with examples of actual discovered vulnerabilities. Some of the components that were targeted and found vulnerable: the Stagefright framework, the mediaserver process, the Android APK install process, the installd daemon, dex2oat, ART.

The presentation will cover a number of topics starting with the actual fuzzing process with the data/seed generation processes and test case execution, the logging and triage mechanisms, addressing challenges such as bug reproducibility, sorting out unique issues and prioritizing issues based on their severity. The second part of the presentation will take the talk towards explaining the creation of several tools that have been developed using this methodology. The actual implementation of the tools will be discussed with focus on the more innovative technical details, as well as the issues discovered, CVE entries released and possible exploitable patterns. An insight of the results that will be discussed: thousands of crashes discovered, tens of unique issues, 6 CVE entries released by Google.

presented by

Alexandru Blanda

Going AUTH the Rails on a Crazy Train

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it's up to the developers to keep themselves safe. In this talk, we take a look at patterns that we've seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

presented by

Jeff Jarmoc  &  Tomek Rabczak

Hey Man Have You Forgotten to Initialize Your Memory?

When the rules for this year's Pwn2Own contest came out, there was only less than one month left for us to prepare for our Internet Explorer Exploit. It was not an easy task to pop up a calc on this year's IE target, where you need to conquer the 64-bit IE child process, the control flow guard (CFG) on windows 8.1 as well as the enhanced-protected mode (EPM) of IE11.
This was the first time that 64-bit IE was used in the contest, which means more stronger ASLR that makes simple heap-spraying techinque does not work as it does on 32-bit process. Also on Windows 8.1, CFG is heavily used in user mode processes which makes it harder to transfer the execution-flow to our shellcode. And at last, we need to bypass the EPM sandbox without user interfaction and without re-starting/re-login the computer. We are glad that we finally made it, with two 0day vulnerabilities, which have already been patched by Microsfot in June 2015.

In this presentation, we will describe (for the first time) the details of the two vulnerabilities we used to take down 64-bit IE in this year's Pwn2Own. By going through the poc exploit, we will show how we achieved ASLR & CFG bypass and remote code execution in 64-bit IE with a single uninitialized memory bug. And, we will also discuss the TOCTOU vulnerability we used to bypass IE's EPM sandbox to achieve elevation of privilege.

Throughout the talk, we will describe several methods you may use to bypass exploit mitigtions (such as ASLR, CFG) on 64-bit IE,
to achieve remote code execution with your memory corruption bug.

presented by

Yuki Chen  &  Linan Hao

Hiding in Plain Sight - Advances in Malware Covert Communication Channels

Steganography, the art of concealing information in different types of medias, is a very old practice. Yet, it only recently started being used by malware operators on a large scale. Malware programmers and operators are increasing their efforts in developing covert communication channels between infected computers and their command and control servers. In addition to steganography, recent examples include hiding communication in inconspicuous network traffic such as DNS queries or HTTP 404 error messages.

When used properly, these covert communication channels can bypass many automated detection mechanisms and render malware communication difficult to detect and block. From an attacker's perspective, covert communication channels are a valuable addition because they allow messages to blend in with legitimate traffic and thus significantly lower the chance of being detected even when inspected by a human analyst.

This presentation studies recent advances in covert communication channels used by real-world malware. First, we will show how steganography has recently been used in three different malware families (Stegoloader, Vawtrak, and Lurk). We will dive into the implementation details on how steganography is implemented and discuss the strengths and weaknesses of each approach. Furthermore, we will detail and compare the usage of inconspicuous carrier protocols for covert communication channels in malware. Examples will span commodity cybercrime as well as targeted attack malware.

The cases that are discussed in this presentation are based on real life incidents. While it is easy to speculate how covert communication channels might be used by malicious actors, documentation of real-world cases is sparse. Yet, covert communication channels have arrived in both, the commodity cybercrime and targeted attack world. It is thus vital to understand the status-quo and identify current trends in cybercriminal and targeted attack malware. As such, we believe that it is mandatory to highlight what is currently being used in the wild.

How to Break XML Encryption - Automatically

In recent years, XML Encryption has become a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard.

Unfortunately, most of the current XML Encryption implementations do not support the newest XML Encryption specification and offer different XML Security configurations to protect confidentiality of the exchanged messages. Resulting from the attack complexity, evaluation of the security configuration correctness becomes tedious and error prone. Validation of the applied countermeasures can only be made with numerous XML messages provoking incorrect behavior by decrypting XML content. Up to now, this validation was only manually possible.

In this talk, we give an overview on the analysis of chosen-ciphertext attacks on XML Encryption and design an algorithm to perform a vulnerability scan on arbitrary encrypted XML messages. The algorithm can automatically detect a vulnerability and exploit it to retrieve the plaintext of a message protected by XML Encryption. To assess practicability of our approach, we implemented an open source attack plugin for Web Service attacking tool called WS-Attacker. With the plugin, we discovered new vulnerabilities in four out of five analyzed Web Service implementations, including IBM Datapower or Apache CXF.

presented by

Juraj Somorovsky

Implementing Practical Electrical Glitching Attacks

Techniques for glitching attacks are well known, but there is little information on how to implement a full reliable exploit on a target. In this talk, we attempt to implement and execute successful voltage and clock glitching attacks on a group of target devices. During the talk, we detail the necessary conditions required to create an affordable, and reliable exploit for a target device. Other attacks typically involve decapping the target chip, with the use of expensive equipment typically out of reach of the normal hobbyist. In contrast, electrical glitching is a technique that can be used non-invasively, and can allow attackers the ability to bypass normal software protections or generate exploitable conditions within the target device.

Electrical glitching involves modification of the clock or the voltage supplied to a chip. Clock glitching involves sending an out of cycle clock edge in order to make the chip advance to its next state prematurely, allowing us to bypass entire instructions. Voltage glitching involves increase or decreasing the voltage supplied to a chip in order to alter the state of the propagation delay experienced by the transistors in the chip, allowing you to corrupt register memory. The talk will involve studying and reproducing results from well known cases of electrical glitching such as the Xbox 360 clock glitch exploit.

presented by

Brett Giller

Is Your TimeSpace Safe? - Time and Position Spoofing Opensourcely

We have found a way to produce GPS spoofing with an extremely low cost SDR device and both iPhone and Apple Watch could be affected. (Tech details have already been submitted to Apple Product Security Team. )

The map apps of iOS and Android can be cheated too, and you can even produce an Uber position spoofing, which make LBS apps vulnerable.

Futhermore, the time information of smart devices could be easily cheated, since those devices rely heavily on GPS based timing or NTP service (also based on GPS timing).

Additionally, we will examine other common positioning methods used by smart devices, such as iBeacon/BLE/WiFi.

We will give a demo on how we collect WiFi Access Point SSID data, and then make a fake WiFi environment to cheat WiFi positioning system of Android.

In the end, we will also give some suggestions in order to prevent such spoofing.

presented by

Wang Kang  &  Shuhua Chen  &  Aimin Pan

Lessons from Defending the Indefensible

For the last year, we've been working hard to optimize CloudFlare's infrastructure to survive different types of denial of service attacks. If you have plenty of servers the usual advice of "buy more bandwidth" may be sufficient, but it certainly wasn't useful to us. At some point you need to do _something_ with the incoming traffic, and the servers have only so many CPU cycles.

In this talk, we'll share our experiences in defending our services. We'll go through many layers, from flowspec and sflow, to ethtool tweaks, kernel bypass techniques, iptables examples to useful sysctls. We'll touch on details such as: why increasing backlog queue size may hurt you, why your servers can't send more than 200k syn cookies per second, how to stop a botnet with iptables ipsets and hashlimits, when enabling conntrack makes sense or how to process 10M pps on a single commodity server. Our favorite defense techniques are using BPF, so we will spent a fair bit of time discussing this.

We'll discuss what we tried, what worked, what didn't, and why some of the technically sound ideas turned up to be totally impractical.

Our experience is in defending HTTP/S and DNS services, on which this talk will focus, but our techniques are applicable to the usual variety of DDoS'es like Chargen, SSDP, NTP or DNS reflection.

presented by

Marek Majkowski

Locknote: Conclusions and Key Takeaways from Black Hat Europe 2015

At the close of this year's conference, join Black Hat Founder Jeff Moss and members of the esteemed Black Hat Review Board for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of Black Hat Europe and how these trends will impact future InfoSec strategies.

presented by

Jeff Moss  &  Marion Marschalek  &  Haroon Meer  &  Jennifer Savage

LTE & IMSI Catcher Myths

It is true that LTE (4G) is more secure than its old generations GSM (2G) & UMTS (3G). In theory, most of the traditional IMSI catchers would not work in a straightforward manner against LTE-based mobile phones due to LTE's enhanced security mechanisms. However, in practice, it is possible to bypass these LTE security features, due to vulnerabilities in baseband software and in deployed LTE networks. In this talk, we build an LTE IMSI catcher and show how most popular phones fail when they are on LTE networks.

New (and Newly-Changed) Fully Qualified Domain Names: A View of Worldwide Changes to the Internets DNS

The Domain Name System (DNS) is highly dynamic, and changes to it are continually taking place.

For example, new base domain names get registered and used for the first time, new resource records (and new resource record types such as MX, PTR, AAAA) get created within those base domains, and resource records get set to new values. A single domain can have up to 100 resource records returned at once.

Historically, all of those changes were largely overlooked in the flood of DNS traffic available to security analysts and DNS researchers from DNS-data sharing sites until now. In this presentation, Dr. Paul Vixie will discuss a ground-breaking approach that tames this information fire hose - the creation of two winnowed, real-time data streams, one consisting of newly-observed fully-qualified domain names, and another of DNS changes.

These new streams make it easy to identify numerous security-relevant DNS changes. For example, if a prominent web server is subject to a DNS poisoning attack or its name servers are changed without authorization at the registrar, that hijacked web server will show up in these streams as having experienced a "DNS change." Spam sites that formerly used DNS wildcarding in an attempt to "fly under the radar" are now easily identified, since each of their new pseudo-random Fully Qualified Domain Names (FQDN)s gets tagged as being new. Similarly, operators of fast flux or double fast flux networks can no longer hide.

Dr. Vixie will provide practical examples of how this innovative new approach will allow for more timely and effective approaches to combating malicious Internet behavior, including significantly improving brand protection and anti-phishing controls, and increasing situational awareness.

He will also discuss limitations associated with this approach, including filtering choices, and limitations to the paradigm and his talk will include a demo with Q&A.

presented by

Paul Vixie

New Tool for Discovering Flash Player 0-day Attacks in the Wild from Various Channels

2015 is the Year of Flash. Zero day attacks found in 2015 are almost always using flash player.

In 2013 and 2014, JAVA and IE were the most popular attack targets for PCs. Oracle introduced a pop-up window to escape from the attack spotlight. Microsoft introduced isolated heap and memory protector to avoid huge attacks from UAF bugs in the second half of 2014. Based on these findings in late 2014, I predicted that 2015 would be the Year of the Flash Attack. Armed with this knowledge, I worked to discover several flash 0-day attacks. The most important thing to discover with flash 0-day attacks is how to get effective samples in the wild, and the second important task is how to identify 0-days effectively from these samples which maybe very large data sets. In this session, I will detail the following points:

  • The various channels I used to get flash samples in the wild.
  • The process I used to identify 0-day samples from these big sets of data.
  • The tool I used to detect flash 0-day attack samples with extremely low false positive alerts.

presented by

Peter Pi

Panel: What You Need to Know About the Changing Regulatory Landscape in Information Security

The past two years have seen an increasing amount of scrutiny of the Information Security industry by policy makers around the world. The Wassenaar agreement and the EU Dual Use regulation are just two examples of the type of policy challenges that we face as the industry matures. What has been clear from these recent experiences is that there is a fundamental lack of communication and understanding between the parties involved and fostering communication will be essential to tackle future regulatory efforts. Join us for a panel that brings together policy makers, civil society and industry experts to examine the current status of the regulatory environment in Europe and the impact on our community.

Self-Driving and Connected Cars: Fooling Sensors and Tracking Drivers

Automated and connected vehicles are the next evolution in transportation and will improve safety, traffic efficiency and driving experience. This talk will be divided in two parts: 1) security of autonomous automated vehicles and 2) privacy of connected vehicles.

Automated vehicles are equipped with multiple sensors (LiDAR, radar, camera, etc.) enabling local awareness of their surroundings. A fully automated vehicle will solely rely on its sensors readings to make short-term (i.e. safety-related) and long-term (i.e. planning) driving decisions. In this context, sensors have to be robust against intentional or unintentional attacks that aim at lowering sensor data quality or alter sensor input to disrupt the automation system. This talk presents remote attacks on camera-based system and LiDAR using commodity hardware. Results from laboratory experiments show effective blinding, jamming, replay, relay, and spoofing attacks. We propose software and hardware countermeasures that improve sensors resilience against these attacks. As such sensors are also deployed in today's cars for advanced driver assistance systems (ADAS), our results have a short-term relevancy beyond automated driving.

Connected Vehicle is an upcoming technology that allow vehicles and road-side infrastructure to communicate to increase traffic efficiency and safety. To enable cooperative awareness, vehicles continually broadcast messages containing their location. These messages can be received by anyone, jeopardizing location privacy. A misconception is that such attacks are only possible by a global attacker with extensive resources (e.g. sniffing stations at every intersections giving a full city-wide coverage). In this paper, we demonstrate the feasibility of location tracking attack in an ITS in the presence of a mid-sized attacker (i.e. an attacker that has partial network coverage but can choose which parts to cover). We conduct an empirical study on the campus of the University of Twente, The Netherlands by deploying ITS hardware on a small scale. As road intersections are likely targets for an attacker to eavesdrop, we propose a graph-based approach to determine which intersections an attacker should cover. We also derive a cost analysis that gives an indication of the financial resources an attacker needs to track a vehicle. To mitigate location tracking attacks, we assess the benefit of pseudonym change strategies and propose a privacy metric to quantify a vehicle's level of privacy in the presence of mid-sized attackers. Experiment results demonstrate that tracking is feasible even if such an attacker covers a small number of intersections. If this is deficiency of privacy protection is left unaddressed, it will be cost efficient for any interested parties to set up scalable passive surveillance and sousveillance operations.

presented by

Jonathan Petit

Silently Breaking ASLR in the Cloud

To reduce the memory footprint and to increase the cost-effectiveness of virtual machines (VMs) running on the same host, cloud providers use memory deduplication. Memory deduplication searches for memory pages with the same contents and merges them into one, read-only memory page. Writing to these pages is expensive due to page faults caused by the memory protection, and this cost can be used by an attacker as a side-channel to detect whether a page has been shared. Leveraging this memory side-channel, we craft an attack that leaks the randomized base addresses of libraries and executables mapped in processes of neighboring VMs, and hence, defeats ASLR. Our proof-of-concept exploit, CAIN (Cross-VM ASL INtrospection), defeats ASLR of a 64-bit Windows Server 2012 victim VM running on a default KVM configuration in less than five hours.

In this session, we will discuss the underlying concepts of the attack and we will present the CAIN PoC exploit.

presented by

Antonio Barresi  &  Kaveh Razavi  &  Mathias Payer  &  Thomas Gross

Stegosploit - Exploit Delivery with Steganography and Polyglots

"A good exploit is one that is delivered with style."

Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This talk discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded. The Stegosploit Toolkit v0.3, to be released with improvements upon existing v0.2, contains the tools necessary to test image based exploit delivery.

presented by

Saumil Shah

Triaging Crashes with Backward Taint Analysis for ARM Architecture

We have developed a set of tools for analyzing crashes that occur on Linux OS and ARM architecture to determine exploitability with taint analysis for practical use. For the analysis, Dynamic Binary Instrumentation (DBI) is required to extract context information of each instruction at runtime. Unfortunately, most existing DBI tools have been developed for x86 architecture. Therefore, we have developed a dedicated tool called ARM-Tracer based on ptrace system call. ARM-Tracer can dynamically trace a specific thread in the multi-threaded environment and generate a trace log until the target gets crashed. Then, the trace log is analyzed by another tool that we have developed to perform the backward taint analysis on Desktop for efficiency. The tool is named ARM-Analyzer, a stand-alone GUI application developed in C# language, which lets us know whether the crash is affected by the input data. For this, we analyzed ARM instructions to identify taint objects of each instruction.

During this talk, we will demonstrate our tools by applying them to an Android application for the crash analysis. We will also release our tools at Black Hat.

presented by

Dongwoo Kim  &  Sangwho Kim

Unboxing the White-Box: Practical Attacks Against Obfuscated Ciphers

White-Box Cryptography (WBC) aims to provide software implementations of cryptographic algorithms that are resistant against an attacker with full access to the internals. Therefore, the key must remain secure even if the attacker is able to inspect and modify the execution of the cryptographic algorithm. This is often referred to as "security in the White-Box context."

In a vanilla implementation of a cryptographic algorithm, access to intermediate results directly leads to extraction of the key. To achieve security in the white-box context, data encoding schemes and strong obfuscation are typically applied. This type of implementation is commonly seen in DRM systems, and is currently gaining momentum in the mobile payment market.

Assessing the security of WBC implementations is a challenge both for evaluators and for WBC designers, as it often requires a powerful mix of reverse engineering and applied cryptanalysis skills.

In this presentation, we show how attacks typically used to attack hardware cryptosystems can be ported to the white-box settings. We will introduce generic yet practical attacks on WBC implementations of the TDES and AES ciphers. Additionally, we will analyze the requirements for each attack and discuss potential countermeasures.

We have applied these attacks to recover cryptographic keys from commercial as well as academic implementations. During the presentation, we will demonstrate several attacks on open source WBC implementations using custom tools.

If you are tasked with evaluating the attack resistance of a WBC-based solution, this presentation will provide a better understanding of what White-Box Cryptography is and how to evaluate its robustness against different key extraction attacks. If you are a WBC designer, you will obtain a better understanding of what the most common weak points of such schemes are.

Our results highlight the importance of evaluating WBC implementations with respect to these generic attacks in order to provide correct judgment about their level of security.

presented by

Eloi Sanfelix  &  Job de Haas  &  Cristofaro Mune

VoIP Wars: Destroying Jar Jar Lync

Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a Skype for Business 2015) services as call centre, internal communication, cloud communication, and video conference platform. These services are based on the VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones, and teleconference devices. Also, the official clients are available for mobile devices (e.g. Windows phone, Android and iOS), desktops (Mac, Linux and Windows), and web applications developed with .NET framework.

Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP teleconference and platform issues. Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync front-end and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks, and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options, and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud, and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment. A brief introduction to Microsoft Lync ecosystem Security requirements, design vulnerabilities and priorities Modern threats against commercial Microsoft Lync services Demonstration of new attack vectors against target test platform.

presented by

Fatih Ozavci

Vulnerability Exploitation in Docker Container Environments

According to Forrester, 53% of IT respondents say their biggest concern about containers is security. Containerization is not only prevalent in browsers (Google Chrome), desktop applications (Adobe Reader X), and mobile operating systems (Apple iOS), but is also invading the data center via Docker. Docker and other LXC-based containerization solutions provide isolation via Linux control groups (cgroups). However, containers can still be exploited and even with kernel-level isolation, critical data can be stolen. In this presentation, the FlawCheck team will exploit real-world Docker implementations and show what can be done to mitigate the risk.

presented by

Anthony Bettini

Watching the Watchdog: Protecting Kerberos Authentication with Network Monitoring

Being the default authentication protocol for Windows-based networks, the Kerberos protocol is a prime target for attackers, especially for APTs attackers, seeking to steal the user's identity and steal secrets from the enterprise's data center.
In late 2014 and early 2015, we saw a lot of research on the attacker side, yielding the Golden Ticket, Forged PAC (MS14-068) and the Skeleton Key attacks. Now it is the time to present the defensive side research. We will expose a novel method of detecting and defeating ALL of these attacks (and others) based solely on network monitoring. We continue to show a novel variant of the Golden Ticket attack, the "Diamond PAC" attack, that is able to evade a naïve network monitoring detection and provide a detection solution for it. The talk includes the release of the "Kerberos Leash" tool - a free tool we developed that implements some of the detection techniques for the benefit of the security community.

presented by

Tal Be'ery  &  Michael Cherny

Your Scripts in My Page - What Could Possibly Go Wrong?

When it comes to web security, there is the one policy to rule them all: The Same-origin Policy. Thanks to this policy, sites hosted on disjunct origins are nice and cleanly separated, thus preventing the leakage of sensitive information into the hands of unauthorized parties. Unfortunately, HTML predates the Same-origin Policy and, thus, was not designed with the origin-based security model in mind. In consequence, HTML tags can freely reference cross-domain locations and include cross-domain content in their hosting web pages.

In this talk, we will present an attack, resulting from this circumstance, that has been widely overlooked in the past but affects a surprisingly high number of Web sites: Information leakage via cross-domain script inclusion.

Modern web sites frequently generate JavaScript on-the-fly via server-side scripting, incorporating personalized user data in the process. Thanks to HTML's general ignorance of the Same-origin Policy, an attacker is able to include such dynamic scripts into web pages under his control using script-tags pointing to the vulnerable site. This, in turn, allows him to learn many of the secrets contained in these scripts, through the scripts interaction with the page it is included in. In our experiments, we were able to obtain personal information such as name & address of the logged-in user, leak CSRF tokens, read the users emails, and occasionally fully compromise the user's account. All possible by simply including a script-URL into one of our web pages.

To systematically investigate the issue, we conducted a study on its prevalence in a set of 150 top-ranked domains, in which we observed that a third of the examined sites utilize dynamic JavaScript. Using our attack techniques, we able to leak sensitive data from more than 80% of these sites via remote script inclusion. In the talk we will present the study in general, and the most interesting cases in detail, showing the wide range of possible attack variations along with a bag of tricks how the including page can be prepared to efficiently leak a script's secrets. Furthermore, we present an efficient detection mechanism, in the form of a browser extension, as well as defensive measure, which enable robust protection.

presented by

Ben Stock  &  Martin Johns  &  Sebastian Lekies