Briefings: July 25-26


  • Changing the security paradigm....taking back your network and bringing pain to the adversary

       July 25

    The threat to our networks is increasing at an unprecedented rate. The hostile environment we operate in has rendered traditional security strategies obsolete. Adversary advances require changes in the way we operate, and "offense" changes the game. Former FBI Executive Assistant Director Shawn Henry explores the state of the industry from his perspective as the man who led all cyber programs for the FBI.

    Presented By:
    Shawn Henry

  • An Interview with Neal Stephenson

       July 26

    Black Hat USA 2012 is proud to welcome one of the world's foremost Historical and Science Fiction authors to our keynote stage. Get your questions ready! Attendees will get the chance to ask Mr. Stephenson about his life, processes, and works… But you may want to keep your latest Cryptonomicon conspiracy theories to yourself…as of course, we can neither confirm nor deny their validity. Join us!

    Presented By:
    Neal Stephenson


  • A Scientific (But Non Academic) Study of How Malware Employs Anti-Debugging, Anti-Disassembly and Anti-Virtualization Technologies

       July 26

    Malware is widely acknowledged as a growing threat, with hundreds of thousands of new samples reported each week. Analysis of these samples has to cope not only with this volume but also with the defensive capabilities built into the malware itself: malware authors use a range of evasion techniques to harden their creations against accurate analysis. These techniques aim to disrupt attempts at disassembly, debugging or analysis in a virtualized environment.

    This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 3 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis on the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world to focus their attention on making their tools and processes more efficient to rapidly avoid the malware authors' countermeasures.

    This first of its kind, comprehensive catalog of countermeasures was compiled by the paper's authors by researching each of the known techniques employed by malware, and in the process new detections were proposed and developed. The underlying malware sample database has an open architecture that allows researchers not only to see the results of the analysis, but also to develop and plug-in new analysis capabilities. The system will be made available in beta at Black Hat, with the purpose of serving as a basis for innovative community research.
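    As an added illustration of what a static evasion detection looks like (example code written for this page, not the authors' system; the catalog below is a constructed handful of well-known markers rather than the talk's fifty-plus), the following Python scans sample bytes for a few opcode sequences and API names associated with anti-debugging and anti-VM checks, then reports how prevalent each one is across a small constructed sample set:

```python
import re
from collections import Counter

# Constructed catalog (an assumption for this example): raw x86 opcode sequences and
# API names that anti-analysis code commonly relies on. A production scanner would
# match on disassembled code and the import table rather than grepping the file.
BYTE_SIGNATURES = {
    "rdtsc timing check":            rb"\x0f\x31",                 # rdtsc
    "cpuid (hypervisor bit/vendor)": rb"\x0f\xa2",                 # cpuid
    "int 2dh debugger trap":         rb"\xcd\x2d",                 # int 0x2d
    "sidt IDT probe (Red Pill)":     rb"\x0f\x01[\x08-\x0f\x48-\x4f\x88-\x8f]",  # sidt m (modrm reg=1)
    "VMware backdoor magic":         rb"\xb8\x68\x58\x4d\x56",     # mov eax, 0x564D5868 ('VMXh')
}
API_SIGNATURES = [
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "NtQueryInformationProcess",
    "OutputDebugString",
]

def scan(blob: bytes) -> dict:
    """Return {indicator: hit count} for one sample."""
    hits = Counter()
    for name, pattern in BYTE_SIGNATURES.items():
        n = len(re.findall(pattern, blob, flags=re.DOTALL))
        if n:
            hits[name] = n
    for api in API_SIGNATURES:
        n = blob.count(api.encode("ascii"))
        if n:
            hits[api] = n
    return dict(hits)

def prevalence(samples: list) -> dict:
    """Fraction of samples in which each indicator appears at least once."""
    seen = Counter()
    for blob in samples:
        seen.update(scan(blob).keys())
    return {name: count / len(samples) for name, count in seen.items()}

# Constructed "samples": stubs of a PE image, not real malware.
SAMPLES = [
    b"MZ\x90\x00" + b"\x0f\x31" + b"\x0f\xa2" + b"\xcd\x2d" + b"\x0f\x01\x0c\x24"
    + b"\xb8\x68\x58\x4d\x56"
    + b"IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00NtQueryInformationProcess\x00",
    b"MZ\x90\x00" + b"\x55\x8b\xec" + b"GetProcAddress\x00LoadLibraryA\x00",   # nothing suspicious
    b"MZ\x90\x00" + b"\x0f\x31" * 3 + b"OutputDebugStringA\x00",
]

if __name__ == "__main__":
    for i, sample in enumerate(SAMPLES):
        print(f"sample {i}: {scan(sample)}")
    print("prevalence:", prevalence(SAMPLES))
```

    Raw opcode matching over a whole file produces false positives (a two-byte sequence such as rdtsc occurs by chance in data), which is why a real catalog ties each detection to disassembled code and the import table, and why the dynamic checks the talk mentions are needed as confirmation. The prevalence figure is the kind of number that a run over millions of samples turns into a picture of which evasions actually matter.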

    Presented By:
    Rodrigo Branco

  • A Stitch in Time Saves Nine: A Case of Multiple Operating System Vulnerability

       July 25

    Six years ago Linux kernel developers fixed a vulnerability that was caused by using the "sysret" privileged Intel CPU instruction in an unsafe manner. Apparently, nobody realized (or cared enough to let others know) the full impact and how widespread and reliably exploitable the problem is: in 2012, four other popular operating systems were found to be vulnerable to user-to-kernel privilege escalation resulting from the same root cause.

    The presentation will explain the subtleties of the relevant Intel CPU instructions and the variety of ways they can be reliably exploited on unpatched systems. Exploits for a few affected operating systems will be demonstrated.

    Attendees are expected to have basic understanding of Intel CPUs architecture.

    Presented By:
    Rafal Wojtczuk

  • Advanced ARM Exploitation

       July 25

    "Hardware Hacking" is all the rage. Early last year (2011) we debuted a talk entitled "Hardware Hacking for Software People" (see: ). The talk was a collection of experiences and simple techniques we as laymen had discovered/used over the years to perform very simple hardware penetration testing. We covered a range of topics from hardware eavesdropping and bus tapping to simple integrated circuit interfacing and debugging. The popularity of the talk, paper/slides, and video was surprising. People were really hungry for this stuff.

    Although that talk did conclude with a demonstration of a real-world bug in a home cable modem, it did not dive into the gritty details of exploitation on embedded processors. Late last year (2011) we developed and privately delivered five-day courses that taught advanced software exploitation on ARM microprocessors (used in iPhones, appliances, iPads, Androids, Blackberries, et al.). We opened that course to the public for CanSecWest 2012 and Black Hat 2012 (see: ). The response to that too has been very surprising.

    The purpose of the talk is to reach a broader audience and share the more interesting bits of the research that went into developing the Practical ARM Exploitation course that we are giving at Black Hat 2012. We discuss reliably defeating XN, ASLR, stack cookies, etc. using nuances of the ARM architecture on Linux (in embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built (see: ). We will also share some anecdotal "hardware hacking" experiences we had exploiting similar bugs on embedded devices running on other platforms (see: ).

  • Adventures in Bouncerland

       July 25

    Meet <REDACTED>*. He is a single function app that wanted to be much more. He always looked up to those elite malware and botnet apps, but now that Google's Bouncer has moved into town his hopes and dreams appeared to be shattered. This was until he was handed a text file while strolling along a shady part of the Internet (AKA Pastebin). The title of this txt file was "Bypassing Google's Bouncer in 7 steps for Fun and Profit". Upon reading this, our little app began to glow with excitement. He routed himself all the way to the gates of Google Play and began his journey from a simple benign app that <REDACTED>*, to a full-fledged info stealing botnet warrior. In this presentation we will tell the story of how our little app beat the Bouncer and got the girl (well, at least all her personal information, and a few naughty pics).

    * Our little buddy is still having fun in the market and we don't want anyone playing around with him right now, even you CFP reviewers.

  • AMF Testing Made Easy!

       July 26

    Since its introduction in 2002, Action Message Format (AMF) has attracted the interest of developers and bug-hunters. Techniques and extensions for traditional web security tools have been developed to support this binary protocol. In spite of that, bug hunting on AMF-based applications is still a manual and time-consuming activity. Moreover, several new features of the latest specification, such as externalizable objects and variable length encoding schemes, limit the existing tools. During this talk, I will introduce a new testing approach and toolchain, reshaping the concept of AMF fuzzing. Our automated gray-box testing technique allows security researchers to build custom AMF messages, dynamically generating objects from method signatures. The approach has been implemented in a Burp Suite plugin named Blazer. This tool improves the coverage and the effectiveness of fuzzing efforts targeting complex applications. Real-world vulnerabilities discovered using Blazer will be presented as well as a generic methodology to make AMF testing easier and more robust. Adobe BlazeDS, a well-known Java remoting technology, will be used as our server-side reference implementation.

    Presented By:
    Luca Carettoni

  • Are You My Type? - Breaking .NET Sandboxes Through Serialization

       July 25

    In May, Microsoft issued a security update for .NET due to a number of serious issues I found. This release was the biggest update in the product's history; it aimed to correct a number of specific issues due to unsafe serialization usage, as well as changing some of the core functionality to mitigate anything which could not be easily fixed without significant compatibility issues.

    This presentation will cover the process through which I identified these vulnerabilities and provide information on how they can be used to attack .NET applications, both locally and remotely, as well as demonstrating breaking out of the partial trust sandboxes used in technologies such as ClickOnce and XAML Browser Applications.

    Presented By:
    James Forshaw

  • Blended Threats and JavaScript: A Plan for Permanent Network Compromise

       July 26

    During Black Hat 2006, it was shown how common Web browser attacks could be leveraged to bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.

    This presentation will cover state-of-the-art Web browser blended threats launched with JavaScript, using zero to minimal user interaction, that complete every step of the exploit attack cycle: starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately achieving mass-scale permanent compromise.

  • Black Ops

       July 25

    If there's one thing we know, it's that we're doing it wrong. Sacred cows make the best hamburgers, so in this year's talk I'm going to play with some techniques that are obviously wrong and evil and naive. There will also be a lot of very interesting code, spanning the range from high speed network stacks to random number engines to a much deeper analysis of non-neutral networks. Finally, we will revisit DNSSEC, both in code, and in what it can mean to change the battleground in your favor.

    Presented By:
    Dan Kaminsky

  • Catching Insider Data Theft with Stochastic Forensics

       July 26

    A stochastic process is, by definition, something unpredictable, but unpredictable in a precise way. Think of the molecules in a gas: we can't predict how any individual molecule will move and shake; but by accepting that randomness and describing it mathematically, we can use the laws of statistics to accurately predict the gas's overall behavior.

    What's this have to do with data theft? Insider data theft often leaves no artifacts or broken windows, making it invisible to traditional forensics. But copying large amounts of data will always affect the file system, and when we look through stochastic lenses, copying sticks out like a sore thumb. Stochastic forensics is a new technique which uses these patterns to detect insider data theft, despite its lack of artifacts.

    I've used these techniques to catch data theft months after its occurrence. I'll show you the statistical patterns present on a typical filesystem, the distinct patterns induced by copying, and the mathematical technique which highlights the difference. You'll learn how to spot otherwise invisible data theft.
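    One way to make the "copying sticks out" idea concrete, as an added example rather than the speaker's own method: assume the signal is the file access time (atime), which a normal workload spreads out across a directory but which a recursive copy collapses into one tight cluster. The constructed snapshot below stands in for a walk of the file system with os.stat():

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed snapshot of path -> last access time. Assumption for this example:
# atime is the timestamp being examined (the abstract does not name which one).
BASE = datetime(2012, 6, 1, 9, 0, 0)

def _t(**delta):
    return BASE + timedelta(**delta)

FILE_ATIMES = {
    # A working directory: files read at unrelated moments over weeks.
    "/home/alice/docs/budget.xls":   _t(days=-41, hours=2),
    "/home/alice/docs/notes.txt":    _t(days=-3, hours=7, minutes=12),
    "/home/alice/docs/plan.doc":     _t(days=-17, minutes=5),
    "/home/alice/docs/old.ppt":      _t(days=-88),
    "/home/alice/docs/todo.txt":     _t(hours=-1, minutes=-20),
    "/home/alice/docs/contract.pdf": _t(days=-9, hours=3),
    # A share that was bulk-copied: every file read within three minutes,
    # however old or obscure it is.
    "/srv/share/designs/a.dwg": _t(seconds=2),
    "/srv/share/designs/b.dwg": _t(seconds=9),
    "/srv/share/designs/c.dwg": _t(seconds=31),
    "/srv/share/designs/d.dwg": _t(minutes=1, seconds=4),
    "/srv/share/designs/e.dwg": _t(minutes=1, seconds=40),
    "/srv/share/designs/f.dwg": _t(minutes=2, seconds=3),
    "/srv/share/designs/g.dwg": _t(minutes=2, seconds=15),
    "/srv/share/designs/h.dwg": _t(minutes=2, seconds=50),
    # Too few files to say anything.
    "/tmp/x.log": _t(minutes=3),
    "/tmp/y.log": _t(minutes=3, seconds=1),
}

def largest_cluster(times, window):
    """Largest number of access times that fit inside any window of the given
    width, and when that cluster starts (sliding window over sorted times)."""
    ts = sorted(times)
    best, best_start, j = 0, None, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] > window:
            j += 1
        if i - j + 1 > best:
            best, best_start = i - j + 1, ts[j]
    return best, best_start

def suspicious_directories(file_atimes, window=timedelta(minutes=5), min_files=5, ratio=0.9):
    """Directories where nearly every file was accessed inside one short window.

    Normal use leaves access times spread out; a recursive copy reads every file
    once in quick succession. Returns {directory: (clustered, total, cluster_start)}.
    """
    by_dir = defaultdict(list)
    for path, atime in file_atimes.items():
        by_dir[path.rsplit("/", 1)[0]].append(atime)
    flagged = {}
    for directory, times in by_dir.items():
        if len(times) < min_files:
            continue
        clustered, start = largest_cluster(times, window)
        if clustered / len(times) >= ratio:
            flagged[directory] = (clustered, len(times), start)
    return flagged

if __name__ == "__main__":
    for directory, (clustered, total, start) in suspicious_directories(FILE_ATIMES).items():
        print(f"{directory}: {clustered}/{total} files read within one window starting {start}")
```

    The window, minimum file count and ratio are tunables. The pattern is not unique to theft: backup jobs, antivirus scans and search indexers read every file too, and volumes mounted noatime record nothing at all, so a hit is a lead to correlate with who was logged in at that time, not a verdict.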

    Presented By:
    Jonathan Grier

  • Clonewise - Automated Package Clone Detection

       July 26

    Developers sometimes statically link libraries from other projects, maintain an internal copy of other software or fork development of an existing project. This practice can lead to software vulnerabilities when the embedded code is not kept up to date with upstream sources. As a result, manual techniques have been applied by Linux vendors to track embedded code and identify vulnerabilities. We propose an automated solution to identify embedded packages, which we call package clones, without any prior knowledge of these relationships. Our approach identifies similar source files based on file names and content to identify relationships between packages. We extract these and other features to perform statistical classification using machine learning. We evaluated our automated system, named Clonewise, against Debian's manually created database.

    Clonewise had a 68% true positive rate and a false positive rate of less than 1%. Additionally, our system detected many package clones not previously known or tracked. Our results are now starting to be used by Linux vendors such as Debian and Red Hat to track embedded packages. Red Hat started to track clones in a new wiki, and Debian are planning to integrate Clonewise into the operating procedures used by their security team. Based on our work, over 30 unknown package clone vulnerabilities have been identified and patched.
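    An added example of the feature extraction described above (not Clonewise's own code; Clonewise feeds such features to a trained classifier, while the thresholds here are hand-set): packages are modelled as path-to-content maps, similarity is measured on shared base file names and on shared content hashes with whitespace stripped, and any pair above both thresholds is reported as a candidate clone. The three packages are constructed for the example.

```python
import hashlib
import os
import re
from itertools import combinations

# Constructed package contents (path -> file text). Assumption: "app-3.0" vendors
# a copy of two libfoo sources under third_party/, one of them re-indented.
LIBFOO_C = "int foo_parse(const char *s) {\n    return s[0] == 'x';\n}\n"
LIBFOO_H = "int foo_parse(const char *s);\n"
PACKAGES = {
    "libfoo-1.2": {
        "src/foo.c": LIBFOO_C,
        "include/foo.h": LIBFOO_H,
        "src/util.c": "void foo_util(void) {}\n",
    },
    "app-3.0": {
        "third_party/foo/foo.c": LIBFOO_C,
        "third_party/foo/foo.h": "int  foo_parse( const char *s );\n",   # re-indented copy
        "main.c": "int main(void) { return foo_parse(\"x\"); }\n",
    },
    "othertool": {
        "main.c": "int main(void) { return 0; }\n",
        "helper.c": "int helper(void) { return 1; }\n",
        "README": "othertool\n",
    },
}

def content_key(text: str) -> str:
    """Hash of the file with all whitespace removed, so re-indented copies still match."""
    return hashlib.sha1(re.sub(r"\s+", "", text).encode()).hexdigest()

def features(pkg_a: dict, pkg_b: dict) -> tuple:
    """(Jaccard similarity of base file names, share of content hashes in common)."""
    names_a = {os.path.basename(p) for p in pkg_a}
    names_b = {os.path.basename(p) for p in pkg_b}
    name_jaccard = len(names_a & names_b) / len(names_a | names_b)
    keys_a = {content_key(t) for t in pkg_a.values()}
    keys_b = {content_key(t) for t in pkg_b.values()}
    shared = len(keys_a & keys_b) / min(len(keys_a), len(keys_b))
    return name_jaccard, shared

def find_clones(packages: dict, name_threshold=0.3, content_threshold=0.5) -> list:
    """Pairs whose name and content similarity both clear the thresholds."""
    clones = []
    for a, b in combinations(sorted(packages), 2):
        name_sim, content_sim = features(packages[a], packages[b])
        if name_sim >= name_threshold and content_sim >= content_threshold:
            clones.append((a, b, round(name_sim, 2), round(content_sim, 2)))
    return clones

if __name__ == "__main__":
    for a, b, name_sim, content_sim in find_clones(PACKAGES):
        print(f"{a} appears to embed {b}: names {name_sim}, content {content_sim}")
```

    The content hash is deliberately whitespace-insensitive because vendored copies are routinely re-indented; catching copies that were also patched locally needs a fuzzier measure (per-function hashes or token n-grams), which is where the additional features and the classifier the talk describes come in.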

    Presented By:
    Silvio Cesare

  • Confessions of a WAF Developer: Protocol-Level Evasion of Web Application Firewalls

       July 25

    Most discussions of WAF evasion focus on bypassing detection via attack payload obfuscation. These techniques target how WAFs detect specific attack classes, and that's fine. Protocol-level evasion techniques target a lower processing layer, which is designed to parse HTTP streams into meaningful data. A successful evasion at this layer makes the WAF see a request that is different from that seen by the victim application. Through evasion, attacks become virtually invisible. The technique can be used with any class of attack.

    Especially vulnerable to this type of attack are virtual patches, which are, somewhat ironically, the most successful use case for WAFs today. I will show how, through the combination of WAF design and implementation issues, inadequate documentation and inadequate user interfaces, many virtual patches can be trivially bypassed.

    In this talk I will share the lessons learned from 10 years of web application firewall development. The focus will be on demonstrating the problems that exist today, including a previously unknown flaw in ModSecurity that remained undetected for many years. In addition, I will discuss many evasion techniques that are countered in ModSecurity, but which may be effective against other tools.

    As part of this talk, I will release a catalogue of protocol-level evasion techniques and a complete testing suite.
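    To show what a protocol-level discrepancy looks like in practice, here is an added, illustrative example (not from the talk and not ModSecurity's code): a request carrying two values for the same parameter, the second double-encoded. A WAF layer that keeps the first value and decodes once sees id=1; an application stack that keeps the last value and decodes a second time sees the injection, so a virtual patch applied at the WAF layer never fires. The hardened variant keeps every value and decodes until the value stops changing. The rule, the request and both parsers are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed request: the second "id" carries a double-encoded payload.
RAW_REQUEST = (
    b"GET /item?id=1&id=1%2527%20OR%20%25271%2527%3D%25271 HTTP/1.1\r\n"
    b"Host: shop.example\r\n\r\n"
)

# Hypothetical virtual patch for a SQL injection in the "id" parameter.
VIRTUAL_PATCH = re.compile(r"'\s*or\s*'", re.IGNORECASE)

def query_string(raw: bytes) -> str:
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    target = request_line.split(" ")[1]
    return target.partition("?")[2]

def parse_query(query: str, keep: str, decode_passes: int) -> dict:
    """Two behaviours real parsers disagree on: which value wins for a repeated
    parameter, and how many times percent-decoding is applied."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        for _ in range(decode_passes):
            key, value = unquote(key), unquote(value)
        if keep == "first":
            params.setdefault(key, value)
        else:
            params[key] = value
    return params

def waf_view(raw: bytes) -> dict:
    # The WAF's HTTP layer: first value wins, decoded once.
    return parse_query(query_string(raw), keep="first", decode_passes=1)

def app_view(raw: bytes) -> dict:
    # The application: last value wins, and its own code decodes a second time.
    return parse_query(query_string(raw), keep="last", decode_passes=2)

def patch_blocks(params: dict) -> bool:
    return bool(VIRTUAL_PATCH.search(params.get("id", "")))

def waf_view_hardened(raw: bytes) -> dict:
    """Keep every value of every parameter and decode until nothing changes, so the
    WAF inspects at least what any plausible backend will end up seeing."""
    params = {}
    for pair in query_string(raw).split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        while True:
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        params.setdefault(unquote(key), []).append(value)
    return params

def patch_blocks_hardened(params: dict) -> bool:
    return any(VIRTUAL_PATCH.search(v) for v in params.get("id", []))

if __name__ == "__main__":
    print("WAF sees:", waf_view(RAW_REQUEST), "blocked:", patch_blocks(waf_view(RAW_REQUEST)))
    print("app sees:", app_view(RAW_REQUEST), "would block:", patch_blocks(app_view(RAW_REQUEST)))
    print("hardened:", waf_view_hardened(RAW_REQUEST), "blocked:",
          patch_blocks_hardened(waf_view_hardened(RAW_REQUEST)))
```

    Which of these behaviours a given backend actually has is the whole problem: decoding until stable errs towards blocking and can over-decode legitimate input, so the durable fix is a WAF parser that matches the backend's documented behaviour, verified with a suite of such requests, which is what a catalogue of evasions and a testing suite are for.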

    Presented By:
    Ivan Ristic

  • Control-Alt-Hack(TM): White Hat Hacking for Fun and Profit (A Computer Security Card Game)

       July 25

    You and your fellow players work for Hackers, Inc.: a small, elite computer security company of ethical, white hat hackers that perform security audits and provide consultation services. Their Motto: You Pay Us to Hack You.

    In 1992, Steve Jackson Games published the game Hacker, satirizing the Secret Service raid that seized drafts of GURPS Cyberpunk. The Hacker game manual helpfully states, "Important Notice To Secret Service! This Is Only A Game! These Are Not Real Hacking Instructions! You Cannot Hack Into Real Computers By Rolling Little Dice!" Now, 20 years later, we wish to announce a new card game that's fun, yes, but also designed to illustrate important aspects of computer security. We licensed our game mechanics (Ninja Burger) from none other than Steve Jackson Games, then created all-new content--complete with illustrations and graphic design--to deal with computer security topics.

    Each person plays as a white hat hacker at a company that performs security audits and provides consulting services. Your job is centered around Missions -- tasks that require you to apply your hacker skills (Hardware Hacking, Software Wizardry, Network Ninja, Social Engineering, Cryptanalysis, Forensics, and more) and a bit of luck in order to succeed. You gain Hacker Cred by successfully completing Missions ("Disinformation Debacle," "Mr. Botneto", "e-Theft Auto") and you lose Hacker Cred when you fail. Entropy cards help you along the way with advantages that you can purchase ("Superlative Visualization Software") and unexpected obstacles that you can use to thwart other players ("Failed to Document"). Gain enough Hacker Cred, and you win fame and fortune as the CEO of your very own consulting company.

    Why a game? Entertainment provides an engaging medium with which to raise awareness of the diversity of technologies impacted by security breaches and the creativity of techniques employed by attackers. In this talk, we will describe our goals in creating the game, discuss trials involved in the game design process, and discuss the potential applications of security-themed games. Come observe a game demo, look for a free copy to give away


       July 26

    The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture - what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will not require a detailed understanding of EFI, and will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit.

    Presented By:
    Loukas K

  • Dex Education: Practicing Safe Dex

       July 26

    In an ecosystem full of potentially malicious apps, you need to be careful about the tools you use to analyze them. Without a full understanding of how the Android Dalvik VM or dex file interpreters actually work, it's easy for things to slip through the cracks. Based on lessons from the evolution of PC-based malware, it's clear that someone, somewhere will someday attempt to break the most commonly used tools for static and dynamic analysis of mobile malware. So we set out to see who was already breaking them and how, and then how we could break them further.

    We've taken a deep dive into Android's dex file format that has yielded interesting results related to detection of post-compilation file modification. After deconstructing some of the intricacies of the dex file format, we turned our attention to dex file analysis tools themselves, analyzing how they parse and manage the dex format. Along the way we observed a number of easily exploitable flaws, documenting specifically why the tools fail and how to fix them. From this output we've developed a proof of concept tool, APKfuscator, that shows how to exploit these flaws. It's our hope that it can be a tool that helps everyone practice safe dex.
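    As an added example of one dex-level consistency check (written for this page, not the authors' tool): the dex header carries an Adler-32 checksum over everything after the checksum field and a SHA-1 over everything after the signature field, followed by the file size, header size, endian tag and the table sizes and offsets. The function below verifies those, and refresh_hashes shows why a mismatch only catches careless editing: whoever rewrites the file can recompute both. The minimal dex built here is a constructed header with empty tables.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"      # "dex\n" + version "035" + NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
TABLE_NAMES = ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs")

def refresh_hashes(blob: bytes) -> bytes:
    """Recompute signature (SHA-1 of bytes 32..end) and checksum (Adler-32 of
    bytes 12..end, so the signature is covered), as the dex tools do."""
    rest = blob[32:]
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return blob[:8] + struct.pack("<I", checksum) + signature + rest

def build_minimal_dex(data: bytes = b"") -> bytes:
    """Constructed dex for the example: empty tables plus an opaque data section."""
    file_size = HEADER_SIZE + len(data)
    fields = struct.pack(
        "<20I",
        file_size, HEADER_SIZE, ENDIAN_CONSTANT,
        0, 0,                                   # link_size, link_off
        0,                                      # map_off
        0, 0, 0, 0, 0, 0,                       # string_ids, type_ids, proto_ids (size, off)
        0, 0, 0, 0, 0, 0,                       # field_ids, method_ids, class_defs (size, off)
        len(data), HEADER_SIZE if data else 0,  # data_size, data_off
    )
    return refresh_hashes(DEX_MAGIC + b"\0" * 24 + fields + data)

def verify_dex(blob: bytes) -> list:
    """Return a list of findings; an empty list means the file is internally consistent."""
    findings = []
    if len(blob) < HEADER_SIZE:
        return ["truncated header"]
    if blob[:8] != DEX_MAGIC:
        findings.append("bad magic")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    if zlib.adler32(blob[12:]) & 0xFFFFFFFF != checksum:
        findings.append("checksum mismatch")
    if hashlib.sha1(blob[32:]).digest() != blob[12:32]:
        findings.append("signature mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<3I", blob, 32)
    if file_size != len(blob):
        findings.append(f"file_size {file_size} != actual {len(blob)}")
    if header_size != HEADER_SIZE:
        findings.append(f"header_size 0x{header_size:x} != 0x70")
    if endian_tag != ENDIAN_CONSTANT:
        findings.append(f"endian_tag 0x{endian_tag:08x}")
    # Every table that claims entries must point inside the file (offsets start at 56).
    for i, name in enumerate(TABLE_NAMES):
        size, off = struct.unpack_from("<2I", blob, 56 + 8 * i)
        if size and not (HEADER_SIZE <= off < len(blob)):
            findings.append(f"{name}_off 0x{off:x} out of range")
    data_size, data_off = struct.unpack_from("<2I", blob, 104)
    if data_size and data_off + data_size > len(blob):
        findings.append("data section overruns file")
    return findings

if __name__ == "__main__":
    good = build_minimal_dex(b"\x00" * 16)
    tampered = bytearray(good)
    tampered[HEADER_SIZE] ^= 0xFF
    print("good:", verify_dex(good))
    print("tampered:", verify_dex(bytes(tampered)))
    print("tampered then refreshed:", verify_dex(refresh_hashes(bytes(tampered))))
```

    The checks that do survive a careful attacker are the structural ones further down the file (overlapping or out-of-range tables, sizes that disagree with the map), which is exactly the territory where parsers diverge from the VM and where the tools the talk examines break.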

    Presented By:
    Timothy Strazzere

  • Digging Deep Into The Flash Sandboxes

       July 26

    Lately we have seen how sandboxing technology is positively altering the software security landscape. From the Chrome browser, to Adobe Reader, to Mac and iOS applications, sandboxing has become one of the main exploit mitigation technologies that software has come to rely on. As with all critical security technologies, they need to be understood and scrutinized, mainly to see how effective they are, or at the very least, to satisfy one's curiosity. The sandbox implementations for Adobe's Flash Player certainly piqued ours.

    Our talk will explore the internals of three sandbox implementations for Flash: Protected Mode Flash for Chrome, Protected Mode Flash for Firefox, and Pepper Flash. And of course, we will show that an exhaustive exploration of the Flash sandboxes will eventually yield gold as we discuss and demonstrate some Flash sandbox escape vulnerabilities we found along the way.

    We start with a look at the high level architecture of each sandbox implementation. Here we will define the role of each process and the connections between them. In the second part, we will dive deep into the internal sandbox mechanisms at work such as the sandbox restrictions, the different IPC protocols in use, the services exposed by higher-privileged processes, and more. In the third part of our talk we will take a look at each sandbox's security and talk about the current limitations and weaknesses of each implementation. We will then discuss possible avenues to achieve a sandbox bypass or escape. Throughout all this we will be pointing out the various differences between these implementations.

  • Don't Stand So Close To Me: An Analysis of the NFC Attack Surface

       July 25

    Near Field Communication (NFC) has been used in mobile devices in some countries for a while and is now emerging on devices in use in the United States. This technology allows NFC enabled devices to communicate with each other within close range, typically a few centimeters. It is being rolled out as a way to make payments, by using the mobile device to communicate credit card information to an NFC enabled terminal. It is a new, cool, technology. But as with the introduction of any new technology, the question must be asked what kind of impact the inclusion of this new functionality has on the attack surface of mobile devices. In this paper, we explore this question by introducing NFC and its associated protocols.

    Next we describe how to fuzz the NFC protocol stack for two devices as well as our results. Then we see for these devices what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls. So next time you present your phone to pay for your cab, be aware you might have just gotten owned.
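    The NDEF message format that Android Beam and content sharing rely on is small enough to show in full. Below is an added example (not the talk's fuzzer and not any vendor's parser) of a strict NDEF parser with the bounds checks a fuzzer would otherwise find missing, plus an encoder used to construct the sample messages: a well-formed URI-plus-text message and a malformed one whose four-byte payload length claims 4 GiB in a seven-byte message.

```python
# NDEF record header flag bits and the TNF values used here.
MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN, TNF_MIME = 0x01, 0x02
# URI record identifier codes (first payload byte) for the common prefixes.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def encode_ndef(records) -> bytes:
    """records: list of (tnf, type_bytes, payload_bytes); short-record form when it fits."""
    out = bytearray()
    for i, (tnf, rtype, payload) in enumerate(records):
        flags = tnf & 0x07
        if i == 0:
            flags |= MB
        if i == len(records) - 1:
            flags |= ME
        if len(payload) < 256:
            flags |= SR
            length = bytes([len(payload)])
        else:
            length = len(payload).to_bytes(4, "big")
        out += bytes([flags, len(rtype)]) + length + rtype + payload
    return bytes(out)

def parse_ndef(msg: bytes) -> list:
    """Strict parser: every length field is checked against the bytes that remain."""
    records, pos, n = [], 0, len(msg)
    while True:
        if pos >= n:
            raise ValueError("message ended without an ME record")
        flags = msg[pos]
        pos += 1
        if not records and not flags & MB:
            raise ValueError("first record lacks MB")
        if flags & CF:
            raise ValueError("chunked records not supported")
        header_len = 1 + (1 if flags & SR else 4) + (1 if flags & IL else 0)
        if pos + header_len > n:
            raise ValueError("truncated record header")
        type_len = msg[pos]
        pos += 1
        if flags & SR:
            payload_len = msg[pos]
            pos += 1
        else:
            payload_len = int.from_bytes(msg[pos:pos + 4], "big")
            pos += 4
        id_len = 0
        if flags & IL:
            id_len = msg[pos]
            pos += 1
        claimed = type_len + id_len + payload_len
        if claimed > n - pos:   # the check a crashing stack is missing
            raise ValueError(f"record claims {claimed} bytes, only {n - pos} remain")
        rtype = msg[pos:pos + type_len]
        pos += type_len
        rid = msg[pos:pos + id_len]
        pos += id_len
        payload = msg[pos:pos + payload_len]
        pos += payload_len
        records.append(decode_record(flags & 0x07, rtype, rid, payload))
        if flags & ME:
            return records

def decode_record(tnf: int, rtype: bytes, rid: bytes, payload: bytes):
    if tnf == TNF_WELL_KNOWN and rtype == b"U":
        if not payload:
            raise ValueError("empty URI record")
        prefix = URI_PREFIXES.get(payload[0])
        if prefix is None:
            raise ValueError(f"unknown URI prefix code {payload[0]:#x}")
        return ("uri", prefix + payload[1:].decode("utf-8"))
    if tnf == TNF_WELL_KNOWN and rtype == b"T":
        if not payload:
            raise ValueError("empty text record")
        status = payload[0]
        lang_len = status & 0x3F
        if 1 + lang_len > len(payload):
            raise ValueError("language code overruns payload")
        encoding = "utf-16" if status & 0x80 else "utf-8"
        return ("text", payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:].decode(encoding))
    if tnf == TNF_MIME:
        return ("mime", rtype.decode("ascii"), payload)
    return ("other", tnf, rtype, payload)

# Constructed messages for the example.
BEAM_MESSAGE = encode_ndef([
    (TNF_WELL_KNOWN, b"U", b"\x04example.org/beam"),
    (TNF_WELL_KNOWN, b"T", b"\x02enHello"),
])
BOGUS_MESSAGE = bytes([MB | ME | TNF_WELL_KNOWN, 1]) + b"\xff\xff\xff\xff" + b"U"
```

    Everything in decode_record runs without any user interaction once the tag is in range, which is the attack surface the talk is about: the URI handler hands its result to the browser, the MIME branch hands the payload to whichever app claims the type, and any length or encoding the stack trusts without a check like the one on claimed is a fuzzing target.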

    Presented By:
    Charlie Miller

  • Easy Local Windows Kernel Exploitation

       July 26

    For some common local kernel vulnerabilities there is no general, multi-version and reliable way to exploit them. Interesting techniques have been published, but they are not simple, and most of the time they do not work across different Windows versions. This presentation will show some easy, reliable and cross-platform techniques for exploiting some common local Windows kernel vulnerabilities. These new techniques even allow the exploitation of vulnerabilities that have been considered difficult or almost impossible to exploit in the past.

    Presented By:
    Cesar Cerrudo

  • Errata Hits Puberty: 13 Years of Chagrin

       July 25

    The Errata project has documented the shortcomings, hypocrisy, and disgraces of the information technology and security industries. For 13 years, we have acted as a watchdog and reminder that industries who sell integrity should have it as well. The public face of Errata is very different than the process that leads to it.

    This presentation will give a unique insight into the history, process, and blowback that are cornerstones of the project. This will include statistics, how Errata has fallen short, how it can be improved, and where the project is going. Most importantly, it will cover how the industry can better help the project, both in staying off the pages on, as well as contributing to it.

    Presented By:

  • Exchanging Demands

       July 26

    Smart phones and other portable devices are increasingly used with Microsoft Exchange to allow people to check their corporate emails or sync their calendars remotely. Exchange has an interesting relationship with its mobile clients. It demands a certain level of control over the devices, enforcing policy such as password complexity, screen timeouts, remote lock out and remote wipe functionality. This behavior is usually accepted by the user via a prompt when they first connect to Exchange. However, the protocol for updating these policies provides very little in the way of security and is quickly accepted by the device, often with no user interaction required.

    In this talk we will focus on the remote wipe functionality and how a potential attacker could abuse this functionality to remotely wipe devices that are connected to Exchange. By impersonating an Exchange server and sending appropriate policy updates through a simple script we are able to erase all data on devices remotely without any need for authentication. The presentation will explain how this can be accomplished and show proof of concept code for Android & iOS devices.

    Presented By:
    Peter Hannay

  • Exploit Mitigation Improvements in Win 8

       July 25

    Over the past decade, Microsoft has added security features to the Windows platform that help to mitigate risk by making it difficult and costly for attackers to develop reliable exploits for memory safety vulnerabilities. Some examples of these features include Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Visual C++'s code generation security (GS) protection for stack-based buffer overruns. In Windows 8, Microsoft has made a number of substantial improvements that are designed to break known exploitation techniques and in some cases prevent entire classes of vulnerabilities from being exploited. This presentation will provide a detailed technical walkthrough of the improvements that have been made along with an evaluation of their expected impact. In closing, this presentation will look beyond Windows 8 by providing a glimpse into some of the future directions in exploit mitigation research that are currently being explored by Microsoft.

    Presented By:
    Matt Miller
    Ken Johnson

  • Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap

       July 25

    jemalloc is a userland memory allocator that is being increasingly adopted by software projects as a high performance heap manager. It is used in Mozilla Firefox for the Windows, Mac OS X and Linux platforms, and as the default system allocator on the FreeBSD and NetBSD operating systems. Facebook also uses jemalloc in various components to handle the load of its web services. However, despite such widespread use, there has been no published work on the exploitation of jemalloc.

    Our research addresses this. We will begin by examining the architecture of the jemalloc heap manager and its internal concepts, while focusing on identifying possible attack vectors. jemalloc does not utilize concepts such as 'unlinking' or 'frontlinking' that have been used extensively in the past to undermine the security of other allocators. Therefore, we will develop novel exploitation approaches and primitives that can be used to attack jemalloc heap corruption vulnerabilities. As a case study, we will investigate Mozilla Firefox and demonstrate the impact of our developed exploitation primitives on the browser's heap. In order to aid the researchers willing to continue our work, we will also release our jemalloc debugging tool belt.

  • File disinfection framework: Striking back at polymorphic viruses

       July 25

    "Invincibility lies in the defense; the possibility of victory in the attack." – Sun Tzu

    Polymorphic viruses make up an ever-increasing percentage of daily malware collections. The sophistication of these attacks significantly exceeds the capabilities of existing classification and handling solutions. The situation goes from bad to worse when we attempt the most complicated part of incident response, file disinfection and remediation.

    To combat this problem we've created a new open source project, the File Disinfection Framework (FDF), built on top of a new generation of TitanEngine and tailored specifically to aid in solving these hard problems. FDF combines both static analysis and emulation to enable users to rapidly switch between modes of operation to use the best features of each approach. Highly advanced static functions are hidden behind a simple and easy-to-use program interface that enables the broad range of capabilities that are required for decryption, decompression and disinfection. Their complement is a set of functions that enable quick and very customizable emulation. For the first time, analysts will have the ability to truly see and control everything that happens inside the emulated environment. They can run high level code inside the context of the emulated process to influence objects and files and direct the execution flow.

    File disinfection framework features:

    • Static analysis functionality that has the ability to view, modify and build on-the-fly PE32/PE32+ files, fields and tables. A large number of embedded decompression routines is included along with systems that dynamically define static structures and build polymorphic decrypters.
    • Highly advanced PE32/PE32+ file validation and repair functionality that completely solves the issues brought up by our last year's BlackHat presentation titled "Constant insecurity: Things you didn't know about PE file format". These functions accurately detect and identify all purposely-malformed PE files that break current security tools or evade detection. In addition, if the file is damaged (as usually happens during virus infections) and deemed repairable, it is automatically repaired to maximize the number of remediated files.
    • Integrated hash database functionality that helps to resolve the otherwise unsolvable problem of reverting function name hashes back to their original names. This custom database is easily extended to add even more libraries and functions to its known hash lists.
    • A truly unique x86 emulator written from scratch that supports the following Windows features:
      • Multiple processes in parallel, each in a separate emulated OS
      • Vital Windows structures: PEB, TEB (with multiple threads) and SEH
      • x86 assembly code execution with support for FPU and MMX instructions
      • Windows objects such as handles, mutexes and environment variables
      • Hundreds of standard Windows APIs that can easily be extended by the user
      • Dynamically built libraries that mirror the application requirements
      • The entire file system with customizable drives
      • Interface which matches the standard Windows debug API
      • Use of emulated APIs which are directly exposed to the user
      • The user can call standard Windows APIs inside the context of an emulated process. For example, the user can dynamically create a new DLL file inside the virtual file system and load it into the context of an emulated process by calling the LoadLibrary equivalent. Every emulated API is exposed to the user and therefore usable, with the option of hooking any API one or more times.
      • Advanced breakpoint logic which includes breakpoints on specific instruction groups and specific instruction behavior such as read or write to a specific part of memory
      • Seamless switching between emulation and static analysis
    • Specific functionality designed to disinfect files infected with polymorphic viruses such as Virut and Sality, with examples that show its use.
    • Tools to aid in writing disinfection routines, such as automatic binary profiling with search for the presence and location of the virus stub.
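    The hash database is the one feature above that is easy to show in a few lines. As an added example that is not FDF's code, and assuming one widely used hash variant (ROR-13 over the export name including its terminating NUL; real stubs vary in such details, which is why the algorithm is pluggable), this builds the reverse table from export lists and resolves a hash back to its candidate names, reporting collisions rather than hiding them. The export lists are a constructed subset.

```python
from collections import defaultdict

def ror13_hash(name: bytes) -> int:
    """ROR-13 string hash of the kind used by many Windows shellcode stubs (assumed
    variant: 32-bit, name followed by its terminating NUL, no module name mixed in)."""
    h = 0
    for c in name + b"\0":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + c) & 0xFFFFFFFF
    return h

def djb2_hash(name: bytes) -> int:
    """A second algorithm, to show the database is not tied to one hash."""
    h = 5381
    for c in name:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h

class HashDatabase:
    """Map (algorithm, hash) back to (library, export name). Libraries and
    algorithms can be added in any order; every hit is kept, so a collision
    shows up as more than one candidate instead of a silently wrong name."""

    def __init__(self, algorithms: dict):
        self.algorithms = {}
        self.libraries = {}              # library -> [export names]
        self.table = defaultdict(list)   # (algorithm, hash) -> [(library, name)]
        for name, fn in algorithms.items():
            self.add_algorithm(name, fn)

    def add_algorithm(self, name: str, fn):
        self.algorithms[name] = fn
        for library, exports in self.libraries.items():
            self._index(name, fn, library, exports)

    def add_library(self, library: str, exports):
        exports = list(exports)
        self.libraries[library] = exports
        for name, fn in self.algorithms.items():
            self._index(name, fn, library, exports)

    def _index(self, alg: str, fn, library: str, exports):
        for export in exports:
            self.table[(alg, fn(export))].append((library, export.decode("ascii")))

    def resolve(self, alg: str, value: int) -> list:
        return list(self.table.get((alg, value), []))

    def resolve_any(self, value: int) -> dict:
        """Try every algorithm, for a hash seen in a stub whose scheme is unknown."""
        hits = {}
        for alg in self.algorithms:
            found = self.resolve(alg, value)
            if found:
                hits[alg] = found
        return hits

# Constructed export lists (a small subset of real export names).
KERNEL32_EXPORTS = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc", b"WinExec", b"ExitProcess"]
WS2_32_EXPORTS = [b"WSAStartup", b"WSASocketA", b"connect", b"recv", b"send"]

if __name__ == "__main__":
    db = HashDatabase({"ror13": ror13_hash, "djb2": djb2_hash})
    db.add_library("kernel32.dll", KERNEL32_EXPORTS)
    db.add_library("ws2_32.dll", WS2_32_EXPORTS)
    for value in (ror13_hash(b"WinExec"), djb2_hash(b"connect"), 0xDEADBEEF):
        print(f"{value:#010x} -> {db.resolve_any(value)}")
```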

    File disinfection framework has been developed under the Cyber Fast Track program run by DARPA and built on top of the new generation of TitanEngine. It's an open source cross platform x86-x64 library that enables its user to unpack, disinfect and build PE32/PE32+ files. These and all emulation components of the new major release of this framework have been designed to be presented as a BlackHat exclusive. This talk will be followed by the public release of the source code along with whitepapers that outline possible use case scenarios for this technology.

  • Find Me in Your Database: An Examination of Index Security

       July 26

    This talk will look at the Oracle indexing architecture and examine some new flaws, with demonstration exploits. We'll also discuss how to find such issues in custom applications as well as an examination of the forensic aspects.

    Presented By:
    David Litchfield

  • Flowers for Automated Malware Analysis

       July 26

    Malware, as the centerpiece of threats to the Internet, has increased exponentially. To handle the large volume of malware samples collected each day, numerous automated malware analysis techniques have been developed. In response, malware authors have made analysis environment detections increasingly popular and commoditized. In turn, security practitioners have created systems that make an analysis environment appear like a normal system (e.g., baremetal malware analysis). Thus far, neither side has claimed a definitive advantage.

    In this presentation, we demonstrate techniques that, if widely adopted by the criminal underground, would permanently disadvantage automated malware analysis by making it ineffective and unscalable. To do so, we turn the problem of analysis environment detection on its head. That is, instead of trying to design techniques that detect specific analysis environments, we instead propose malware that will fail to execute correctly on any environment other than the one originally infected.

    To achieve this goal, we developed two obfuscation techniques that make the successful execution of a malware sample dependent on the unique properties of the original infected host. To reinforce the potential for malware authors to leverage this type of analysis resistance, we discuss the Flashback botnet's use of a similar technique to prevent the automated analysis of its samples.

    Presented By:
    Chengyu Song
    Paul Royal

  • From the Iriscode to the Iris: A New Vulnerability of Iris Recognition Systems

       July 25

    A binary iriscode is a very compact representation of an iris image, and, for a long time, it has been assumed that it did not contain enough information to allow the reconstruction of the original iris. The present work proposes a novel probabilistic approach to reconstruct iris images from binary templates and analyzes to what extent the reconstructed samples are similar to the original ones (that is, those from which the templates were extracted). The performance of the reconstruction technique is assessed by estimating the success chances of an attack carried out with the synthetic iris patterns against a commercial iris recognition system. The experimental results show that the reconstructed images are very realistic and that, even though a human expert would not be easily deceived by them, there is a high chance that they can break into an iris recognition system.

    Presented By:
    Javier Galbally

  • Ghost is in the Air(traffic)

       July 25

    Subtitle: On security aspects of ADS-B and other "flying" technology

    Air-related technologies are on the verge of a technological upgrade and advance, in approximately the same manner as mobile communication networks and smartphones were 5-10 years ago.

    As noticed in practice, these technological advances open opportunities for performance and innovation, but at the same time open great opportunities for security exploitation.

    In this talk and whitepaper, we will approach ADS-B (in)security from the practical angle, presenting the feasibility and techniques of how potential attackers could play with generated/injected air traffic and, as such, potentially open new attack surfaces onto Air Traffic Control systems.

    Presented By:
    Andrei Costin

  • Google Native Client - Analysis Of A Secure Browser Plugin Sandbox

       July 25

    Native Client is Google's attempt at bringing millions of lines of existing C/C++ code to the Chrome web browser in a secure sandbox through a combination of software fault isolation, a custom compiler toolchain and a secure plugin architecture. Sound challenging? It is! Native Client isn't a typical browser extension and it certainly isn't ActiveX. Native Client allows for all sorts of applications to run inside your browser, everything from games to PDF readers. In this talk I will cover the basics of the Native Client sandbox and general security relevant architecture including PPAPI (the replacement for NPAPI), vulnerabilities I discovered via source review in the PPAPI interface and finally a tool that dynamically generates code to fuzz the Native Client PPAPI interfaces based on the IDL (Interface Description Language) files found in the Chrome source tree.

    Presented By:
    Chris Rohlf

  • Hacking the Corporate Mind: Using Social Engineering Tactics to Improve Organizational Security Acceptance

       July 26

    Network defenders face a wide variety of problems on a daily basis. Unfortunately, the biggest of those problems come from the very organizations that we are trying to protect. Departmental and organizational concerns are often at odds with good security practices. As information security professionals, we are good at designing solutions to protect our networks, and the data housed on them. That said, we are awful at communicating the need for these controls in a way that the users will either understand or listen to. In this presentation, I will discuss using social engineering techniques against your organization's users. Through the application of social engineering tactics, I will show how to bridge the gulf between the user and the information security team, allowing for better security awareness, better adherence to information security policy, and fewer difficulties in user acceptance.

    Presented By:
    James Philput

  • Hacking with WebSockets

       July 26

    HTML5 isn't just for watching videos on your iPad. Its features may be the target of a security attack as much as they may be used to improve an attack. Vulnerabilities like XSS have been around since the web's beginning, but exploiting them has become increasingly sophisticated. HTML5 features like WebSockets are part of the framework for controlling browsers compromised by XSS.

    This presentation provides an overview of WebSockets: how they might increase the attack surface of a web site, their implications for privacy, and the potential security problems with protocols tunneled over them. Then it demonstrates how WebSockets can be used as an effective part of a hacking framework.

    It closes with recommendations for deploying WebSockets securely, applying security principles to web app design, and providing a tool for exploring WebSockets security.

  • Hardware backdooring is practical

       July 26

    This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in a permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. It is hoped to raise awareness in the security community regarding the dangers associated with non-open-source firmware shipped with any computer and to question its integrity. This should also result in upgrading the best practices for forensics and post-intrusion analysis by including the aforementioned firmware as part of their scope of work.

    Presented By:
    Jonathan Brossard

  • Here Be Backdoors: A Journey Into The Secrets Of Industrial Firmware

       July 25

    PLCs, Smart Meters, SCADA, Industrial Control Systems… nowadays all those terms are well known to the security industry. When critical infrastructures come into play, the security of all those systems and devices that control refineries, water treatment or nuclear plants poses a significant attack vector.

    For years, the isolation of that world provided the best 'defense' but things are changing and that scenario is no longer valid. Is it feasible to attack a power plant without ever visiting one? Is it possible to hack into a Smart Meter… without having that Smart Meter? Yes, it is. This talk discusses the approach followed to do so, mixing theory and practice.

    This presentation pivots around the analysis of firmware through reverse engineering in order to discover additional scenarios such as backdoors, confidential documentation or software, vulnerabilities... Everything explained will be based on real cases, unveiling curious 'features' found in industrial devices and finally disclosing some previously unknown details of an interesting case: a backdoor discovered in a family of Smart Meters.

    We will navigate through the dark waters of Industrial Control Systems, where the security by obscurity has ruled for years. Join us into this journey, here be backdoors…

    Presented By:
    Ruben Santamarta

  • Hookin' Ain't Easy: BeEF Injection with MITM

       July 26

    Kiddies gotta make the money, and it don't come easy when those mean users don't click our links. And if there aren't any ports open, what's a PenTest John to do?? If you are curious about hooking browsers without yucky social engineering or XSS, getting the goods through proxy hosts, or even if you're just BeEF-curious, this is the one you've been waiting for.

    This talk is about, that's right, BEEF INJECTION: a completely unabashed love story between MITM and the BeEF Framework. Through demos and new code, we'll show you how to hook up with browsers using old pickup lines like ARP Poisoning and Karma Attacks, and once you get their digits, we'll even show you how to maintain that relationship, and use it to get even more connections you never dreamed of. Featuring in-depth BeEF tips by Ryan Linn, author of "Coding for Penetration Testers", and Steve Ocepek, creator of thicknet and the seminal favorite, "How to Get a Date Using Unshielded Twisted Pair and a Hot Glue Gun", you too can get in on the Pro Tips and up your IEEE 802 dating game.

    Presented By:
    Steve Ocepek
    Ryan Linn

  • How many bricks does it take to crack a microcell?

       July 26

    This is the tale of a journey that tested almost every security-related skill I have acquired over the past six years. It is the story of a software hacker's trip through a hardware hacker's world; a story of successes, failures, logic flaws and learning.

    This talk is my adventure through reverse engineering a 3G microcell. It will cover topics from hardware hacking, kernel reversing, firmware extraction and manipulation, software reversing, networking, memory forensics, social engineering, and more. I have gained a wealth of knowledge going through the process of completely pulling apart this device and want to share my trials and errors. The talk covers such a broad spectrum of topics with differential depths that anyone attending should obtain some knowledge they previously did not have.

    Presented By:
    Mathew Rowley

  • How the Analysis of Electrical Current Consumption of Embedded Systems Could Lead to Code Reversing?

       July 25

    A practical approach of Power Analysis dedicated to reverse Engineering

    This submission presents an experimental protocol developed to extract (part of) the code that runs on an embedded system using its power consumption.

    Experimental content (no math!), proof of concept, tools, limits, protections and prospects

    The purpose of our study is to try to show how the analysis of the electrical consumption of an embedded system enables us to find parts of the code that it executes; this is done by presenting an operating mode, tools, a solid analysis, results, counter-measures and future research axes. It is all about trying to find another approach to auditing a system. This approach aims at acquiring the code (reverse engineering) without having physical access to the internal system components.

    Our submission will consist of a quick presentation of the physical phenomenon at the origin of this type of information leak, confirming whether a sequence of instructions (opcode and data) can be found (reversed) by the analysis of the electrical current used by the embedded system during the execution of a program, assessing and then overcoming the technical difficulties in its achievement (signal acquisition, treatment and analysis, limits…), presenting a proof of concept and possible countermeasures to limit the risks.

    Presented By:
    Yann Allain
    Julien Moinard

  • HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits

       July 26

    HTML5 is an emerging stack for next generation applications. HTML5 is enhancing browser capabilities and is able to execute Rich Internet Applications in the context of modern browser architecture. Interestingly, HTML5 can run on mobile devices as well, which makes things even more complicated. HTML5 is not a single technology stack but a combination of various components like XMLHttpRequest (XHR), Document Object Model (DOM), Cross Origin Resource Sharing (CORS) and enhanced HTML/browser rendering. It brings several new technologies to the browser which were not seen before, like localStorage, WebSQL, WebSocket, Web Workers, enhanced XHR and DOM-based XPath, to name a few. It has enhanced the attack surface and points of exploitation for attackers and malicious agents. By leveraging these vectors one can craft stealth attacks and silent exploits which are hard to detect and easy to compromise with. In this paper and talk we are going to walk through these new architectures, the attack surface and possible threats. Here are the top 10 threats which we are going to cover in detail with real life examples and demos.

    • A1 - CORS Attacks & CSRF
    • A2 - ClickJacking, CORJacking and UI exploits
    • A3 - XSS with HTML5 tags, attributes and events
    • A4 - Web Storage and DOM information extraction
    • A5 - SQLi & Blind Enumeration
    • A6 - Web Messaging and Web Workers injections
    • A7 - DOM based XSS with HTML5 & Messaging
    • A8 - Third party/Offline HTML Widgets and Gadgets
    • A9 - Web Sockets and Attacks
    • A10 - Protocol/Schema/APIs attacks with HTML5

    The above attack vectors and understanding will give a better idea about HTML5 security concerns and the required defenses. It is imperative to focus on these new attack vectors and start addressing them in today's environment before attackers start leveraging these features to their advantage. We are also going to see new tricks and tools for HTML5 vulnerability scanning.

    Presented By:
    Shreeraj Shah
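
    The WebSockets talk above and items A1 and A9 of this list rest on the same server-side fact: the same-origin policy does not stop a page on another site from opening a WebSocket to yours or from sending it a credentialed cross-origin request; what the browser does do is attach an Origin header, so the server has to validate it. The Python below is an added example, not code from either talk: a strict origin allowlist applied to a WebSocket upgrade (with the RFC 6455 Sec-WebSocket-Accept computation) and to CORS response headers, shown beside the reflect-any-Origin misconfiguration. The allowed origin app.example.com is an assumption.

```python
"""Server-side Origin validation for WebSocket upgrades and CORS responses.

Added example, not code from either talk. The only deployment-specific value,
ALLOWED_ORIGINS, is an assumption; everything else follows RFC 6455 / Fetch CORS.
"""
import base64
import hashlib
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com"}      # assumed deployment value
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact match on scheme://host[:port]. Rejects a missing or 'null' Origin
    (sandboxed iframes, file:// pages) and suffix tricks such as
    https://app.example.com.evil.net that a substring check would accept."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in allowed


def websocket_accept(sec_websocket_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2.
    It proves the server speaks WebSocket; it says nothing about who the client is."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def websocket_handshake(request_headers, allowed=ALLOWED_ORIGINS):
    """Decide the response to an Upgrade request; returns (status, headers).
    Without the Origin check any page the victim visits can open a socket that
    carries the victim's cookies for this site (cross-site WebSocket hijacking)."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, {}
    if not origin_allowed(h.get("origin"), allowed):
        return 403, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": websocket_accept(h["sec-websocket-key"]),
    }


def cors_headers_reflecting(request_origin):
    """The A1 misconfiguration: echo whatever Origin arrives, with credentials.
    Any site the victim visits can then read the victim's authenticated responses."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: emit the origin only if allowlisted, and Vary on it so a
    cache never serves one origin's Access-Control-Allow-Origin to another."""
    if not origin_allowed(request_origin, allowed):
        return {}
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    probe = {"Upgrade": "websocket", "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
             "Origin": "https://app.example.com.evil.net"}
    print(websocket_handshake(probe))                 # (403, {})
    print(cors_headers_reflecting(probe["Origin"]))   # the bug
    print(cors_headers(probe["Origin"]))              # {}
```

    The check that matters in both cases is the exact-match allowlist; a substring test such as "app.example.com" in origin accepts https://app.example.com.evil.net, and the Sec-WebSocket-Accept value is a protocol handshake, not an authentication step.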

  • Intrusion Detection Along the Kill Chain: Why Your Detection System Sucks and What To Do About It

       July 25

    The field of intrusion detection is a complete failure. Vendor products at best address a narrow part of the problem and more typically are completely worthless at detecting sophisticated attacks. This talk discusses the fundamental problems in the field and why the state of the art isn't good enough. We then introduce the concepts of the attacker plane and the kill chain and how to use them to build a much more sophisticated intrusion detection system. Finally we cover ways of putting them into action. Even veterans of the field will find something new here.

    Presented By:
    John Flynn

  • iOS Application Security Assessment and Automation: Introducing SIRA

       July 26

    Apple's AppStore continues to grow in popularity, and iOS devices continue to have a high perception of security from both users and experts. However, applications on the AppStore often have security or privacy flaws that are not apparent, even to sophisticated users. Security experts can find these flaws via manual tests, but the enormity of the AppStore ensures that only a small minority of apps could ever be manually tested.

    This presentation will demonstrate a new tool and methodology to perform automated or semi-automated assessment of iOS applications and assist with manual testing. In addition, our findings about the prevalence of different types of security issues in iOS applications will be discussed, giving a window into the risks of trusting your data to products on the AppStore.

  • iOS Kernel Heap Armageddon Revisited

       July 26

    Previous work on kernel heap exploitation for iOS or Mac OS X has only covered attacking the freelist of the kernel heap zone allocator. It was, however, never discussed before what other kernel heap memory allocators exist or what kernel heap allocation functions wrap these allocators. Attacks against further heap metadata or attacks on kernel application data have not been discussed before.

    This talk will introduce the audience to the big picture of memory allocators in the iOS kernel heap. It will be shown how attacks can be carried out against other metadata stored by other allocators or wrappers. It will be shown how memory allocated into different zones or allocated by different allocators is positioned relative to each other and whether cross attacks are possible. It will be shown how overwriting C++ objects inside the kernel can result in arbitrary code execution. Finally this talk will leverage this to present a generic technique that allows one to control the iOS kernel heap in a similar fashion to how JavaScript is used in today's browser exploits to control the user space heap.

    Presented By:
    Stefan Esser

  • iOS Security

       July 26

    Apple designed the iOS platform with security at its core. In this talk, Dallas De Atley, manager of the Platform Security team at Apple, will discuss key security technologies in iOS.

    Presented By:
    Dallas De Atley

  • Legal Aspects of Cyberspace Operations

       July 26

    This presentation examines the legal regime surrounding cyberspace operations. The analysis looks at the legal underpinnings of computer network security; defense; exploitation; and, attack. After covering the laws and policies related to these topics, we will examine several of the recent incidents and intrusions that have occurred and discuss why none of them have been classified as "attacks" by those who could do so. Attendees will get an understanding of the hot legal topics in computer network operations. Past presentations have shown much of what is taken away is audience driven in response to their questions and the subsequent discussion. And, as always, I try to impress upon computer security professionals the importance of working closely with their legal counsel early and often, and explaining the technical aspects of computer security to their attorneys at a third grade level so my profession can understand it and then turn around and explain it to a judge or jury at a first grade level. (All material is unclassified and available in the public domain.)

    Presented By:
    Robert Clark

  • Looking Into The Eye Of The Meter

       July 25

    When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into the eye of the meter. More specifically, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffing, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter's IR port will be introduced to show that vendor specific software is not necessary to poke a meter in the eye.

    This IS the talk that was not presented at ShmooCon 2012 in response to requests from a Smart Grid vendor and the concerns of several utilities. We have worked with them. They should be okay with this.....should.....

    Presented By:
    Don C. Weber

  • My Arduino Can Beat Up Your Hotel Room Lock

    Nearly ten million Onity locks are installed in hotels worldwide, representing 1/3 of hotels and about 50% of hotel locks. Chances are good that you've stayed in dozens of such hotels in your life and you may even be staying in one tonight. This presentation will show, in detail, how they're designed and implemented. Then we will take a look at how they are insecure by design and release a number of critical, unpatchable vulnerabilities.

    You will never see locks the same way again.

    Part of the Day Zero Briefings line-up.

    Presented By:
    Cody Brocious

  • Owning bad guys {and mafia} with javascript botnets

       July 25

    Man in the middle attacks are still one of the most powerful techniques for owning machines. In this talk, MITM schemes in anonymous services are going to be discussed. Then attendees will see how easily a botnet using JavaScript can be created to analyze that kind of connection and some of the actions that the bad people, mafia, scammers, etc. behind those services are doing... for real. It promises to be fun.

    Presented By:
    Chema Alonso

  • PinPadPwn

       July 25

    PIN pads or payment terminals are widely used to accept payments from customers. These devices run payment applications on top of the device-specific firmware. It shouldn't come as a surprise to anyone that these applications and operating systems are just as vulnerable as any other systems when it comes to handling user input.

    As the use of Chip and Pin continues to replace the fairly basic magnetic stripe cards, these devices are handling more and more complex information from untrusted sources; namely the EMV protocol spoken by all major payment smart-cards. On top of this many of these terminals are connected through Ethernet, GPRS, WiFi or phone lines, which add to the overall attack surface.

    We will demonstrate that memory corruption vulnerabilities in payment terminals and applications are a reality and that they can be used to gain code execution on the terminals. Furthermore we will demonstrate and discuss potential payloads and how these can profit an attacker.

    Presented By:
    Rafael Dominguez Vega

  • PRNG: Pwning Random Number Generators (in PHP applications)

       July 25

    We present a number of novel, practical, techniques for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting the PHP core randomness generators.

    Our suite of new techniques and tools go far beyond previously known attacks (e.g. Kamkar and Esser) and can be used to mount attacks against all PRNG of the PHP core system even when it is hardened with the Suhosin extension. Using them we demonstrate how to create practical attacks for a number of very popular PHP applications (including Mediawiki, Gallery, osCommerce and Joomla) that result in the complete take over of arbitrary user accounts.

    While our techniques are designed for the PHP language, the principles behind them are independent of PHP and readily apply to any system that utilizes weak randomness generators or low entropy sources.

    We will also release tools that assist in the exploitation of randomness vulnerabilities and exploits for some vulnerable applications.
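
    As an added illustration of the attack class described above (Python, not the talk's PHP-specific techniques or its tools): a password reset token drawn from a process-wide Mersenne Twister is a pure function of the seed and of how many tokens were drawn before it. An attacker who triggers a reset for their own account obtains one output, brute-forces the seed space to find the generator state, and computes the token the application will issue next to the victim. The 16-bit seed space, the token format and the number of earlier draws are constructed for the demo; PHP's mt_srand() seed is 32 bits, which multiplies the work by 65536 but leaves it within reach of an offline search.

```python
"""Weak password-reset tokens: recover the generator state from one token, predict the next.

Added example in Python; it illustrates the principle (deterministic generator +
small seed space = predictable tokens), not the talk's PHP-specific attacks or tools.
"""
import random
import secrets

# Constructed demo size: 16 bits keeps the brute force well under a second.
SEED_BITS = 16


class WeakResetTokens:
    """Constructed vulnerable pattern: one Mersenne Twister seeded once per process,
    and every reset token is just the next 64 bits it produces."""

    def __init__(self, seed):
        self._rng = random.Random(seed)

    def new_token(self):
        return f"{self._rng.getrandbits(64):016x}"


def token_stream(seed, count):
    """Replays what a generator with this seed emits; the attacker runs the same code."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(64):016x}" for _ in range(count)]


def recover_state(observed_token, seed_bits=SEED_BITS, max_prior_tokens=3):
    """Find (seed, index) such that a generator seeded with `seed` emits the observed
    token at draw `index`; tolerates up to max_prior_tokens draws the attacker never saw
    (other users' resets). Returns None if no seed in the space reproduces the token."""
    for candidate in range(1 << seed_bits):
        stream = token_stream(candidate, max_prior_tokens + 1)
        if observed_token in stream:
            return candidate, stream.index(observed_token)
    return None


def predict_token(seed, position):
    """Token the generator will hand out at draw `position` (0 = first after seeding)."""
    return token_stream(seed, position + 1)[position]


def account_takeover_demo(app_seed=0xBEEF):
    """Walks the attack end to end and reports whether the prediction matched."""
    app = WeakResetTokens(app_seed)
    app.new_token()                       # two unrelated users reset first,
    app.new_token()                       # unseen by the attacker
    attacker_token = app.new_token()      # attacker: "reset my own password"
    victim_token = app.new_token()        # attacker: "reset the victim's password"
    state = recover_state(attacker_token)
    if state is None:
        raise RuntimeError("seed not in searched space")
    seed, index = state
    predicted = predict_token(seed, index + 1)
    return {"seed": seed, "index": index, "predicted": predicted,
            "victim_token": victim_token, "success": predicted == victim_token}


def strong_reset_token():
    """The fix: 128 bits from the OS CSPRNG; no seed to recover, no state to extend."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print(account_takeover_demo())
    print(strong_reset_token())
```

    The two properties the attack needs are visible in the code: the generator is shared across users (so the attacker's draw and the victim's draw come from one state) and its state is reachable by search (small seed). secrets.token_hex removes both; with it, recover_state has nothing to search.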

  • Probing Mobile Operator Networks

       July 25

    Cellular networks do not only host mobile and smart phones but a wide variety of other devices. We investigated what kind of devices currently sit on cellular networks. In this talk we provide a walk through on how to probe cellular networks from start to end. Finally we show some of our results from our effort and discuss the security implications of our findings.

    Presented By:
    Collin Mulliner

  • Recent Java Exploitation Trends and Malware

       July 26

    We are seeing more and more Java vulnerabilities exploited in the wild. While it might surprise many users, and even some people in the industry, to hear that Java is currently a major vector for malware propagation, attackers haven't forgotten that it is still installed and used on a huge number of systems and devices, including those running Microsoft Windows, Mac OSX and different flavors of Unix. Since Java supports multiple platforms, one Java vulnerability can sometimes lead to exploitation on multiple platforms.

    Java vulnerabilities are often about evading the sandbox. With sandbox evasion vulnerabilities, the exploitation is much easier and multi-platform attacks are feasible - all those security measures against memory corruption issues won't help. The widely-exploited CVE-2012-0507 vulnerability, for example, was a sandbox breach. We saw active Mac OSX system breaches using this vulnerability, and before that, the vulnerability was used for widespread infection of Windows systems. The cost of writing multi-platform exploits is relatively low and the success rate of exploitation is high.

    As we can see, Java vulnerabilities have become more and more popular. However, there is a lack of knowledge on how exploitation of these vulnerabilities actually works. Many Java vulnerabilities result in a sandbox breach, but the way the breach happens is quite a complex process. In this presentation, we will look at some recent Java vulnerabilities and show where these vulnerabilities occur. We will also show you how the exploitation happens and how the bad guys adapt them to use in their arsenal. Of course, Java exploits and malware are written in Java. That opens up an easy way for the attackers to obfuscate and hide their exploits inside complicated logic and code. On the other hand, it means a hard life for security researchers. We are also going to show you an example of an exploit that was obfuscated and modified in a way that made analysis and detection difficult. We share Java debugging techniques and our experience in dealing with these problems.

    Presented By:
    Jeong Wook Oh

  • Scaling Up Baseband Attacks: More (Unexpected) Attack Surface

       July 25

    Baseband processors are the components of your mobile phone that communicate with the cellular network. In 2010 I demonstrated the first vulnerabilities in baseband stacks that were remotely exploitable using a fake base station.

    Subsequently, people assumed that baseband attacks are attack vectors requiring some physical proximity of the attacker to the target. In this talk we will uproot this narrow definition and show an unexpected attack vector that allows an attacker to remotely exploit bugs in a certain component of the baseband stack over an IP connection. Depending on the configuration of certain components in the carrier network, a large population of smartphones may be simultaneously attacked without even needing to set up your own base station.

    Presented By:
    Ralf-Philipp Weinmann

  • SexyDefense - Maximizing the Home-Field Advantage

       July 25

    Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that's hard. Usually after the pentesters (or worse, the red team) leave, there's a whole lot of mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time - can you fix this so your security posture will actually be better the next time these guys come around?

    This talk focuses mainly on what should be done (note: not what should be BOUGHT - you probably have most of what you need already in place and you just don't know it yet).

    The talk will show how to expand the spectrum of defenders from a reactive one to a proactive one, will discuss ways of performing intelligence gathering on your opponents, and modeling that would assist in focusing on an effective defense rather than a "best practice" one. Methodically, defensively, decisively. Just like the red-team can play ball cross-court, so should you!

    Presented By:
    Iftach Ian Amit

  • Smashing the Future for Fun and Profit

       July 25

    Has it really been 15 years? Time flies when keeping up with Moore's law is the measure. In 1997, Jeff Moss held the very first Black Hat. He gathered together some of the best hackers and security minds of the time to discuss the current state of the hack. A unique and neutral field was created in which the security community--private, public, and independent practitioners alike could come together and exchange research, theories, and experiences with no vendor influences. That idea seems to have caught on. Jeff knew that Black Hat could serve the community best if it concentrated on finding research by some of the brightest minds of the day, and he had an uncanny knack for finding them.

    Please join Black Hat for this very special session, as we bring together 5 of the original 1997-98 speakers: Jeff Moss, Bruce Schneier, Marcus Ranum, Adam Shostack, and Jennifer Granick to share their vision of security over the next 15 years. One of Black Hat's core values is its focus on cutting edge research and emergent technologies. So there will be no war stories in this session. Each speaker will have the opportunity to deliver his or her own view. Based on the track records, take good notes.

  • SNSCat: What You Don't Know About Sometimes Hurts The Most

       July 26

    A vulnerability exists through the use of Social Networking Sites that could allow the exfiltration/infiltration of data on "secured networks". SNSCat provides a simple-to-use post-penetration data exfiltration/infiltration and C2 (Command and Control) platform using images and documents on social media sites (Facebook, Google Apps, Twitter, imgur, etc.). The first part of our presentation will focus on case studies demonstrating the risks assumed by allowing social media sites on business networks, both by malicious insiders and outsiders. After coverage of preliminary terms and concepts, we will introduce our tool and show how one can easily move files in and out of a network using social media sites. We will next demonstrate how one can use SNSCat along with the implants we have created to establish full command and control between the controller and the listening agents. Automation of commands is vital in establishing a robust botnet covertly communicating and responding to instructions from the controller. Anonymity is also essential, which keeps the attacker and victim networks from ever touching each other. SNSCat is built to provide these very functions! Finally, we will introduce how one can plug in their own home-brewed steganography and cryptology modules as well as how one can build connectors for additional sites into our framework. In a 60 minute presentation, we will show you how to bypass network security equipment via social networking sites to mask data infiltration/exfiltration and C2 from any network with access to social networking sites.

    Presented By:
    Dan Gunter
    Solomon Sonya

  • SQL Injection to MIPS Overflows: Rooting SOHO Routers

       July 26

    This presentation details an approach by which SQL injection is used to exploit unexposed buffer overflows, yielding remote, root-level access to Netgear wireless routers. Additionally, the same SQL injection can be used to extract arbitrary files, including plain-text passwords, from the file systems of the routers. This presentation guides the audience through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the course of describing several vulnerabilities, I present effective investigation and exploitation techniques of interest to anyone analyzing SOHO routers and other embedded devices.

    Presented By:
    Zachary Cutlip

  • SSRF vs. Business Critical Applications

       July 26

    Typical business critical applications have many vulnerabilities because of their complexity, customizable options and lack of awareness. Most countermeasures are designed to secure the system using firewalls and DMZs so that, for example, to enter the technology network from the Internet, an attacker has to bypass three or more lines of defense. It looks fine until somebody finds a way to attack the secured system through trusted sources. With the help of SSRF and one of its implementations, XXE Tunneling, it is possible to root a system within one request, which comes from a trusted source and bypasses all restrictions.

    SSRF, as in Server-Side Request Forgery, is a great attack concept that was discussed in 2008 with very little information about theory and practical examples. We decided to change that and conducted deep research in this area. As we deal with ERP security, we take SAP as the example for practicing SSRF attacks. The idea is to find victim server interfaces that allow sending packets, initiated by the victim's server, to the localhost interface of the victim server or to another server secured by a firewall from the outside. Ideally this interface must allow us to send any packet to any host and any port, and it must be accessible remotely without authentication or at least with minimum rights. It looks like a dream, but this is possible. Why is this attack especially dangerous to SAP? Because many of the restrictions preventing the exploitation of previously found vulnerabilities, for example in RFC and Message Server or Oracle auth, prevent only attacks from external sources, but not from localhost!

    We have found various SSRF vulnerabilities which allow internal network port scanning, sending arbitrary HTTP requests from the server, brute-forcing the backend and more, but the most powerful technique was XXE Tunneling. We made a deep study of the XXE vulnerability and most of the popular XML parsers and found that it can be used not only for file reading and hash stealing but even for getting a shell or sending any packet to any host (0-day). What does it mean for business critical systems? XML interfaces are normally used for data transfer between portals, ERPs, BI, DCS, SCADA and other systems. Using an XXE vulnerability you can bypass firewalls and other security restrictions. What about practice? To show a real threat we took the most popular business application platform, SAP NetWeaver, and its various XML parsers. We found that it is possible to bypass almost all security restrictions in SAP systems. Using XXE Tunneling it is possible to reopen many old attacks and conduct new ones which were impossible before.

    A tool called XXEScanner, which will help to gain critical information from the server, make scans and execute attacks on the victim host or backend, will be released as part of the OWASP-EAS project.

  • State of Web Exploit Toolkits

       July 26

    Web exploit toolkits have become the most popular method for cybercriminals to compromise hosts and to leverage those hosts for various methods of profit. This talk will give a deep dive on some of the most popular exploit kits available today including Blackhole and Phoenix and also take a look at some of the newer players that have appeared from Asia. An overview of how each kit is constructed, analysis of its observed shellcodes, obfuscations, and exploits will be presented to give a better understanding of the differences and similarities between these kits, ways that we have developed to harvest data from them and any trends that may be present.

    Presented By:
    Jason Jones

  • Still Passing the Hash 15 Years Later? Using the Keys to the Kingdom to Access All your Data

       July 26

    Kerberos is the cornerstone of Windows domain authentication, but NTLM is still used to accomplish everyday tasks. These tasks include checking email, sharing files, browsing websites and are all accomplished through the use of a password hash. Skip and Chris will utilize several tools that have been "enhanced" to connect to Exchange, MSSQL, SharePoint and file servers using hashes instead of passwords. This demonstrates the "so what" of losing control of the domain hashes on your domain controller: all of your data can be compromised.

  • Targeted Intrusion Remediation: Lessons From The Front Lines

       July 26

    Successfully remediating a targeted, persistent intrusion generally requires a different approach from that applied to non-targeted threats. Regardless of the remediation actions enacted by victim organizations, experience has shown that such threats will continue to target certain organizations. In order to be successful against these types of threats, organizations must change the way they think about remediation. This presentation outlines a model to guide tactical and strategic security planning by focusing efforts on the following three goals:

    • Inhibit the attacker's activities.
    • Enhance visibility to detect indicators of compromise.
    • Enhance the security team's ability to effectively and rapidly respond to intrusions.

    Jim Aldridge is a Manager in Mandiant's Washington, D.C. office and is responsible for Mandiant's incident remediation services, which involve helping Mandiant clients effectively recover from intrusions. In the past 12 months, Jim led the remediation activities for a dozen targeted threat intrusions. Nearly all these cases involved APT threat actors.

    Presented By:
    Jim Aldridge

  • The Christopher Columbus Rule and DHS

       July 26

    "Never fail to distinguish what's new, from what's new to you." This rule applies to a lot of people when they think about innovation and technology in the government. At the U.S. Department of Homeland Security, in addition to running the National Cybersecurity and Communication Integration Center (NCCIC), the US-CERT and the ICS-CERT, they work daily with companies from across the globe to share critical threat and vulnerability information. DHS also supports and provides funding for a broad range of cutting-edge cybersecurity research initiatives, from the development and implementation of DNSSEC to sponsoring the use of open source technologies, and from the development of new cyber forensics tools to testing technologies that protect the nation's industrial control systems and critical infrastructures. This is not your grandfather's Buick! Come hear Deputy Under Secretary for Cybersecurity Mark Weatherford talk about research and training opportunities, the growing number of cybersecurity competitions sponsored by DHS, and how they are always looking to hire a few good men and women.

    Presented By:
    Mark Weatherford

  • The Defense RESTs: Automation and APIs for Improving Security

       July 25

    Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors; they don't even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk, or even hadoop, to name but a few. The key is to centralize management, automate and test. Testing is especially key; as Jeremiah says, "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows. Save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces where dedicated security tools are a must. Leverage APIs (and protect API endpoints), and be evidence driven. Counterintuitively, deploy more often, with smaller change sets. Prepare for failure and fail fast, but recover faster. This is not just theory: the talk will include real examples with real code, including open protocols like netconf and open source software like dasein-cloud. There will be no discussion of APT, DevOps vs NoOps, BYOD or Cloud Security concerns; there will, however, be baked goods.

    Presented By:
    David Mortman

  • The Info Leak Era on Software Exploitation

       July 25

    Previously, and mainly due to application compatibility, ASLR was not as effective as expected. Nowadays, once some of the problems of fully deploying ASLR have been solved, it has become the key mitigation preventing reliable exploitation of software vulnerabilities. Defeating ASLR is a hot topic in the exploitation world.

    This talk will present why the other mitigations are not strong without ASLR, and why, if you defeat ASLR, you mainly defeat the rest of them. The methods previously used to defeat ASLR have been fixed lately, and the current way is to use information leak vulnerabilities.

    This talk will present several techniques that can be applied to convert vulnerabilities into information leaks:

    • Creating an info leak from a partial stack overflow
    • Creating an info leak from a heap overflow with heap massaging
    • Creating an info leak from an object through non-virtual calls
    • Member variables with function pointers
    • Write4 pointers
    • Freeing the wrong object
    • Application specific info leaks: CVE-2012-0769, the case of the perfect info leak
    • Converting an info leak into a UXSS

    Presented By:
    Fermin J. Serna

  • The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet

       July 25

    In what may be the greatest technical shift the Internet has seen, three of the network's major foundations are being overhauled simultaneously: IPv6, DNSSEC and the creation of hundreds of new top-level domains. Two of these technologies are direct responses to the artificial scarcity of names and addresses on the Internet, and one is meant to address the lack of trust we have in the Internet's fundamental architecture. Unfortunately the unexpected secondary effects of these changes have not been appropriately explored, and enterprise IT and risk teams need to come to grips with the fact that the products and processes they have honed over the last decade will not serve them well in the next.

    This talk will provide a quick background of these technologies and the direct security impacts faced by network administrators today, even if you're "not using that yet". (Hint: You probably are, you just don't know it.) A great deal of modern fraud, spam and brand abuse infrastructure is based upon assumptions from the IPv4/old gTLD world, and we will explore which of these protections are completely useless and which can be retrofitted to provide some value. We will then explore the indirect impacts on monitoring, compliance, intrusion detection and prevention, and the future of enterprise architecture and defense.

    Presented By:
    Alex Stamos
    Tom Ritter

  • The subway line 8 - Exploitation of Windows 8 Metro Style Apps

       July 26

    Windows 8 introduces lots of security improvements; one of the most interesting features is the Metro-style app. It not only provides a fancy user interface, but also a solid application sandbox environment. All Metro-style applications run in an AppContainer, and the AppContainer sandbox isolates the execution of each application. It makes sure that an app does not have access to capabilities that it hasn't declared and been granted by the user.

    This presentation will introduce the design of Metro-style apps as well as the AppContainer sandbox. We will dive into the details of the architecture and see how it works and how it protects against a malicious app. After reviewing the design, we are going to look for possible attack vectors to bypass the sandbox. The analysis will start from the low level and move to the high level. We will describe how we find the target to attack, and how we analyze the different layers, such as debugging of ALPC, COM server attacks, WinRT API fuzzing, and logic flaw discovery. Beyond the methodology, we will also demonstrate some problems we have discovered, including tricks to bypass AppContainer to access files, launch programs, and connect to the Internet.

  • Torturing OpenSSL

       July 25

    For any computing system to be secure, both hardware and software have to be trusted. If the hardware layer in a secure system is compromised, not only is it possible to extract secret information about the software, but it is also extremely difficult for the software to detect that an attack is underway.

    This talk will detail a complete end-to-end security attack on a microprocessor system and will demonstrate how hardware vulnerabilities can be exploited to target systems that are software-secure. Specifically, we present a side-channel attack on the RSA signature algorithm by leveraging transient hardware faults at the server. Faults may be induced via voltage-supply variation, temperature variation, injection of single-event faults, etc. When affected by faults, the server produces erroneous RSA signatures, which it returns to the client. Once a sufficient number of erroneously signed messages is collected at the client end, we filter those that can leak private key information and use them to extract the private key. We developed an algorithm to extract the private RSA key from messages affected by single-bit faults in the multiplication during Fixed Window Exponentiation (FWE), that is, the standard exponentiation algorithm used in OpenSSL during RSA signing. Our algorithm was inspired by a solution developed by Boneh et al. for the Chinese Remainder Theorem (CRT) [D. Boneh, R. DeMillo, and R. Lipton. On the importance of eliminating errors in cryptographic computations. Journal of Cryptology, Dec 2001], an algorithm particularly prone to attacks. Depending on the window size used in the exponentiation algorithm, it is possible to extract 4-6 bits of the private key from an erroneously signed message.

    Our attack is perpetrated using an FPGA platform implementing a SPARC-based microprocessor running unmodified Linux and the OpenSSL authentication library. The server provides 1024-bit RSA authentication to a client we control via an Ethernet connection. Faults are injected by inducing variations in the supply voltage on the FPGA platform or by subjecting the server to high temperatures. Our client collects a few thousand signed messages, which we transfer to an 80-machine computing pool to compute the private RSA key in less than 100 hours.

    Note that our attack does not require access to the victim system's internal components, but simply proximity to it. Moreover, it is conceivable that an attack leveraging solely high temperatures could be carried out on machines in a remote, poorly conditioned server room. Finally, the attack does not leave any trail in the victim machine, and thus it cannot be detected.

    The presentation includes a live demo of the attack on an FPGA platform implementing a SPARC system. The system is powered via a voltage controller, used to induce variations in the supply voltage. The server is simplified to use a 128-bit private key so that the attack can be perpetrated during the briefing.

    Presented By:
    Valeria Bertacco

  • Trust, Security, and Society

       July 26

    Human societies run on trust. Every day, we all trust millions of people, organizations, and systems -- and we do it so easily that we barely notice. But in any system of trust, there is an alternative, parasitic, strategy that involves abusing that trust. Making sure those defectors don't destroy the very cooperative systems they're abusing is an age-old problem, and we've developed a variety of societal pressures to induce cooperation: moral systems, reputational systems, institutional systems, and security systems. Understanding how these different societal pressures work -- and fail -- is essential to understanding the problems we face in today's increasingly technological and interconnected world.

    Presented By:
    Bruce Schneier

  • We have you by the Gadgets

       July 26

    Why send someone an executable when you can just send them a sidebar gadget?

    We will be talking about the Windows gadget platform and the nastiness that can be done with it: how gadgets are made, how they are distributed and, more importantly, their weaknesses. Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors to explore and take advantage of.

    We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.

  • Web Tracking for You

    There has been a lot of conversation recently around the privacy degrading techniques used by shady online advertisers, faceless megacorps, and social network overlords to track users across the web. But, after all the recriminations and fancy infographics about the supposed loss of privacy, where does that leave people who need to implement tracking of website visitors? People seem so distracted with "punch the monkey" advertising cookies that they have lost a sense of the need to legitimately track and identify potential bad actors.

    This talk is a technical examination of the tracking techniques that can be implemented to identify and track users via their web browsers. The key concepts of active and passive fingerprinting, tracking, and user unmasking are discussed in detail. From the humble browser cookie to more advanced techniques to sidestep private browsing modes, the most effective approaches are discussed in relation to the various web browsers across operating systems and desktop and mobile environments.

    At the conclusion of the presentation, an open source tracking server will be released that implements the techniques covered in the talk. Additionally, several utilities to facilitate injection of tracking content and correlation of collected data will also be made available. These tools will be suitable to deploy on your network to track web users or on your local machine in a standalone "Track Yourself" mode.

    Presented By:
    Gregory Fleischer

  • Windows Phone 7 Internals and Exploitability

       July 26

    Windows Phone 7 is a modern mobile operating system developed by Microsoft. This operating system -- based on Windows CE 6 -- protects the system and the user with a modern sandbox and a secure application model. These security models are veiled and were difficult to uncover, but we succeeded in analyzing and inspecting the little-known Windows Phone 7 security internals through comprehensive reverse engineering.

    This operating system is properly implemented, which makes exploitation and privilege escalation extremely difficult. However, that does not mean exploitation is impossible. Even the sandbox can be breached on some of the latest Windows Phone 7.5 devices.

    The first topic is Windows Phone 7 security analysis. In this presentation, I will talk about how we analyzed the system and where Windows Phone 7 looks secure or insecure, along with examples.

    The second topic is customizations by third-party vendors. Windows Phone 7-based devices by some vendors have special interfaces for system applications. Some interfaces, however, make subverting the sandbox easier because of various design and implementation issues such as directory traversal and improper privileged operations. I will talk about this kind of vulnerability along with its countermeasure.

    Presented By:
    Tsukasa Oi

  • Windows 8 Heap Internals

       July 25

    The Windows 8 developer preview was released in September 2011. While many focused on the Metro UI of the operating system, we decided to investigate the memory manager. Although generic heap exploitation has been dead for quite some time, intricate knowledge of both the application and the underlying operating system's memory manager has continued to prove that reliable heap exploitation is still achievable. This presentation will focus on the transition of heap exploitation mitigations from Windows 7 to Windows 8 (Consumer Preview) from both a user-land and a kernel-land perspective. We will be examining the inner workings of the Windows memory manager for allocations, de-allocations and all additional heap-related security features implemented in Windows 8. Additional tips and tricks will also be covered, providing the attendees the proper knowledge to achieve the highest possible levels of heap determinism.

    Presented By:
    Chris Valasek
    Tarjei Mandt


  • <ghz or bust: blackhat

       July 25

    Wifi is cool and so is cellular, but the real fun stuff happens below the GHz line. medical systems, mfg plant/industrial systems, cell phones, power systems, it's all in there!

    Atlas and some friends set out to turn pink girltech toys into power-systems-attack tools. through several turns and changes, the cc1111usb project was born, specifically to make attacking these systems easier for all of you. with a $50 usb dongle, the world of ISM sub-GHz is literally at your fingertips.

    New and improved! if you missed it at shmoocon, here's your chance to see the intro to this fun new world. if you caught it at shmoo, come to the talk and prove your <ghz prowess and wirelessly hack a special pink girl's toy target!

    NOTE: To make the most of this course, attendees will need to have a wireless dongle in order to participate in the lab exercises. @tlas personally recommends the following wireless dongle: Texas Instruments CC1111 USB Evaluation Module Kit 868/915 MHz which is available for order direct from the manufacturer (Part number cc1111emk) at

    Presented By:

  • Advanced Chrome Extension Exploitation - Leveraging API Powers for the Better Evil

       July 25

    Browser exploitation can seem to be a nearly unachievable task these days. ASLR, DEP, segregated processes and sandboxes have proven to be effective in abating exploits by attackers. Our expectation of browser security is so high, that in addition to bug bounty programs, competitions such as Pwn2Own and Pwnium have been formed around the core concept of weeding out dangerous bugs.

    But even with all the current protections, there is still attack surface not being exploited. We are, of course, talking about Chrome Extension security bugs. These bugs can lead to extremely powerful attacks, which can effectively allow an attacker to take over your browser. In our workshop, we will demonstrate the power given to an attacker in the presence of a vulnerable extension, and present a tool which will assist in their practical exploitation.

  • Code Reviewing Web Application Framework Based Applications (Struts 2, Spring MVC, Ruby on Rails (Groovy on Grails), .NET MVC)

       July 25

    This workshop will give participants an opportunity to practically review Web Application Framework based applications for security vulnerabilities. The material in this workshop provides the hands-on experience that one would need to quickly understand each web application framework (Struts 2, Spring MVC, Ruby on Rails (Groovy on Grails), .NET MVC, Zend PHP, and Scala Play) and identify vulnerabilities in applications using those frameworks. Sample applications are provided with guided tasks to ease participants into understanding the nuances of each framework and the overall steps a code reviewer should follow to identify vulnerabilities.

    Presented By:
    Abraham Kang

  • Lessons Of Binary Analysis

       July 26

    Ever wanted to know more about how static binary analysis works? It's complicated. Ever want to know how C++ language elements are automatically transformed? The high-level overview of how machines analyze code for security flaws is just the beginning. In this talk we'll be delving into the gritty details of the modeling process.

    Presented By:
    Christien Rioux

  • Linux interactive exploit development with GDB and PEDA

       July 25

    Exploit development requires a lot of interactive work with a debugger, and automating time-consuming tasks will help speed up that process. People are familiar with GDB (GNU Debugger) on Linux/Unix; unfortunately GDB lacks commands specific to exploit development. Since version 7.0, GDB has added support for Python scripting, which brings opportunities to improve the situation. PEDA - Python Exploit Development Assistance for GDB - is a Python wrapper for GDB that comes as a gdbinit script with many handy commands to ease exploit development tasks. PEDA is the first script in its class with notable features:

    • Debugging helpers: smart context display with detailed memory references; function call tracing with detailed arguments; tracing of specific instructions; stepping until a specific instruction; bypassing/deactivating undesired functions (e.g. ptrace); execution statistics with profiling; process snapshotting.
    • Advanced memory operations: fast, convenient memory searching for regex/value/reference/address/pointer; display, dump, load, compare, XOR memory content.
    • Exploit helpers: cyclic pattern creation and search; ELF headers and symbols retrieval; simple ASM instruction and ROP gadget search; common shellcode and ROP payload generation (ret2plt data transfer, ret2dlresolve); exploit skeleton generation; in-memory fuzzer; crashdump logging.

    PEDA's commands and wrapper API can also be reused to write custom automation scripts easily, making GDB a powerful exploit development toolkit.

    During this hands-on workshop, attendees will learn how to use PEDA's interactive commands and write Python automation scripts through various exploit exercises, wargame/CTF challenges and real-world exploits.

    Bring your laptop with an Ubuntu Live image to play with and get a special copy of PEDA.

    Presented By:
    Long Le

  • Mobile Network Forensics Workshop

       July 26

    Intentionally or not, your phone leaks data to the world. What can you-- or your enemies-- uncover from mobile network traffic? Dig through real-life Android packet captures to uncover GPS coordinates, usernames and accounts, social networking data, and more. Dissect a traffic dump of Android malware and analyze phone data as it is exfiltrated to third-party servers. The second half of this workshop is a mobile network forensics contest. Each attendee will be given a mysterious USB drive and a note with a challenge. Students must use the skills they've gained in class to unravel the mystery. You are the forensics investigator. Can you solve the puzzle in time?

    To participate, workshop attendees must bring a laptop with at least 2GB of RAM, a DVD drive, and VMware Workstation or Player preinstalled and licensed (evaluation licenses are available from VMware's web site).

    Presented By:
    Eric Fulton

  • Ruby for Pentesters: The Workshop

       July 26

    Having a great set of test tools could be the difference between a successful engagement and utter catastrophe. Being able to create tools on the fly to solve intractable test or research problems is a challenge we face every day.

    In this workshop we'll lead off by demonstrating the power and flexibility of Ruby. Then we'll teach you how to use your new superpowers to rapidly prototype solutions for real-world problems including:

    • The fast path to binary and protocol reversing tools
    • Rapidly prototyped network clients using our 'bag of tricks' approach
    • Dealing with Java using JRuby
    • Extending Burp Suite using Buby
    • Building scriptable debuggers and hit tracers with Ragweed
    • Hooking into native code with FFI
    • Adding Redis in the mix to manage test cases and results from within your Ruby code

    Participants will be given a virtual test environment to use that includes a toolchain and sample applications to test - they just need to bring a laptop. The toolchain will also be available on the conference DVD and for download.

    Quick demonstrations leading into hands-on hacking on real apps will keep the workshop fast-paced and fun.

  • The Dark Art of iOS Application Hacking

       July 26

    This talk demonstrates how modern day financial applications, password and credit card managers, and other applications handling sensitive data are attacked on the iOS platform, and sometimes all too easily breached in as little as seconds. Attendees will learn how iOS applications are infected, how low-level classes and objects are manipulated and abused, logic checks bypassed, and other dark techniques used to steal data.

    The electronic information age has made the theft of data a very lucrative occupation. Criminals stand to greatly benefit from electronic crimes, making their investment well worth the risk. The chances that your applications will be vulnerable to attack are very high. Due to a number of common vulnerabilities in the iOS monoculture, attackers can easily reverse engineer, trace, and manipulate applications in ways that even most iOS developers aren't aware of. Even many encryption implementations are weak, and a good hacker can penetrate these and other layers that, so many times, present only a false sense of security to the application's developers.

    This talk is designed to demonstrate many of the techniques black hats use to steal data and manipulate software, so that developers will better know the fight they're up against, and hopefully how to avoid many all-too-common mistakes that leave your applications exposed to easy attacks. These attacks are not necessarily limited to just the theft of data from the device, but can sometimes even lead to much more nefarious attacks. The audience will also learn about some techniques to better secure applications, such as counter-debugging techniques, attack response, implementing better encryption, etc.

    In this talk, the audience will see an example of how some credit card payment processing applications have been breached, allowing a criminal not only to expose the credit card data stored on the device, but also to manipulate the application to grant him huge credit card refunds for purchases that he didn't make, paid straight from the merchant's stolen account. You'll see many more examples, too, of exploits that put data at risk, such as password and credit card managers, and other applications. Attendees will gain a basic understanding of how these attacks are executed, and many examples and demonstrations of how to code more securely in ways that won't leave applications exposed to such attacks.

    Presented By:
    Jonathan Zdziarski

Turbo Talks

  • CuteCats.exe and the Arab Spring

       July 25

    There has been significant discussion regarding the impact of the internet, social media, and smart phones on the uprisings in the Middle East. Accompanying the digitisation of dissent and the growth of an increasingly connected online community has been the rise in malware targeting activists in the region.

    From backdoored anti-censorship software to malicious PDFs promising details on revolutionary high councils, this talk will detail specific examples and provide analysis of malware which has been seen to target dissidents in Libya, Syria and other countries over the past 18 months. The distribution of these attacks across forums specialising in regional issues, social media and spear phishing will also be discussed.

    Presented By:
    Morgan Marquis-Boire

  • Embedded Device Firmware Vulnerability Hunting Using FRAK

       July 26

    We present FRAK**, the firmware reverse analysis konsole. FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images. We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers.

    Presented By:
    Ang Cui

  • HTExploit Bypassing Htaccess Restrictions

       July 25

    HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess files can be configured to protect a web directory with an authentication process. By using this tool anyone would be able to list the contents of a directory protected this way, bypassing the authentication process.

  • libinjection: A C library for SQLi detection and generation through lexical analysis of real world attacks

       July 25

    SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions which are not only brittle and error prone but also proven by Hansen and Patterson at Black Hat 2005 to never be a complete solution. libinjection is a new open source C library that detects SQLi using lexical analysis. With little upfront knowledge of what SQLi is, the algorithm has been trained on tens of thousands of real SQLi attacks and hundreds of millions of user inputs taken from a Top 50 website for high precision and accuracy. In addition, the algorithm categorizes SQLi attacks and provides templates for new attacks or new fuzzing algorithms. libinjection is available now on GitHub for integration into applications, web application firewalls, or porting to other programming languages.

    Presented By:
    Nick Galbreath

  • Mapping and Evolution of Android Permissions

       July 26

    The Android Open Source Project provides a software stack for mobile devices. The provided API enforces restrictions on specific operations a process is allowed to perform through a permissions mechanism. Due to the fine-grained nature of the model (and the lack of a map), it is non-obvious which calls require which permission(s) for an API of over 2400 classes. Also, due to the ongoing development of the AOSP and API, these required permissions have changed. Both of these provide headaches for application security testers and application developers. We first discuss our methodology for building an Android API permission map, including active and passive discovery tools. We then present the evolution of the map as the Android API has transformed through releases. This work is significant because of the need for an understanding of the API permission requirements in application security testing and the current lack of clarity in this ever-growing environment.

    Presented By:
    Andrew Reiter
    Zach Lanier

  • ModSecurity as Universal Cross-platform Web Protection Tool

       July 25

    For many years ModSecurity was the number one free open source web application firewall for the Apache web server. At this year's BlackHat we would like to announce that ModSecurity is now also available for IIS and nginx servers, making it the first free cross-platform WAF for on-line services. Using the MSRC response process and CVE-2011-3414 as an example, we will show how ModSecurity can be used in early detection of attacks and mitigation of vulnerabilities affecting web infrastructure. We will also show how the OWASP ModSecurity Core Rule Set can be used as a base for detection of 0-day attacks on Apache, IIS and nginx servers.

  • Passive Bluetooth Monitoring in Scapy

       July 26

    Recognizing a need to support passive Bluetooth monitoring in Scapy, Python's interactive packet manipulation framework, a project was launched to produce this functionality. Through this functionality, a new means for interactively observing Bluetooth was created along with Python APIs to assist in the development of Bluetooth auditing, pentesting and exploitation tools.

    The project supplements the work of Michael Ossmann et al. by providing Python extensions and Scapy modules which interact with an Ubertooth dongle. The project also provides support for other passive Bluetooth techniques not present in the current Ubertooth core software such as NAP identification, vendor lookup, extended logging and more.

    In conjunction with this presentation, the source for this project will be released along with distribution packages for easy installation.

    Presented By:
    Ryan Holeman

  • Stamp Out Hash Corruption, Crack All The Things

       July 26

    The precursor to cracking any password is getting the right hash. In this talk we are going to cover how we discovered that Cain & Abel, Creddump, Metasploit and other hash extraction tools regularly yield corrupt hashes that cannot be cracked. We will take a deep dive into password extraction mechanics, the birth of a viral logic flaw that started it all and how to prevent corrupt hashes. At the conclusion of this talk we will release patches that prevent hash corruption in these tools that many security professionals use every day.

  • STIX: The Structured Threat Information eXpression

       July 25

    This Turbo Talk will give a brief introduction and overview of an ongoing effort to define a standardized integrated information architecture for representing structured cyber threat information.

    The effort known as the Structured Threat Information eXpression (STIX) is a work in progress among a broad community of industry, government, academic and international experts. This representation, as a whole or in parts, is actively being pursued as a basis for automation and information sharing within several active communities.

    Presented By:
    Sean Barnum

  • SYNful Deceit, Stateful Subterfuge

       July 26

    Successful network reconnaissance and attacks are almost always predicated on effectively identifying listening application services. However, the task can be daunting with various deployments of SYN Flood protections that can mask legitimate results. Furthermore, misconceptions are plentiful and suggestions are elusive regarding how to truly distinguish the actual available services from the false positives. This presentation will delve into techniques used for SYN Flood protection and how to defeat various open-source and commercial vendor implementations.

    The presentation will consist of IPv4 packet level details. As a result, a solid understanding of TCP/IP and the IPv4 connection process is highly advised prior to attending this presentation. Further understanding of typical port scanning techniques, such as SYN and ACK scans, will be useful, as well. Finally, a tool will be released so attendees can continue to explore the concepts and techniques within their own networks.

    Presented By:
    Tom Steele
    Chris Patten

  • The last gasp of the industrial air-gap...

       July 25

    Industrial systems are widely believed to be air-gapped. At previous Black Hat conferences, people have demonstrated individual utility control systems directly connected to the internet. However, this is not an isolated incident of failure, but rather a disturbing trend. By visualising results from SHODAN over a 2 1/2 year period, we can see that there are thousands of exposed systems around the world. By applying geolocation and vulnerability pattern matching to service banners, we can see their rough physical location and the number of standard vulnerabilities they are exposed to.

    This allows us to look at some statistics about the industrial system security posture of whole nations and regions. During the process of this project I worked with ICS-CERT to inform asset-owners of their exposure and other CERT teams around the world. The project has reached out to 63 countries, and sparked discussion of convergence towards the public internet of many insecure protocols and devices. The original dissertation can be found here:

    and a bit of previous press here:

    Presented By:
    Eireann Leverett

  • When security gets in the way: PenTesting mobile apps that use certificate pinning

       July 26

    More and more mobile applications such as the Chrome, Twitter and apps have started relying on SSL certificate pinning to further improve the security of the application's network communications. Certificate pinning allows the application to authenticate the application's servers without relying on the device trust store. Instead, a white-list of certificates known to be used by the servers is directly stored in the application, effectively restricting the set of certificates the application will accept when connecting to those servers.

    While improving the security of end users, not using the device trust store to validate the servers' identity also makes black-box testing of such apps much more challenging. Without access to the application's source code to manually disable certificate validation, the tester is left with no simple options to intercept the application's SSL traffic.

    We've been working on a set of tools for both Android and iOS to make it easy to defeat certificate pinning when performing black-box testing of mobile apps.

    On iOS, a MobileSubstrate "tweak" has been developed in order to hook, at run time, the specific SSL functions performing certificate validation. Using Cydia, the "tweak" can easily be deployed on a jailbroken device, allowing the tester to disable certificate validation for any app running on that device in a matter of minutes.

    For Android applications, a custom JDWP debugger has been built to perform API hooking tasks. This tool can be easily used on any Android device or emulator that allows USB debugging and application debugging.

    This presentation will discuss the techniques we used to create those iOS and Android API hooking tools, common use case scenarios, and demonstrations of the tools in action.