Come November, Black Hat, the premier conference on information security, will return to the Netherlands for Black Hat Europe 2015. Some of the industry's brightest minds will deliver four days of Black Hat's signature Briefings and cutting-edge Trainings to bring you up to speed on a diverse range of intriguing and timely infosec research. In today's inaugural Black Hat Europe intel update, we'll check out nine diverse Briefings you can look forward to come November.
App developers have come to rely on Backend-As-A-Service providers like Amazon, Google and Facebook, which vastly simplify common tasks like managing database records. But are these services secure? The answer, as revealed in the Briefing (In-)Security of Backend-As-A-Service, is of course not. Presenters Rasthofer and Arzt will show the extreme ease with which one can break into these backends, accessing customer data and even planting malicious code. They'll also debut a new app which automatically extracts valid BAAS credentials from vulnerable apps.
Continuing with exploits, 38 of the top 50 banks rely on the Temenos system to process the daily transactions of their over 500 million customers. Shockingly, or perhaps not, this critical piece of financial infrastructure has its share of security holes. Cracking Online Banks - Exploiting Temenos will examine Temenos deployment strategies, illustrating security shortcomings, demonstrating remote breaches (plus remediation techniques), and granting insights into the do's and don'ts of Temenos deployment.
In previous decades the Bring Your Own Device phenomenon would have given security-minded IT officers hives, but today it's the norm. IT attempts to ensure security of business-critical data via BYOD and Mobile Device Management (MDM) software, which often involves detecting and blacklisting rooted devices. But as you'll see in All Your Root Checks Belong to Us: The Sad State of Root Detection, it's very possible to circumvent these root checks, opening the door to wanton security violations. The presenters will also debut AndroPoser, a simple tool that allows rooted devices to appear not so.
Root checks aren't the only thing we'll be bypassing. Full-Disk Encryption (FDE) solutions are sometimes seen as the silver bullet to protect against unauthorized disclosure of data. With zero overhead, they seem superior to software-based encryption solutions. In Bypassing Self-Encrypting Drives (SED) in Enterprise Environments, Boteanu and Fowler will reveal a critical SED flaw that's been lurking in the technology for years, as well as how organizations can protect themselves.
Shifting gears, the oil and gas industries are particularly plagued by cyber attacks, which can lead to blatant theft of resources. Cybersecurity for Oil and Gas Industries: How Hackers Can Manipulate Oil Stocks will show how industry SAP and Oracle systems can be exploited, so, for example, attackers can corrupt intricate gas-volume conversion calculations to alter pricing, excise duties, and transportation fees. Polyakov and Geli will shed light on this dark area, and discuss critical circumventions.
Speaking of oil, autonomous, self-driving vehicles are the next evolution in transportation, offering upgrades to safety, traffic efficiency, and passenger experience. They rely on an array of diverse sensors, including LiDAR, radar, and cameras, which have to be robust against attacks and other interference. But as we'll see in Self-Driving Cars: Don't Trust Your Sensors! attackers can perpetrate remote attacks on LiDAR and camera-based systems using commodity hardware, achieving blinding, jamming, replay, relay, and spoofs. Jonathan Petit will close by proposing hardware/software countermeasures to improve resilience against such efforts.
Moving to malware, Microsoft's Control Flow Guard (CFG) exploit mitigation technology increases the difficulty of gaining code execution in Windows 8.1 and 10. Even so, Adobe Flash still suffers from serious security holes. Exploiting Adobe Flash Player in the Era of Control Flow Guard will begin by leveraging Flash's JIT compiler to bypass CFG, then delve into three practical data-only attacks. Although this Briefing focuses on Flash, these techniques and ideas can be applied against other software, too.
Some of the best attacks are those the victim won't even notice, and malware's increasingly turning to steganography -- obscuring covert communications in seemingly legitimate channels -- to handle command-and-control comms and bypass detection mechanisms. Hiding in Plain Sight - Advances in Malware Covert Communication Channels will explain recent advances in steganography, focusing on three recent malware families (Stegoloader, Vawtrak, and Lurk) and how they implement it. Examples will span commodity cybercrime as well as targeted attack malware.
On a similar note, Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files -- undetectable by normal means. Stegosploit - Exploit Delivery with Steganography and Polyglots will discuss two broad underlying techniques, steganography and polyglots. Presenter Shah will also release The Stegosploit Toolkit v0.3, which features tools to test image-based exploit delivery.
Black Hat Europe 2015 takes place November 10-13 in Amsterdam. The great early-bird rates end on September 4, so make haste to register and lock in those savings!