Europe 2014: Connection Errors
With networking, one of computing's greatest strengths can just as easily be one of its worst weaknesses. Today's quartet of Black Hat Europe 2014 Briefings show that with great interconnectivity comes great vulnerabilities.
SSL/TLS has suffered a fair few attacks over the last couple years, with some targeting its crypto and protocol (BEAST, CRIME) and others rewriting https links into http (SSLStrip). The widely deployed HTTP Strict Transport Security (HSTS) was developed to protect against SSLStrip attacks. There's just one problem, which Jose Selvi will lay out in Bypassing HTTP Strict Transport Security: Under certain circumstances, an attacker could exploit an inter-operation vulnerability to bypass HSTS protection and use well-known attack techniques like SSLStrip. Come learn about HSTS's strengths and weaknesses and the details of this vulnerability.
It's 2014: Can you trust the Internet? No, not really. Bad actors all over the globe have seriously compromised its software and infrastructure. Workarounds include encrypted transport links, mesh networks, and harassing users for being unable to use GPG safely... all of which fail in different ways. Endrun - Secure Digital Communications for Our Modern Dystopia will explore how ideas from NASA's Disruption-Tolerant Networking project can prevent information leakage in a functional system, leading to the creation of a reliable, eventually-consistent communications system ideal for activists, refugees, and yes, trolls.
IPv4 addresses are an endangered breed, so over the next few years the slow wave that is IPv6 will finally get its chance to save networking as we know it. Of course, IPv6 brings more than just a huge address space: It also comes with several documented security issues. Evasion of High-End IDPS Devices at the IPv6 Era will present the latest research on IPv6 exploits, illuminating techniques that allow attackers to launch any kind of attack against targets, from port scanning to SQLi, while remaining undetected. And how to defend? That's on the agenda, too.
Finally, software-defined networking provides the network with the same control and flexibility as the cloud, and will soon see wider-spread adoption. But current implementations are full of weaknesses. Consider Floodlight and OpenDaylight: clear-text wire protocol implementations, little support for switch TLS, no authentication for nodes, poorly conceived rate-limiting in controllers, controller APIs that don't require authentication, and back-door netconf access... where to stop? In Abusing Software Defined Radio Networks Gregory Pickett will demonstrate a new toolkit that lets you run rampant in these SDNs, as well as how to defend against it.
Intrigued? We hope so! Head on over to Black Hat Europe 2014's registration page to get your attendance plans in order.