briefings - july 26 & 27


Stepping Up Our Game: Re-focusing the Security Community on Defense and Making Security Work for Everyone

Since the first Black Hat conference 20 years ago, the security community, industry and the world have changed to the point that it's time to re-examine whether we're living up to our responsibilities and potential.

Long gone are the days when "hacking" conjured up a sense of mischief and light-heartedness, with limited risks and harm. The harsh reality of the now is that the security community hasn't kept pace with the importance of technology in our society, even as the stakes have grown higher than ever. Our adversaries are no longer motivated only by money, personal data or competitive intelligence, but are now driven to use the critical technologies of our lives to arrest journalists and activists, to suppress democracy and manipulate public opinion. In these times, our community has a responsibility to the people of the world that goes beyond traditional facets of information security.

This talk will explore how we can adapt to better confront the obstacles we face as security practitioners. Can we incentivize and celebrate defensive security research in the same way that we applaud the discovery of vulnerabilities? How do we foster intelligent discussion of real-world trade-offs while avoiding sensationalism? We will discuss real situations from the last year where our community could have risen to the occasion, we will analyze what failed, and propose how we can further help protect people.

Presented By

Alex Stamos


'Ghost Telephonist' Link Hijack Exploitations in 4G LTE CS Fallback

In this presentation, one vulnerability in CSFB (Circuit Switched Fallback) in 4G LTE network is introduced. In the CSFB procedure, we found the authentication step is missing. The result is that an attacker can hijack the victim's communication. We named this attack as 'Ghost Telephonist.' Several exploitations can be made based on this vulnerability. When the call or SMS is not encrypted, or weakly encrypted, the attacker can get the content of the victim's call and SMS. The attacker can also initiate a call/SMS by impersonating the victim. Furthermore, Telephonist Attack can obtain the victim's phone number and then use the phone number to make advanced attack, e.g. breaking Internet online accounts. The victim will not sense being attacked since no 4G or 2G fake base station is used and no cell re-selection. These attacks can randomly choose victims or target a given victim. We verified these attacks with our own phones in operators' network in a small controllable scale. The experiments proved the vulnerability really exists. Finally, the countermeasures are proposed and now we are collaborating with operators and terminal manufactures to fix this vulnerability.

Presented By

Haoqi Shan  &  Jun Li  &  Yuwei Zheng  &  Lin Huang  &  Qing Yang

(in)Security in Building Automation: How to Create Dark Buildings with Light Speed

A number of talks in the last few years have addressed various topics in the generic area of industrial control system insecurity but only few have tapped into security of building automation systems, albeit its prevalence.

The usage of building automation, regardless if in private homes or corporate buildings, aims to optimize comfort, energy efficiency and physical access for its users. Is cyber security part of the equation? Unfortunately, not to the extent one might expect, cyber security is quite often found to be sacrificed either for comfort or efficiency.

The higher number of small and large-scale installations combination with easily exploitable vulnerabilities leads to a stronger exposure of building automation systems, which are often overlooked. Even worse, an adversary understanding the usage of regular building automation protocol functions for malicious purposes may not only create chaos within the breached building but can potentially even peak into internal networks over building protocols which are otherwise not reachable.

This talk describes prototypic attack scenarios through building automation systems one should consider, and how even without exploits, a number of protocol functions in common building automation protocols like BACnet/IP and KNXnet/IP can support a malicious adversary going for those scenarious.

For penetration testers who would like to explore this interesting field of industrial security research, we include a section on tooling. We will discuss noteworthy tools both from the security toolbox but also from the building automation toolbox for carrying out a number of attacks or their preparatory steps.

We will close out talk by discussing existing security measures proposed by the building automation industry as well as their adoption problems found in this field.

Presented By

Thomas Brandstetter

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.

Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.

Understanding the basics of this technique, the audience won't be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

Presented By

Orange Tsai

Advanced Pre-Breach Planning: Utilizing a Purple Team to Measure Effectiveness vs. Maturity

For years, the cybersecurity industry has struggled with how to measure the cyber-readiness of an organization. While it is certainly a valid exercise to benchmark a cybersecurity program against a framework, such as NIST, these paper-work efforts articulate the maturity. To truly test the effectiveness of an organization's detect and response capabilities to a cyberattack, it's necessary to provide a sparring partner. This session will discuss the process of cycling the SOC and IR team through a realistic adversary simulation (from a prepared red team), and then observing the organization's response, from the eyes of an experienced blue team.

Presented By

Justin Harvey

Adventures in Attacking Wind Farm Control Networks

Wind farms are becoming a leading source for renewable energy. The increased reliance on wind energy makes wind farm control systems attractive targets for attackers. This talk explains how wind farm control networks work and how they can be attacked in order to negatively influence wind farm operations (e.g., wind turbine hijacking). Specifically, implementations of the IEC 61400-25 family of communications protocols are investigated (i.e., OPC XML-DA). This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack. Additionally, proof-of-concept attack tools are developed in order to exploit wind farm control network design and implementation vulnerabilities.

Presented By

Jason Staggs

All Your SMS & Contacts Belong to ADUPS & Others

Our research has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers in China - without disclosure or the users' consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD and the BLU Life One X2. These devices actively transmitted user and device information including the full-body of text messages, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI), serial number, Media Access Control (MAC) address, and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely-defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.

The firmware that shipped with the mobile devices and subsequent updates allowed for the remote installation of applications without the users' consent and, in some versions of the software, the transmission of fine-grained device location information. The core of the monitoring activities took place using a commercial Firmware Over The Air (FOTA) update software system that was shipped with the Android devices we tested and were managed by a company named Shanghai Adups Technology Co. Ltd.
Our findings are based on both code and network analysis of the firmware. The user and device information was collected automatically and transmitted periodically without the users' consent or knowledge. Some of the collected information was encrypted and then transmitted over secure web protocols to a server located in Shanghai. This software and behavior bypasses the detection of mobile anti-virus tools because they assume that software that ships with the device is not malware and thus, it is white-listed.

In September 2016, Adups claimed on its web site to have a world-wide presence with over 700 million active users, and a market share exceeding 70% across over 150 countries and regions with offices in Shanghai, Shenzhen, Beijing, Tokyo, New Delhi, and Miami. The Adups web site also stated that it produces firmware that is integrated in more than 400 leading mobile operators, semiconductor vendors, and device manufacturers spanning from wearable and mobile devices to cars and televisions.

An ACE Up the Sleeve: Designing Active Directory DACL Backdoors

Active Directory (AD) object discretionary access control lists (DACLs) are an untapped offensive landscape, often overlooked by attackers and defenders alike. The control relationships between AD objects align perfectly with the "attackers think in graphs" philosophy and expose an entire class of previously unseen control edges, dramatically expanding the number of paths to complete domain compromise.

While DACL misconfigurations can provide numerous paths that facilitate elevation of domain rights, they also present a unique chance to covertly deploy Active Directory persistence. It's often difficult to determine whether a specific AD DACL misconfiguration was set intentionally or implemented by accident. This makes Active Directory DACL backdoors an excellent persistence opportunity: minimal forensic footprint, and maximum plausible deniability.

This talk will cover Active Directory DACLs in depth, our "misconfiguration taxonomy," and enumeration/analysis with BloodHound's newly released feature set. We will cover the abuse of AD DACL misconfigurations for the purpose of domain rights elevation, including common misconfigurations encountered in the wild. We will then cover methods to design AD DACL backdoors, including ways to evade current detections, and will conclude with defensive mitigation/detection techniques for everything described.

Presented By

Andy Robbins  &  Will Schroeder

And Then the Script-Kiddie Said Let There be No Light. Are Cyber-Attacks on the Power Grid Limited to Nation-State Actors?

Electricity is of paramount importance in our everyday lives. Our dependence on it is particularly evident during even brief power outages. You can think of power systems as the backbone of critical infrastructures. To date, cyber-attacks against power systems are considered to be extremely sophisticated and only within the reach of nation-states. However, through this presentation we will challenge this perception, and provide a structured methodology towards attacking a power system on a limited budget.

When gathering information during the design phase of an attack, it is electrifying what you can find on the internet if you know what to look for. We will demonstrate information obtained from the web that can be leveraged to model and analyze a target power system, and how we can use this information to model power systems throughout the globe.

However, this talk is not just about theory. We will demonstrate a critical vulnerability we discovered in General Electric Multilin products widely deployed in power systems. Essentially, we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack. We will also show a technique for remotely fingerprinting affected devices over the network.

The talk includes a live demo showcasing exploitation of the vulnerability on a feeder management relay and how this vulnerability can have significant impact on a nation. We will discuss mitigation strategies, including the specific firmware update that addresses this vulnerability, and provide our thoughts on what the next steps in securing the power infrastructure should be. Tune in for more.

Attacking Encrypted USB Keys the Hard(ware) Way

Ever wondered if your new shiny AES hardware-encrypted USB device really encrypts your data - or is just a fluke? If you have, come to our talk to find out if those products live up to the hype and hear about the results of the audit we conducted on multiples USB keys and hard drives that claim to securely encrypt data.

In this talk, we will present our methodology to assess "secure" USB devices both from the software and the hardware perspectives. We will demonstrate how this methodology works in practice via a set of case-studies. We will demonstrate some of the practical attacks we found during our audit so you will learn what type of vulnerability to look for and how to exploit them. Armed with this knowledge and our tools, you will be able to evaluate the security of the USB device of your choice.

Automated Detection of Vulnerabilities in Black-Box Routers (and Other Network Devices)

Network protocols are based on open standards. However, the Internet runs mostly on proprietary and closed-source network devices such as routers and switches of big-name vendors like Cisco. A slight deviation in a vendor's implementation of a standard protocol may weaken the robustness and security of the protocol, thus creating a logical vulnerability an attacker may be able to exploit. Such logical vulnerabilities will likely affect many models of devices made by that vendor. However, finding these logical vulnerabilities in protocol implementations of routers demands great efforts to reverse-engineer them.

In this work, we present a method that leverages a formal black-box method to unearth deviations of protocol implementations in closed-source network devices with no need to access the binary or source code of the device. Our method finds such deviations in a fully automatic manner while leveraging a model-based testing approach. We applied the method to several routers to check their routing protocols' implementations (specifically OSPF) using the tool we found logical vulnerabilities in routers by Cisco and Quagga. The vulnerabilities affect in total dozens of models of routers. This is a joint work with Adi Sosnovich and Orna Grumberg.

Presented By

Gabi Nakibly

Automated Testing of Crypto Software Using Differential Fuzzing

We present a new and efficient approach to systematic testing of cryptographic software: differential fuzzing. Unlike general purpose software fuzzing such as afl, differential fuzzing doesn't aim to find memory corruption bugs (although they might come as a by-product), but to find logic bugs. Compared to test vectors, differential fuzzing provides greater code coverage. Compared to formal verification, differential fuzzing is easier to apply, both for testers and developers.

We'll release CDF, a tool that implements differential fuzzing for most common cryptographic APIs: RSA encryption and signatures, elliptic-curve cryptography, or any symmetric-key schemes through a unified interface. CDF combines differential fuzzing with a number of unit tests to detect vulnerabilities specific to the cryptographic functions tested. It can also detect timing leaks, thanks to state-of-the-art leakage detection techniques.

CDF is coded in Go, and is trivially portable to various CPU architectures. Unlike other tools, CDF runs its tests in a totally black-box fashion: no source code is needed, you only need an executable file such as a binary program, Python script, or shell script calling a remote service.

We ran CDF on high-profile, widely used crypto software components. CDF discovered issues in a number of libraries including Go's crypto package, OpenSSL, and mbedTLS.

AVPASS: Leaking and Bypassing Antivirus Detection Model Automatically

AVPASS is a tool for leaking the detection model of Android antivirus (AV) programs, and bypassing the AV detection by using the leaked information coupled with APK perturbation techniques. AVPASS is able to infer not only the detection features, but also hierarchy of detection rule chains. With help from the leaked model and the built-in APK perturbation functions, AVPASS is able to disguise any android malware as a benign application. Furthermore, using our novel additive mode, AVPASS supports safe querying and guarantees that one can test if the application will be detected by the AV without sending the whole or core parts of application. As a result, AVPASS leaked significant detection features of commercial AVs and achieved almost zero detection from VirusTotal when tested with more than 5,000 malware.

In this talk, we present the entire pipeline of the APK perturbation process, leaking model process, and auto-bypassing process. In addition, we show findings about commercial AVs, including their detection features and hierarchy, and inform the attendees about the potential weaknesses of modern AVs.

AVPASS will be demonstrated, showing that it modifies real world malware precisely, and allows them to bypass all AVs following the leaked model. AVPASS will be released with every tool that we have built, including the original source code and the related test data, to enable researchers to replicate the research on their own.

Presented By

Jinho Jung  &  Chanil Jeon  &  Max Wolotsky  &  Insu Yun  &  Taesoo Kim

Behind the Plexiglass Curtain: Stats and Stories from the Black Hat NOC

There's always a lot to say about the Black Hat network. Some of it's true, some of it...not so much. Whether you're confidently connected with your own devices, or you're on your burner laptop, burner phone, and wearing a tinfoil hat, you've likely thought to yourself "What the hell did I just connect to?" Join us for the annual Black Hat network debrief. We'll let you know all the stats and stories from behind the plexiglass curtain.

Presented By

Neil Wyler  &  Bart Stump

Betraying the BIOS: Where the Guardians of the BIOS are Failing

For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS?

In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.

Presented By

Alex Matrosov

Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game

We all groan when we hear it's "time for some game theory," but traditional game theory – modelling conflict and cooperation between rational decision-makers – still pervades how we think of defensive strategy as an industry. This primitive analysis is a disservice to defenders, who are facing humans (and who are, in fact, humans themselves), but are modelling their own actions and opponent's actions based on the assumption of machine-like behavior.

In this session, I will examine traditional game theory and propose why behavioral game theory should take its place in the philosophy of defense. Next, I'll review the first principles of game theory, through the lens of behavioral game theory, which empirically measures how humans actually behave in games, rather than assumes they will behave coldly rational.

I'll explain the "rules" of the information security game and how traditional game theory is poorly suited to those conditions, along with the various behavioral models and why they are a superior fit. I'll then explore the two primarily methods that play into how humans make decisions in games – "thinking" and "learning" and what empirical data from behavioral game theory studies suggests on how to improve thinking and learning, extrapolating to applications for infosec defenders.

Finally, I'll present new insights from my own research, examining how defenders and attackers play the infosec game specifically, and bridging from theory to practice, to see how the lessons from behavioral game theory can be tangibly incorporated into defenders' strategic decision making processes. I'll conclude the session by outlining the practical steps for improving threat modelling, countering offensive moves, and deciding which products to use, so that defenders can start gaining the high ground in the infosec game.

Presented By

Kelly Shortridge

Blue Pill for Your Phone

In this research, we've explored attack surface of hypervisors and TrustZone monitor in modern ARM based phones, using Google Nexus 5X, Nexus 6P, and Pixel as primary targets. We will explain different attack scenarios using SMC and other interfaces, as well as interaction methods between TrustZone and hypervisor privilege levels.

We will explore attack vectors which could allow malicious operating system (EL1) level to escalate privileges to hypervisor (EL2) level and potentially install virtualization rootkit in the hypervisor. We will also explore attack vectors through SMC and other low level interfaces, interactions between TrustZone and hypervisor (EL2) privilege levels. To help with further low level ARM security research, we will release ARM support for CHIPSEC framework and new modules to test issues in ARM based hypervisors and TrustZone implementations, including SMC fuzzer.

Presented By

Oleksandr Bazhaniuk  &  Yuriy Bulygin

Bochspwn Reloaded: Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

In kernel-mode, buffer overflows and similar memory corruption issues in the internal logic are usually self-evident and can be detected with a number of static and dynamic approaches. On the contrary, flaws directly related to interactions with user-mode clients tend to be more subtle, and can survive unnoticed for many years, while still providing primitives similar to the classic bugs. One example of such flaws are so-called "double fetches" – repeated accesses to single user-mode memory units within the same semantic contexts, with the assumption that their values don't change in between the reads. These are race conditions which can be often exploited to achieve memory corruption, write-what-where conditions and other dangerous primitives; yet they never manifest themselves at runtime, unless being actively exploited. In 2013, Gynvael and I devised a project called "Bochspwn", which was used to discover at least 37 double fetches in the Windows kernel, by employing a custom full-system instrumentation built on top of the Bochs x86 emulator.

This presentation will introduce another subtle class of kernel vulnerabilities – disclosure of uninitialized stack and heap memory to user-mode applications. Since information leaks of this kind leave hardly any footprint, they are rarely noticed and reported to system vendors. However, we have found that it is still a prevalent problem in current kernels (especially Windows), and can be abused to defeat certain exploit mitigations or steal sensitive data residing in ring-0. In order to address this matter, we have developed a new Bochspwn-style instrumentation based on rudimentary kernel memory taint tracking, which we then used to discover 30 memory disclosure issues in Windows alone. In this talk, we will discuss the kernel design problems behind the bugs, the design of our tool, and the exploitation process of some of the most interesting findings.

Presented By

Mateusz Jurczyk

Bot vs. Bot for Evading Machine Learning Malware Detection

Machine learning offers opportunities to improve malware detection because of its ability to generalize to never-before-seen malware families and polymorphic strains. This has resulted in its practical use for either primary detection engines or supplementary heuristic detections by AV vendors. However, machine learning is also especially susceptible to evasion attacks by, ironically but unsurprisingly, other machine learning methods. We demonstrate how to evade machine learning malware detection by setting up an AI agent to compete against the malware detector that proactively probes it for blind spots that can be exploited. We focus on static Windows PE malware evasion, but the framework is generic and could be extended to other domains.

Reinforcement learning has produced models that top human performance in a myriad of games. Using similar techniques, our PE malware evasion technique can be framed as a competitive game between our agent and the machine learning model detector. Our agent inspects a PE file and selects a sequence of functionality-preserving mutations to the PE file which best evade the malware detection model. The agent learns through the experience of thousands of "games" against the detector, which sequence of actions is most likely to result in an evasive variant. Then, given any new PE malware that the agent has never before seen, the agent deploys a policy that results in a functionally-equivalent malware variant that has a good chance of evading the opposing machine learning detector.

We conclude with key defender takeaways. Teaching the machine learning detector about its blind spots is a simple and powerful idea. However, correct implementation is as much art as it is science. Finally, we caution attendees that without an adversarially-minded approach, machine learning offers early successes, but can quickly become a porous defense in the face of sophisticated adversaries.

Presented By

Hyrum Anderson

Breaking Electronic Door Locks Like You're on CSI: Cyber

Breaking electronic locks looks so fun in the movies – get your "tech wizard" member of the team to plug some gadget into the control panel on the locked door, the gadget scrolls through all the combinations, and then the door opens. The hardest part is figuring out what cool catch-phrase you'll use when the door opens.

Why can't real life be like this? This talk will look at a few consumer grade electronic locks, and aims to break them like you'd see in the movies (roughly). Along the way it features a detailed tear-down of the electronics on these locks & discuss vulnerabilities a hardware hacker can exploit to bypass them.

Presented By

Colin O'Flynn

Breaking the Laws of Robotics: Attacking Industrial Robots

Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point.

Industrial robots must follow three fundamental laws: accurately "read" from the physical world through sensors and "write" (i.e. perform actions) through actuators, refuse to execute self-damaging control logic, and most importantly, echoing Asimov, never harm humans. By combining a set of vulnerabilities we discovered on a real robot, we will demonstrate how remote attackers are able to violate such fundamental laws up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.

We will cover in-depth technical aspects (e.g., reverse engineering and vulnerability details, and attack PoCs), alongside a broader discussion on the security posture of industrial routers and robots: Why these devices are attractive for attackers? What could they achieve? Are they hard to compromise? How can their security be improved?

Breaking the x86 Instruction Set

A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. We'll disclose new x86 hardware glitches, previously unknown machine instructions, ubiquitous software bugs, and flaws in enterprise hypervisors. Best of all, we'll release our sandsifter toolset, so that you can audit - and break - your own processor.

Presented By

Christopher Domas

Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets

Remote exploits that compromise Android and iOS devices without user interaction have become an endangered species in recent years. Such exploits present a unique challenge: Without access to the rich scripting environment of the browser, exploit developers have been having a hard time bypassing mitigations such as DEP and ASLR.

But what happens when, underneath your heavily hardened OS, a separate chip parses all your Wi-Fi packets - and runs with no exploit mitigations whatsoever?

Meet Broadpwn, a vulnerability in Broadcom's Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction. The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices - from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.

In this talk, we'll take a deep dive into the internals of the BCM4354, 4358 and 4359 Wi-Fi chipsets, and explore the workings of the mysterious, closed-source HNDRTE operating system. Then, we'll plunge into the confusing universe of 802.11 standards in a quest to find promising attack surfaces.

Finally, we'll tell the story of how we found the bug and exploited it to achieve full code execution - and how we went on to leverage our control of the Wi-Fi chip in order to run code in the main application processor.

Presented By

Nitay Artenstein

Bug Collisions Meet Government Vulnerability Disclosure

How often does someone find your secret bugs? The Vulnerability Equities Process (VEP) helps determine if a software vulnerability known to the U.S. government will be disclosed or kept secret. A key part of that calculation is the likelihood that some other party may have found the same vulnerability. Yet, for years there has been little to no good analysis to say how often two parties independently discover the same vulnerability.

Suddenly in 2017, two studies which addressed this question were released within days of each other with different findings. Join us for a discussion with the lead authors and several luminaries in the security space as we pick apart the key findings from these reports and their implications for the policy community.

Presented By

Trey Herr  &  Jason Healey  &  Kim Zetter  &  Lillian Ablon  &  Katie Moussouris

Challenges of Cooperation Across Cyberspace

Cyberspace is formed and governed by a range of different technical and policy communities. A major challenge is insufficient awareness and mutual acceptance among the various communities. The traditional government dialogues on international security, for instance within the United Nations, have struggled to work with this reality when addressing issues of war and peace in cyberspace.

During this talk, the Chair and Commissioners of the recently established Global Commission on the Stability of Cyberspace (GCSC) will address the challenges of cooperating across different communities when addressing issues of international security and cyberspace. Commissioners with backgrounds in information security, Internet governance, diplomacy, international relations and law enforcement will comment on why it is important that their respective communities cooperate outside of their own silos, what the main barriers are, and how these can be overcome.

The Commission brings together stakeholders from the international security and cyberspace communities to develop proposals for norms and policies to guide responsible state and non-state behavior in cyberspace.

Cloak & Dagger: From Two Permissions to Complete Control of the UI Feedback Loop

While both the SYSTEM_ALERT_WINDOW and the BIND_ACCESSIBILITY_SERVICE Android permissions have been abused individually (e.g., in UI redressing attacks, accessibility attacks), previous attacks based on these permissions failed to completely control the UI feedback loop and thus either rely on vanishing side-channels to time the appearance of overlay UI, cannot respond properly to user input, or make the attacks literally visible. In this work, we demonstrate how combining the capabilities of these permissions leads to complete control of the UI feedback loop and creates devastating and stealthy attacks. In particular, we demonstrate how an app with these two permissions can launch a variety of stealthy, powerful attacks, ranging from stealing user's login credentials and security PIN, to the silent installation of a God-like app with all permissions enabled. To make things even worse, we note that when installing an app targeting a recent Android SDK, the list of its required permissions is not shown to the user and that these attacks can be carried out without needing to lure the user to knowingly enable any permission, thus leaving him completely unsuspecting. In fact, we found that the SYSTEM_ALERT_WINDOW permission is automatically granted for apps installed from the Play Store and, even though the BIND_ACCESSIBILITY_SERVICE is not automatically granted, our experiment shows that it is very easy to lure users to unknowingly grant that permission by abusing capabilities from the SYSTEM_ALERT_WINDOW permission. We also found that it is straightforward to get a proof-of-concept app requiring both permissions accepted on the official store. We evaluated the practicality of these attacks by performing a user study: none of the 20 human subjects that took part of the experiment even suspected they had been attacked. We conclude with a number of observations and best-practices that Google and developers can adopt to secure the Android GUI.

Cracking the Lens: Targeting HTTP's Hidden Attack-Surface

Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years.

In this presentation, I'll show how to use malformed requests and esoteric headers to coax these systems into revealing themselves and opening gateways into our victim's networks. I'll share how by combining these techniques with a little Bash I was able to thoroughly perforate DoD networks, trivially earn over $30k in vulnerability bounties, and accidentally exploit my own ISP.

While deconstructing the damage, I'll also showcase several hidden systems it unveiled, including not only covert request interception by the UK's largest ISP, but a substantially more suspicious Columbian ISP, a confused Tor backend, and a system that enabled reflected XSS to be escalated into SSRF. You'll also learn strategies to unblinker blind SSRF using exploit chains and caching mechanisms.

Finally, to further drag these systems out into the light, I'll release Collaborator Everywhere - an open source Burp Suite extension which augments your web traffic with a selection of the best techniques to harvest leads from cooperative websites.

Presented By

James Kettle

Cyber Wargaming: Lessons Learned in Influencing Security Stakeholders Inside and Outside Your Organization

The security industry faces a tough and growing problem: many of the fundamental decisions made which affect security are made by people that don't have the right cyber skills or experiences. This talk describes how the creation of a realistic, hands-on wargame environment can be leveraged to not only teach participants about attack and defense but to enable other organizational advantages.

The game environment puts two attacking teams competing in parallel with a single defending team, with all teams evaluated and scored. The game environment role-plays different attack motivation, technique and mindset with one team playing as hactivists and the other playing as nation state. The defending team manages a diverse mix of IT and OT assets, including an emulated oil refinery comprised of SCADA and HMI using industrial control protocol communications. And, the game leverages the human dimension, inclusive of insider threat and social engineering.

The game is 2.5 hours start to finish, comprised of short intro brief, teams then move to their operations areas where they are given team briefings, then an hour of gameplay, concluding with team post-briefs. Winning teams often are those that communicate best. The defending team has the most scoring opportunity but faces the toughest challenges.

This talk will present the technical architecture of the game environment for technical attendees interested in building their own. Our talk will present business value to the game for non-technical attendees interested in promoting their organizational capability, building brand awareness, or creating a customer-oriented training service. And, we will show screenshots, videos and detailed diagrams giving all attendees a close view of how the game is built and delivered.

Presented By

Jason Nichols

Datacenter Orchestration Security and Insecurity: Assessing Kubernetes Mesos and Docker at Scale

Your datacenter isn't a bunch of computers, it is *a* computer. While some large organizations have over a decade of experience running software-defined datacenters at massive scale, many more large organizations are just now laying the foundations for their own cloud-scale platforms based on similar ideas. Datacenter-level operating systems such as Kubernetes, Mesos, and Docker Enterprise significantly change both the computing and security paradigms of modern production environments, whether they are in the cloud, on-premises, or a hybrid of the two. The focus of a lot of security attention related to containers and DevOps has been on the kernel-level isolation mechanisms, but these modern datacenter orchestration systems make single-node privilege escalation and persistence significantly less useful. We'll go over the background of what security benefits modern datacenter-level orchestration systems provide and what challenges they also bring along with them. We'll also discuss how to think about attacking and defending entire clusters vs. single machines and what common attack patterns (privilege escalation, lateral movement, persistence) look like specific to the orchestration layers instead of through the traditional native operating systems.

Presented By

Dino Dai Zovi

Defeating Samsung KNOX with Zero Privilege

The story started mid-2016 by exploiting CVE-2016-6787 (found by myself) and rooting large numbers of Android devices shipped with 3.18 Linux kernel. However, we realized that our exploit wasn't working on Samsung Galaxy S7 Edge; the usual way we used to bypass KNOX on Galaxy S6 had expired.

After KeenLab successfully worked out several rooting solutions on many old Samsung smartphones in past two years, Samsung KNOX unsurprisingly enforced Galaxy S7 series. This time, KNOX introduced the Data Flow Integrity (DFI) as a part of its Real time Kernel Protection (RKP) implemented in TrustZone. KNOX RKP tried to use DFI to prevent a process which has compromised the Linux kernel from gaining root privilege. Furthermore, KNOX introduced KASLR as an additional mitigation. KNOX also removed the global variable "selinux enforce" in kernel, and permissive domain is not permitted - this means SELinux cannot be disabled or inserted a permissive domain even if you have already achieve kernel code execution.

In this talk I will describe how I used an exploit chain to defeat the new Samsung KNOX with zero privilege (exploit chain can be executed by any untrusted application), including KASLR bypassing, DFI bypassing, SELinux fully bypassing and privilege escalation. All details of vulnerabilities and mitigation bypassing techniques will be given during the presentation.

Presented By

Di Shen

Delivering Javascript to World+Dog

You've joined a startup building the next big enterprise unicorn. The product is delivered as javascript on all of your customers' websites. What could go wrong? The threat model of serving third party javascript all over the web will be reviewed. There's plenty of room for small engineering mistakes that lead to pwn-once, exploit everywhere fail. Strategies for focusing your SDL on these flaws will be discussed.

Next, defenses in key points of the delivery architecture will be explored, from the SaaS platform to CDNs to browsers. Now for the money - what does it take to convince customers to serve your code? It's a big leap of faith for customers to trust you and your arbitrary javascript on their site. The deeper their pockets are, the higher they set the bar for you throughout your architecture. What do they expect in your SDL? Finally, how do you sell this in your organization? Going beyond SDL best practices, strategies for building a product & engineering culture of protecting javascript delivery will be shared.

Presented By

Kyle Randolph

Developing Trust and Gitting Betrayed

Trust is an implicit requirement of doing business - at some point, we must trust employees, peers, and technology to a degree. The lack of proper management or understanding of these various trust relationships is a leading cause of security exposure. This talk will cover the analysis and exploitation of the trust relationships between code, platforms, developers, and their parent organization. We will look at the software development life cycle and how it can be actively exploited to attack, evade defenses, and ultimately own a target organization.

To support our discussion of attacking trust relationships, we will also be releasing and presenting GitPwnd, a tool to aid network penetration testers in compromising machines and spreading control within development-heavy environments. These environments tend to have heavily segmented networks and extensive logging and monitoring. Defensive tools often look for process activity and timing that differs from normal user behavior. GitPwnd evades these defenses by inserting itself into common development workflows. We'll describe GitPwnd's architecture, implementation choices to evade detection, and we'll conclude with a live demo of GitPwnd worming through a segmented network.

Presented By

Clint Gibler  &  Noah Beddome

Digital Vengeance: Exploiting the Most Notorious C&C Toolkits

Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.

If one looks at the many APT reports that have been released over the years, some clear patterns start to emerge. A small number of Remote Administration Tools (RATs) are preferred by actors and reused across multiple campaigns. Frequently sited tools include Gh0st RAT, Korplug/Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.

Although the material in this talk will provide tools for launching an offensive against attackers, this talk is not intended to be an instructional for hacking back. The ethics and legality of counter attacks will be touched on only briefly as that is a discussion beyond the scope of this talk.

The presentation will disclose several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones.

Presented By

Waylon Grange

Don't Trust the DOM: Bypassing XSS Mitigations via Script Gadgets

Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.

Electronegativity - A Study of Electron Security

Despite all predictions, native Desktop apps are back. After years porting stand-alone apps to the web, we are witnessing an inverse trend. Many companies have started providing native desktop apps built using the same technologies as their web counterparts. In this trend, Github's Electron has become a popular framework to build cross-platform desktop apps with JavaScript, HTML, and CSS. While it seems to be easy, embedding a webapp in a self-contained web environment (Chromium, Node.Js) introduces new security challenges.

In this presentation, we will illustrate Electron's security model and describe current isolation mechanisms to prevent untrusted content from using Node.js primitives. Electron's IPC messaging, preloading and other internals will be comprehensively discussed. BrowserWindow and WebView security-relevant options will be also analyzed, together with design-level weaknesses and implementation bugs in Electron-based applications.

As part of our study of Electron security, we have mapped the overall attack surface and derived a comprehensive checklist of anti-patterns. A new tool (electronegativity) to facilitate testing of Electron-based apps will be released.

Presented By

Luca Carettoni

Escalating Insider Threats Using VMware's API

Enterprises often require that their IT teams have no access to data kept inside the machines they administer, a separation that is crucial for compliance, privacy and defense in depth. To this end, industries use VMWare's rich security model to separate the infrastructure domain from the guest machine domain. For example, most companies allow their IT teams to create, modify, backup and delete guest machines, but deny them guest machine operation functions such as file manipulation and console interaction.

The VMWare VIX API allows users with the required vSphere permissions to automate guest operations functions across VMWare platform products. Using VIX to interact with a virtual machine requires the administrator to go through two distinct security domains: 1) The vSphere host; 2) The guest operating system. With this two step authentication, even high vSphere permissions wouldn't necessarily allow interaction with guest machines.

VIX contains an undocumented functionality that breaks this security model, enabling a malicious user to bypass the guest domain authentication. To leverage this functionality an attacker would have to be able to modify the guest machine configuration in a way that will allow sending arbitrary commands to the guest machines and run them at root permissions. This method can be executed remotely, using an easy to use, well documented API, unlike other host-to-guest techniques which require high privileged access to the host.

In this session, we will provide real world examples of VMWare networks that are exposed to this security design flaw. We will demonstrate the ease at which an attacker can move from configuring a virtual machine to running commands with root permissions inside the guest machine. We will also showcase a tool that will allow you to test which users are capable of taking over guest machines.

Presented By

Ofri Ziv

Evading Microsoft ATA for Active Directory Domination

Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.

Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How do Red Teamers and Penetration Testers can modify their attack chain and methodology to bypass ATA? Can we still have domain dominance?

The talk will be full of live demonstrations.

Presented By

Nikhil Mittal

Evil Bubbles or How to Deliver Attack Payload via the Physics of the Process

Until now, electronic communication was considered a single avenue for delivering attack payload. However, when it comes to cyber-physical systems, this assumption does not hold true. When field devices (sensors, valves, pumps, etc.) are inserted into the process, they become related to each other by the physics of the process. Physical process is a communication media for equipment and can be leveraged for delivering malicious payload even if the devices are segregated electronically. Sensors, valves, safety systems on an isolated network, analog equipment are all vulnerable to this attack vector.

In proposed scenario, an analog pump is damaged by a targeted manipulation of the upstream valve positioner, evoking cavitation process. The final attack payload is delivered to the pump in form of cavitation bubbles over the liquid flow. We will show the damage scenario "in action" with a physical demo on stage. To make things complicated for the defender, we will forger the valve positioner sensor signal to hide the attack from the operator and to confuse operator about true cause of process upset.

The second part of the talk will deal with the detection of this attack. After all, it is bad form to introduce a problem without having remedy. Forged sensor signals cannot be detected with any traditional IT security methods. The detection has to take form of process data plausibility and consistency checks. By monitoring health of pump we will be able to figure out the ongoing detrimental state of the process and accurately determine the ongoing cavitation process and its likely cause – all with a live demo on stage.

By the end of this talk the audience will recognize that security and safety zoning should expand all the way into the physical process (to consider interaction of equipment via the physical process).

Presented By

Marina Krotofil

Evilsploit – A Universal Hardware Hacking Toolkit

Hardware hacking is about to understand the inner working mechanism of hardware. Most of the time, the hardware hacking process starts from reversing. From the hardware point of view, reversing in static way includes uncovering the schematic and disassembling the binary. On the other hand, reversing in dynamic way includes finding a way to debug the hardware and to fuzz it accordingly.

In practice, it is almost a standard operating procedure to obtain the binary of the hardware and reverse it consequently. As a supplementary technique for static binary reversing, debugging allows the real hardware operation process to be demystified in run time. In fact, the binary itself can be obtained by applying debugging technique- while it is not available from manufacturer. So, it is crucial to figure out the provisioning ports of the hardware in order to start performing hardware hacking.

The conventional approach to identify provisioning ports is by using pin finder toolkits such as Jtagulator. However, it is impractical and inefficient once a provisioning port has been found; another toolkit such as Shikra has to be used to manipulate the provisioning port. It is not only prone to error, but not hacker-friendly. So, it is important to find a way to fill the gap between provisioning port identification and manipulation processes. With this, it allows the hardware hacking process to be automated by making it scriptable in high level.

We will present a new method to allow provisioning port identification and manipulation by using connection matrix. With this, it is possible to construct arbitrary analog-alike connection in array form to implement all pattern of interconnect between bus interfacing chip and the target. Hence, once the appropriate provisioning port has been figured out, in the meantime, it is ready to be used for debugging or firmware dumping purposes. Besides, it is also an ideal assistive toolset for unknown signal analysis, side channel analysis (SCA), and fault injection (FI).

Presented By

Chui Yew Leong  &  Mingming Wan

Evolutionary Kernel Fuzzing

The modern model of vulnerability mitigation includes robust sandboxing and usermode privilege separation to contain inevitable flaws in the design and implementation of software. As adoption of containment technology spreads to browsers and other software, we see the value of exploits continue to rise as multiple vulnerabilities must be chained together with extreme levels of binary artistry to achieve full system control. As such, there has recently been a high demand to identify kernel vulnerabilities that can bypass sandboxes and process isolation to successfully achieve full system compromise.

With this heightened demand, the past few years has seen a massive first wave of kernel vulnerability discovery in the graphics layer of the Windows kernel and the peripheral drivers of the Linux kernel. This first wave has proven successful even though the methods utilized tend to be using more rudimentary techniques of dumb mutational fuzzing or manual code review. This is a good indicator that it is time for investment in more advanced techniques that can be applied to kernel vulnerability research such as evolutionary fuzzing guided by code coverage.

This lecture will discuss methods for applying evolutionary coverage guided fuzzing to kernel system calls, IOCTLS, and other low level interfaces. First, to understand what makes an effective guided kernel fuzzer, we will discuss the tools available for open source drivers and kernels such as trinity and syzkaller which have found hundreds of vulnerabilities in the Linux kernel. Next we will look at using system emulators like QEMU for instrumenting kernel interfaces with code coverage to gain an understanding of the performance and limitations of this approach. Finally we will leverage our own custom driver to enable hardware branch tracing with Intel Processor Trace as a new method for evolutionary fuzzing against unmodified kernel binaries on Linux and Windows. The driver enabling this approach on Windows is authored by the presenter and available to the security community as opensource. This will be the first public lecture showing how to use highly performant modern hardware tracing engines to enable closed source kernel vulnerability research using coverage guided fuzzing.

Presented By

Richard Johnson

Exploit Kit Cornucopia

Detecting the compromised websites, gates, and dedicated hosts that make up the infrastructure used by Exploit Kits involves a variety of creative techniques. In this session, we will detail four approaches to uncovering these systems while explaining the underlying architecture of Exploit Kit networks. We will disclose a vulnerability in the injected code placed on compromised websites and exploit that vulnerability to uncover deeper infrastructure. Finally, we'll introduce a novel approach to obtaining the malware sent via phishing campaigns which is often the same result of an Exploit Kit compromise.

Presented By

Brad Antoniewicz  &  Matt Foley

Exploiting Network Printers

The idea of a paperless office has been dreamed of for more than three decades. However, nowadays printers are still one of the most essential devices for daily work and common Internet users. Instead of removing them, printers evolved from simple devices into complex network computer systems, installed directly into company networks, and carrying considerable confidential data in their print jobs. This makes them to an attractive attack target.

During our research we conducted a large scale analysis of printer attacks and systematized our knowledge by providing a general methodology for security analyses of printers. Based on our methodology, we implemented an open-source tool called PRinter Exploitation Toolkit (PRET). We used PRET to evaluate 20 printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks. These attacks included, for example, simple DoS attacks or skilled attacks, extracting print jobs and system files.

On top of our systematic analysis we reveal novel insights that enable attacks from the Internet by using advanced cross-site printing techniques, combined with printer CORS spoofing. Finally, we show how to apply our attacks to systems beyond typical printers like Google Cloud Print or document processing websites.

Presented By

Jens Müller

Fad or Future? Getting Past the Bug Bounty Hype

Ever want to talk to someone that runs a bug bounty program and get the real scoop on its impact to application security? Whether your company has a bounty program or is considering starting one, join this panel of bounty managers for real talk on signal vs noise, ROI, interacting with bounty hunters, and all the little things they wish they'd known before learning the hard way. Panelists will share strategies for day to day operations, handling conflicts and unsolicited disclosure, triage strategies and scope setting, and chat about which vulnerability types are found most often and why they still end up in production code after over a decade of advances in security tooling and secure development practices.

Fighting Targeted Malware in the Mobile Ecosystem

Meet Chrysaor, one of the most sophisticated and elusive mobile spyware products. Chrysaor, which is believed to be created by the NSO Group Technologies, is related to the iOS Pegasus malware. However, Google and Lookout hunted for their Android version from the end of 2016 to beginning of 2017, and were able to expose it in April.

This talk will recount how we pursued Chrysaor using a combination of on-device and cloud based security services. In particular, we will detail the methodology and techniques that allowed us to detect this malware that affect only dozens of devices out of the billions of security reports we get from Safetynet. We will also discuss how we used our installation graph engine to determine attribution.

Presented By

Megan Ruthven  &  Andrew Blaich

Fighting the Previous War (aka: Attacking and Defending in the Era of the Cloud)

For years and years, network pen-testers have owned companies and networks with playbooks written in the 90's. With a good mix of footprinting, scripting and unexpected interdependence, even moderately skilled attackers have been able to reign supreme without ever needing a 0day. How does this change as organizations slip more and more into the cloud? What do rootkits look like & what does lateral movement mean when its between different SaaS products? While we have seen point attacks on cloud vendors there hasn't been enough attention paid to the interdependence of these systems and we have seen precious little on pivoting through or defending these setups. This talk attempts to update those playbooks from the 90's for both red and blue teamers.

Presented By

Haroon Meer  &  Marco Slaviero

Firmware is the New Black - Analyzing Past Three Years of BIOS/UEFI Security Vulnerabilities

In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems - including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues - most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).

Presented By

Rodrigo Branco  &  Vincent Zimmer  &  Bruce Monroe

FlowFuzz - A Framework for Fuzzing OpenFlow-Enabled Software and Hardware Switches

Software-defined Networking (SDN) is a new networking paradigm which aims for increasing the flexibility of current network deployments by separating the data from the control plane and by providing programmable interfaces to configure the network. Resulting in a more agile and eased network management and therefore in cost savings, SDN is already deployed in live networks i.e. Google's B4 backbone and NOKIA's cloud infrastructure. Despite these benefits, SDN broadens the attack surface as additional networking devices and protocols are deployed. Due their critical role within the softwarized management of the network, these devices and protocols are high ranked targets for potential attackers and thus require extensive testing and hardening.

In this work, we present FlowFuzz a fuzzing framework for SDN-enabled software and hardware switches. In particular we focus on the OpenFlow protocol which is currently the de facto standard communication protocol between SDN-enabled switches and the central controlling instance. Whereas the framework utilizes the output of conventional tools such as AddressSanitizer for investigating software switches, it also evaluates data obtained from side channels, i.e., processing times and power consumption to identify unique code execution paths within hardware switches to optimize the fuzzing process. Furthermore, we use our framework implementation to perform a first evaluation of the OpenVSwitch and a total of four SDN-enabled hardware switches. We conclude by presenting our findings and outline future extensions of the fuzzing framework.

Presented By

Nicholas Gray  &  Thomas Zinner  &  Phuoc Tran-Gia  &  Manuel Sommer

Fractured Backbone: Breaking Modern OS Defenses with Firmware Attacks

In this work we analyzed two recent trends. The first trend is the growing threat of firmware attacks which include recent disclosures of Vault7 Mac EFI implants. We will detail vulnerabilities and attacks we discovered recently in system firmware including UEFI, Mac EFI and Coreboot which could lead to stealth and persistent firmware implants. We have also developed multiple techniques that can be used to detect that something wrong is going on with the firmware using open source CHIPSEC framework.

The second trend is modern operating systems started adopting stronger software defenses based on virtualization technology. Windows 10 introduced Virtualization Based Security (VBS) to provide hypervisor-based isolated execution environment to critical OS components and to protect sensitive data such as domain credentials. Previously, we discovered multiple ways adversaries could leverage firmware in attacks against hypervisors. We also demonstrated the first proof-of-concept attack on Windows 10 VBS exposing domain credentials protected by Credential Guard technology. We will apply this knowledge to analyze the security of modern hypervisor based OS defenses from the perspective of firmware and hardware attacks. We will detail firmware assisted attack vectors which can be used to compromise Windows 10 VBS. We will also describe changes done by platform vendors and Windows to improve mitigation against these attacks.

Free-Fall: Hacking Tesla from Wireless to CAN Bus

In today's world of connected cars, security is of vital importance. The security of these cars is not only a technological issue, but also an issue of human safety. In our research we focused on perhaps the most famous connected car model: Tesla.

In September 2016, our team (Keen Security Lab of Tencent) successfully implemented a remote attack on the Tesla Model S in both Parking and Driving mode. This remote attack utilized a complex chain of vulnerabilities. We have proved that we can gain entrance from wireless (Wi-Fi/Cellular), compromise many in-vehicle systems like IC, CID, and Gateway, and then inject malicious CAN messages into the CAN Bus. Just 10 days after we submitted our research to Tesla, Tesla responded with an update using their OTA mechanism and introduced the code signing protection into Tesla cars.

Our presentation will be in three parts: our research, Tesla's response, and the follow-up. We will, for the first time, share the details of the whole attack chain on the Tesla, and then reveal the implementation of Tesla's OTA and Code Signing features. Furthermore, we'll explore the new mitigation on Tesla and share our thoughts on them.

Presented By

Sen Nie  &  Ling Liu  &  Yuefeng Du

Friday the 13th: JSON Attacks

2016 was the year of Java deserialization apocalypse. Although Java Deserialization attacks were known for years, the publication of the Apache Commons Collection Remote Code Execution (RCE from now on) gadget finally brought this forgotten vulnerability to the spotlight and motivated the community to start finding and fixing these issues. One of the most suggested solutions for avoiding Java deserialization issues was to move away from Java Deserialization altogether and use safer formats such as JSON. In this talk, we will analyze the most popular JSON parsers in both .NET and Java for potential RCE vectors.

We will demonstrate that RCE is also possible in these libraries and present details about the ones that are vulnerable to RCE by default. We will also discuss common configurations that make other libraries vulnerable. In addition to focusing on JSON format, we will generalize the attack techniques to other serialization formats. In particular, we will pay close attention to several serialization formats in .NET. These formats have also been known to be vulnerable since 2012 but the lack of known RCE gadgets led some software vendors to not take this issue seriously. We hope this talk will change this. With the intention of bringing the due attention to this vulnerability class in .NET, we will review the known vulnerable formats, present other formats which we found to be vulnerable, and conclude with presenting several gadgets from system libraries that may be used to achieve RCE in a stable way: no memory corruption -- just simple process invocation. Finally, we will provide recommendations on how to determine if your code is vulnerable, provide remediation advice, and discuss alternative approaches.

Presented By

Alvaro Muñoz  &  Oleksandr Mirosh

Game of Chromes: Owning the Web with Zombie Chrome Extensions

On April 16, 2016, an army of bots stormed upon Wix servers, creating new accounts and publishing shady websites in mass. The attack was carried by a malicious Chrome extension, installed on tens of thousands of devices, sending HTTP requests simultaneously. This "Extension Bot" has used Wix websites platform and Facebook messaging service, to distribute itself among users. Two months later, same attackers strike again. This time they used infectious notifications, popping up on Facebook and leading to a malicious Windows-runnable JSE file. Upon clicking, the file ran and installed a Chrome extension on the victim's browser. Then the extension used Facebook messaging once again to pass itself on to more victims.

Analyzing these attacks, we were amazed by the highly elusive nature of these bots, especially when it comes to bypassing web-based bot-detection systems. This shouldn't be surprising, since legit browser extensions are supposed to send Facebook messages, create Wix websites, or in fact perform any action on behalf of the user. On the other hand, smuggling a malicious extension into Google Web Store and distributing it among victims efficiently, like these attackers did, is let's say - not a stroll in the park. But don't worry, there are other options.

Recently, several popular Chrome extensions were found to be vulnerable to XSS. Yep, the same old XSS every rookie finds in so many web applications. So, browser extensions suffer from it too, and sadly, in their case it can be much deadlier than in regular websites. One noticeable example is the Adobe Acrobat Chrome extension, which was silently installed on January 10 by Adobe, on an insane number of 30 million devices. A DOM-based XSS vulnerability in the extension (found by Google Project Zero) allowed an attacker to craft a content that would run Javascript as the extension.

In this talk, I will show how such a flaw leads to full and permanent control over the victim's browser, turning the extension into zombie. Additionally, shedding more light on the 2016 attacks on Wix and Facebook described in the beginning, I will demonstrate how an attacker can use similar techniques to distribute her malicious payload efficiently on to new victims, through popular social platforms - creating the web's most powerful botnet ever.

Presented By

Tomer Cohen

Garbage In Garbage Out: How Purportedly Great Machine Learning Models can be Screwed Up by Bad Data

As processing power and deep learning techniques have improved, deep learning has become a powerful tool to detect and classify increasingly complex and obfuscated malware at scale.

A plethora of white papers exist touting impressive malware detection and false positive rates using machine learning - often deep learning. However, virtually all of these rates are only shown in the context of a single source of data the authors choose to train and test on. Accuracy statistics are generally the result of training on a portion of some dataset (like VirusTotal data), and testing on a different portion of the same dataset. But model effectiveness (specifically detection rates in the extremely low false-positive-rate region) may vary significantly when used on new, different datasets - specifically, when used in the wild on actual consumer data.

In this presentation, I will present sensitivity results from the same deep learning model designed to detect malicious URLs, trained and tested across 3 different sources of URL data. After reviewing the results, we'll dive into what caused our results by looking into: 1) surface differences between the different sources of data, and 2) higher level feature activations that our neural net identified in certain data sets, but failed to identify in others.

Deep learning uses a massive amount of unseen complex features to predict results, which enables them to fit beautifully to datasets. But it also means that if the training and testing data is even slightly biased with respect to the real-world test case data, some of those unseen complex features will end up damaging accuracy instead of bolstering it. Even with great labels and a lot of data, if the data we use to train our deep learning models doesn't mimic the data it will eventually be tested on in the wild, our models are likely to miss out on a lot.

Presented By

Hillary Sanders

Go Nuclear: Breaking Radiation Monitoring Devices

USA, 1979: The Three Mile Island Nuclear Generating Station suffered a core meltdown. Operators were unable to cope with the ambiguous signals the plant's HMI was sending, leading to one of the most serious nuclear accidents on US soil. Spain, 2007: Bypassing security checks, someone stole approximately 70 fuel pellets of uranium oxide from a nuclear fuel facility. They were later found abandoned nearby. How this material ended up there is still a mystery. Are these scenarios possible now? Critical infrastructure such as nuclear power plants, seaports, borders, and even hospitals are equipped with radiation monitoring devices. This equipment detects and prevents threats ranging from nuclear material smuggling to radiation contamination.

The purpose of this talk is to provide a comprehensive description of the technical details and approach used to discover multiple vulnerabilities that affect widely deployed radiation monitoring devices, involving software and firmware reverse engineering, RF analysis, and hardware hacking.

Presented By

Ruben Santamarta

Go to Hunt Then Sleep

Are nightmares of data breaches and targeted attacks keeping your CISO up at night? You know you should be hunting for these threats, but where do you start? Told in the style of the popular children's story spoof, this soothing bedtime tale will lead Li'l Threat Hunters through the first five hunts they should do to find bad guys and, ultimately, help their CISOs "Go the F*#k to Sleep."

Presented By

David Bianco  &  Robert Lee

Hacking Hardware with a $10 SD Card Reader

Dumping firmware from hardware, utilizing a non-eMMC flash storage device, can be a daunting task with expensive programmers required, 15+ wires to solder (or a pricey socket), and dumps that contain extra data to allow for error correction. With the growing widespread use of eMMC flash storage, the process can be simplified to 5 wires and a cheap SD card reader/writer allowing for direct access to the filesystem within flash in an interface similar to that of using an SD card.

In this presentation, we will be showing attendees how to identify eMMC flash storage chips, how to reverse engineer the in circuit pinouts, and how to dump or modify the data within. We will be showcasing the tips and tricks to properly reverse engineer hardware containing eMMC flash storage (without bricking) along with a clear explanation of the process from identification to programming. The presentation will then finish with a demonstration of the process along with a number of free SD to eMMC breakouts for attendees.

Presented By

Amir Etemadieh  &  Khoa Hoang  &  CJ Heres

Hacking Serverless Runtimes: Profiling AWS Lambda Azure Functions and More

Serverless technology is getting increasingly ubiquitous in the enterprise and startup communities. As micro-services multiply and single purpose services grow, how do you audit and defend serverless runtimes? The advantages of serverless runtimes are clear: increased agility, ease of use, and ephemerality (i.e., not managing a fleet of "pet" servers). There is a trade off for that convenience though - reduced transparency. In this talk, we will deep dive into both public data and information unearthed by our research to give you the full story on serverless, how it works, and attack chains in the serverless cloud(s) Azure, AWS, and a few other sandboxes. Who will be the victor in the great sandbox showdown?

Presented By

Andrew Krug  &  Graham Jones

Honey I Shrunk the Attack Surface – Adventures in Android Security Hardening

Information security is ever evolving, and Android's security posture is no different. Users and application developers have high expectations that their data will be kept safe, private, and secure, and it's the responsibility of the Android Security Team to enable this. To do this, Android has focused on four critical principles of information security: exploit mitigation, exploit containment, attack surface reduction, and safe-by-default features.

In this talk, we will discuss Android's attack surface reduction history, and how that fits into the broader Android security story. We will go into detail on the specific technical strategies used to achieve the attack surface reduction, and explore specific bugs which were made unreachable as a result of the hardening over the last several years. And we will examine the overall result of the hardening, and areas for improvement.

Presented By

Nick Kralevich

How We Created the First SHA-1 Collision and What it Means for Hash Security

In February 2017, we announced the first SHA-1 collision. This collision combined with a clever use of the PDF format allows attackers to forge PDF pairs that have identical SHA-1 hashes and yet display different content. This attack is the result of over two years of intense research. It took 6500 CPU years and 110 GPU years of computations which is still 100,000 times faster than a brute-force attack.

In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor.

We discuss the aftermath of the release including the positive changes it brought and its unforeseen consequences. For example it was discovered that SVN is vulnerable to SHA-1 collision attacks only after the WebKit SVN repository was brought down by the commit of a unit-test aimed at verifying that Webkit is immune to collision attacks.

Building on the Github and Gmail examples we explain how to use counter-cryptanalysis to mitigate the risk of a collision attacks against software that has yet to move away from SHA-1. Finally, we look at the next generation of hash functions and what the future of hash security holds.

Presented By

Elie Bursztein

Hunting GPS Jammers

This presentation provides an introduction to the vulnerabilities of satellite navigation and timing systems and the ways in which these vulnerabilities have been exploited. First, the specific vulnerabilities of GPS-based systems are introduced – the main vulnerabilities of GPS are due to the very low signal strength of the satellite signals. The paper discusses the effect of RF interference on satellite navigation and timing systems and introduces some real examples of disruption caused by real interference events. Evidence is also produced to show that interference events are widespread. The spoofing of GPS position and timing is also introduced. This presentation shows that spoofing can be carried out either at the application layer (the Pokemon GO game is presented as an example of this kind of hacking) or at RF level, where it is also shown that there are real examples of this kind of attack. Real examples of exploitation of GPS vulnerabilities are presented.

These will include:

  • Real examples of GPS jamming attacks (deliberate and even accidental)
  • Real examples of GPS spoofing – At application layer, Pokemon GO game,
  • Automatic Identification Service (AIS)
  • At RF level – DEFCON examples/demos and the attempted spoofing of drones

Evidence will also be presented to show that there are a significant number of exploitations of RF interference by several groups of attackers with various motives. It will be shown that the groups who are attempting to exploit navigation and timing system vulnerabilities are the same types who have exploited IT systems. Approaches to mitigate systems and devices against the described vulnerabilities are proposed - a protective risk assessment and test framework are presented as being a method that can make significant improvements to existing systems.

We designed and built out a network that receives real-time data from purpose built detectors. The detectors are located at several airports, military bases, ranges, and along highways near tollbooths.

Receivers and sensors along with historical data have been used to hunt down willful and intentional GPS jamming by people wishing to evade tolls, trucking companies, employees wanting to evade employer surveillance as well as sophisticated jamming patterns and spoofing that would require a highly-sophisticated adversary and gear that is not available COTS/to civilians. Technology has been demonstrated to identify, track and report small time offenders, track down complex GPS network issues and assist in investigations where military assets have been targeted. We will demo the detection network, show of some of the historical data and bring sensors to Black Hat for everyone to see and play with. We will also talk through some of the cases where we tracked down sources of intentional jamming.

Presented By

Vlad Gostomelsky

Ichthyology: Phishing as a Science

Many companies consider phishing inevitable: the best we can do is run training for our employees, and cross our fingers. But does phishing training actually work?

In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.

Presented By

Karla Burnett

Industroyer/Crashoverride: Zero Things Cool About a Threat Group Targeting the Power Grid

The cyber attack on Ukraine's power grid on December 17th, 2016 was the second time in history a power grid had been disrupted due to a digital attack. The first was Ukraine December 23rd, 2015. But unlike the 2015 attack, not much details have been public about the threat that faced the power grid in 2016 until now. In June, 2017 ESET released a report on a malware sample they identified as Industroyer. They passed the sample ahead of time to Dragos, Inc. who focused on the industrial control system (ICS) aspects of the malware and revealed new functionality that spelled a nightmare scenario for power grid operators: ICS tailored malware capable of disrupting grid operations at scale in environments independent of system choices. Dragos identified the malware family and new functionality as CRASHOVERRIDE.

This talk will walk through the Ukraine 2015 and Ukraine 2016 events with a central focus on the malware, technical analysis of it, and the impact to grid operations. There have only been three other pieces of ICS tailored malware publicly revealed before (Stuxnet, Havex, and BlackEnergy2) making this malware of particular interest in the community. The fact that it could be re-purposed immediately to target grids around Europe and with simple modifications target grids in the United States marks a hallmark event. Defense is doable and our grid operators are actively defending our infrastructure. But learning from such a significant threat is vital to making sure our defensible systems stay defended.

Presented By

Robert Lee  &  Joe Slowik  &  Ben Miller  &  Anton Cherepanov  &  Robert Lipovsky

Infecting the Enterprise: Abusing Office365+Powershell for Covert C2

As Enterprises rush to adopt Office365 for increased business agility and cost reduction, too few are taking time to truly evaluate the risk associated with this decision. This briefing will attempt to shine a light on the potential hazards of Microsoft's SaaS offerings while also demonstrating a practical example of what a malicious actor can do when Office365 is allowed into the Enterprise.

Specifically, this presentation will outline in detail how an attacker can leverage the combination of Office365+PowerShell to take advantage of native features which:

• Mount external Office365 storage and conceal its presence from end-users
• Encrypt and facilitate innocuous external communication with C2
• Exfiltrate data at high speed
• Bypass AV, DLP, Sandboxes, and NGFW along the way.

Presented By

Craig Dods

Influencing the Market to Improve Security

Vulnerabilities have never been so marketable. There are many ways for security researchers to monetize their efforts: bug bounties, private markets, and of course work for hire. MedSec introduced us to a new way to monetize vulnerabilities by influencing market makers. What does the future hold for this approach? Are there other ways to fix the dysfunctional market around product security. With a fireside chat, Chris Wysopal will ask Justine Bone about the MedSec and Muddy Waters collaboration and how we can learn from this as we look to the future.

Presented By

Justine Bone  &  Chris Wysopal

Intel AMT Stealth Breakthrough

Every modern computer system based on Intel architecture has Intel Management Engine (ME) - a built-in subsystem with a wide array of powerful capabilities (such as full access to operating memory, out-of-band access to a network interface, running independently of CPU even when it is in a shutdown state, etc.). On the one hand, these capabilities allow Intel to implement many features and technologies based on Intel ME. On the other hand, it makes Intel ME a tempting target for an attacker. Especially, if an attack can be conducted remotely.

Here, Intel Active Management Technology (AMT) fits perfectly – it is based on Intel ME and means for a remote administration of computer system. So… during this talk we will discuss methods of remote pwning of almost every Intel based system, manufactured since 2010 or later.

Intel SGX Remote Attestation is Not Sufficient

In this paper, we argue that SGX Remote Attestation provided by Intel is not sufficient to guarantee confidentiality and integrity for running unmodified applications in the cloud. In particular, we demonstrate cases where:

  • A dishonest service provider instantiates both a valid enclave running on real hardware, as well as the same enclave running in a software simulator in parallel, is always able to respond correctly to Remote Attestation queries, all the while running the enclave inside a software simulator with full access to enclave's internal state.
  • A dishonest service provider rewinds the "enclave's tape" and replays computation even though the data is encrypted with platform specific seal-keys. This is a form of replay attack.
  • A dishonest service provider runs multiple instances of the same enclave in parallel and launches chosen cipher-text attacks on the protocol.

This talk will also discuss the details about Remote Attestation mechanism:
  • What keys are embedded inside each SGX hardware, and what's the protocol for providing proof of knowledge? Are these protocols zero-knowledge, as claimed by Intel?
  • How the EPID's zero-knowledge proof of knowledge works, what anonymity guarantees it provides, and can it be replaced with other simpler schemes where platform anonymity is not a concern.
  • What key-exchanges take place between Intel Attestation Service, Software Vendor's own service, Intel Provided Platform Enclaves (e.g., launch enclave, etc.), and the enclave itself.

Presented By

Yogesh Swami

Intercepting iCloud Keychain

iCloud Keychain employs end-to-end encryption to synchronise secrets across devices enrolled in iCloud. We discovered a critical cryptographic implementation flaw which would have allowed sophisticated attackers with privileged access to iCloud communications to man-in-the-middle iCloud Keychain Sync and gain plaintext access to iCloud Keychain secrets.

Presented By

Alex Radocea

IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices

In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. There is a strong need to develop suitable and cost-efficient methods to find vulnerabilities in IoT devices - in order to address them before attackers take advantage of them. In the previous Black Hat conference, conventional honeypot technology has been discussed multiple times. In this work, we focus on the adaptation of honeypots for improving the security of IoTs, and argue why we need to have a huge innovation to build honeypot for IoT devices.

Due to the heterogeneity of IoT devices, manually crafting the low-interaction honeypot is not affordable; on the other hand, we cannot purchase all of the physical IoT devices to build high-interaction honeypot. This dilemma forced us to seek an innovative way to build honeypot for IoT devices. We propose an automatic way to learn the behavioral knowledge of IoT devices and build "intelligent-interaction" honeypot. We also leverage multiple machine learning techniques to improve the quality and quantity.

Presented By

Tongbo Luo  &  Zhaoyan Xu  &  Xin Ouyang  &  Xing Jin

kR^X: Comprehensive Kernel Protection Against Just-In-Time Code Reuse

The abundance of memory corruption and disclosure vulnerabilities in kernel code necessitates the deployment of hardening techniques to prevent privilege escalation attacks. As more strict memory isolation mechanisms between the kernel and user space, like Intel's SMEP, become commonplace, attackers increasingly rely on code reuse techniques to exploit kernel vulnerabilities. Contrary to similar attacks in more restrictive settings, such as web browsers, in kernel exploitation, non-privileged local adversaries have great flexibility in abusing memory disclosure vulnerabilities to dynamically discover, or infer, the location of certain code snippets and construct code-reuse payloads.

In this talk, we present kR^X: a kernel hardening scheme that prevents kernel code reuse attacks. kR^X achieves this by coupling code diversification with the enforcement of a "read XOR execute" (R^X) memory safety policy. We demonstrate how to achieve this without employing a hypervisor or a super-privileged component, but rather with a self-hardening approach implemented mostly as a set of GCC plugins. We discuss multiple ways to prevent return address leaks that might allow attackers to infer the internal code layout, using encryption and deception techniques. Finally, we explore how to utilize hardware support, such as MPX on modern Intel CPUs to optimize performance.

Presented By

Marios Pomonis

Lies and Damn Lies: Getting Past the Hype of Endpoint Security Solutions

Signatures are dead! We need to focus on machine learning, artificial intelligence, math models, lions, tigers and bears, Oh My!! - STOP!! - How many times have we heard all these buzzwords at conferences, or our managers saying that solution X will solve all our problems. I don't know about you, but I was tired of listening to the hype and the over-use of these terms that really made no sense.

One thing is true, signatures are dead. Today's malware is created with obfuscation and deception and our opponents do not play fair. Do you blame them? They want to get in. Who needs to rob a bank anymore at gun point when the security door is left open and traps are easy to bypass. Thank you Powershell! So what's the answer? Is it Next Generation AV or EDR, or it is Security 101? Over the past 5 months, we have invested significant time building a business case for an Endpoint protection system - understand the problem, creating testing scenarios to evaluate 5 solutions in the market. Over 30,000 pieces of malware were put to the test from our internal private collection, as well as known and unknown samples freely available. With all of the marketing hype, brochureware and buzzwords, it's hard to know what's the real deal. As we talk to colleagues from other companies, one thing is clear, many still struggle with good testing methodologies, what malware to test and how to test their endpoint security.

We will discuss key considerations used in our decision-making process. Testing malware for our company was important, but it was not our only testing criteria. We looked at the ease of installation on the agent, use of their UI, SaaS, on-prem, hybrid, reporting, performance of agent using different system resources, how much the agent replied on their cloud intelligence compared to on-box performance, powershell scenarios, and a variety of other factors. Companies additionally need to take into consideration the cost of any potential new infrastructure, cost per seat, professional services, one off costs, 1, 2, 3 year terms and other factors. Ultimately, we want to extend our resources to help others in the industry and discuss key differences between the solutions that were evaluated.

Presented By

Lidia Giuliano  &  Mike Spaulding

Many Birds One Stone: Exploiting a Single SQLite Vulnerability Across Multiple Software

SQLite is widely used as embedded database software for local/client storage in application software, such as web browsers and mobile applications. As a relational database, SQLite is vulnerable to SQL injection attack, which has been well-studied for a long time. Memory corruption bugs in SQLite are usually not considered security issues, since they are normally unlikely to be exploitable. In this talk, we will study several remotely exploitable memory corruption cases to show the dangerous attack surface in SQLite.

The journey of SQLite exploitation starts with Web SQL. Web SQL Database is a web page API for storing data in databases that can be queried using SQL language. Although W3C working group has ceased working on the specification since 2010, many modern browsers including Google Chrome, Apple Safari and Opera have an implementation based on SQLite as the backend for years. We will go through several previous issues of SQLite and discuss how they affect the browsers and how they have been fixed. Also, we will present new vulnerabilities in SQLite that we used to compromise Apple Safari in Pwn2Own 2017. The new bugs exist in all browsers that support Web SQL Database, including browser components Android WebView and iOS UIWebView widely used in mobile applications. We will demonstrate our exploit against multiple browser targets from multiple platforms to show the impact of a single SQLite vulnerability.

Many programming languages have a support of SQLite API bindings such as PHP, Lua and Java. Memory corruption bugs of SQLite may also affect security features of these programming languages. We will show SQLite exploitation in PHP SQLite extension to bypass PHP security restrictions, as an example.

Presented By

Siji Feng  &  Zhi Zhou  &  Kun Yang

Network Automation is Not Your Safe Haven: Protocol Analysis and Vulnerabilities of Autonomic Network

Autonomic systems are smart systems which do not need any human management or intervention. Cisco is one of the first companies to deploy the technology in which the routers are just "Plug and Play" with no need for configuration. All that is needed is 5 commands to build fully automated network. It is already supported in pretty much all of the recent software images for enterprise level and carrier grade routers/switches. This is the bright side of the technology. On the other hand, the configuration is hidden and the interfaces are inaccessible. The protocol is proprietary and there is no mechanism to know what is running within your network.

In this talk, we will have a quick overview on Cisco's Autonomic Network Architecture, then I will reverse-engineer the proprietary protocol through its multiple phases. Finally, multiple vulnerabilities will be presented, one of which allows to crash systems remotely by knowing their IPv6 address.

Presented By

Omar Eissa

New Adventures in Spying 3G and 4G Users: Locate Track & Monitor

The 3G and 4G devices deployed worldwide are vulnerable to IMSI catcher aka Stingray devices. The next generation 5G network may address user's privacy issues related to these IMSI catcher attack techniques. However in this talk, we introduce new attack vectors that enable tracking and activity monitoring of mobile users.

In particular, we uncover a new flaw in the widely deployed cryptographic protocol in 3G and 4G cellular networks. We discuss different methods to exploit this flaw using low-cost setup. Further, we present several attacks to demonstrate their impact on end-users carrying 3G and 4G devices. Lastly, we discuss countermeasures to address these privacy issues.

Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev

How did the Feds catch the notorious Russian computer hacker Roman Seleznev - the person responsible for over 400 point of sale hacks and at least $169 million in credit card fraud? What challenges did the government face piecing together the international trail of electronic evidence that he left? How was Seleznev located and ultimately arrested? This presentation will begin with a review of the investigation that will include a summary of the electronic evidence that was collected and the methods used to collect that evidence. The team that convicted Seleznev will show how that evidence of user attribution was used to finger Seleznev as the hacker and infamous credit card broker behind the online nics nCuX, Track2, Bulba and 2Pac. The presentation will further discuss efforts to locate Seleznev, a Russian national, and apprehend him while he vacationed in the Maldives. Finally, the presentation will cover the August 2016 federal jury trial with a focus on computer forensic issues, including how prosecutors used Microsoft Windows artifacts to successfully combat Seleznev's trial defense. They argued that the laptop he was arrested with had been tampered with and that evidence on the laptop had been planted by a mysterious super hacker.

Presented By

Harold Chun  &  Norman Barbosa

Offensive Malware Analysis: Dissecting OSX/FruitFly via a Custom C&C Server

Creating a custom command and control (C&C) server for someone else's malware has a myriad of benefits. If you can take over a domain, you then may able to fully hijack other hackers' infected hosts. A more prosaic benefit is expediting analysis. While hackers and governments may be more interested in the former, malware analysts can benefit from the latter.

FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that, even now, is only detected by a handful of security products.

We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.

While this dropper component also communicates with the C&C server and supports some basic commands, it drops a binary payload in order to perform more complex actions. However, instead of fully reversing this piece of the malware, the talk will focus on an initial triage and show how this was sufficient for the creation of a custom C&C server. With such a server, we can easily coerce the malware to reveal it's full capabilities. For example, the malware invokes a handful of low-level mouse & graphics APIs, passing in a variety of dynamic parameters. Instead of spending hours reversing and debugging this complex code, via the C&C server, we can simply send it various commands and observe the effects.

Of course, this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

While some of this talk is FruitFly and/or macOS specific, conceptually it should broadly apply to analyzing other malware, even on other operating systems :).

Presented By

Patrick Wardle

OpenCrypto: Unchaining the JavaCard Ecosystem

JavaCard is a subset of Java that allows applets to run securely on smartcards and has been deployed to over 15 billion devices. Its main advantage compared to competing technologies is "applet interoperability." Unfortunately, over the years, several glitches in the ecosystem became apparent, and hindered its evolution. For instance, in practice, most applets are tailored for a specific card model, while there is at least a three-year gap between the time a JavaCard specification is released, and the time features appear in products.

We argue that these inconsistencies between the JavaCard vision and practice are due to the control card vendors have over the ecosystem. Specifically, since JavaCard relies on vendors to implement the specification, this enables them to impose barriers to protect their market share. For instance, the cryptographic coprocessor is accessible only for high-level operations (e.g., ECDSA signing method), while low-level methods (e.g., ECPoint Addition) are available only in vendor-specific, proprietary APIs. Moreover, vendors often release new features of the specification in their own APIs.

In this session, we present the OpenCrypto library that enables programmers to utilize all the capabilities of JavaCards (e.g., the cryptographic coprocessor) without being bound to a specific vendor. The library realizes classes for: 1) mutable Integers, 2) Elliptic Curve Points and 3) EC Curves. Currently, these classes are either not supported at all (even though they may be listed in the JC specification, e.g., Integers), or are available only through vendor-specific APIs (e.g., ECPoint). To overcome the vendor barriers, we use a combination of low-level byte manipulation tricks and mathematical properties to reconstruct low-level arithmetic operations (e.g., integer multiplication, ECPoint Addition) from high-level crypto methods (e.g., RSA encryption). Our final library supports all the methods found in the proprietary APIs, performs almost as fast, and eliminates vendor-specific dependencies from the ecosystem.

Presented By

Vasilios Mavroudis  &  George Danezis  &  Petr Svenda  &  Dan Cvrcek

Orange is the New Purple - How and Why to Integrate Development Teams with Red/Blue Teams to Build More Secure Software

Introducing a new paradigm for integrating developers with offensive and defensive teams to enhance SDLC. Utilizing Red, Blue, and now Yellow (Development) Teams in a structured way to provide knowledge sharing, strengthening of defenses, coverage, and response, and ultimately the development of a high level of security maturity over time. This new concept of "Red + Yellow == Orange && Blue + Yellow == Green" focuses on the role of Developers as a critical piece of security assurance activities when combined with Offensive and Defensive Teams. Orange Teams add value when they have been integrated into SDLC by creating a cycle of perpetual offensive testing and threat modeling to make software more secure over time through a high level of dedicated interaction. Green teams add value when they help ensure software is capable of providing good DFIR information. This talk will evaluate how different Team combinations can lead to more secure software.

Presented By

April C. Wright

PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond

Distributed denial of service attacks (DDoS) are a constant problem for network operators today. Thanks to low cost of entry, high effectiveness, and the difficulty present in filtering out such attacks from inbound network traffic, DDoS attacks are relatively common and difficult to mitigate against. Recent discoveries regarding the conformity of network traffic to certain power law distributions, namely Benford's and Zipf's laws, has allowed us to develop a new method of denial of service detection based entirely on packet header inspection.

Power law distributions are fascinating artifacts of natural processes, applications of which can be found in anywhere from word counts in books through to numbers used in bank statements. Our research can detect DDoS attacks by using such distributions to detect strongly unnatural network traffic scenarios with only minimal metadata. This however, is not the whole story. Power law potential in IDS is largely un-researched, and could be applied for more general anomaly based IDS purposes. It can even be used to filter for denial of service packets in live streams of data.

What makes Power Laws both fascinating and interesting is that they have an inbuilt "resistance" to attempts to tamper or subvert the data analysis. Given the low computational cost associated with Power law processing and the foolproof security inherent to the methods, Power law distributions make perfect tools for cyber defense, especially in the areas of DoS and intrusion detection.
In this talk, we will introduce and discuss the significance and power of power law distributions, how they relate to computers, and how this can be used to develop new anomaly detection systems.

Presented By

Stefan Prandl

Practical Tips for Defending Web Applications in the Age of DevOps

The standard approach for web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls was originally designed in a world of Waterfall development and their heavy weight nature often cause more problems than they solve in today's world of agile, DevOps, and CI/CD.

This talk will share practical lessons learned at Etsy on the most effective application security techniques in todays increasingly rapid world of application creation and delivery. Specifically, it will cover how to: 

  • Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
  • Obtain visibility to enable, rather than hinder, development and DevOps teams ability to iterate quickly
  • Measure maturity of your organizations security efforts in a non-theoretical way

Presented By

Zane Lackey

Protecting Pentests: Recommendations for Performing More Secure Tests

This presentation represents a capstone to previous years' work by the author on the subject of vulnerabilities that exist in penetration testing tools, procedures, and learning materials. These vulnerabilities and common practices have been shown to unnecessarily put client systems and data at risk. Systems and infrastructure used by penetration testing teams are also at risk of compromise, through immediately disruptive attacks or worse: quietly and over a long period of time.

In this work, Wesley presents a comprehensive set of recommendations that can be used to build secure penetration testing operations. This includes technical recommendations, policies, procedures, and guidance on how to communicate and work with client organizations about the risks and mitigations. The goal is to develop testing capabilities that are more professionally sound, and that protect client organizations and pentesting infrastructure, while avoiding a negative impact on the speed, agility, and creativity that good testers are able to apply to engagements with current practices.

Presented By

Wesley McGrew

Protecting Visual Assets: Digital Image Counter-Forensics

They say an image is worth a thousand words, and surely that means it's worth spending a few words protecting. While most data security policies and practices today focus on primarily text or document-based asset hardening and protection, visual assets (e.g. photographs) are often left vulnerable to adversarial data collection. To use a simple yet damaging example, can you imagine posting a photo of a location-sensitive data center only to forget to remove GPS coordinates from the image's metadata? What about a student ID number seen on an Instagram feed, which, when coupled with photos of the same target's birthday party, can be used to obtain their university credentials?

Our talk will discuss various counter-forensic measures against both existent and emergent threats targeting image-centric intelligence gathering which adversaries may use to leverage target exploitation attacks.

Specifically, the problem is as follows: visual assets can inadvertently leak valuable information which should be kept private. The target may either not realize that the particular information is being leaked, or may realize that it is being leaked but may not consider the fact that the leaked information should be kept private in the first place. Our presentation will explore the myriad ways that images may be mined for said information, and in turn, offer counter-forensic techniques of preventing said data leakage by focusing on obfuscation, removal, and altercation of the leaked information.

Presented By

Nikita Mazurov  &  Kenneth Brown

Presented By

Dino Dai Zovi

Quantifying Risk in Consumer Software at Scale - Consumer Reports' Digital Standard

Last year Mudge and Sarah pulled back the curtains on the non-profit Cyber Independent Testing Laboratory: An organization designed to quantify the efficacy of security development practices and predict future software risks and vulnerabilities. One of the surprise discoveries was that their methodologies mapped to the pricing structure of the underground 0day market.

The first half of this talk will disclose the progress and findings since then. This includes universal fuzzers, results of new target analysis across 4 major operating systems, early results from porting their analysis to IoT architectures, and the future roadmap for this non-profit organization.

The second half of the talk focuses on the recently announced open 'Digital Standard', an effort put together by Consumer Reports, Disconnect, Ranking Digital Rights, and Cyber-ITL. The challenges in capturing and conveying meaningful information covering privacy, safety, exploitability, and consumer rights in all forms of software will be addressed by representatives from each organization.

Presented By

Sarah Zatko  &  Eason Goodale

RBN Reloaded - Amplifying Signals from the Underground

Threat intelligence gains immensely in clarity and precision when signals intelligence (SIGINT) and on-the-ground human intelligence (HUMINT) work closely in tandem. This fusion offers the best opportunity to build real visibility into an adversary's TTPs, intent, sophistication and composition. As a result, a deeper understanding of the adversary not only leads to better decision making to mitigate the threat, but also helps to proactively exploit pain points and have a longer lasting impact.

In this talk, we will illustrate how we use the network- (SIGINT) and actor-centric (HUMINT) approaches, in much the same way SIGINT and HUMINT have contributed in the fight against terrorism, organized crime and the drug trade, to proactively expose key information about sophisticated bulletproof hosting (BPH) operations that have been enabling long-lasting and lucrative cybercrime campaigns.

We will be showcasing the results of combining both approaches by highlighting details of our research into a top tier Russian BPH service that has been supporting the full spectrum (banking trojans, phishing, ransomware, etc) of cyber criminals since at least 2010. The talk will highlight key findings such as networks/ASNs, the service's history across the underground marketplace, and relationships with other bulletproof hosters.

We will also describe a new large scale integrated methodology that combines both the network- and actor-centric approaches to track, expose and disrupt crimeware. This system is built to offer the capabilities of a search and recommender engine. The network-centric component is powered by worldwide DNS and network data that is ingested, processed and indexed at Internet scale. The actor-centric component is facilitated by exclusive access to closed underground forums, marketplaces and threat actors/groups.

Given initial intelligence from the actor or network perspective, we show how we use the search and recommender system to amplify seed signals and cast a much wider net on a richer set of crimeware assets: malware C2s, dump shops, criminal forums and jabber servers, rogue VPN and proxy services, stolen accounts shops, etc.

This talk will be beneficial to a wide audience including threat intelligence analysts, security researchers, big data engineers, investigators, and decision makers.

Presented By

Dhia Mahjoub  &  David Rodriguez  &  Jason Passwaters

Real Humans Simulated Attacks: Usability Testing with Attack Scenarios

User studies are critical to understanding how users perceive and interact with security and privacy software and features. While it is important that users be able to configure and use security tools when they are not at risk, it is even more important that the tools continue to protect users during an attack. Conducting user studies in the presence of (simulated) risk is complicated. We would like to observe how users behave when they are actually at risk, but at the same time we cannot harm user study participants or subject them to increased risk. Often the risky situations we are interested in occur relatively infrequently in the real world, and thus can be difficult to observe in the wild. Researchers use a variety of strategies to overcome these challenges and place participants in situations where they will believe their security or privacy is at risk, without subjecting them to increases in actual harm. In some studies, researchers recruit participants to perform real tasks not directly related to security so that they can observe how participants respond to simulated security-related prompts or cues that occur while users are focused on primary tasks. In other studies, researchers create a hypothetical scenario and try to get participants sufficiently engaged in it that they will be motivated to avoid simulated harm. Sometimes researchers have the opportunity to observe real, rather than simulated attacks, although these opportunities are usually difficult to come by. Researchers can monitor real world user behavior over long periods of time (in public or with permission of participants) and observe how users respond to risks that occur naturally, without researcher intervention. In this talk, I will motivate the importance of security user studies and talk about a number of different user study approaches we have used at the CyLab Usable Privacy and Security Lab at Carnegie Mellon University.

Presented By

Lorrie Cranor

Redesigning PKI to Solve Revocation Expiration and Rotation Problems

As the previous Director of Security at companies like Linksys, Belkin, and Wink, I learned hard lessons about the pitfalls of PKI. This was especially true on IoT devices, where the responsibility was on consumers or site managers to update & fix devices when security issues arose. I've experienced expired keys that killed device connections, private keys being accidentally dropped on consumer devices, and breaches that required replacing all keys on devices, servers, and user applications. This led me to create oneID, now called Neustar TDI, which is an open source framework that replaces PKI with one that has real-time revocation, key rotation, key reset/replacement, and individual identities for every device, server, service, and user. It starts with the premise that every server, service, network, device, and user will be compromised at some point, so we should start our security model with that assumption and build protection to limit that as much as possible. It specifically does not trust anything by default and trust continually has to be proven, rather than trusting and checking for revocation. It puts the SOC or NOC in control rather than the users or site managers.

Presented By

Brian Knopf

Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science

Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, being a Windows-signed binary native on Windows 7 and later that enables reflective injection of binaries and DLLs and memory-resident execution of remotely hosted scripts, has made it increasingly attractive for attackers and commodity malware authors alike. In environments where PowerShell is heavily used, filtering out legitimate activity to detect malicious PowerShell usage is not trivial.

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scanning Interface) detections available in Windows 10 and PowerShell 5.0 perform significantly better, but obfuscation and evasion techniques can bypass both detection approaches.

Six months after the release of Invoke-Obfuscation, these obfuscation techniques continue to bypass A/V signatures and many content matching detections. In addition, the recent release of Invoke-CradleCrafter has made detecting remote download cradle syntaxes much more difficult.

The excellent logging available in PowerShell 5.0 (not to mention the many security features baked into PowerShell 5.0) is the key to detecting existing and future obfuscation techniques. However, PowerShell 5.0 logging produces a substantial amount of logs, which is great for SIEM salespeople but not ideal for your security budget.

Revoke-Obfuscation is a PowerShell framework to help detect obfuscated PowerShell commands and scripts by applying a suite of unique statistical analysis, character distribution and command invocation checks against any arbitrary PowerShell command or script. It works with PowerShell .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and allows for the easy addition of new custom indicators.

Approaches for evading these detection techniques will be discussed and demonstrated. Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation.

Presented By

Daniel Bohannon  &  Lee Holmes

rVMI: A New Paradigm for Full System Analysis

Debuggers can play a valuable role in dynamic malware analysis, but these tools fall short in many areas for an obvious reason: their primary objective is debugging and not analyzing malware. Modern malware uses a variety of anti-analysis and anti-debugging techniques that actively exploit this reality. Techniques range from the simple use of APIs and breakpoint detection to sophisticated multi-stage/multi-process architectures. Such malware exploits the fact that debuggers are best suited for single-process analysis and run within the same environment as the sample, which makes them vulnerable to detection and evasion.

These shortcomings require a paradigm that supports full-system analysis and remains completely isolated from the target environment, while maintaining the flexible and interactive nature of a debugger. Virtual machine introspection (VMI) provides isolation as well as the inspection and interposition features required to support full-system analysis. By making VMI accessible to a fully scriptable environment, one can achieve an interactive full system analysis engine.

To address this need, we present rVMI, a system that combines VMI and Rekall (a powerful memory forensics framework) to provide a platform for scriptable and interactive malware analysis. rVMI operates from the hypervisor on a live system with the ability to start, resume, and trap events at will. With this complete control over the target environment, an analyst can debug any number of processes or the kernel with the same level of ease in a manner that is completely invisible to the target. Analysis can be conducted from an interactive shell or through scripts. In either case the analyst has access to the entire arsenal that Rekall provides, which allows her to enumerate processes, inspect kernel data structures, access process address spaces, etc. As rVMI exports a python interface it can easily be extended with any external tool that supports python.

Presented By

Jonas Pfoh  &  Sebastian Vogl

ShieldFS: The Last Word in Ransomware Resilient File Systems

Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. The remarkable amount of illicit profit and the cybercriminals' increasing interest in ransomware schemes demonstrate that current defense solutions are failing, and a large number of users are actually paying the ransoms. In fact, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient, because, when luck allows a sample to be isolated and analyzed, it is already too late for several users! Moreover, modern ransomware implements several techniques to prevent detection by common AV. Similarly, for performance reasons, backups leave a small-but-important window of recent files unprotected.

We believe that a forward-looking solution is to equip modern operating systems with generic, practical self-healing capabilities against this serious threat.

In this talk, we will present ShieldFS, a drop-in driver that makes the Windows native filesystem immune to ransomware attacks, even when detection fails ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism whenever its detection component reveals suspicious activity. For this, ShieldFS monitors the filesystem's internals to update a set of adaptive models that profile the system activity over time. This detection is based on a study of the filesystem activity of over 2,245 applications, and takes into account the entropy of write operations, frequency of read, write, and folder-listing operations, fraction of files renamed, and the file-type usage statistics. Additionally, ShieldFS monitors the memory pages of each "potentially malicious" process, searching for traces of the typical block cipher key schedules.

We will show how ShieldFS can shadow the write operations. Whenever one or more processes violate our detection component, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back.

Last, we will demo how effective ShieldFS is against samples from state of the art ransomware families, showing that it is able to detect the malicious activity at runtime and transparently recover all the original files.

Skype & Type: Keystroke Leakage over VoIP

It is well-known that acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, physical properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed physical proximity to the victim, to place compromised microphones. We argue that this is hardly realistic. We also observe that during VoIP calls people often engage in secondary activities (including typing), unintentionally giving potential eavesdroppers full access to their microphone. From these observations, we build a new attack, called Skype&Type (S&T), that involves VoIP software.

In this talk, we will present S&T and show that two very popular VoIP software (Skype and Google Hangouts) convey enough audio information to reconstruct the victim's input from keystroke noise. We will present the architecture of S&T, which we release as a tool to the community, to solicit contributions and to raise awareness on such underlooked side channels.

Presented By

Daniele Lain  &  Mauro Conti  &  Gene Tsudik  &  Alberto Compagno

So You Want to Market Your Security Product...

When it comes to marketing tactics, security products are no different than any other consumer products – advertisers sometimes fall victim to their own hype. A walk across the floor at a security expo presents a bewildering range of product claims, ranging from the mundane to the questionable to the implausible. Marketers sometimes exploit potential customers' fear, uncertainty, and doubt (FUD), banking that emotional appeals will overtake reason.

But marketers of security products are subject to the same truth-in-advertising laws as all other advertisers. In this talk, we will discuss the Federal Trade Commission's (FTC) longstanding authority to protect consumers from unfair and deceptive practices. We will focus on how deceptive claims and advertising are violations of the FTC Act, and offer guidance on what security companies should do to avoid making deceptive claims. We also offer questions researchers and security professionals can ask to challenge claims companies make.

Presented By

Aaron Alva  &  Terrell McSweeny

Sonic Gun to Smart Devices: Your Devices Lose Control Under Ultrasound/Sound

MEMS sensors, such as accelerometers and gyroscopes, play non-substitutive roles in modern smart devices. A vulnerability has been revealed that the inside sensing elements will resonate when imposed acoustic wave at the certain frequencies, thus yielding spoiled data. We developed the attack method and achieved data manipulation via precise parameter tuning for both gyroscopes and accelerometers. Also, we invented a joint attack by combining both ones providing hackers with more versatility. We will explore extensively the impact of this vulnerability among several categories of devices with MEMS sensors onboard, including VR devices, self-balancing vehicles, and drones.

Using a home-built ultrasound/sound emitting system, we launch attacks towards prevailing VR products, including smartphones such as iPhone 7 and Galaxy S7. By emitting an ultrasound/sound beam onto devices at resonant frequencies, we are able to manipulate the "virtual world." For example, we can steer the facing direction without the user's movement, trigger quake with different frequencies and amplitudes and so on. It could daze some users as it contradicts with their real feeling, which may cause a fall or even physical injury.

"Shooting" a self-balancing vehicle, we show that it would lose balance as soon as we "pull the trigger." In a realistic circumstance, the user would probably fall and even get injured while riding speedily. We also attack a commercial product of DJI, induced change of its flight state, which could ultimately lead to a crash. These attacks can exclusively deprive users of their control. Moreover, in the cases of the VR device and the self-balancing vehicle, users may get physically injured! We also introduce several countermeasures, on both hardware and software to mitigate the vulnerability. Last but not least, through all these attacks, we call for the attention of related companies to prevent further exploitations.

Presented By

Zhengbo Wang  &  Wang Kang  &  Bo Yang  &  Shangyuan LI  &  Aimin Pan

Splunking Dark Tools - A Pentesters Guide to Pwnage Visualization

A rise in data analytics and machine learning has left the typical pentesters behind in the dust. This talk covers the required tools for consolidating, analyzing and visualizing the dark tools that are used by every red team. This can all be done at scale keeping up with even the most bleeding edge continues integration and deployments environments. We'll release the required framework for getting the data where it needs to be, the technical add-ons to ensure this data is ingested in usable formats, and dashboards for Splunk to leverage this data for mass pawnage of your target!

Presented By

Nathan Bates  &  Bryce Kunz

SS7 Attacker Heaven Turns into Riot: How to Make Nation-State and Intelligence Attackers' Lives Much Harder on Mobile Networks

The SS7 mobile vulnerabilities affect the security of all mobile users worldwide. The SS7 is signalisation between Mobile Operators Core Network about where your mobile phone is located and where to send media, so the secured end-device does not help here, as it is only a consequence of having legitimate SS7 traffic. To protect against SS7 vulnerabilities, you need to play at operator-level. And this was not really the kind of thing you could do up till now.

Let's change this. In this talk we propose methods that allow any operator in the world - not only the rich ones - to protect themselves and send the attackers' tricks back to the sender. What if SS7 became a much more difficult and problematic playground for the attacker?

In this talk, we will discuss the current status, possible solutions, and outline advanced SS7 attacks and defenses using open-source SS7 firewall which we will publish after the talk. The signaling firewall is new, so we will not only use it to reduce the vulnerabilities in the SS7 networks, but we also show how to trick and abuse the attackers to make the work much harder for attackers, and give them a hard time interpreting the results. Intelligence agencies love SS7 for the wrong reasons. We will show examples and how we can make eavesdropping and geolocation a nightmare for these nation-state attackers.

The adoption of such signaling firewall could help to reduce the exposure for both active and passive attacks on a larger scale. We will present the capabilities of this solution including the encryption of signaling, report the attacks to central threat intelligence and forward the attackers to honeypot. So what about to find where these SS7 attacks are coming and to start protecting the networks?

Presented By

Martin Kacer  &  Philippe Langlois

Taking DMA Attacks to the Next Level: How to do Arbitrary Memory Reads/Writes in a Live and Unmodified System Using a Rogue Memory Controller

Physical DMA attacks on devices and the ability to read and modify memory contents can be a serious security threat, especially for mobile devices, which can be easily lost or stolen, and for government and remote enterprise data centers, where entry of an untrusted entity can be easily overlooked. In particular, the ability to read memory can expose secrets (i.e. disk encryption keys) that reside thereon, and the ability to actively modify memory can be used to bypass the platform's security policies/mechanisms. However, those types of attacks typically require a specific interface (e.g. Thunderbolt™) to operate and can also be mitigated by blocking associated drivers and ports.

In our talk, we will present a novel, physical, DMA attack that is undetectable, doesn't require a particular port and takes advantage of an inherent vulnerability of standard DIMM slot hardware design. Using our custom PCB probe with an FPGA, we were able to connect to the exposed DDR4 pins of an off-the-shelf desktop system in a non-invasive manner and while the system was on (S3 sleep state). Masking ourselves as the system's benign memory controller, we are able to read or modify memory at any physical address, and the victim system accepts our modifications when exiting from sleep.

We will focus on how we reverse engineered the memory controller and DIMM circuitry to inject our signals in the victim system's memory bus while the system was in S3 sleep state, the JEDEC standard DDR4 commands our memory controller issued to perform each operation, the timing constraints, mapping between physical addresses to DDR4 addresses, and finally the design of our PCB and FPGA.

Presented By

Anna Trikalinou  &  Dan Lake

Taking Over the World Through MQTT - Aftermath

During a test, we found an open port on a server. After some digging, we realised this port was used by a protocol we never heard of before, namely MQTT. Therefore, we decided to dig a little a little deeper to see what this protocol had to offer.

Approximately thirty minutes later, we were looking at coordinates for airplanes. An hour later, the list had increased to include Prisons with door control, cars, electrical meters, medical equipment, mobile phones, status of home alarm and home automation systems and a whole lot of other devices. Not only could we see the data sent and received by these devices, but even more so, we could actually control the devices. We could send messages and commands, and we could even issue firmware updates to devices, and even open Prison Doors!

MQTT it is used by a lot of M2M IoT devices, especially devices that require low-bandwidth communication. There is very little previous research on this protocol and the devices that use it; all we found was a very basic fuzzer and a few posts about security. The protocol is widely used by devices with low or intermittent internet access.

We have created our own small tool for testing endpoints, and we have discovered that many times, protocol data is written into SQL databases, so we will also look at SQL and server attacks through this protocol. That was then, over a year ago. How does it look today? Is it getting worse? What new 'fun' devices have we found since then, and what was the worlds response to our findings?

Presented By

Lucas Lundgren

Taking Windows 10 Kernel Exploitation to the Next Level – Leveraging Write-What-Where Vulnerabilities in Creators Update

Since the release of Windows 10, and especially in the Anniversary Edition released in August of 2016 and the upcoming Creators Update, Microsoft has continued introducing exploit mitigations to the Windows kernel. These include full scale KASLR, fixing kernel pointer leaks, and even Hypervisor assisted mitigations of assembly instructions like SIDT (Store Interrupt Descriptor Table Register).

This presentation picks up the mantle and reviews a number of powerful read and write kernel primitives that can still be leveraged despite the most recent hardening mitigations. The presented techniques include abusing the kernel-mode Window and Bitmap objects, which Microsoft has attempted to lock down several times. Doing so will present a generic approach to leveraging write-what-where vulnerabilities.

A stable and precise kernel exploit has to be able to overcome KASLR, most often using kernel driver leaks. Although Microsoft has mitigated all publicly known leak sources, I will disclose two previously unknown KASLR bypasses in Windows 10 Creators Update. Obtaining kernel-mode code execution on Windows has become more difficult with the hardening of SMEP and the randomization of Page Table entries. I will show how a generic de-randomization of the Page Table entries can be performed through dynamic reverse engineering. This technique does not depend on the underlying hardware and can also be applied to virtual machines. Additionally, I will present an entirely different method which makes the usage of Page Table entries obsolete. This method allocates an arbitrary size piece of executable kernel pool memory and transfers code execution to it through hijacked system calls. It is important to note that this method will work even when VBS blocks the misuse of Page Table entries. Overall, this presentation gives a complete overhaul of Windows kernel exploitation, exposing multiple generic methods which can be leveraged by future kernel driver vulnerabilities.

Presented By

Morten Schenk

The Active Directory Botnet

Botnets and C&C servers are taking over the internet and are a major threat to all of us ... but what happens when these botnets and C&C servers start existing and operating inside the walls of our organisations? What if these botnets and C&C servers could bypass all of our network controls? What if these botnets and C&C servers could communicate internally across our security zones and organisations? What if micro-segmentation suddenly became useless?

This brand new attack technique being released at Black Hat USA makes this nightmare a reality by turning your Active Directory Domain Controllers into C&C servers that can command a powerful internal botnet. This attack technique is a fundamental flaw within the way that nearly every organisation implements their Active Directory solution, which leaves a gaping hole within their security and their ability to contain security breaches. This is achieved by leveraging standard Active Directory attributes and features to force your Domain Controllers to act as a central communication point for all internally compromised systems.

Due to the architecture of nearly every Active Directory implementation on the planet, almost all servers, workstations, laptops, mobile devices, and wireless devices throughout our organisations can connect to a Domain Controller for authentication purposes. This provides the ability for our internal Active Directory Botnet to communicate through a network of strategically placed Active Directory C&C servers. This enables all of your network access controls to be bypassed through this central authentication mechanism that automatically synchronises our botnet traffic across all of your Domain Controllers throughout your organisation. This means that our Active Directory Botnet can not only communicate across WAN sites globally, but if your Active Directory is configured with a Forest Trust with a third party, then the Active Directory Botnet is empowered with an internal cross-organisation communication channel to extend its control.

So, how does the Active Directory Botnet work? Standard Active Directory accounts support over 50 user attributes that can be combined to create a communication channel between any compromised domain machine located throughout your organisation. The Active Directory Botnet Client injects unique data entries into their corresponding AD account attributes within the target Domain Controller, and begins polling to identify other compromised systems within the domain. At this point, any Active Directory Botnet Client within the domain can identify compromised machines and begin issuing commands to be executed on either individual systems or across all infected endpoints.

The Active Directory Botnet Clients then execute the commands and begin tunnelling the command output back through their corresponding Active Directory account attribute fields, which are then collected by the Active Directory Botnet Client that issued the original command. Active Directory Botnet Cloaking features enable confidential communications between AD Botnet Clients to avoid detection, and has the ability to use custom Active Directory properties to bypass detection attempts. This attack provides a powerful communication channel for attacks that bypass networks access controls and enable a centralised Active Directory Command & Control solution.

A series of live demonstrations of this attack will be performed during the presentation to show the attack in action. The primary way of preventing this attack is to monitor regular changes to Active Directory standard user attributes that are not typically changed on a regular basis, and by rearchitecting security zones to use different Active Directory Forests. This is a clear violation of the way that Active Directory is typically used; however, due to the overwhelming insecure architecture implementations of Active Directory, and the difficulty of changing Active Directory architectures, this new attack technique will be effective for many years to come.

Presented By

Ty Miller  &  Paul Kalinin

The Adventures of AV and the Leaky Sandbox

Everyone loves cloud-AV. It incorporates up-to-date intelligence from multiple global sources ("wisdom of the clouds"), and (in theory) it has small footprint. There's simply no downside in moving to cloud-AV, right? Consider a high-security enterprise with strict egress filtering, that is - endpoints have no direct Internet connection, or the endpoints' connection to the Internet is restricted to hosts used by their legitimately installed software. Let's say there's malware running on one of the endpoints with all the privileges it needs. This is bad of course, but thankfully, the last line of defense is there - the malware can't really exfiltrate data to the Internet, due to the strict Internet connection policy enforcement.

Now, let's also assume that this enterprise has cloud-enhanced anti-virus (AV) agents installed on its endpoints. You'd think that this can only improve the security of the enterprise. You'd argue that if malware is already running on the endpoint with full privileges, then an AV agent can't degrade the security of the endpoint. And you'd be completely wrong.

In this presentation, we describe and demonstrate a novel technique for exfiltrating data from highly secure enterprises whose endpoints have no direct Internet connection, or whose endpoints' connection to the Internet is restricted to hosts used by their legitimately installed software. Assuming the endpoint has a cloud-enhanced antivirus product installed, we show that if the anti-virus product employs an Internet-connected sandbox in its cloud, it in fact facilitates such exfiltration. We release the tool we developed to implement the exfiltration technique, and we provide real-world results from several prominent AV products. We also provide data and insights on those AV in-the-cloud sandboxes. Finally, we address the issues of how to further enhance the attack, and how can cloud-based AV vendors mitigate it.

Presented By

Itzik Kotler  &  Amit Klein

The Art of Securing 100 Products

How many times you heard people stating "its best practice"? How many times you successfully implemented ALL best practices for a large scale of products? This presentation takes you out of the comfort zone of the best practices and guides you through the day-to-day challenges to secure 100 products - while considering the procedural and technological challenges - such as working with diverse software architectures, multiple development languages/platforms, variety of development lifecycles, injecting security into continuous integration/delivery etc.

This presentation introduces solid approaches to cope with these challenges by scaling out the application security team's capabilities, putting the right security tools in place, and following newly introduced thumb rules to build a successful application security program. As result of this talk, you will be armed with the practical execution approach for securing a massive scale of products.

Presented By

Nir Valtman

The Avalanche Takedown: Landslide for Law Enforcement

It was a highly secure infrastructure of servers that allegedly offered cyber criminals an unfettered platform from which to conduct malware campaigns and "money mule" money laundering schemes, targeting victims in the U.S. and around the world. Estimates of the scope of network put the dollar losses in the hundreds of million and the number of systems infected at more than 500,000.

But the Avalanche network, which was specifically designed to thwart detection by law enforcement, turned out to be not so impenetrable after all. In December 2016, the FBI took part in a successful multi-national operation to dismantle Avalanche, alongside law enforcement partners representing 40 countries and with the cooperation of private sector partners. The investigation involved arrests and searches in four countries, the seizing of servers, and the unprecedented effort to sinkhole more than 800,000 malicious domains associated with the network.

The types of malware and money mule schemes operating over the Avalanche network varied. Ransomware such as Nymain, for example, encrypted victims' computer files until the victim paid a ransom (typically in a form of electronic currency) to the cybercriminal. Other malware, such as GozNym, was designed to steal victims' sensitive banking credentials and use those credentials to initiate fraudulent wire transfers. The money mule schemes operating over Avalanche involved highly organized networks of "mules" who purchased goods with stolen funds, enabling cybercriminals to launder the money they acquired through the malware attacks or other illegal means.

Come hear about how the FBI worked jointly with other agencies, international organizations, foreign government partners, and the private sector to conduct the successful Avalanche takedown, and what the operations means for the future of cyber crime.

Presented By

Tom Grasso

The Epocholypse 2038: What's in Store for the Next 20 Years

It's the 20th Black Hat, and it's been a wild ride from 1997 to 2017. So, what will happen over the NEXT 20 years? Let's ask Mikko. In this talk he will outlane the changing landscape of computer security and what are likely to be the most important upcoming developments. By understanding attackers and their motives, we can best protect our computers. And in the future, there's much more to protect than just computers.

Presented By

Mikko Hypponen

The Future of ApplePwn - How to Save Your Money

When people ask about wireless payments (PayPass, ApplePay, SamsungPay, etc), everyone certainly claims that ApplePay is one of the most secure systems. The separate microprocessor for payments (Secure Enclave), absence of card data storing/transmitting in plaintext during payments look like an ideal defense. However, the devil is in the details! We'll present a specially developed opensource utilities which demonstrates how hackers can reconnect your card to their iPhone or make fraudulent payments directly on the victim's phone, even without a jailbreak.

Presented By

Timur Yunusov

The Industrial Revolution of Lateral Movement

Recent advancements in the Targeted Attacks technology, and specifically to the Lateral Movement phase of it, are about to ignite an Industrial Revolution in this field.

The original Industrial Revolution and its use of modern methods of mass production is said to had brought "improvements in the cost, quality, quantity, and variety of goods available". The Lateral Movement Industrial Revolution will have similar effects on the attack side.

Consequently, it will have grave repercussions on the defensive side. As always when facing a stressful situation, defenders can respond either by: Fight, Flight, or Freeze.

In this talk, we will describe these recent advancements in the field of automated Lateral, followed by a demo and the release of 'GoFetch', a new open-source lateral movement automation tool. We will conclude with a discussion on the implications of Lateral Movement industrialization on both attackers and defenders.

Presented By

Tal Be'ery  &  Tal Maor

The Origin of Array [@@species]: How Standards Drive Bugs in Script Engines

Web standards are ever-evolving and determine what browsers can do. But new features can also lead to new vulnerabilities as they exercise existing functionality in new and unexpected ways. This talk discusses some of the more interesting and unusual features of JavaScript, and how they lead to bugs in a variety of software, including Adobe Flash, Chrome, Microsoft Edge and Safari. Recommended for browser researchers, developers and anyone who's ever tried to implement a standard.

Presented By

Natalie Silvanovich

The Shadow Brokers – Cyber Fear Game-Changers

Who are The Shadow Brokers? I have no clue. Nobody really does. The Shadow Brokers are one of most controversial characters of this Cyber-Era. The mysterious group emerged mid-summer 2016 when they started to anonymously, publicly drop tools and operational notes that allegedly belonged to the NSA Tailored Access Operations unit. This group referred to itself as The Shadow Brokers and quickly became the NSA's worst nightmare since Edward Snowden.

Previous whistle blowers released documents redacted of sensitive nature, such as authors. But with The Shadow Brokers, what emerged was a different level of dangerous and more aggressive leaks that didn't only release highly sensitive tools, but also revealed a wide range of modus operandi that included agents' names and the full disclosure of the NSA's complex (and many argue irresponsible) attack against the backbone of the Middle East's financial institutions. For now, The Shadow Brokers are happy to have the general public guessing their identity and true origins. Is it an intelligence organization running a highly complex set of misdirection and penetration? Is it a second Snowden with access to the NSA's most sensitive cyber weapons? We may never know. What is certain, is that the emergence of The Shadow Brokers is a game-changer and presents a massively embarrassing (and dangerous) breach for the NSA, the world's most advanced signal intelligence agency and best resourced government backed hacking organization. This embarrassment became a muse for the most destructive and fast-spreading ransomware (WannaCry) in History, shutting down hospitals and companies across the Globe.

In this talk, I'll detail the leaks The Shadow Brokers have conducted and examine the short and long term impact these leaks present. I'll also perform a deep dive in some of the most intrusive tools designed by the most sophisticated nation state intelligence agency. Additionally, attendees will learn what changed pre-The Shadow Brokers and during-The Shadow Brokers regarding geopolitical interests using cyber fear as a service.

Presented By

Matt Suiche

They're Coming for Your Tools: Exploiting Design Flaws for Active Intrusion Prevention

Several popular attack tools and techniques remain effective in the real world, even though they are well understood and documented. Consequently, many attackers and other individuals within the professional penetration testing community have not grown beyond their tools, partially because of the effectiveness of several widely available attack scripts. In this talk, we hope to offer a more active approach toward intrusion prevention that enables defenders to use simple network software applications to seek out these attacks. By using active intrusion detection strategies, administrators can create a situation where attackers who are overly reliant on their tools will expose themselves to detection and other significant complications.

The examples developed to demonstrate this approach allow administrators to:

  • Hijack other people's shells from the Metasploit Framework's Meterpreter control channel
  • Detect and disrupt NBNS/LLMNR injection attacks, such as the attacks made popular by the "Responder" script
  • Detect and/or complicate common attacks against wireless networks in multiple ways

Passive (or mostly passive) intrusion detection and prevention systems have been around for decades. However, these systems can be computationally intensive and their responses rarely go very far. We have implemented methodologies for detecting and disrupting common attacks by generating tailored network traffic. Unlike most expensive "magic box" solutions, lightweight programs targeting real world attack techniques can improve security by using inexpensive embedded hardware.

This talk is intended for both defensive and offensive security. Attackers or penetration testers who rely blindly on their toolkits leave themselves vulnerable not only to detection, but also exploitation. Conversely, network administrators can manipulate their own network traffic to detect and complicate several common attacks. Security professionals can use the software written during the course of this research on cheap lightweight (even embedded or virtual) hardware to protect themselves against real world attack scenarios. We hope to inspire others to take this approach and develop more affordable yet effective security solutions. We also hope to demonstrate how penetration testers who rely on mysterious tools without learning how they work endanger themselves.

Presented By

John Ventura

Tracking Ransomware End to End

A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back. In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.

In this talk, we demonstrate a method to track the ransomware ecosystem at scale, from distribution sites to the cash-out points. By processing 100k+ samples, we shed light on the economics and infrastructure of the largest families, and we provide insight on their revenue and conversion rates. With a deep dive in the two largest groups, we show the details of their operation. Finally, we uncover the cash-out points, tracking how the money exits the bitcoin network, enabling the authorities to pick up the money trail using conventional financial tracing means.

Web Cache Deception Attack

Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases to even take control over their accounts. The attack is amazingly simple to identify and exploit. During this talk, the audience will be introduced to an in-depth analysis of the anatomy, prerequisites and mitigation of the attack. The talk will proceed with the behaviors of different web servers and caching mechanisms, and will be capped off with examples of vulnerable websites and a live demo.

Presented By

Omer Gil

Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers

With over 5 billion pulls from the Docker Hub, Docker is proving to be the most dominant technology in an exploding trend of containerization. An increasing number of production applications are now running inside containers; and to get to production, developers first use containers on their own machines. Docker offers its developer versions supporting Linux, Mac, and even Windows. To support Windows and Mac developers, Docker uses their respective hypervisors to run linux containers.

Developers are a prime target for attackers, as they often use less secure environment, are administrators on their own systems and have access to sensitive information. Developers running docker on their own machines, may have by default (as in the case of Docker for Windows) or by their own bad configuration, their RESTful docker API listening for TCP connections.

In this talk, we will break down a complex attack on docker developers. We first show how a developer visiting a malicious web page, will end up with a reverse shell to his internal network. We go several steps further and show how to remain persistent and stealthy on the developer machine without being detected.

To reach our end goal we use two new form of attacks: Host Rebinding and Shadow Containers. Host Rebinding will be used to bypass the Same Origin protection of browsers, while Shadow Containers is a persistency technique on the hypervisor using containers.

We will end the talk with practical methods of mitigation against such attacks. We will also revisit the industry stance on DNS-Rebinding protections and how they don't mitigate attacks from the local area network.

Presented By

Michael Cherny  &  Sagie Dulce

What They're Teaching Kids These Days: Comparing Security Curricula and Accreditations to Industry Needs

Security is hard, but security education may be harder. Few academic institutions have the skills or resources to dedicate solely to security education. Rather, most security programs in higher education have grown out of or have been welded on to other technology programs. The resulting fractured educational ecosystem has created a disparity in the skill sets of graduating students and has made it challenging to develop standards to ensure consistency across educational programs. This talk will take a look at how security curricula have traditionally been developed and continued to be shaped by a variety of forces. We will examine some of the proposed solutions for accrediting programs and analyze their strengths and weaknesses. Subsequently, we will try to determine which type of student each model is designed to produce and provide our own recommendations about how to standardize security education.

Presented By

Chaim Sanders  &  Rob Olson

What's on the Wireless? Automating RF Signal Identification

Most organisations want to monitor wireless devices within their environment, but, with a growing number of disparate low cost wireless technologies appearing on the market, the scale of this task can be unmanageable. Even identifying the presence of rogue signals can be difficult, let alone identifying an offending device.

Software defined radio receivers allow us to receive arbitrary RF signals and are therefore the perfect platform on which to build automated spectrum monitoring tools. Now, we can take this concept further by combining rapid spectrum monitoring with automated signal identification and analysis, allowing organisations to seek out rogue RF devices in their environment.

We have developed open source tools to monitor the RF spectrum at a high level and then drill down to individual signals, supporting both reverse engineering and signals intelligence. By automatically combining the results with OSINT data from regulatory bodies around the world, we are able to build up a picture of devices transmitting in an environment.

Presented By

Michael Ossmann  &  Dominic Spill

When IoT Attacks: Understanding the Safety Risks Associated with Connected Devices

The Internet of Things (IoT) is all around us, making our lives more convenient. We've seen IoT devices being taken over to conduct DDoS attacks. We've heard about connected refrigerators being used to SPAM users and baby monitors being used to scream obscenities at innocent infants, but could an IoT device be re-purposed to physically attack an unsuspecting user? Let's find out.

Presented By

Billy Rios  &  Jonathan Butts

White Hat Privilege: The Legal Landscape for a Cybersecurity Professional Seeking to Safeguard Sensitive Client Data

The law affords unique protections to communications between a lawyer and client, commonly referred to as the "attorney-client privilege." This tool is indispensable because a lawyer can best advocate for a client when the client is free to disclose both the good and the bad. The law affords similar protections to communications between a physician/therapist and patient.

Cybersecurity professionals have no equivalent. This is true despite the fact that cybersecurity professionals are regularly entrusted with more sensitive information (about an individual/company) than what is entrusted to a lawyer or doctor. Security consultants can hold their clients' darkest secrets, or perhaps information that could "bring down" the company. These professionals are asked to find flaws, infiltrate networks, gather sensitive data, and document exactly how it happened, all-the-while contemplating how to use the information to the worst detriment of the target.

Although security consultants have no straightforward legal privilege for protecting client data, they may have the best mechanism of all: White Hat Privilege. By using this term, the speakers submit that a white hat professional is perhaps able to utilize technical savvy to implement technological solutions to the problem of protecting client data while staying within the confines of the law.

In this talk, we will examine the legal landscape for cybersecurity professionals seeking to safeguard a clients' sensitive client data. We will cover issues including contract formation, risk allocation, and other legal issues that arise during formation of services contracts. We will pivot to legal regimes for handling PII, cross-border data transfers, IP rights, and export-control issues. And because security professionals are not static beings, we will also examine border crossings, including authority of TSA/Customs to search and seize devices that might hold client data. While examining these issues, where possible, we will discuss potential technological solutions to legal problems.

Presented By

Karen Neuman  &  Jacob Osborn

Why Most Cyber Security Training Fails and What We Can Do About it

To date, the only pro-active, user-focused solution against spear phishing has been cyber security awareness training. However, multiple lines of evidence—from continuing news stories of bigger and bolder breaches to objective academic assessments of training effects—point to its limited effectiveness.

Yet, organizations continue to spend millions of dollars and countless man-hours on it. The problem is our current approach of providing the same form of training to everyone: it is is akin to prescribing the same medicine to every patient, sometimes repeatedly, without so much as diagnosing him or her. Small wonder then that spear phishing continues to wreck havoc. At the core of the problem is our inability to diagnose what ails the patient: Who is at risk from spear phishing? Why are they at risk? And how much of a risk are they?

The current presentation will provide a mechanism for answering these questions by using the Cyber Risk Index (CRI)—an empirically derived quantitative metric that helps identify the likely victims of different spear phishing attacks, reasons for their victimization, and the remedial measures that would best work to protect them. CRI scores range from 0–100 and can be derived using existing training and simulated spear phishing/pen-testing methods that most organizations use. Using a case study of an actual spear phishing pen-test that was conducted in a large, US based financial firm, the presentation will detail how CRI scores are derived and used. The talk will detail how the CRI helped assess the value of training and identify why training worked for some employees while not for most others. It will also discuss how the CRI helped identify the weak-links in the organization, design individualized training and protections, track improvements—and overtime improve individual readiness and enhance the organization's cyber reliance.

Presented By

Arun Vishwanath

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

Encrypted Wi-Fi networks are increasingly popular. This is highlighted by new standards such as Hotspot 2.0 and Opportunistic Wireless Encryption. Hotspot 2.0 streamlines network discovery and selection, creating an authenticated roaming experience matching that of cellular phones. On the other hand, Opportunistic Wireless Encryption introduces unauthenticated encryption for Wi-Fi networks. However, these advancements are meaningless if there are implementation flaws in the cryptographic 4-way Wi-Fi handshake that negotiates the fresh session keys.

In this talk we show how to detect and abuse logical flaws in implementations of this handshake.Our goal is not to detect common programming errors such as buffer overflows or double frees, but to detect logical vulnerabilities. An example of a logical vulnerability is that some message(s) in a handshake can be skipped, causing it to use or negotiate an uninitialized (all-zero) cryptographic key. Clearly such vulnerabilities void all security guarantees. To detect these types of logical vulnerabilities, we first build a model of the Wi-Fi handshake that describes the expected behavior of an implementation. We then automatically generate invalid executions of the handshake, and check whether an implementation correctly reacts to these invalid executions.

We tested 12 Wi-Fi access points, and found irregularities in all of them. These consist of authentication bypasses, fingerprinting techniques, downgrade attacks, denial-of-service (DoS) attacks, and so on. Most prominently, we discovered two critical vulnerabilities in OpenBSD. The first can be abused as a DoS against the AP, and the second can be exploited to perform a man-in-the-middle attack against WPA1 and WPA2 clients. We also discovered downgrade attacks against MediaTek and Broadcom that force usage of TKIP and RC4. Additionally, we discovered a targeted DoS against Windows 7. We also found other irregularities in Airohive, Apple, Cisco, Hostapd, and Windows 10.

Presented By

Mathy Vanhoef

Wire Me Through Machine Learning

In this world of technology where communication through email plays an important role, vicious threats also follow. One of the most beautifully crafted email threat commonly known as Business email compromise (BEC) scam or CEO fraud has shown its impact on more than 400 Organizations resulting in loss of over US $3 billion. Business email compromise (BEC) scam, also known as whaling, is a targeted attack sent to higher level management specifically to C level executives masquerading as an email communication from a CEO to a CFO. These emails are designed in a way that they have the power to influence the target to perform financial transactions such as wire transfers on a short notice. These attacks are successfully carried out by first building trust of the target.

This paper will throw light on one of the most important tactics used by attacker(s) to design and execute a BEC attack through machine learning. BEC attacks are highly targeted attacks and involve high level of research through skillful social engineering. Attackers have access to more than enough data through social media accounts of high level executives or financially responsible member of the target organization, official websites, news, current affairs, travel plans, data breaches and insider(s). All this vital information can be used to build and train machine learning algorithms.

In this talk, we shall provide a demo on how an attacker's machine learning model can train itself with the help of the information provided to it as a feed to execute a successful attack. After data collection, features extraction and selection is performed. Tools to perform complex data analysis are readily available. By applying regression algorithms to predict values or by using clustering algorithms to expose structure in data sets, the attacker can systematically plan for the next phase. After implementation of the algorithms, the attacker can train the machine to predict the output and check the working of the model. Thus, in the final phase the attacker instructs the machine to launch an attack by skillfully crafting emails with spoofed header fields. These emails are able to bypass the anti-spam filter as they highly resemble legit emails. We expect these methods to be used like "Target Accession as a Service" in 2017. We will also talk about mitigation steps that can be achieved with the help of machine learning.

Presented By

Ankit Singh  &  Vijay Thaware

WSUSpendu: How to Hang WSUS Clients

You are performing a pentest. You just owned the first domain controller. That was easy. All the computers belong to you, but unfortunately, you can't reach the final goal. The last target is further in the network, inaccessible and heavily filtered. Thankfully, one last hope remains. You realize the target domain pulls its updates from the WSUS server of the compromised domain, the one you fully control. Hope is back...but once again, it fails. The only tools available for controlling the updates are not working: they require a network attack that is prevented by the network architecture and the server configuration. All hope is lost...

We will present a new approach, allowing you to circumvent these limitations and to exploit this situation in order to deliver updates. Thus, you will be able to control the targeted network from the very WSUS server you own. By extension, this approach may serve as a basis for an air gap attack for disconnected networks. Our talk will describe vulnerable architectures to this approach and also make some in-context demonstration of the attack with new public tooling. Finally, as nothing is inescapable, we will also explain how you can protect your update architecture.

Presented By

Romain Coltel  &  Yves Le Provost

Zero Days Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits

Zero-day vulnerabilities and their exploits are useful in offensive operations as well as in defensive and academic settings.

RAND obtained rare access to a dataset of information about more than 200 zero-day software vulnerabilities and their exploits - many of which are still publicly unknown. We analyzed these data to provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (publicly unknown), dead (publicly known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities (longevity), the likelihood of another party discovering a vulnerability within a given time period (collision rate), and the time and costs involved in developing an exploit for a zero-day vulnerability.

The RAND study is the first publicly available research to examine vulnerabilities and their fully-functional exploits that are still currently unknown to the public. The research establishes initial baseline metrics that can augment conventional proxy examples and expert opinion, inform ongoing policy discussions, and complement current efforts to related to retention and disclosure of zero-day vulnerabilities and exploits.

This research can help inform software vendors, vulnerability researchers, and policymakers by illuminating the overlap between vulnerabilities found privately and publicly, highlighting the characteristics of these vulnerabilities, and providing a behind-the-scenes look at zero-day exploit development.

Presented By

Lillian Ablon