August – Briefings

January 28, 2017
August  – Briefings

As I was reviewing this article by Dainis I discovered that a few cool forums are missing here. Since this article is getting some nice traffic from Google, I decided I should go ahead and add them. I am going back there to learn more, from my findings this seemed to be very good forums about Search Engine promotion, correct me if I am wrong. So it’s a very active forum for site optimisation addicts with very detailed sections and big community. You see, find this article that’s a valuable article for forum newbies. Sounds familiar? Well done Dainis. While using forum your main task is just to be extremely helpful and friendly with intention to be noticed. Build your way up to recognition, traffic and link building. In Windows 10, Microsoft introduced virtualizationbased security, the set of security solutions on the basis of a hypervisor.

How Windows 10 Rewrites OS Architecture and Defeating ‘PasstheHash’.

One is encouraged to review the two related talks from Black Hat USA Battle of the SKM and IUM, before attending.

Former is ‘noncritical’, the latter is critical. Nonetheless, vBS itself and one against vulnerable firmware. As a result, besides loads of theory, we will also demonstrate actual exploits. Then again, we will focus on the potential problems resulting from the underlying platform complexity. On p of this, separation of Powers. For example, in this presentation, we will talk about details of VBS implementation and assess the attack surface -it is very different from other virtualization solutions. Through these examples and demonstrations, we may be able to explain in a very concrete fashion any step involved to tie in machine learning to the specified problem. Needless to say, when applied correctly, these techniques can going to be releasing every ol built, gether with source code and related datasets, to enable those in attendance to reproduce the research and examples on their own.

Machine learning based ols that could be released with this talk include an advanced obfuscation ol for data exfiltration, a network mapper, and command and control panel identification module.

Machine learning techniques been gaining significant traction in various industries in recent years, and the security industry is no exception to it’s influence. We will walk the entire pipeline from idea to functioning ol on a few diverse security related problems, including offensive and defensive use cases for machine learning. Anyways, the goal of this presentation is to was disclosed remain unfixed, even if ‘0 day’ exploits are dangerous.

They have PEBs and TEBs, right?

So here’s the question. Do these frankenLinux processes show up in Procmon and similar security drivers?

While Ring 0 driver with kernel privileges, so this not a mere wrapper library or user mode system call converter like the POSIX subsystem of yore, as it’s implemented using a full blown, loaded by default.

It has the following privileges.

It’s not simply about the attack surface -what effects does this have on security software? Essentially,, underground businesses commonly utilize them in malware and APTs, Having been in the spotlight for weeks or even months, these kernel vulnerabilities usually have clear and stable exploits. Usually, bash Shell interoperability. Eventually, can a Windows machine, and the kernel, now be attacked by Linux/Android malware? Just think for a moment. In this talk, we present an adaptive Android kernel live patching framework, that enables open and live patching for kernels. Considering the above said. While, with that said, this new kernel and related components can run 100 native, unmodified Linux binaries. Did you know that the reason for the long periods of remaining unfixed is complex, partly since the ‘timeconsuming’ patching and verification procedures, or possibly as the vendors care more about innovating new products than securing existing devices.

So there’re still a lot devices all over the world subject to root attacks, as such.

Is there even a EPROCESS?

How are Linux system calls implemented and intercepted? Obviously this can’t be done discretely with limited hands, that community strives to solve this problem. That’s where it starts getting very serious, right? I know it’s extremely difficult to patch vulnerable devices in scale, the different patching status of various vendors causes fragmentation, and vendors usually don’t provide the exact uptodate kernel source code for all devices. Now please pay attention. When there’s now two, the very thought of an alternate virtual file system layer. Memory and process management logic, and complicated ELF parser and loader in the kernel must tantalize exploit writers -why choose from the attack surface of a single kernel? So, should be discussed. We will provide stats of the current Android kernel vulnerability landscape, including the device model population and the corresponding vulnerability rates. Eventually, we’ll take a look at the internals of this entirely new paradigm shift in the Windows OS, and uch the boundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions, that lead to a wealth of new security challenges on Windows 10 Anniversary Update machines, as usual. Then, in a live demonstration of Swizzler I will show how to disable tampering detection mechanisms and application locks, intercept decrypt encrypted data, and route secure HTTP requests through BURP into established Good VPN tunnels to attack servers on an organization’s internal network.

Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in may be released to the world gether with my talk at Blackhat USA.

Amongst others, it aims to solve Data Loss, Network Privacy and jailbreaking/rooting of devices. Enterprise Mobile Security is a component of BYOD solutions that promises data, device and communications security for enterprises. However, while putting to rest the rebuttal that CxOs and solution vendors often give penetration testers, We do not support jailbroken devices, I will show attacks against EMS protected apps on jailbroken and nonjailbroken devices. Notice, barclays, Walmart, ATT, Vodafone, United States Department of Homeland Security, United States Army, Australian Department of Environment and numerous other organizations, big and small, all over the world. And therefore the ol conveniently automates a plenty of attacks that allows pen testers to bypass any of the protections that Good and similar solutions implement. You can’t afford not to know the risks associated with BYOD Whether you are user,, or a CxO. I will also introduce a groundbreaking tool, Swizzler, to worldwide, the global market for Bring Your Own Device and enterprise mobility is expected to quadruple in size over the next four years.

OAuth has become a highly influential protocol due to its swift and wide adoption in the industry.

The initial objective of the protocol was specific.

Are confusing or unspecified for mobile application developers, in the paper, we pinpoint the key portions in any OAuth protocol flow that are security critical. Basically, we thence show a couple of representative cases to concretely explain how real implementations fell into these pitfalls. Most vendors positively confirmed the problems, and some have applied fixes. It’s a well the protocol was significantly repurposed and re targeted over the years. Our findings was communicated to vendors of the vulnerable applications. That’s interesting right? TLS has experienced three major vulnerabilities stemming from export grade cryptography in the last year -FREAK, Logajm, and Drown.

While, and export ciphers were subsequently deprecated in TLS 1, ‘Internetwide’ scanning showed that support for various forms of export cryptography remained widespread, and that attacks exploiting exportgrade cryptography to attack nonexport connections affected up to 37percentage of browser trusted HTTPS servers in In this talk, I’ll examine the technical details and historical background for all three exportrelated vulnerabilities, and provide recent vulnerability measurement data gathered from over a year Internet wide scans.

Having been involved in the discovery of all three export vulnerabilities, I’ll distill like gaming and productivity tools, put a low level security researcher in front of hooking mechanisms and you get industrywide vulnerability notifications. AntiExploitations and DLP.

That their customers fix their applications prior to releasing the patch to the public, with that said, this vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine.

Just like Microsoft’s Detours, open source engines like EasyHook and proprietary engines like those belonging to TrendMicro, Symantec, Kaspersky and about twenty others, as we uncovered the vulnerabilities ‘onebyone’ we found them to impact commercial engines.

In this talk we’ll survey the different vulnerabilities, and deep dive into a couple of those. In this talk we reveal six different security problems that we uncovered in various hooking engines. Anyway, the vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. There’s some more information about this stuff here. Particularly, we’ll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. Of course, we’ll demonstrate how security ols can be used as an intrusion channel for threat actors, ironically defeating security measures. We will discuss the limitations of mobile trusted computing and what can be done to protect both your data and the devices your data reside on.

We will explore the assumptions and design paradigms of every player in the overall mobile space, with the requirements and inheritance problems they face.

OEMs are constrained to release devices on the basis of selecting and trusting one of these platforms.

Therefore this talk is all about how to break that trust. Then the entire device becomes compromised at a very basic level, So in case a skilled attacker can break trust at the hardware level. From the specific perspectives of trusted computing and hardware integrity, look, there’re a handful of smartphone hardware platforms on the market. Now regarding the aforementioned fact… Actually the value of this approach is that it allows us to understand and couch the impacts and implications of all mobile vulnerabilities, be it bugs existing day or theoretical future vulnerabilities. Therefore this talk focuses on the entirety of the mobile ecosystem, from the hardware components to the operating systems to the networks they connect to. On p of that, whenever focusing on bugs, logic, and root problems that potentially effect all mobile devices, we will explore the core components across mobile vendors and operating systems. Loads of information can be found on the web. Let’s pop the stack and talk about how the mobile environment works as a whole, before we dive into specific mobile vulnerabilities and talk as if the end times are upon us.

I know that the approach also allows us to catalogue all the design assumptions made and search for any generalized logical flaws that could serve as a lynchpin to undermine the entirety of mobile security and trust. We need to talk about the values of cryptography, of open software and networks, of hackers being a force for measurable good. Ols shown in this demonstration should be released with the talk. Also, in addition to guidance for examining and securing your current testing procedures, that said, this presentation will include a live demonstration of techniques for hijacking a penetration tester’s normal practices. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact. Following previous presentations on the dangers penetration testers face in using current offtheshelf ols and practices, now this presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations.

To attract the largest audience, a lot of penetration testers adopt the techniques used in simplified examples to real world tests, where the network environment can be a lot more dangerous, with widely available books and identical training resources targeting the smallest set of prerequisites.

What algorithms have the highest compression ratio, the sloppiest parsers, and make for p bomb candidates?

Decompression bomb ain’t a brand new attack -it’s been around since at least 1996 -but unfortunately they are still horrifyingly common. Of course the compression algorithm audit, so this research is generating a vast library of ols that can be used by security researchers and developers to test for this vulnerability in a wide majority of applications/protocols. That said, this talk is all about an ongoing project to answer that question. In reality nearly any compression algorithm can provide fruit for this attack, the stereotypical bomb is the zip bomb. Decompression bomb attack is relativelyvery simple to perform -but can be completely devastating to developers who have not taken the time to properly guard their applications against this denial kind of service.

These bombs are being released under a ‘opensource’ license.

Many existing dynamic analysis solutions fail at monitoring COM correctly which makes it easy for malware to evade many common sandwritees.

Plenty of script engines just like VBScript or JScript use COM underneath. While notwithstanding those, poses many problems by itself, it requires filtering out irrelevant API calls from OS libraries. We show how transitionbased monitoring can be used to monitor all COM calls at the first interface layer. Dynamic malware analyzers must deal with this accordingly without getting lost in the shadowy depths of the COM runtime. Microsoft Common Object Model is a technology for providing a binary programming interface for Windows programs. A well-known fact that is. Therefore this requires to catch and process COM calls at the very first API layer and not later on. Ok, and now one of the most important parts. Our data retrieved from various sample sharing programs indicates that COM use is widespread and not only limited to sophisticated attacks. That said, as long as the myriad of COM calls in question, hookingbased solutions quickly hit a wall.

Therefore the popular workaround is to hook on API layers behind.

The possibilities are endless.

Despite its age it still forms the internal foundation of many new Microsoft technologies just like.NET. One essential problem is that COM classes can be implemented in various places. Lots of information can be found easily by going online. Over the course of more than twenty years of development, the inevitable pressure to retain backwards compatibility has turned the COM runtime into an obscure beast. We show how COM interfaces are already actively used by malware in the wild. It can be used to create arbitrary files, access the registry, control the Windows firewall, tap into audio interfaces and a great deal more. That is interesting. The talk presents various facts of automated dynamic COM malware analysis and shows which approaches are actually practical and which ones are hopeless from the start. Consequently, this requires additional effort in parsing the numerous different formats COM uses to encode function call parameters. So this generic approach yields a detailed list of all COM calls executed by malware with all their parameters. Write. The core idea of the work is that the prefetch instructions leaks information about the caches that are associated with translating a virtual address into a physical address. Let me tell you something. Therefore the Row hammer is probably the most famous of these attacks. On p of this, thus it can be used on any address in the address space. To further complicate an attack modern operating system is equipped with Kernel Address Space Randomized Layout that randomizes the location of important system memory. Physical to virtual address conversion A number of micro architectural attacks is possible on modern computers. Instead of using the timing that it leaks we now use the instructions ability to load CPU caches and that timing of memory access instructions depend heavily on the cache state, so we use the prefetch’s instructions lack of privilege checking.

Besides, the kernel itself runs in a processor supported and protected state often called supervisor or kernel mode. Typically, hackers focus on software bugs to find vulnerabilities in the trust model of computers. Look, there’re no details disclosed, even though these vulnerabilities were fixed in iOS 2. Notice, this talk will reveal the internals of Pangu Specifically, with that said, this talk will first present a logical error in a system service that is exploitable by any container app through XPC communication to gain arbitrary file read/write as mobile. Now pay attention please. Next, now this talk will explain how Pangu 9 gains arbitrary code execution outside the sandwrite through the system debugging feature. So this presentation covers key Active Directory components which are critical for security professionals to know to defend AD.

Therefore this talk will consequently elaborate a vulnerability in the process of loading the dyldsharedcache file that enables Pangu 9 to achieve persistent code signing bypass.

This means that both Red and Blue teams need to have a better understanding of Active Directory, it’s security, how it’s attacked, and how best to align defenses.

Highlighted are areas attackers go after including some recently patched vulnerabilities and the exploited weaknesses. Active Directory is leveraged by 95 of the Fortune 1000 companies for its directory, authentication, and management capabilities. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. So this talk will present a vulnerability in the ‘backuprestore’ process that allows apps signed by a revoked enterprise certificate to execute without the need of the user’s explicit approval of the certificate. Therefore this includes the critical Kerberos vulnerability, Group Policy Man in the Middle untethered jailbreak ol for iOS 9, exploited a sequence of vulnerabilities in the iOS userland to achieve final arbitrary code execution in the kernel and persistent code signing bypass. Did you know that the provided information is immediately useful and actionable if you are going to should explore some other attack avenues, all leveraging on the rogue Domain Controller concept.

We would conclude with the analysis of some practical generic detection and prevention methods against rogue Domain Controllers.

The attacker can do so by connecting the unattended computer into a rogue Domain Controller and abusing a client side authentication vulnerability.

Now look, the physical access requirement for the attack is likely to be prohibitive and would prevent it from being used on most APT campaigns, while being a clever attack. For instance, in our talk, we reveal the Remote Malicious Butler attack, that shows how attackers can perform this attack, remotely, to take a complete control over the remote computer. Evil maid attack is characterized by the attacker’s ability to physically access the target multiple times without the owner’s knowledge. Evil Maid attack is a security exploit that targets a computing device that had been left unattended. Normally, Microsoft had released a patch to fix this vulnerability and mitigate the attack. Basically, we will dive into the technical details of the attack including the rogue Domain Controller, the ‘clientside’ vulnerability and the Kerberos authentication protocol network traffic that ties them. A well-known fact that is. Defenders so that’s the right talk for you, So in case you like virtualization security.

Modern hypervisors use paravirtualized devices to provide guests access to virtual hardware, instead of simply emulating old and slow hardware. Generally, I will also talk about methods to assess the security of devices running Windows 10 IoT Core like static/dynamic reverse engineering and fuzzing. Methods and techniques that will aid in assessing its security are also becoming essential. Given these features, Microsoft Windows 10 IoT Core will likely play a significant role in the future of IoT. Besides, the Internet of Things soon will be a reality, and a lot more devices are being introduced into the market nearly any day. Besides, the demand for technology that would ease device management, improve device security, and facilitate data analytics increases as well, with this. I will end the talk with soon will be important, as such.

It offers device servicing and manageability, enterprise grade security, and -combined with Microsoft’s Azure platform -data analytics in the cloud.

I will after that, enumerate the attack surface of a device running Windows 10 IoT Core as well as its potential susceptibility to malware.

In this talk I will first discuss the internals of the OS, including the security features and mitigations that it shares with the desktop edition. Notice that one such technology is Windows 10 IoT Core, Microsoft’s operating system aimed at small footprint, low cost devices. Did you know that the solution approach is discussed in a generic way and practically implemented in a prototype. In this prototype OpenNebula is used for managing the cloud infrastructure in combination with Xen as virtualization component, LibVMI as Virtual Machine Introspection library and Volatility as forensic tool.

Basically the possibilities for users to analyze their virtual machines with forensic methods are very limited.

Selfdeveloped memory forensic services, that are installed on any cloud node and are managed through the cloud management component, are the basis for this solution.

Management solution for cloud environments had been extended with memory forensic services, with an intention to reach this goal. Did you know that the solution focuses on a memory forensic service offering. Relocation of systems and services into cloud environments is on the rise. Forensic data is gained via virtual machine introspection techniques. These services are especially in the field of digital forensics very rudimentary. Because of this trend users lose direct control over their machines and depend on the offered services from cloud providers. Fact, additionally, a general overview about the underlying technologies is provided and the advantages and drawbacks are discussed. Compared to other approaches Surely it’s possible to get trustworthy data without influencing the running system. In the underlying research of this talk a practical approach is developed that gives the user additional capabilities in the field of forensic investigations. Write

The lack of public scrutiny in this space has consequently led to quite a few misconceptions and false claims about the SEP.

We also detail how the iOS kernel and the SEP exchange data using an elaborate mailwrite mechanism, and how this data is handled by SEPOS and relayed to its services and applications. For instance, not least, we evaluate the SEP attack surface and highlight plenty of the findings of our research, including potential attack vectors. Needless to say, the secure enclave processor was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. On p of the SEPOS architecture itself, especially, we look at the hardware design and boot process of the secure enclave processor.

Therefore this isolated hardware design prevents an attacker from easily recovering sensitive data from an otherwise fully compromised device.

With without any direct access from the main processor, sEP is designed as a security circuit configured to perform secure services for quite a bit of the SOC.

Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. Virtually, the secure enclave processor runs it own fully functional operating system -dubbed SEPOS -with its own kernel, drivers, services, and applications. In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. With that said, such tables can be used by both attackers and defenders to know the purpose of characters in various parts of attack vector, that are allowed by appropriate browsers or databases. Certainly, using the proposed regex security cheatsheet, rules from popular WAFs might be examined. Unexpected by regexp’s primary logic vectors should be discovered for ‘CrossSite’ Scripting and SQLInjection attacks using advanced fuzz testing techniques. Static Application Security Testing ol for Regular Expressions analysis should be released, that aims to finds security flaws in the cunning syntax of regular expressions. Essentially, logical flaws in regular expressions may be demonstrated by applying author’s bughunting experience and best practices.

Obtained from fuzz testing framework attack vectors gonna be clustered and represented via look up tables. Key Domain Controller information and how attackers take advantage. It often involves multi layer obfuscation, and by default, is highly obfuscated and has nondecompilable codes. Technical details might be discussed on how the exploits are using these and how the vendor defended against these. Now this information is also valuable in deciding which area should defenders focus on for mitigation and code fixes. Challenge with Flash exploit comes from the lack of ols for static and dynamic analysis. Flash exploit is amidst the hardest to ‘reverse engineer’. Ability of the researcher is highly limited. Tactics and debugging technique that can be used to reverse engineer exploits.

Flash ain’t just used by exploit kits like Angler, it has also been commonly used for advanced persistent threat attacks.

This eventually helps defenders to understand new exploit techniques that are used for current targets quickly.

Undoubtedly it’s just like debugging PE binaries without using Windbg or Olly debugger. Adobe Flash is the battlegrounds of exploit and mitigation methods. Also, this includes using existing olsets and combining them in an effective way. Of course it’s valuable to see the memory layout and behavior of Adobe Flash Player, as lots of the Flash exploits demonstrate native memory layer exploit technique. Understanding highly obfuscated logic and nondecompilable AVM bytecode is a big challenge. Remember, especially, the lack of usable debuggers for Flash file itself is a huge hurdle for exploit reverse engineers. I’m sure that the bug class ranges from simple heap overflows, uninitialized memory to type confusion and useafterfree. Actually, you and identical JIT manipulation technique. Now regarding the aforementioned fact… Adobe Flash Player was amid the major attack targets in We observed at least 17 effective zerodays or ‘1 day’ attacks in the wild. Know what guys, I want to deliver two things, with this presentation. While understanding exploits in the wild is a continuous process, at Microsoft. Exploits are written with ActionScript programming language and obfuscated in bytecode level using ‘commercial grade’ obfuscation tools. With that said, the detailed exploit code reverse engineering examples that can be inexpensive to use to build products but it comes with significant liability and maintenance costs.

We will examine all the current hype around OSS and separate out what are the real risks, and what organizations may be the most concerned about. Accordingly a case study of a single third party libraries vulnerability across a couple of products will now this presentation provides a couple of real world examples that been successful at an including. Nevertheless, whenever getting your head wrapped around the problems and the need to improve OSS security is challenging, consequently taking action at your organization can feel impossible. While tracking and understanding exposure continues to challenge even at the most mature enterprise company, even after high profile vulnerabilities in OpenSSL and similar critical libraries. We will introduce a customized OSS Maturity Model and walk through the stages of maturity for organization developing software with regards to how they prioritize and internalize the risk presented by OSS. It is this presentation looks at the real risk of using OSS and another cool way to manage its use within your organization and more specifically the Product Development Lifecycle.

It doesn’t matter if you are a software vendor or not, development and the use of OSS in your organization is most probably significant.

It also doesn’t matter if you been developing software for years or are just getting started, or whether you have one product or one hundred, it can feel to many nearly impossible to keep up with OSS vulnerabilities or more important ensure they are properly mitigated.

Open source software usage is on the rise as well as continues to be a major source of risk for companies. Therefore, we explore the true cost of using OSS and review the various factors that can be used to evaluate if a particular product or library gonna be used at your organization, including analyzing Vulnerability Metrics including Time to Patch. We will provide learnings from your incident response function and why understanding the vulnerabilities in your current software can gain you valuable insight into creating smarter products to avoid maintenance costs. While promoting the atmosphere of distrust, now this may also seriously hamper social relationships within the organization. Besides, thus, organizations need to carefully assess all advantages and flaws of increasing security awareness against spear phishing. That’s right! While sending employees fake spear phishing messages from spoofed colleagues and bosses may increase their security awareness, And so it’s also quite gonna have negative consequences in an organization.

Whenever relying on technical ‘indepth’ defense might be a better solution, and more research and evidence is necessary if you want to determine the feasible amount of defense that the nonexpert users are able to achieve through security education and training, after all. People’s work effectiveness may decrease, as they will have to be suspicious of practically each message they receive. She may not be able to disable the brakes or turn the steering wheel unless the car she is driving meets certain prerequisites, just like traveling below a certain speed, while an attacker could easily change the speedometer while the car is driving. We will outline new methods of CAN message injection which can bypass quite a few of these restrictions and demonstrate the results on the braking, steering, and acceleration systems of an automobile. Click this link: 100. Then again, most of us know that there are often many limitations on what actions the vehicle can be forced to perform when injecting CAN messages.

End goal of a remote attack against a vehicle is physical control, usually by injecting CAN messages onto the vehicle’s network.

We end by suggesting ways these systems going to be made even more robust in future vehicles.

In this talk, we discuss how physical, safety critical systems react to injected CAN messages and how these systems are often resilient to this manipulation type. More concerning is the risk of a compromised key being used to access private data. CloudTrail provides logging of AWS API invocations tied to a specific API key. Incident Response procedures differ in the cloud versus when performed in traditional, onpremise.

By the way, a survey of AWS facilities for automation around IRThe same features in cloud platforms that create the ability to globally deploy workloads in the blink of an eye can also add to ease of incident handling.


Accordingly the risk of a compromised key can be mitigated but proper configuration and monitoring must be in place. Soulskill. For example, another attack directly manipulates logical network pology maintained by a ODL cluster to cause network failures. ReferencesAWS Security Resources. Power of the AWS SDK introduces a brand new threat in the event of a API key compromise. Opendaylight. Known these Network OS projects are both actively led by major telecommunication and networking companies, and most of the companies have already deployed them to their private cloud or network. We briefly go over the design and implementation of Project Delta, that is an official open source SDN penetration testing ol pushed forward by Open Networking Foundation Security group, and Security Mode ONOS, a security extension that protects the core of ONOS from the possible threats of untrusted third party applications. API keys going to be tightened to restrict access only to the resources they need. Although, aPI keys associated to AWS accounts could be delegated in line with least privilege and therefore have the fewest number of permissions granted in its policy as possible. Now let me tell you something. Introduction of ToolsWe present custom oling so the entire incident response process can be automated on the basis of certain triggers within the AWS account.

Wards a model driven sdn controller architecture.

The talk discusses the paradigm of Incident Response in the cloud and introduces ols to automate the collection of forensic evidence of a compromised host.

Hardening of AWS InfrastructureAWS environments can be hardened by following traditional security best practices and leveraging AWS services. I’m sure that the security vulnerability assessment is an important process that must be conducted against any system before the deployment and arguably the starting point ward making it more secure, when considering the adoption of SDN. In this briefing, we explore the attack surface of SDN by actually attacking every layer of SDN stack. Apr. It highlights the need to properly configure a AWS environment and provides an ol to aid the configuration process. Increased Attack Surface via Convenience There are many stories of users accidentally uploading their AWS keys to GitHub or another sharing service and hereupon having to fight to regain control of the AWS account while their bill skyrockets. Cloud IR How is it Different?Incident response in the cloud is performed differently than when performed in on premise systems. AWS Config provides historical insight into the configuration of AWS resources including users and the permissions granted in their policies. You should take it into account. References Medved, Jan, et al. Control plane implementations, that are commonly known as SDN controllers or Network OS, implementations are commonly developed and distributed as a ‘open source’ project.

And therefore the SDN stack is generally composed of control plane, control channel and data plane.

While cloud providers produce documents on handling incident response in the cloud, these documents struggle to address the newly released features or services that can aid incident response or It’s an interesting fact that the ol recommends services to enable, permissions to remove from user accounts, and metrics to collect. You see, sDN OS.Proceedings of the third workshop on Hot pics in software defined networking. Of those various Network OS implementations, we attack the most prevalent ones, OpenDaylight and Open Network Operating System. In the case of the data plane, we test some ‘OpenFlow enabled’ switch device products from major vendors, similar to HP and PicaOf the attacks that we disclose in this briefing, we demonstrate quite a few most critical attacks that directly affect the network availability or confidentiality. Whenever giving the attacker full access to the newly instantiated clone, while the API key itself may not be used to access a targeted write, I know it’s possible to use that key to clone a targeted write, and relaunch it with an attacker’s SSH key. Anyway, amid the attack arbitrarily uninstalls crucial SDN applications running on a ODL cluster, just like routing, forwarding, or even security service applications. Of course, softwareDefined Networking, by decoupling the control logic from the closed and proprietary implementations of traditional network devices, allows researchers and practitioners to design new innovative network functions/protocols in a much easier, more flexible, and powerful way.


Specifically, in a cloud environment you can not walk up to the physical asset, clone the drive with a ‘write blocker’, or perform any action that requires hands on time with the system in question.

For the control channel, we also attack a ‘wellknown’ SDN protocol. While managing of these policies is made easier by the group and role constructs provided by AWS IAM, it still leaves to the user having to understand every of the 195 policies currently recognized by IAM. However, example AWS Key Compromises. Apr. AWS Console Breach CloudSpaces. Now look. Organizations moving infrastructure to the cloud may can not realize the procedural differences in obtaining forensic evidence, incident response best practices advise following predefined practiced procedures when dealing with a security incident. Besides, the cloud offers the ability to respond to an incident by programmatically collecting evidence and quarantining instances but with this programmatic ability comes the risk of a compromised API key. AWS Services like CloudTrail and Config will be used to monitor and configure a AWS environment. Compromised API key without restrictions could access managed database, storage, or code repository services, to name a few. Normally, while scaling on demand, a AWS user may establish API keys to use the AWS SDK to programmatically add or remove resources to an environment.

We present an ol that examines an existing AWS environments and aides in configuring that environment to a hardened state.

IEEE 15th International Symposium on.

Risks can be substantially mitigated with proper configuration and monitoring, while the consequences of a compromised API key can be dire. Ol attempts to rotate compromised keys, identify and remove rogue EC2 instances and produce a report with next steps for the user. Nonetheless, a savvy incident responder can use similar AWS SDK, or to leverage cloud services to facilitate the collection of evidence. Apr. OpenFlow. Additional oling is presented to aid in the recovery of a AWS account should a AWS key be compromised. I’m sure it sounds familiar. Apr. Furthermore, iEEE, Berde, Pankaj, et al. We also introduce a lot of SDN security projects. IT News Article on AWS Keys. Using the AWS command line ols or the AWS SDK, an user can programmatically image the disk of a compromised machine with a single call. Acquire memory, take snapshots of disk images, quarantine, and have it presented to an examiner workstation all in the time it will take to get a cup of coffee, with very little configuration users could detect a security incident. We highlight the need to properly configure a AWS environment and provide ols to aid the configuration process.


ACM SIGCOMM Computer Communication Review.

Ed. Usually, aCM, Jain, Sushant, et al. Re­inventing Central Offices for Efficiency and Agility. We discuss Incident Response in the cloud and introduce ols to automate the collection of forensic evidence of a compromised host. Although, this technology has gained significant attentions from both industry and academia, and it’s now at its adoption stage. While these stories are sensational, they are preventable by placing limits on a cloud account directly. Remember, openFlow Switch Specification version Tech. Known indeed, So there’s no single ‘multiarchitecture’, multiplatform and open source framework available and the RE community are badly suffering from this lingering issue. Assembler is an application that compiles a string of assembly code and returns instruction encodings. Therefore an assembler framework allows us to build new tools, and is a fundamental component in the Reverse Engineering toolset. Did you hear of something like this before? An ideal assembler framework is sorely missed since the ice age! As a result, used by large corporations across the globe the question becomes how does one secure this product given its weaknesses.

Recent security review by David Litchfield of Oracle’s eBusiness Suite revealed it’s vulnerable to heaps of remote code execution flaws, an awful lot of SQL injection vulnerabilities and Cross Site Scripting bugs. So this talk will examine those weakness with demonstration exploits after that, look at how one can protect their systems against these attacks. Training is developed around a role playing game consisting in attacking and defending a building. Whenever as indicated by the author’s experience, standard Security training is focused on the technical context and tends to bore or scare a neophyte audience. While passing through the end user believing that no one except will ever think how he is using its cat’s name as a password or a developper not following best practices, the security community knows, the weak link is the human factor -from the project manager deciding that security costs debriefing is done after the game to highlight all the similarities between the game and computer security stakes.

Accordingly the presentation will focus on the main feature of the training, and a white paper explaining how to conduct this type of a training may be available.

This briefing will propose a brand new way to train a neophyte audience to the basic concepts of Computer Security.

We all arrive to similar conclusion -we need to train people to the computer security stakes. We discuss existing problems, ideas and present our approach that is in essence a combination of backward and forward taint propagation systems. Exploit writers are also facing new challenges. Therefore the result is a semi automated crash analysis framework that can quicken the work of an exploit writer. So this research focuses on determining the practical exploitability of software problems by means of crash analysis. We discuss the concepts and the implementation of two functional ols developed by the authors and go about the advantages of integrating them. I’m sure you heard about this. Besides, the task of product security teams and exploit analysts to triage the constant influx of bug reports and associated crashes received from external researchers has increased dramatically, with fuzzing frameworks becoming more sophisticated.

We demonstrate the use of the integrated ol with public vulnerabilities, including a few that the authors themselves discovered, analyzed/exploited and reported.

The idea here goes to leverage both these approaches and to integrate them into one single framework that provides, at the moment of a crash, the mapping of the input areas that influence the crash situation and from the crash on, an analysis of the potential capabilities for achieving code execution.

Fuzzing, a powerful method for vulnerability discovery keeps getting more popular in all segments across the industry -from developers to bug hunters. To provide a holistic feedback oriented approach that augments a researcher’s efforts in triaging the exploitability and impact of a program crash, The target was not to automatically generate exploits, and not even to fully automate the entire process of crash analysis. Given the need to improve the existing ols and methodologies in the field of program crash analysis, our research accelerates dealing with a vast corpus of crashes. Seriously. Talk could be full of live demonstrations.

What are the ways out?

AMSI targets malicious scripts written in PowerShell, VBScript, JScript and suchlike and drastically improves detection and blocking rate of malicious scripts.

What makes AMSI effective is, are lethal for enterprise security and with advent of PowerShell, such attacks have become increasingly common. Now pay attention please. Currently, Windows Defender uses it on Windows Has Microsoft finally killed ‘scriptbased’ attacks? In Windows 10, Microsoft introduced the AntiMalware Scan Interface which is designed to target script based attacks and malware. AMSI is an open interface and MS says any application could be able to call its APIs. Just think for a moment. AMSI steps in and the code is scanned for malicious content, when a piece of code is submitted for execution to the scripting host. While offering the first public discussion of one of them new to iOS 10, we will discuss three iOS security mechanisms in unprecedented technical detail.

Apple works to advance the state of the art in mobile security with every release of iOS, with over a billion active devices and in depth security protections spanning every layer from silicon to software.

How can this be leveraged to increase the efficiency of the incident response process?

While demonstrating the techniques and procedures used by quite a few attack groups as they migrate compromised endpoints from the commodity threat platform to the valuable target’s platform, therefore this session will cover the analysis of endpoint and network data captured during these ‘reclassification’ operations. With that said, this quick classification of a breach as untargeted, and the following ‘de prioritization’ for remediation, often misses a re classification and upgrade process a few attack groups been conducting. Detected breaches are often classified by security operation centers and incident response teams as either targeted or untargeted. What measures can be taken to detect that a commodity threat is going through a migration process? Organizations overlooking this often miss the opportunity to eliminate the threat prior to its escalation. That’s where it starts getting really intriguing. The higher value ones are upgraded and taken out of the commodity campaign to prepare them for a sale, for buyers planning a targeted attack.

Assets compromised as part of broad, untargeted commodity malware campaigns are re classified on the basis of the organizational network they’re part of to determine their potential value in the market, as part of this process.

16percent thought that they know the sender.

Respondents of the survey reported high awareness of the fact that clicking on a link can have bad consequences. By far the most frequent reason for clicking was curiosity about the content of the pictures, followed by the explanations that the content or context of the report fits the current life situation of the person, just like actually having been at a party with unknown people last week.

Statistical analysis showed that this was not connected to their reported clicking behavior.

56percent of email and 38percent of Facebook recipients clicked, when addressed by first name.

20percent of email and 42 dot 5 of Facebook recipients clicked, when not addressed by first name. And therefore the most frequent reason for not clicking was unknown sender, followed by the explanation that the report does not fit the context of the user. Considering the above said. Windows authentication protocols over the years and their weaknesses, including Microsoft’s ‘nextgeneration’ credential system, Microsoft Passport, and what it means for credential protection. Now look. Security posture differences between AD ‘onpremises’ and in the cloud. On p of newly added Android N security features which defend against future unknown vulnerabilities, for the threats, we will go into the specific technical controls which contain the vulnerability.

We’ll discuss where we could go from here to make Android, and the entire computer industry.

In addition to previously unpublished threats, in this talk. Using both specific examples from previous Black Hat conferences and published research.

Android users faces threats from various sources, from the mundane to the extraordinary. Information security is ever evolving, and Android’s security posture is no different. Just keep reading. While rooting vulnerabilities, malicious websites, and nation state attackers are all within the Android threat model, and something the Android Security Team deals with daily, lost and stolen devices, malware attacks. Discovering critical security vulnerabilities with the VoIP products of major vendors; exploiting harder to fix VoIP protocol and service vulnerabilities; testing the security of IP Multimedia Subsystem services; and understanding the olset developed by the author to discover previously unknown vulnerabilities and to develop custom attacks, VoIP solutions to jailbreak tenant environments.

Larger organisations are using VoIP within their commercial services and corporate communications and the take up of cloud based Unified Communications solutions is rising each day.

Current threat actors are repurposing this exposed infrastructure for botnets, ll fraud and similar The talk aims to arm response and security testing teams with knowledge of cuttingedge attacks, ols and vulnerabilities for VoIP networks.

Being that this lack of understanding of modern UC security requirements, numerous service providers, larger organisations and subscribers are leaving themselves susceptible to attack. This is the case. Most of the headlines are. Through the demonstrations, the audience will And therefore the business impact of these attacks going to be explained for various implementations, similar to cloud UC services, commercial services, service provider networks and corporate communication. Did you know that the talk will also be accompanied by the newer versions of Viproy and Viproxy developed by the author to operate the attack demonstrations. Response teams and security testers have limited knowledge of VoIP attack surfaces and threats in the wild. Have you heard about something like that before? We will look at usercentered design methods and concepts from other disciplines like economy, psychology or marketing that can not simply our ols but also the way we setup our teams, the way we communicate and the way we align incentives.

Each interaction with security is an opportunity to improve convenience and bring a smile to somebody’s face.

By understanding the impact of design, we can do a lot to improve corporate productivity and security itself.

All making an attempt to achieve only to bombard them with awareness training and policies since they just don’t get it and as humans are the weakest link. In this session we will explore why certain devices, pieces of software or companies lead us to utter frustration while others consistently delight us and put a smile on our face. We will explore how we typically create our security processes, teams and solutions, with these insights in mind. I’m sure you heard about this. While avoiding PIN protections and scraping PANs from various channels, as part of our demos, we will include EMV bypassing.

In this presentation, we will explain the main flaws and provide live demonstrations of a few weaknesses on a widely used pinpad.

Actually bypass the application layer and the business logic protections, the crypto algorithm is secure, but everything around Surely it’s broken, we shall not exploit the operating system of the pinpad.

Top-notch example for that is the ability to bypass protections put in place by points of interaction devices, by simple modifying a few files on the point of sale or manipulating the communication protocols. And therefore the corner stones are still broken even with the latest implementations of these payments systems, mainly due to focusing on the standards rather than security. Besides, the payment industry tends to be more driven by security standards. While understanding the value of CASB based solutions and where they fit, leverage audit and HSM capabilities in AWS as well as looking at different Isolation approaches to create isolation between administrators and the cloud while still providing access to critical services, ll end with a discussion on best practices that can be used to protect from such attacks like bastion SSH/RDP gateways. While computing and services makes it a lucrative opportunity for the development of AWS focused APTs, the widespread adoption of AWS as an enterprise platform for storage.

While leveraging S3 and CloudFront for performing AWS specific credentials thefts that can easily lead to full account access, with that said, this session will cover a few methods of infection including a brand new concept -account jumping for taking over both PaaS and IaaS resources. Dirty account transfer.

We will demonstrate how attackers code can be well hidden via Lambda functions, the significant poser with storage affinity to a specific account.

We will hereafter discuss the post infection phase and how attackers can manipulate AWS resources for complete MITM attacks on services. Keep reading! We’ll examine hybrid deployments from the cloud and compromising the on premise datacenter by leveraging and modifying connectivity methods. While read and write data and even reverse its way from the cloud to the the corporate datacenter, we will cover preinfection, post infection and advanced persistency techniques on AWS that allows an attacker to access staging and production environments. Now please pay attention.

Just like exposed DMA that permits exfiltration, and sometimes modification, of user process memory Whether a software and hardware combination,, or there remains a hardware weakness where attestation keys can be compromised.

That said, this presentation will highlight one of these implementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology.

Whether kernel based, these technologies claim that no elevated process, System Management Mode based, or hypervisor based gonna be able to compromise the user’s data and execution.

These attacks against TXT and AES NI have never been published before. They are not without their own weaknesses, while certainly adding robust options to the defenders toolset. That’s right! Hardware Enforced’ Security is uted as the panacea solution to many modern computer security challenges. Summation will offer defenses against all most of the technologies attempt to protect user data from privileged processes snooping or controlling execution. Specifically, we will show how a hypervisor rootkit can bypass Intel’s Trusted Execution Environment DRTM and capture keys from Intel’s AESNI instructions. You should take it into account. Trusted computing has had a varied history, to include technologies similar to Trusted Execution Technology, ARM TrustZone, and now Microsoft Isolated User Mode and Intel SGX.

In this talk we will demonstrate how ‘lowlevel’ technologies like hypervisors can be used to subvert the claims of security made by these mechanisms.

Problems with these technologies have surfaced not as design problems but during implementation.

So this presentation will highlight the ageold problem of misconfiguration of Intel TXT by exploiting a machine through the use of another Intel technology, the Type 1″ hypervisor. As security professionals we are in an unique position to completely new research about a threat actor targeting lawyers and activists in Europe and the Post Soviet States. There’s some more info about it here. Lots of them don’t even have a single security professional on staff, Activists, lawyers and journalists are, for the most part, completely unprepared to deal with ‘cyberattacks’.

In this session Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers across the planet, including EFF.

The PLC user programs can be uploaded and downloaded without any restriction.

Older S7 300 and S7400 PLCs are supported by a few OpenSource solutions supporting the protocols used on these older PLCs. Actually the ‘builtin’ know how protection forbids modifications of the user program on the PLC and prevents the extraction of the user program from the PLC. So it’s the first time so it is publicly shown. Infection of the PLC takes roughly 10 seconds. Depending on the actually used model of the S71200″ different setups can be required. Our worm malware requires 385kb RAM and 2166kb persistent memory. For the remote administration of the compromised PLCs we implemented a CommandControl server. Infected PLCs automatically contact the CC server and can be remotely controlled using this connection. No PCs or additional hardware is required. Since the infection has succeeded the PLC undergoes a warm restart and the worm is running additionally to to the original user program.

We will present and demonstrate the first PLC only worm.

Our malware requires 7ms per cycle.

Did you know that the Siemens Simatic PLCs are managed using a proprietary Siemens protocol. Using this connection we can manipulate any physical input or output of the PLC. We developed the first PLC only worm. While the infection is in progress the PLC is in Stop mode. Actually the operator does not notice any changed behavior. Using this interface even PLCs not connected to the ethernet network might be compromised. Original user program still has loads of time to run. Model RAM Persistent Memory S7 1211″ 50kb 1Mb S71212″ 75kb 1MB S71214″ 100kb 4MB S7 1215 125kb 4MB ‘S71217’ 150kb 4MB A critical requirement for the execution of a PLC program is the cycle time for one full cycle of the user program. Our PLC worm will scan and compromise Siemens Simatic S71200 v1 v3 PLCs without any external support. When accessing these blocks the TIA Portal crashes preventing the forensic analysis. Our malware attaches itself to the original software and runs in parallel to the original user program. Besides, an additional proxy function enables us to access any additional system using a tunnel.

Only after these are found the program compromises these PLCs by uploading itself to these devices.

We are now able to install and extract any user program on these PLCs currently sold by Siemens.

It’s a well-known fact that the current versions S71200v4″ and ‘S71500’ again changed the protocol and are not susceptible to the attack. So it is the first time publicly shown. By default all Siemens Simatic ‘S71200v1v3’ PLCs are susceptible to this attack. Lastly the Stop mode might be initiated through the CC connection requiring a cold restart of the PLC by disconnecting the power supply. On the basis of this work we developed a PLC program which scans a local network for other S7 1200v3″ PLCs. Now this talk emphasizes the significance of the built in protection features in modern PLCs and their correct deployment by the user. Worm is fully selfcontained and lives only on the PLC. Futhermore this protocol is used to upload and download user programs to the PLC. I’d say if the operator connects to the PLC using the programming software TIA Portal 11 the operator may notice unnamed additional function blocks.

Our worm prevents its detection and analysis.

If the PLC does not offer the memory required by the original user software including our worm the worm may overwrite the original user program.

While we present an attack via the ethernet interface the installation of the user program can also happen using the field bus interface. With that said, this feature does not offer the protection advertised. We will demonstrate the attack in the course of the talk. Our own implementation can extract the user program, display the source code, modify the program and reinstall the modified program. These PLCs are not susceptible to the attack. Therefore this protection is only implemented within the programming software used to install the software. Besides, the worm is only written using the programming language SCL and does not need any additional support. Besides, the ‘builtin’ access protection does prevent the attack we will demonstrate. We can upload and download user programs using this feature to any PLC using our own implementation. Accordingly the Siemens Simatic PLCs support a couple of protection mechanisms. With the introduction of the ‘S7 1200v4’ Siemens introduced again a brand new protocol. We will explain these mechanisms and their result on the attack. Furthermore this protection is implemented only in the programming software. So it’s just 7 of the maximum cycle time configured by default on the PLC models we inspected.

Using this protocol the PLC should be stopped, started and diagnostic information should be read.

The built in copy protection restricts the user program to run only on a subset of PLCs with specific serial numbers.

So already installed user software ain’t removed and still running on the PLC. We inspected the protocol on the basis of the S7 1200v3 and implemented the protocol by ourselves. With the introduction of the S71200 the protocol is replaced by a new version. When the first PLC is infected using the Ethernet all other PLCs connected by the field bus must be compromised as well. That protection is implemented on the client. Winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation.

In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel.

This presentation will detail the eight winning browser to super user exploitation chains demonstrated at this year’s Pwn2Own contest.

Whenever reducing attack surfaces with application sandwriteing is a step in the right direction, the attack surface remains expansive and sandwritees are clearly still just a speed bump on the road to complete compromise. It’s shell on earth, If you’re like us, you can’t get enough of it. Any successful submission provided remote code execution as the super user via the browser or a default browser plugin. Kernel exploitation is clearly a poser which has not disappeared and is possibly on the rise. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented. We will cover pics just like modern browser exploitation, the complexity of kernel Use After Free exploitation, and the simplicity of exploiting logic mastercard company. We implement a proof of concept attack allowing us to violate the authenticity of affected HTTPS connections and inject content. We investigate noncereuse problems with the Galois/Counter Mode algorithm as used in TLS. Tears into the internal design of the local drive, and extends the work by Czarny Rigo to validate the security depending on the MB86C311 chipset.

Now this presentation demonstrates a method of brute forcing a ‘AES 256’ encrypted solid state drive by spoofing the ‘front panel’ keyboard. Differences between forests and domains, including how multidomain AD forests affect the security of the forest. Secure Channel is Microsoft’s standard SSL/TLS Library underpinning services like RDP, Outlook, Internet Explorer, Windows Update, SQL Server, LDAPS, Skype and many third party applications. With that said, this information is therefore leveraged to decrypt a session that uses ephemeral key exchanges. How does Schannel guard its secrets?This talk looks at how Schannel leverages Microsoft’s CryptoAPI NG to cache the master keys, session keys, private and ephemeral keys, and session tickets used in TLS/SSL connections. What about the internals? Schannel had been the subject of scrutiny in the past a few years from an external perspective due to reported vulnerabilities, including a RCE. It discusses the underlying data structures, and how to extract both the keys and similar useful information that provides forensic context about connection.

Therefore this makes it forensically relevant in cases where other evidence of the connection may have dissipated. While storing up to 20000 entries for client and server any, information in the cache lives for at least 10 hours by default on modern configurations. Therefore this pic will talk about how to get the PLC data stream in a PLC communication system which should use G3 or Prime standard, and will also talk about how to detect attacking in the net. Therefore the PLC technology is divided with 2 ‘sub field’. PLC and ‘wideband’ PLC. For the ‘narrow band’ PLC, look, there’re 2 very import standards. We will focus on how to identify which kind of standard the system using and how to sniff the PLC data in physical level. Power line communication is a kind of communication technology which uses the power line as the communication media. Prime and GBoth the standards are widely used in AMR and electric monitor system and it lead to the rise of threat in AMR system security and electric safety. We also described the security properties of any and asked participants for their opinions. In a 52person interview study, we asked participants to complete encryption tasks using both a traditional ‘key exchange’ model and a keydirectorybased registration model. Little is known about how average users evaluate these tradeoffs, these ols sacrifice some security properties for convenience, that alarms some security experts.

Recently ols like Apple’s iMessage and Google’s End to End have made it more broadly accessible by using ‘keydirectory’ services, Historically, endtoend encryption has proven extremely difficult for people to use correctly.

We found that participants understood the two models well and made coherent assessments about when different tradeoffs isn’t able to decrypt the content, to achieve true message privacy. Recent revelations demonstrate that these communications can often be intercepted, loads of critical communications now take place digitally. Over the past year I have worked at understanding and breaking the new methods that ATM manufactures have implemented on producing Next Generation Secure ATM systems. While uching also on failures in the past with EMV implementations and how bank card data of the future will most possibly be sold with the new EMV data -with a short life span, so this talk will demonstrate how a $ 2000 investment can perform unattended cash outs.

Therefore this demonstration of the system can cash out around $ 20000/ $ 50000 in 15 min.

This includes bypassing Antiskimming/Anti Shimming methods introduced to the latest generation ATMs, gether with NFC long range attacks that allow ‘realtime’ card communication now this talk will include a demonstration of LaCara, an automated cash out machine that works on current EMV and NFC ATMs. La Cara is an entire fascia placed on the machine to hide the auto PIN keyboard and flashable EMV card system that silently withdraws money from harvested card data. With these methods revealed we going to be able to protect against similar kinds of attacks types. AD database format, files, and object storage. At the end, a proofofconcept, able to work both in passive mode and in active mode, might be released.

Throughout the talk, the author will explain the theory behind the attack, how common the factors are that make it possible and his custom pratical implementation of the technique.

Even RSA keys of 4096 bits can be factored at the cost of a few CPU cycles and computational resources.

Devices like firewall, switch, router and identical embedded appliances are more exposed than traditional IT servers or clients, as long as of these premises. They always taught us that a single thing that can be pulled out from a SSL/TLS session using strong authentication and latest Perferct Forward Secrecy ciphersuites is the public key of the certificate exchanged throughout the handshake -an insufficient condition to place a MiTM attack without to generate alarms on the validity of the TLS connection and certificate itself. All that needed is the generation of a faulty digital signature from server, an event that can be observed when occurring certain conditions like CPU overheating, RAM Surely it’s possible to derive the private key of server regardless of the size of the used modulus. It’s not always true. Mostly there’re various messaging standards in place like AMQP, MQTT, and STOMP.

Last but not least, the Java Messaging Exploitation Tool should be presented to wheneverit gets to the Java World it’s rather unknown that Messaging in the Java ecosystem relies heavily on Java’s serialization.

Message Brokers similar to Pivotal’s RabbitMQ, IBM’s WebSphere MQ and others often form a key component of a modern backend system’s architecture. Now this talk will show the attack surface of various Java messaging API implementations and their deserialization vulnerabilities. Recent advances in the exploitation of Java deserialization vulnerabilities can be applied to exploit applications using Java messaging. It’s used by your favourite Mobile Messenger as well as in your bank’s backend system. Messaging can be found everywhere. We will also show a set of new techniques we developed for automatically detecting Hare flaws within different Android versions, that can be utilized by the device manufacturers and identical parties to secure their custom OSes.

Whenever demonstrating the significant impacts of the poser from stealing user’s voice notes, controlling the screen unlock process, replacing Google Email’s account settings to injecting messages into Facebook app and Skype, on the factory image of 97 most popular Android devices, we discovered 21557 likely Hare flaws.

We will provide the guidance for avoiding this pitfall when building future systems.

Further, it helps decision makers to understand that national security choices day have ramifications for democracy and human rights tomorrow. For the purposes of tailoring the Android to different hardware platforms, countries/regions and similar needs, hardware manufacturers, device manufacturers, carriers and others have aggressively customized Android into thousands of system images. Look, there’re still many skeptics of cyber war, and more questions than answers. With that said, this ‘NATO funded’ research project, undertaken by 20 leading authorities on national security and network security, is a benchmark for world leaders and system administrators alike, and sheds light on whether cyber war is now reality or still science fiction. Does computer hacking have strategic effects? What are the political and military limits to digital operations in peacetime and war? How much does it conflict between Russia and Ukraine appears to have all the ingredients for cyber war. In this talk, we will show that such flaws could’ve serious security implications, I’m pretty sure, that’s, a malicious app can acquire critical system capabilities by pretending to be the owner of an attribute who was used on a device while the party defining it does not exist due to vendor customizations.

Now this practice has led to a highly fragmented ecosystem where the complicated relations among its components and apps though which one party interacts with the other been seriously compromised.

Moscow and Kyiv are playing for the highest geopolitical stakes, and both countries have expertise in information technology and computer hacking.

That said, this leads to the pervasiveness of Hare, a vulnerabilities type never investigated before. Whenever expecting from the users error free decision making under these circumstances is being highly unrealistic, even if they are provided with effective awareness training. It will be possible to make virtually any person click on a link, as any person going to be curious about something, or interested in some topic, or find the notification plausible as they know the sender, or since it fits their expectations. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X with near perfect accuracy in a few seconds. We propose potential hardware modifications that can prevent or mitigate the DrK attack. In DrK, we turned this property into a timing channel that can accurately distinguish the mapping status and execution status of the privileged address space.

Among various hardening techniques, kernel address space layout randomization is the most effective and widely adopted technique that can practically mitigate various memory corruption vulnerabilities, just like buffer overflow and use after free.

Kernel hardening had been an important topic, as many applications and security mechanisms often consider the kernel their Trusted Computing Base.

In this talk, we present a novel timing side channel attack against KASLR, called DrK, that can accurately, silently, and rapidly derandomize the kernel memory layout by identifying page properties. Whenever making it nearly impossible to be detected in practice, its surprising accuracy and precision, basically has no visible footprint. In principle, KASLR is secure as long as no memory disclosure vulnerability exists and high randomness is ensured. DrK is on the basis of a brand new hardware feature, Intel Transactional Synchronization Extension, that allows us to execute a transaction without interrupting the underlying operating system even when the transaction is aborted due to like access violation and page faults. In this presentation we recap the injections we discovered earlier this year and show them in detail.

That’s what actually allowed us to detect the injection events first off.

We also present a novel client side ol to mitigate such attacks that has minimal performance impact.

Earlier this year we have shown that false content injection is practiced by network operators for commercial purposes. In this work we present a massively largescale survey of Internet traffic that studies the practice of false content injections on the web. Additionally, we shall show new kinds of ‘non commercial’ injections, identify the injectors behind them and discuss their modi operandi. We examined more than 5 data Petabits from Basically the attacks we discovered are done using outofband TCP injection of false packets. These network operators inject advertisements and malware into webpages viewed by potentially ALL users on the Internet. We shall discuss in detail analysis of a targeted injection attack against a American website. That’s a very practical, hands on ol for developers that the Voice Privacy Alliance believes is crucial in case you want to secure voice enabled technologies and promote innovation.

Voice enabled technology provides developers with great innovation opportunities as well as risks.

These security stories Voice Privacy Alliance created a set of 39 Agile security stories specifically for voice enabled IoT products as part of the Voice Privacy Innovation Toolkit. Now look, the ‘browserbased’ XS search attack exploits the differences in the sizes of HTTP responses, and works even when significant inflation of the response is impossible. Now look, a novel attack type that allows the attacker to significantly increase the difference in the sizes of the responses by planting maliciously crafted record into the storage, when So there’s no leakage of information via the timing side channel it’s possible to use second order ‘XS search’. SO XSsearch attacks can be used to extract sensitive information similar to email content of Gmail and Yahoo users, and search history of Bing users.

That said, this part also involves algorithmic improvements compared to previous work.

The attack exploits inflation techniques to efficiently distinguish between search requests that yield results and requests that do not.

Cross site search is a practical timing side channel attack that allows the extraction of sensitive information from web services. We begin with browser based XSsearch attack and demonstrate its use in extracting users’ private data from Gmail and Facebook. As the difference in the sizes of the responses increases, it becomes easier to distinguish between them, This work focuses on the response inflation technique that increases the size of the response. Now look, the corresponding webpage showed the access denied message, when clicked.

We argue that knowing how people reason about their clicking behavior can and later asked them about the reasons for their clicking behavior. We will also describe the backend architecture, on the basis of HBase and ElasticSearch, that we use to index global Internet metadata so it’s easily searchable and retrievable.

We distinguish two such types hosting infrastructures.

Join us in this talk to learn about effective methods to investigate malware from both network and actors’ perspectives and hear about our experience on how to deploy and mine large scale Internet data to support threat research.

Crimeware campaigns nowadays rely heavily on bulletproof hosting for scalable deployment. I am sure that the talk describes how to proactively bridge the gap between the actors and network views by identifying the IP space of the mentioned hosters given very few initial indicators and predictively block it. Concurrently, we investigate underground forums for emerging signals about bulletproof hosters just about to be employed for malware campaigns. We start by using DNS traffic analysis and passive DNS mining algorithms to massively detect malware domains. So it is made possible thanks to the deployment at large scale of DNS PTR, SSL, and HTTP data provided by Project Sonar datasets and our own scanning of certain IP regions. In this talk, we describe a holistic and scalable approach to investigating and combating cybercrime. That’s a fact, it’s undoubtedly a serious challenge facing security researchers to devise means to quickly index and search through vast quantities of security related log data.

Therefore this network is a hostingasa service platform for various malware and ransomware C2, phishing, carding, and botnet panels.

We will demonstrate novel methods using DNS PTR data to further map out the entire IP space of bulletproof hosters serving these attacks, right after we identify the hosting Ps of these domains.

By the way, the second type exists in dedicated servers acquired from rogue hosting companies or large abused hosting providers with the purpose of hosting exploit kits, phishing, malware C2, and identical gray content. I know that the network attack surface exploited by malware manifests itself through various aspects similar to hosting IP space, DNS traffic, open ports, BGP announcements, ASN peerings, and SSL certificates. Undoubtedly it’s crucial to actors’ view tracks trends, motivations, and TTPs of cyber criminals by infiltrating and maintaining access to closed underground forums where threat actors collaborate to plan cyber attacks. In the case of fast flux proxy networks, we leverage SSL data to map out larger sets of compromised hosts. Using random kenize numbers and implementing Magnetic Secure Transmission technology, that do not guarantee that any ken generated with Samsung Pay must be applied to make a purchase with similar Samsung device.

It’s really necessary to that said, this makes it impossible for Samsung Pay to have a full control process of the kens pile. That means that an attacker could steal a ken from a Samsung Pay device and use it without restrictions. How random is a Spay kenized number? Therefore this app is a complex mechanism which has attempting to become amid the most secure approaches offering functionality and simplicity for its customers, without storing or sharing any kind of user’s debit card information. Inconvenient but practical is that Samsung’s users could utilize the app in airplane mode. a lot of the vulnerabilities have not been fixed until this submission though we reported to Apple over half a year ago.

We will take Airwrite, Bonjour and Multipeer Connectivity as examples to show the vulnerabilities in their design and implementation and how we hacked these ZeroConf frameworks and system services to perform MitM attacks.

We will introduce ZeroConf techniques and publish technical details of our attacks to Apple ZeroConf techniques.

When the design pendulum swings wards usability, concerns may arise if the system is adequately protected. Apple has adopted ZeroConf techniques in various frameworks and system services on iOS and OS X to minimize user involvements in system setup, as the major proponent of ZeroConf techniques. While enabling them to work together, with the proliferation of portable computing systems like tablet, internet of Things, and suchlike, ordinary users are facing the increasing burden to properly configure those devices. In this presentation, we will report the first systematic study on the security implications of these ZeroConf techniques on Apple systems. Even when attempts been made to protect them against such threats, zeroConf frameworks on the Apple platforms. Are mostly unprotected and system services. Turn out to be completely vulnerable to an impersonation or Man in the Middle attack. While allowing a malicious device to steal documents to be printed out by other devices or files transferred between other devices, the consequences are serious. Our research brings to light a disturbing lack of security consideration in these systems’ designs. We will also show that a certain amount vulnerabilities are due to TLS’ incompetence to secure ‘device to device’ communication in the ZeroConf scenario, that is novel discovery and contributes to the state of the art. Such ZeroConf services are characterized by automatic IP selection, host name resolving and target service discovery.

Our study highlights the fundamental security challenges underlying ZeroConf techniques. Whenever using techniques dubbed ‘zero configuration’, in response to this utility challenge, major device manufacturers and software vendors tend to build their systems in a plug and play fashion. Basically the meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by hundreds of the security field. We will prevent weaponized exploits targeting Windows and Linux ‘x8664’ operating systems that nominally bypass antiexploit technologies like Microsoft’s EMET tool. We extend and generalize this approach by fine tuning lowlevel processor features that enable us to insert a CFI policy to detect and prevent abnormal branches in ‘real time’. Prior research has demonstrated the effectiveness of leveraging processorprovided features similar to the Performance Monitoring Unit in case you are going to trap various events for detecting ROP behaviors.

Configuration of PMU interrupt delivery without tripping Microsoft’s PatchGuard; efficient algorithms for discovery of valid branch destinations in PE and ELF files at ‘runtime’; and the impact of operating in virtualized environments, Windows thread context swapping.

HTTP/2 approach to mitigate ‘control flow’ hijack attacks on the Intel architecture.

We will highlight novel solutions to major obstacles we faced. We will also present collected metrics on performance impact and the realworld applications of this technology. Rather than the kernel level, qUIC is an applicationlayer UDP based protocol that multiplexes connections between endpoints at the application level. Our promising results have shown this approach capable of protecting COTS binaries from ‘controlflow’ hijack attempts stemming from useafterfree and memory corruption vulnerabilities with acceptable overhead on modern Windows and Linux systems. In this talk, we will cover our research methodology, results, and limitations. Effectiveness of our approach using ‘hardware assisted’ traps to monitor program execution and enforce CFI policies on mispredicted branches should be demonstrated in real time. With that said, this presentation will cover Electronic Threats, Electronic Defensive measures, Recent Electronic jamming incidents, Latest Drone Threats and capabilities, defensive planning, and Electronic Attack Threats with Drones as delivery platform.

Industrial Plant operators are being forced to rethink their most fundamental assumptions about Industrial Wireless and Cyber Physical security, with new Drone technologies appearing in the consumer space daily.

Demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards similar to HPKP to cover previously unforeseen scenarios, In this talk, we’ll strictly explore the risks posed by SRI, CSP, and HPKP.

Builders supporting legacy applications actively make ‘trade offs’ between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose. We’ll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk, as a bonus for the breakers. Attention is shifting ward mitigating more complex threats, with the most basic controls complete.

Through cooperation between browser vendors and standards bodies in the recent past, numerous standards are created to enforce stronger ‘client side’ control for web applications.

Any new standard adds another layer of defense for attack patterns previously accepted as risks, as web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls.

Of the drive to control for these threats clientside, standards like SubResource Integrity, Content Security Policy, and HTTP Public Key Pinning carry larger implementation risks than others just like HTTP Strict Transport Security. Ad networks like Doubleclick can also reveal pages the user has visited. In practice, with that said, this approach is prone to flaws that can expose sensitive information or functionality to third parties.

‘e commerce’ vendors similar to Amazon and EBAY expose the user’s purchase history, and almost nearly any website exposes the user’s name and email address.

Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.

In this work, we conduct a ‘in depth’ assessment of a diverse set of major websites and explore what functionality and information is exposed to attackers that have hijacked an user’s HTTP cookies. While mechanisms similar to the EFF’s HTTPS Everywhere extension can reduce the attack surface, we also explore how users can protect themselves and find that, HTTP cookies are still regularly exposed. Basically the separation of functionality across multiple cookies with different scopes and ‘interdependencies’ further complicates matters, as imprecise access control renders restricted account functionality accessible to ‘non session’ cookies. While Bing and Baidu expose the user’s complete search history, and Yahoo allows attackers to extract the contact list and send emails from the user’s account, Our cookie hijacking study reveals a lot of severe flaws, attackers can obtain the user’s home and work address and visited websites from Google. Accordingly the privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. We explore multiple sides of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars, to fully evaluate the practicality and extent of cookie hijacking. a lot of websites still avoid ubiquitous encryption due to performance or compatibility problems.

While allowing more innocuous functionality to be accessed over HTTP, the prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections.

Service personalization inadvertently results in the exposure of private information, We identify a recurring pattern across websites with partially deployed HTTPS.

We run IRBapproved measurements on a subset of our university’s public wireless network for 30 days, and detect widespread demand for online privacy, furthermore fueled by widelypublicized demonstrations of session hijacking attacks against popular websites, has spearheaded the increasing deployment of HTTPS. Read Only Domain Controllers, security impact, and potential problems with RODC implementation. Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features. Even exploit developers have demonstrated that these results enable bugbounty arbitrage.

So there’re loads of surprises like these that are finally revealed through quantified measurements.

Sometimes the more secure product was the cheaper, and quite often the security product is the most vulnerable.

Insurance groups are already engaging CITL, as are organizations focused on consumer safety. Organizations and consumers can finally make informed purchasing decisions when it comes the security of their products, and measurably realize more hardened environments, with this information. Vendors will see how significantly better or worse their products are in comparison to their competitors. Presenters will provide examples of where these services are offered for sale, how they are purchased, and the individuals who operate them. On p of best practices for conducting live DDOS attack testing, presenters will discuss the usage of honeypots to gather historical attack details. DDOS attack usage had been accelerating, in regards to both attack volume and frequency. Representative PCAPs may be shown, dissected, and explain. Presenters will discuss loads of novel techniques utilized by law enforcement and the private sector, to measure, study, and attribute attacks originating from sources just like embedded device botnets and booter/stresser services.

Such attacks present a major threat to enterprises worldwide.

We propose a radical change to this onesizefits all approach.

Using the SCAM, we propose the development of an employee Cyber Risk Index. That’s akin to making an attempt to teach people to drive by constantly causing accidents and later pointing out why they had an accident any time. I am sure that the CRI based approach we present will lead to individualized, cognitive behavioral training and an evidencebased approach to awarding users’ admin privileges. Recent human factors researchthe Suspicion, Cognition, Automaticity Model identifies a small set of factors that lead to individual phishing victimization. Now this gotcha game presumes that users merely lack knowledge, and if they are ld often enough and repeatedly shown what they lack, they will become better at spear phishing detection. With a system that is on the basis of individuals’ quantified cyber risk propensity, the CRI will also allow security analysts to identify which users get administrative access. Rolebased apportioning method, where individuals are given access depending on their organizational role and responsibilities.

a solitary proactive solution being used against spear phishing is user training and education.

Today’s leading cybersecurity training programs focus on hooking people in repeated simulated spear phishing attacks and after all showing them the nuances in the emails they missed.

Whenever training appears to be limited in its effectiveness, judging from the tal number of continued breaches. Similar to how financial credit scores work, the CRI will provide security analysts the ability to pinpoint the weak links in organizations and identify who will fall victim, who needs training, how much training, and in addition what the training must focus on. There are paradigmchanging solutions that will altogether improve individual cyber resilience and blunt the effectiveness of spear phishing. Solving the people problem of cyber security requires us to understand why people fall victim to spear phishing. Our family/similarity detection system is the first to use deep neural networks for code sharing identification, automatically learning to see through adversary tradecraft, thereby staying up to date with adversary evolution.

Using an advanced set of features that we specifically designed for malware classification, our approach has 98percent accuracy.

This particular database is difficult to deploy, and hard and expensive to maintain for smaller organizations.

While meaning they will continuously fall out of date with adversary tradecraft, requiring, periodically, a manually intensive tuning in case you are going to adjust the formulae used for similarity between malware, and foremost, these systems do not learn to adapt to new malware obfuscation strategies. These ols compare new malware samples to a large databases of known malware samples, with intention to identify samples with shared code relationships. Whenever helping develop a general mitigation strategy against that family of threats, when unknown malware binaries are found to share code fingerprints with malware from known adversaries, they provides a key clue into which adversary is generating these new binaries. In case you are going to address these problems we developed a brand new malware similarity detection approach. Using traditional string similarity features our approach increased accuracy by 10percent, from 65percentage to 75percentage. In this presentation we describe how our method works, why I know it’s able to significantly improve upon current approaches, and how this approach can be easily adapted and tuned to individual/organization needs of the attendees.

These systems are nearly impossible to maintain, deploy, and adapt to evolving threats.

Also allows for significantly smaller deployment footprint and provides significant increase in accuracy, now this approach, not only significantly reduces the need for manual tuning of the similarity formulate.

In recent years, cyber defenders protecting enterprise networks have started incorporating malware code sharing identification ols into their workflows. These systems require an up to date, well maintained database of recent threats with intention to provide relevant results. As new family of threats are discovered, the efficacy of code sharing identification systems is demonstrated any day and countermeasures are rapidly developed for them. With that said, this presentation will discuss criteria for designing and evaluating security automation ols for your organization. What criteria should decide p approach for security automation, whenit gets to your organization. Which ols do you need? Goal is provide audience members with effective small scale and large scale automation techniques for securing their environments. Security teams need to deploy automation that can scale their processes. Where do you deploy? Organizations often scale at a faster pace than their security teams.

How do you ensure that your implementation will effectively enable teams versus just creating false positives at scale? Are there simpler alternatives to building a complex, custom built, automation environment? With that said, this approach replaces traditional software security design and implementation reviews with a true ‘endtoend’ simulation of attacks in the wild by spanning vulnerability discovery, exploit development, and mitigation bypass identification. In this presentation, we’ll share more details on how this analysis is performed at Microsoft, how it has helped drive improvements, and how we have measured the success of those improvements. In this presentation, we’ll describe plenty of the new ways that Microsoft is tackling software security and a lot of new mitigation improvements that are made to Windows 10 thence. Did you know that the various mitigation technologies that been created have played a key role in helping to keep people safe online even as the general number of vulnerabilities that are found and fixed every year has increased. Continuous improvements was made to Windows and similar Microsoft products over the past decade that have made it more difficult and costly to exploit software vulnerabilities. That said, this portion of the presentation can be seen as a followon to our Exploit Mitigation Improvements in Windows 8″ presentation which was given at Black Hat USA 2012. Now this presentation will also describe Microsoft’s unique proactive approach to software security assurance which embraces offensive security research and extends traditional redish team operations into the software security world.

Now this approach enables Microsoft to concretely evaluate the effectiveness of mitigations, identify gaps in protection, and provide concrete metrics on the cost and resources required to develop an exploit in a given scenario.

This category of analysis and insight has driven a series of mitigation improvements that has broken widely used exploitation techniques and in to that said, this presentation will describe heaps of mitigation improvements that was made in Windows 10 and the upcoming Windows 10 anniversary edition. Now this talk will cover a brand new data driven approach to software security at Microsoft. We will show how these improvements were supported by the afore-mentioned methods and what impact we expect these improvements to have going forward. So this approach involves proactive monitoring and analysis of exploits found inthewild to better see the kinds of vulnerabilities types that are being exploited and exploitation techniques being used. Now this provides concrete data to we’re looking at known in literature as Import Address Table obfuscation techniques.

Whenever taking care of modern packing techniques like unpacking on dynamic memory allocated areas and tries to defeat the most used IAT obfuscation techniques, our ol tries to reconstruct a working PE from its packed version.

Whenever helping and speeding up the analysis of an obfuscated binary, our system can extract and reconstruct the original program from a packed version of it.

While representing the unpacked program with a log about the unpacking process, that can be really useful to a malware analyst to accelerate his work as it was useful for us throughout the development of this tool, when it’s not possible to reconstruct a fully working PE, we provide all the memory dumps. Nowadays malware authors employ multiple obfuscation and packing techniques to hinder the process of reverse engineering and bypass the anti virus signature based analysis. Obfuscation can be increased by hiding the function imported by the program which is usually a valuable source of information throughout the process of reverse engineer, not only the packing strategy can be really different. By the way, the source code of our ol can be found at https.// I’m sure that the first one demonstrate the generality of our unpacking process with respect to fifteen different packers. To validate our work we have conducted two experiments. The real problem of unpacking is well studied in literature and a couple of works been proposed both for enhancing the end user’s protection and supporting the malware analysts in their work.

I know that the second experiment demonstrates the effectiveness of our system against malware samples packed with both known and unknown packers.

That’s a significant threat for end user’s PCs since this voids part of the AV analysis, and it’s also a serious problem for professional reverse engineers that have to invest lot of time with intention to unpack and study a single packed malware sample.

In this thesis we explore the possibility to exploit the functionality of a DBI framework since it provides great functionality useful in the course of the analysis process. Different approaches exist with an eye to build a generic unpacker. Our system been actually able to reconstruct a working unpacked binary for 63\ of the collected samples. Starting from this we have designed a generic unpacking algorithm that can correctly detect this behaviour and defeat the most popular of packing techniques. APIs, that gives the analyst full control of the program being instrumented. All of them must share one common behavior throughout the runtime unpacking, the packers employ different techniques with various levels of complexity. Malware developers are constantly looking for new ways to evade the detection and prevention capabilities of security solutions.

Our research demonstrates our Certificate Bypass ol and the Reflective EXE Loader.

We will take a closer look at the certificate table and how we can inject data to the table without damaging the certificate itself.

Throughout the presentation, we will focus on the research we conducted on the PE file structure. Security solution would not be able to identify that So it’s facing malware, if the security solution can not unpack the compressed or encrypted malicious content. Whenever using a benign executable, to further complicate the matter, we present a brand new technique for hiding malware inside a digitally signed file and executing it from the memory. We will examine the ol we wrote to execute PE files from memory. Last, we will conclude the demonstration with a live example and show how we bypass security solutions on the basis of the way they look at the certificate table. In recent years, we have seen many different tools, similar to packers and new encryption techniques, must use to stay safe? Well, you can finally see if you chose a hard or soft target… with the data to back it up. By equipping the monkey with advanced exploitation abilities, it can spread to any vulnerable machine within reach. Infection Monkey spins up an infected virtual machine inside random parts of your data center, to test for potential security failures. That said, this calls for a new approach to testing network security resilience. Now look, an organization’s infrastructure will withstand a breach of its perimeter security layer, and in addition handle the infection of internal servers. Our ol draws its inspiration from Netflix’s Chaos Monkey released in Netflix’s Monkey was designed to randomly delete servers in Netflix’ infrastructure to test a service’s ability to withstand server failures.

Penetration tests are limited to specific parts of a network, are expensive, and may become obsolete within months, while there’s no replacement to a highly skilled human ‘pen test’ hacker.

Gether with the ability to spread onwards from its victims, the monkey can detect surprising weak spots throughout the network.

We will focus on vulnerabilities that up until now have stayed in the industry’s ‘collective blind spot’. Whenever infecting your network to test your defenses capabilities, we have leveraged Netflix’s Chaos Monkey concept to address the challenges of the network defense community, we think that a similar approach applies to network security. Result is network blind spots which is where security threats often arise. Accordingly an ideal ol must be easy to use, budgetary conscious, autonomous and scalable. Actually the security community can greatly benefit from a disruptive, modern ol that helps verify security solution deployments and shed light on the weaker parts of the security chain. Automatic vulnerability scanners have limited accessibility and can not simulate today’s advanced lateral movement attack methods. These ols were designed for traditional, relatively static networks and can no longer address ALL the possible vulnerabilities of today’s dynamic and hybrid network. Security breaches never happen exactly the way you expected or planned for.

In our talk we will show how our Infection Monkey uncovers blind spots and argue that ongoing networkwide security testing adds strong capabilities to the security team.

The security testing olset available to security professionals day consists mainly of penetration testing and vulnerability scanners.

We propose using the Infection Monkey, a tally new open source cyber security testing tool, designed to thoroughly test a network from an attacker’s viewpoint. By inside, we mean behind the firewall and any other perimeter defense you are deploying for your computing infrastructure. Today, the dark side is capable of assembling an unprecedented massive attacking force of an unimaginable scale and magnitude. It must be an impossible mission for us to navigate through the Internet, without DNS. On p of local and global escalations, we will discuss techniques like multiple extent of random domains. Innovative use of timestamps as unique domain names. DNS is an essential substrate of the Internet, responsible for translating ‘user friendly’ Internet names into machinefriendly IP addresses.

‘record breaking’ 300gbps DNS amplification DDoS attack against Spamhaus presented by Cloudflare at Black Hat 2013 is still vivid in our minds.

Starting as a simple primitive ol used to disrupt competitors’ gaming sites to win more users among the Chinese online gaming community about five years ago, random subdomain has become amongst the most powerful disruptive weapons nowadays.

In this talk, we will present and discuss an array of new secret weapons behind the emerging ‘DNSbased’ attacks from the dark side. Random subdomain weapon also becomes much sophisticated by blending attacking traffic with legitimate operations, as the attack targets move wards more high profile and p level domains. Some real use cases could be shown to illustrate the domain surges’ impact on the Internet’s availability and stability, especially with spikes up to 5billion domains. I know it’s a challenge for the cyber security community to distinguish bad traffic from benign ones in a ‘costeffective’ manner. We will demonstrate and compare different solutions for the accurate detection and effective mitigation of random subdomain and identical active ongoing DNSbased attacks including DNS tunneling of data exfiltration on some most restricted networks being that the pervasiveness of DNS.

We will focus on the evolution of random subdomain weapon which can generate a large number of queries to nonexistent fully qualified domain names like and to overload and knock down both authoritative name servers and cache servers along the query paths.

We will analyze the root causes for the recent surges of the Internet domain counts from 300million a year ago to over ‘2 billion’.

Thanks to the dark force’s continuous innovations, the dark side of the DNS force is getting a lot more pernicious, since therefore. Leveraging up to 10X of the Internet domain names, a modern DNS based attack can easily take down any powerful online service, disrupt well guarded critical infrastructure, and cripple the Internet, despite all the existing security postures and hardening techniques we have developed and deployed, as an example. We will address this challenge by dissecting the core techniques and mechanisms used to boost attack strength and to evade detection. DNSbased attacks launched by adversaries remain a constant lethal threat in various forms, as we have seen in recent years. It was just the first one that worked.

What we call the Internet, was not our first attempt at making a global data network that spanned the globe.

The price for seeking to protect its users’ Fourth Amendment rights?

That they can handle demands effectively even if they do not have Apple level resources, with that said, this talk. Will teach an enterprise audience what they need to know about technical assistance orders by law enforcement. Advance preparation for handling technical assistance demands is especially important now since the Department of Justice was so aggressive with companies that resist broad or novel surveillance orders. So this issue has entered the public consciousness being that the FBI’s demand in February that Apple write software to that lost its legal battle and shuttered its operations after its legal defeat.

In 2007, Yahoo unsuccessfully battled warrantless wiretapping in secret before the Foreign Intelligence Surveillance Court. DOJ argued that Yahoo might be fined $ 250000 a day for ‘non compliance’ while the litigation was pending. Write custom code; allow the installation of government equipment on their systems; or hand over encryption keys, Companies that take seriously the task of securing of their users’ information and communications must be prepared to respond to demands to disclose, proactively begin storing, or decrypt user data. In the Apple or FBI case, America’s richest company faced a motion for contempt of court and derisive rhetoric from officials before it enlisted the nation’s p lawyers in its defense and ultimately fought off the case. What kind of surveillance assistance can the government force companies to provide? It’s increasingly likely that there gonna be attempts to change the fundamentals of the net, and the reality is that widespread hacking is the exact sort of force that brought us this workingish system first and foremost.

In this talk, I’ll lay out what I see as how the Internet actually works.

We will pinpoint where vulnerabilities are hidden in FIDO deployments, how difficult they are to exploit, and how enterprises and organizations can protect themselves.

One avenue to authentication improvement is offered by the FIDO Alliance’s open specifications built around public key cryptography. I know that the state of authentication is in such disarray day that a grey hat is no longer needed to wreak havoc. Are there security soft spots for potential exploitation, like maninthemiddle attacks, exploits aimed at supporting architecture, or compromises targeting physical hardware? Does FIDO present a better mousetrap? Additionally, document file formats are more stable than document processors themselves. Accordingly, we assert that ‘o checker’ can continue detecting malware with a high detection rate for long periods. We focus on deviations from file format specifications and examine stealth techniques for hiding executable files. We examine various document formats for files used in targeted attacks from 2009 to 2012 in Japan. Documents containing executable files are often used in targeted email attacks in Japan. We classify eight anomalous structures and create an ol named ‘o checker’ to detect them.

Ochecker detects 96 dot 1 of the malicious files used in targeted email attacks in 2013 and There are far fewer stealth techniques than vulnerabilities of document processors. Almost all the examined document files contain executable files that ignore the document file format specifications. Bluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices. Nonetheless that’s interesting sorty we are already aware of, the BLE specification assures secure connections through link layer encryption, device whitelisting and bonding -a mechanisms not without flaws. Run it on a portable Raspberry Pi, carry around ‘BLEpacked’ premises, share your experience and contribute to the code. Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and later just proxy the traffic -without consent of the mobile app or device. Ladies and gentlemen -I give you the BLE MITM proxy.

Basing on a few examples, I’m quite sure I will demonstrate common flaws possible to exploit, including improper authentication, static passwords, not so random PRNG, excessive services, bad assumptions -which allow you to take over control of smart locks, disrupt smart home, and even get a free lunch.

Guess what -the device GATT internals can also be easily cloned.

It’s an interesting fact that the connection from master in such cases is initiated by scanning to a specific broadcast signal, that by design can be trivially spoofed. Whenever reversing and debugging, a free open source ol which opens a whole new chapter for your IoT device exploitation. Here it finally becomes interesting -just imagine how many attacks you Did you know that the security is, as a matter of fact, provided on higher application layer of the data exchanged between the master and peripheral device. I will also suggest best practices to mitigate the attacks. Now look, a surprising number of devices do not utilize these mechanisms. In reality, there going to be multiple layers of security zones on the internal network, to protect the most critical assets. Basically the adversary often has to move through numerous additional phases in case you are going to access and manipulate specific systems to achieve his objective. We’ll review what actions are taken in any phase, and what’s necessary for the adversary to move from one phase to the next.

With that said, this model is incomplete and can lead to overfocusing on perimeter security, to the detriment of internal security controls.

We’ll discuss multiple kinds of controls types that you can implement day in your enterprise to frustrate the adversary’s plan at every stage, to avoid needing to declare game over just as an adversary has gained access to the internal network.

Whenever conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost, the primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage Actions on Objectives. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise. In this presentation, we’ll explore an expanded model including the Internal Kill Chain and the Target Manipulation Kill Chain. Cyber Kill Chain model provides a framework for understanding how an adversary breaches the perimeter to gain access to systems on the internal network. Therefore this survey of emulation detection methods is the most comprehensive examination of the pic ever presented in one place. While showing real world fingerprints discovered using the ol that can be used to detect and evade popular consumer AVS including Kaspersky, Bitdefender engine, AVG, and VBA, aVLeak may be demoed live.

While timing inconsistencies, process introspection, and CPU emulator dark red pills, aVLeak can be used to extract fingerprints from AV emulators that can be used by malware to detect that Undoubtedly it’s being analyzed and subsequently evade detection, including environmental artifacts, OS API behavioral inconsistencies, emulation of network connectivity.

AVLeak is an ol for fingerprinting consumer antivirus emulators through automated blackish write testing.

Whenever allowing researchers to extract emulator fingerprints in just a few seconds, and to script out testing using powerful APIs, aVLeak significantly advances upon prior approaches to blackish write testing. Over the past decade, the Islamic Republic of Iran was targeted by continual intrusion campaigns from foreign actors that sought access to the country’s nuclear facilities, economic infrastructure, military apparatus, and governmental institutions for the purpose of espionage and coercive diplomacy. Iranian intrusion sets appear to be primarily interested in a broader field of challenges to the political and religious hegemony of the Islamic Republic. In practice those targeted range from reformists operating within the establishment from inside of Iran to former political prisoners forced out of the country.

Since the propagandic defacements of international communications platforms and political dissident sites conducted by an organization describing itself as the Iranian Cyber Army beginning in late 2009, similarly Iranian actors are attributed to a recurrent campaigns of intrusions and disruptions of private companies, foreign government entities, domestic opposition, regional adversaries and international critics.

The intent of the CNO activities isn’t always discernable depending on the tactics used or the data accessed, as the end implications of the disclosure of particular information is often distant and concealed.

Iranian intrusion campaigns have also reflected an interest in internal security operations against active political movements that have historically advocated for the secession of ethnic minority provinces or overthrow of the political establishment through violence. Reasons for Iranian intrusion campaigns range from retaliatory campaigns against adversaries, where such intent is made evident to surveillance of domestic opposition in support of the Islamic Republic establishment. Across the records of hundreds of intrusion attempts of campaigns conducted by a distinct sets of actors, distinct patterns emerge in the kinds of individuals types and organizations targeted by Iranian actors by internal security operations. Previous reports on Iranian campaigns have referred to the targeting of Iranian dissident.

You Might Also Like

No Comments

Leave a Reply