In this talk, I’ll lay out what I see as how the Internet actually works. We need to talk about the values of cryptography, of open software and networks, of hackers being a force for measurable good. We need to talk about how infrastructure like DNS — it was there 25 years ago, we can imagine it will be there 25 years from now — acts as foundation for future development in a way that the API of the hour doesn’t. Things do need to be better, and we need to talk about the role of Government in that.
The things that need to be better are technical in nature, and guide research priorities that are outright not being addressed at present. We can’t keep screwing this up forever. Let’s talk about how it really works, so we can discuss how we can do it better. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented. Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise.
Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice. The same principles can be applied to attack web applications running JNDI lookups on names controlled by attackers. The talk will first present the basics of this new vulnerability including the underlying technology, and will then explain in depth the different ways an attacker can exploit it using different vectors and services. We will focus on exploiting RMI, LDAP and CORBA services as these are present in almost every Enterprise application. LDAP offers an alternative attack vector where attackers not able to influence the address of an LDAP lookup operation may still be able to modify the LDAP directory in order to store objects that will execute arbitrary code upon retrieval by the application lookup operation.
This may be exploited through LDAP manipulation or simply by modifying LDAP entries as some Enterprise directories allow. Could a worm spread through a smart light network? This talk explores the idea, and in particular dives into the internals of the Philips Hue smart light system, and details what security has been deployed to prevent this. Examples of hacking various aspects of the system are presented, including how to bypass encrypted bootloaders to read sensitive information. Details on the firmware in multiple versions of the Philips Hue smart lamps and bridges are discussed.
HPKP to cover previously unforeseen scenarios. In this talk, we present an adaptive Android kernel live patching framework, which enables open and live patching for kernels. It enables online hotpatching without interrupting user-experience. Unlike existing Linux kernel hotpatching solutions, it works directly on binaries and can automatically adjust to different device models with different Android kernel versions. Unfortunately, these systems are hard to maintain, deploy, and adapt to evolving threats.
First and foremost, these systems do not learn to adapt to new malware obfuscation strategies, meaning they will continuously fall out of date with adversary tradecraft, requiring, periodically, a manually intensive tuning in order to adjust the formulae used for similarity between malware. Security guarantees or guaranteeing security is almost a taboo subject in the industry. They’re technically right, of course, but they’re also missing the bigger picture. Just like we all buy electronics, cars, tools, or toys for the kids, all of these items sometimes break – yet, every manufacturer still provides some kind of guarantee. Also, one does not simply launch a security guarantee program. A great many things must be discussed, analyzed, and accounted for first.
Besides a lot of theory, we will also demonstrate actual exploits: one against VBS itself and one against vulnerable firmware. Before attending, one is encouraged to review the two related talks from Black Hat USA 2015: “Battle of the SKM and IUM: How Windows 10 Rewrites OS Architecture” and “Defeating Pass-the-Hash: Separation of Powers.” The goal of this presentation is to help researchers, analysts, and security enthusiasts get their hands dirty applying machine learning to security problems. We will walk the entire pipeline from idea to functioning tool on several diverse security-related problems, including offensive and defensive use cases for machine learning.
Attacking SDN Infrastructure: Are We Ready for the Next-Gen Networking? In this briefing, we explore the attack surface of SDN by actually attacking each layer of the SDN stack. The SDN stack is generally composed of the control plane, the control channel and the data plane. The control plane implementations, commonly known as SDN controllers or Network OS, are typically developed and distributed as open-source projects. Opendaylight: Towards a model-driven SDN controller architecture. 2014 IEEE 15th International Symposium on. ONOS: towards an open, distributed SDN OS. Proceedings of the third workshop on Hot topics in software defined networking.
B4: Experience with a globally-deployed software defined WAN. When augmenting analysis by importing runtime data, much of the information is displayed using a color scheme. This allows the info to be passively absorbed, making it useful rather than obtrusive. Ablation makes it simple to diff samples and highlight where the samples diverge.
This is achieved by comparing the code executed rather than just comparing data. Consider comparing a heavily mutated crash sample with the source sample. Finding the root cause of the crash is normally tedious and unrewarding. Using Ablation, the root cause can often be determined simply by running each sample and using the appropriate color scheme. Recent findings have indicated that highly traversed code is not particularly interesting, and that code infrequently executed, or adjacent to it, is more interesting.
Ablation could be used to identify undocumented features in a product given a sample set. Vulnerability research is all about the details. Having this information passively displayed could be the difference between confusion and discovery. Ablation will be made open source at BH2016.
Emulator fingerprints may be discovered through painstaking binary reverse engineering, or with time-consuming black box testing using binaries that conditionally choose to behave benignly or drop malware based on the emulated environment. AVLeak significantly advances upon prior approaches to black box testing, allowing researchers to extract emulator fingerprints in just a few seconds, and to script out testing using powerful APIs. This survey of emulation detection methods is the most comprehensive examination of the topic ever presented in one place. Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. This presentation will introduce a new threat model. We will also show you how to defend against this threat, particularly on those systems that are no longer supported by Microsoft.
It is primarily used in networks where clients are only allowed to communicate to the outside through a proxy. Attendees will hear the rather surprising results that this experiment yielded: The DNS portion of the experiment revealed more than 38 million requests to the WPAD honeypot domain names from oblivious customers – while the intranet Free-WIFI experiment proved that almost every second Wifi spot can be utilized as attack surface. Mac from an Apple Watch, and the user’s passwords and credit card information, respectively. Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target. Differing views of Active Directory: admin, attacker, and infosec.
The differences between forests and domains, including how multi-domain AD forests affect the security of the forest. Dig into trust relationships and the available security features describing how attack techniques are impacted by implementing these trust security features. Key Domain Controller information and how attackers take advantage. Windows authentication protocols over the years and their weaknesses, including Microsoft’s next-generation credential system, Microsoft Passport, and what it means for credential protection. Key Active Directory security features in the latest Windows OS versions – the benefits and implementation challenges. Let’s go beyond the standard MCSE material and dive into how Active Directory works focusing on the key components and how they relate to enterprise security.
We propose a radical change to this “one-size-fits all” approach. Breaking FIDO: Are Exploits in There? The state of authentication is in such disarray today that a black hat is no longer needed to wreak havoc. Problems with these technologies have surfaced not as design issues but during implementation.
This session will be targeted at small to medium companies that have small or overstretched security teams, and will share content and best practices to support these teams’ product incident response programs. Attendees will be provided with templates and actionable recommendations based on successful best practices from multiple mature security response organizations. This talk focuses on the entirety of the mobile ecosystem, from the hardware components to the operating systems to the networks they connect to. We will explore the core components across mobile vendors and operating systems, focusing on bugs, logic, and root problems that potentially affect all mobile devices.
We will discuss the limitations of mobile trusted computing and what can be done to protect both your data and the devices your data reside on. Security auditors are used to dealing with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than the ability to listen to or interact with what they are auditing. Specifically, they need to be able to intercept communications and block them, forward them or modify them on the fly.
In this talk, we present CANSPY, a platform giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy. It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. In this talk we’ll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we’ll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor.
This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. In this talk, we will cover our research methodology, results, and limitations. Most recently, the FCC formally proposed new Internet security and privacy rules. The Commission recommended that, if your Internet service provider wants to share information from or about you, it should first obtain your affirmative, opt-in consent. We will explain how the rulemaking process functions, and how you can file comments on FCC proceedings.
It discusses the underlying data structures, and how to extract both the keys and other useful information that provides forensic context about the connection. This information is then leveraged to decrypt a session that uses ephemeral key exchanges. In this talk, we will show that such flaws could have serious security implications: a malicious app can acquire critical system capabilities by pretending to be the owner of an attribute that has been used on a device while the party defining it does not exist due to vendor customizations. Dark Side of the DNS Force. DNS is an essential substrate of the Internet, responsible for translating user-friendly Internet names into machine-friendly IP addresses.
In this talk, we will present and discuss an array of new secret weapons behind the emerging DNS-based attacks from the dark side. We will analyze the root causes for the recent surges of the Internet domain counts from 300 million a year ago to over 2 billion. Some real use cases will be shown to illustrate the domain surges’ impact on the Internet’s availability and stability, especially with spikes up to 5 billion domains. We will address this challenge by dissecting the core techniques and mechanisms used to boost attack strength and to evade detection. We will discuss techniques such as multiple levels of random domains, mixed use of constant names and random strings, innovative use of timestamps as unique domain names, as well as local and global escalations.
This talk describes the results of a recent task force to identify the top technologies, operational innovations and public policies which have delivered security at scale for the defense to catch up with attackers. All of these innovations have one thing in common: a dollar of defense buys far more than a dollar of offense. Now that we’ve recognized what has been most effective, the community has to repeat these successes at hyperscale, and the talk gives recommendations. Although almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP. In this presentation, we aim to shed some light on the secure enclave processor and SEPOS.
In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Design Approaches for Security Automation. Organizations often scale at a faster pace than their security teams. Does Dropping USB Drives in Parking Lots and Other Places Really Work? Given the need to improve the existing tools and methodologies in the field of program crash analysis, our research speeds up dealing with a vast corpus of crashes.
We discuss existing problems and ideas, and present our approach, which is in essence a combination of backward and forward taint propagation systems. We all arrive at the same conclusion: we need to train people on the stakes of computer security. This briefing will propose a new way to train a neophyte audience in the basic principles of Computer Security. The training is developed around a role-playing game consisting of attacking and defending a building. A debriefing is done after the game to highlight all the similarities between the game and computer security stakes.
The presentation will focus on the main feature of the training, and a white paper explaining how to conduct such a training will be available. However, statistical analysis showed that this was not connected to their reported clicking behavior. Moreover, while sending employees fake spear phishing messages from spoofed colleagues and bosses may increase their security awareness, it is also quite likely to have negative consequences in an organization. People’s work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization, promoting the atmosphere of distrust.
Using a few simple tricks, we can ensure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic – without the consent of the mobile app or device. And here it finally becomes interesting – just imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication! I had chosen my prey carefully. GoodFET, the preferred open source tool of discriminating hardware hackers around the world, consisted of too many disparate hardware designs. The Facedancer variant alone had at least three different and incompatible code bases! The hardware designs were easy to build one at a time but needlessly costly for volume manufacturing. The project was ripe for a takeover.
I struck when Travis Goodspeed was most vulnerable, his faculties diminished by the hordes of Las Vegas. With GoodFET in my control I moved quickly to replace the entire project with something superior, something greater! The talk discusses the paradigm of Incident Response in the cloud and introduces tools to automate the collection of forensic evidence of a compromised host. It highlights the need to properly configure an AWS environment and provides a tool to aid the configuration process.
Cloud IR: How is it Different? Incident response in the cloud is performed differently than in on-premise systems. Specifically, in a cloud environment you cannot walk up to the physical asset, clone the drive with a write-blocker, or perform any action that requires hands-on time with the system in question. The same features of cloud platforms that make it possible to globally deploy workloads in the blink of an eye can also make incident handling easier. An AWS user may establish API keys to use the AWS SDK to programmatically add or remove resources in an environment, scaling on demand.
And while these stories are sensational, they are preventable by placing limits on a cloud account directly. More concerning is the risk of a compromised key being used to access private data. AWS environments can be hardened by following traditional security best practices and leveraging AWS services. AWS Config provides historical insight into the configuration of AWS resources, including users and the permissions granted in their policies. API keys associated with AWS accounts should be delegated according to least privilege and therefore have the fewest permissions granted in their policies as possible. Furthermore, API keys should be tightened to restrict access only to the resources they need. Managing these policies is made easier by the group and role constructs provided by AWS IAM, but it still leaves the user having to understand each of the 195 policies currently recognized by IAM.
We present custom tooling so the entire incident response process can be automated based on certain triggers within the AWS account. With very little configuration, users could detect a security incident, acquire memory, take snapshots of disk images, quarantine, and have it presented to an examiner workstation all in the time it takes to get a cup of coffee. Additional tooling is presented to aid in the recovery of an AWS account should an AWS key be compromised. The tool attempts to rotate compromised keys, identify and remove rogue EC2 instances and produce a report with next steps for the user. Finally, we present a tool that examines an existing AWS environment and aids in configuring that environment to a hardened state.