Jacob Torrey: Bootstrapping an Architectural Research Platform

Over the next few weeks we’re going to announce the 44CON talks and workshops. Don’t forget to get your tickets!

Our next announcement is Jacob Torrey – Bootstrapping an Architectural Research Platform

This talk aims to provide the fundamental architectural knowledge and resources for a security researcher interested in misuse of the x86 platform, so they can conduct their own research with less “boiler-plate”. Covering the privileges and architectural events that the different CPU rings can monitor, a few basic research hypervisors, and new technologies coming into the mainstream, the talk will help researchers focus rapidly on the research questions rather than on the setup.

Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc., where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, an OS, a hypervisor and an SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of that architecture. In addition to his research, Jacob volunteers his time organizing conferences in Denver (RMISC & BSidesDenver) and regular meet-ups across the Front Range.

You can follow Jacob on Twitter @JacobTorrey

Details of all of our talks, workshops and speakers are being announced daily. Don’t forget to book your tickets before they’re sold out!

Rogan Dawes & Dominic White: Universal Serial aBUSe: Remote Physical Access Attacks

Our next announcement is Rogan Dawes & Dominic White: Universal Serial aBUSe: Remote Physical Access Attacks.

In this talk, we’ll cover some novel USB-level attacks that can provide remote command and control of air-gapped machines, with a minimal forensic footprint, and release an open-source toolset using freely available hardware.

In 2000, Microsoft published its 10 immutable laws of security [1]. One of which was: “If a bad guy has unrestricted access to your computer, it’s not your computer any more”. This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as FireWire [2], PCMCIA and Thunderbolt [3], as well as USB-based attacks including simple in-line keyloggers, “evil maid” attacks [4] and malicious firmware [5].

Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disk encryption, or the impact of Apple’s Secure Enclave on the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces.

In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to “chewy” internal networks [10] ripe for lateral movement.

While most people are familiar with USB devices, many don’t realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implement an end-to-end attack either because that was not their intention, they only focus on a part of the attack or the project was never completed.

Additionally, existing attacks are predominantly “send only” with no built-in bidirectional communications. They usually rely on the executed payload and the host’s networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, and leave them vulnerable to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often “spray and pray”, unable to account for variations in the user’s behaviour or computer setup.

Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth and offload the complexity to our hardware, leaving a small simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low cost hardware. The design and toolkit will be released during the talk.

Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or a standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device. The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness’ sake, a new transport for meterpreter was developed to allow metasploit payloads to be used instead.

Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.
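The host-side stub described above, modelled as an added example (this is Python written for this page, not the SensePost toolkit’s code): a command/response channel framed over fixed-size raw-HID reports, with an in-memory queue pair standing in for the device’s interrupt endpoints. The 64-byte report size, the 3-byte header and the FakeHidLink class are assumptions made for this illustration.

```python
"""Model of a host stub relaying commands and their output over raw HID reports.

Added example, not the toolkit described in the talk. Assumptions: 64-byte
reports, a 3-byte header (flags byte, little-endian payload length), and an
in-memory queue pair standing in for the HID interrupt IN/OUT endpoints.
"""
import struct
import subprocess
from collections import deque

REPORT_SIZE = 64                  # assumed interrupt-endpoint report size
HEADER = struct.Struct("<BH")     # flags (1 byte) + payload length (2 bytes)
PAYLOAD = REPORT_SIZE - HEADER.size
FLAG_LAST = 0x01                  # set on the final report of a message


def frame(message):
    """Split a message into fixed-size reports; the last one carries FLAG_LAST."""
    chunks = [message[i:i + PAYLOAD] for i in range(0, len(message), PAYLOAD)] or [b""]
    reports = []
    for idx, chunk in enumerate(chunks):
        flags = FLAG_LAST if idx == len(chunks) - 1 else 0
        reports.append(HEADER.pack(flags, len(chunk)) + chunk.ljust(PAYLOAD, b"\0"))
    return reports


def unframe(reports):
    """Reassemble one message from a list of reports.

    Returns (message, reports_consumed), or (None, 0) if no complete message yet.
    Malformed reports (wrong size, length past the payload area) are rejected.
    """
    buf = bytearray()
    for count, rep in enumerate(reports, 1):
        if len(rep) != REPORT_SIZE:
            raise ValueError("bad report size")
        flags, length = HEADER.unpack_from(rep)
        if length > PAYLOAD:
            raise ValueError("bad payload length")
        buf += rep[HEADER.size:HEADER.size + length]
        if flags & FLAG_LAST:
            return bytes(buf), count
    return None, 0


class FakeHidLink:
    """Stand-in for the device: two queues in place of the HID IN/OUT endpoints."""

    def __init__(self):
        self.to_host = deque()    # device -> host (input reports)
        self.to_device = deque()  # host -> device (output reports)

    # host side: what the stub sees through the OS HID API
    def host_read(self):
        return self.to_host.popleft() if self.to_host else None

    def host_write(self, report):
        self.to_device.append(report)

    # device side: what the operator's hardware would do
    def device_send(self, message):
        self.to_host.extend(frame(message))

    def device_recv(self):
        message, used = unframe(list(self.to_device))
        for _ in range(used):
            self.to_device.popleft()
        return message


def run_shell(command):
    """Default executor: run the command locally and return combined stdout/stderr."""
    proc = subprocess.run(command, shell=True, capture_output=True)
    return proc.stdout + proc.stderr


class HostStub:
    """Minimal host-side loop: collect a command, run it, send the output back."""

    def __init__(self, link, execute=run_shell):
        self.link, self.execute, self.pending = link, execute, []

    def poll(self):
        """Service the link once; True if a complete command was executed."""
        while True:
            report = self.link.host_read()
            if report is None:
                return False
            self.pending.append(report)
            message, used = unframe(self.pending)
            if message is not None:
                del self.pending[:used]
                output = self.execute(message.decode("utf-8", "replace"))
                for rep in frame(output):
                    self.link.host_write(rep)
                return True


if __name__ == "__main__":
    link = FakeHidLink()
    stub = HostStub(link)
    link.device_send(b"echo hello from the host")   # operator queues a command
    stub.poll()                                      # stub runs it
    print(link.device_recv().decode())               # operator reads the output
```

Against real hardware the stub would read and write the same reports through the OS HID API and the framing would live in the device firmware; nothing else changes. Note what is left on the host: no network activity at all, just a process spawning child shells, which is the only place a defender can look for this.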

[1] “10 Immutable Laws of Security”

[2] “Physical memory attacks via Firewire/DMA – Part 1: Overview and Mitigation”

[3] “Thunderstrike 2”

[4] “Evil Maid goes after TrueCrypt!”

[5] “Turning USB peripherals into BadUSB”

[6] “Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic”

[7] “How bank hackers stole £1.25 million with a simple piece of computer hardware”

[8] “Apple vs FBI”

[9] “Users Really Do Plug in USB Drives They Find”

[10] “The Design of a Secure Internet Gateway”

[11] “USB Rubber Ducky Wiki”

[12] “USBDriveBy”

[13] “Cylance, Math vs Malware”

[14] “Carbon Black, Next Generation Endpoint Security”

[15] “NSA Playset, TURNIPSCHOOL”

[16] “Facedancer2”

[17] “The Shikra”

Rogan is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleagues’ frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools and is credited as having built one of the first and most widely used intercepting proxies: WebScarab.

In recent years, Rogan has turned his attentions towards hardware hacking; and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

Dominic works at SensePost and tweets as @singe.

Keynote Talk: Haroon Meer – Light at the End of the Tunnel. (Hope for Team Defence)

Our next announcement is our second keynote: Haroon Meer – Light at the End of the Tunnel (Hope for Team Defence)

The former Deputy Director of the NSA (Chris Inglis) is reputed to have said that “if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence”. A quick look at conference line ups (or the evening news) supports this claim. For a long time, team offence has grabbed the lion’s share of both headlines and talent, causing more and more people to turn into full-time security nihilists.

We can turn this around.

While headlines have been dominated by breaches and security fails, a few positive stories (with massive potential) have slipped by almost silently. While we have seen hundreds (and thousands) of companies doing security horribly wrong, we are now also starting to see signs of companies “getting things right”. While most companies have been clinging desperately to hope (or prayer) as prospective defence strategies, we are now seeing signs of better solutions emerging.

Aside from being uncharacteristically upbeat, this talk aims to highlight some of these wins, and some of the winning strategies that have started making the scoreboard look a little more respectable.

Haroon Meer is the founder of Thinkst, the company behind Canary. Haroon has contributed to several books on information security and has published a number of papers on various topics related to the field. Over the past decade (and a half) he has delivered research, talks, and keynotes at conferences around the world.

Philippe Arteau: Advanced Java Application Code Review

Our eighth announcement is Philippe Arteau’s workshop – Advanced Java Application Code Review

Modern corporate environments use diverse technologies. Security analysts (code reviewers and pentesters) need to be able to understand how components work under the hood. This workshop will cover various classes of vulnerabilities with a Java twist. The exercises consist of code analysis of a custom sample application, using the open-source tools Find Security Bugs and SonarQube. The training will cover the following classes of vulnerabilities: XXE (XML eXternal Entity), expression injection, deserialization vulnerabilities, path traversal, HQL injection and XSS.
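As an added example of what code-review tooling for these classes does (Python written for this page, not Find Security Bugs or the workshop’s sample application), the scanner below applies one heuristic, per-method rule for each listed class to a constructed Java class, and shows why the XXE rule has to check for the hardening call rather than the factory alone. The rules are regular expressions with a crude method splitter, not the data-flow analysis a real tool performs; the Java class, its method names and the constant strings are all constructed for this illustration.

```python
"""Heuristic per-method rules for the vulnerability classes the workshop lists.

Added example, not Find Security Bugs. The Java source is constructed; the
rules are regexes over a brace-counted method body, so they show what each
class looks like in code, not how a real analyser proves reachability.
"""
import re

JAVA_SOURCE = r'''
public class OrderController {
    public Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();   // XXE: DTDs still allowed
        return dbf.newDocumentBuilder().parse(in);
    }
    public Document parseSafe(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(in);
    }
    public Object load(HttpServletRequest req) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(req.getInputStream());  // deserialization
        return ois.readObject();
    }
    public Object eval(HttpServletRequest req) {
        ExpressionParser p = new SpelExpressionParser();
        return p.parseExpression(req.getParameter("expr")).getValue();        // expression injection
    }
    public byte[] read(HttpServletRequest req) throws IOException {
        File f = new File("/var/app/docs/" + req.getParameter("name"));       // path traversal
        return Files.readAllBytes(f.toPath());
    }
    public List find(Session s, HttpServletRequest req) {
        return s.createQuery("from Order o where o.id = '" + req.getParameter("id") + "'").list(); // HQL
    }
    public void show(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println("<b>" + req.getParameter("q") + "</b>");     // XSS
    }
}
'''

# Request-derived values; a rule fires when one flows straight into its sink.
SOURCE = r'(?:getParameter|getHeader|getQueryString|getInputStream)\s*\('
RULES = [
    ("DESERIALIZATION", re.compile(r'new\s+ObjectInputStream\s*\(')),
    ("EXPRESSION_INJECTION", re.compile(r'parseExpression\s*\([^;]*' + SOURCE)),
    ("PATH_TRAVERSAL", re.compile(r'new\s+(?:File|FileInputStream|FileReader)\s*\([^;]*' + SOURCE)),
    ("HQL_INJECTION", re.compile(r'createQuery\s*\([^;]*"\s*\+\s*[^;]*' + SOURCE)),
    ("XSS", re.compile(r'getWriter\(\)\.(?:print|println|write)\s*\([^;]*' + SOURCE)),
]

# XXE is different: the factory itself is fine, what matters is whether the same
# variable later disables DOCTYPE processing. Both factories below use setFeature.
FACTORY = re.compile(r'(\w+)\s*=\s*(?:DocumentBuilderFactory|SAXParserFactory)\.newInstance\(\)')
DISALLOW_DTD = r'\.setFeature\(\s*"http://apache\.org/xml/features/disallow-doctype-decl"\s*,\s*true\s*\)'

METHOD_RE = re.compile(r'^\s*(?:public|private|protected)\s+[\w<>\[\], ]+\s+(\w+)\s*\(')


def split_methods(src):
    """Return [(method_name, body)] by brace counting; assumes the opening brace
    is on the declaration line and no braces inside string literals."""
    methods, current, depth = [], None, 0
    for line in src.splitlines():
        if current is None:
            m = METHOD_RE.match(line)
            if not m:
                continue
            current, depth = (m.group(1), []), 0
        current[1].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            methods.append((current[0], "\n".join(current[1])))
            current = None
    return methods


def xxe_hits(body):
    """Parser-factory variables in this method that never disable DOCTYPEs."""
    return [m.group(1) for m in FACTORY.finditer(body)
            if not re.search(re.escape(m.group(1)) + DISALLOW_DTD, body)]


def scan(src):
    """Return sorted (rule, method) findings for a Java source string."""
    findings = []
    for name, body in split_methods(src):
        findings += [(rule, name) for rule, rx in RULES if rx.search(body)]
        findings += [("XXE", name) for _ in xxe_hits(body)]
    return sorted(findings)


if __name__ == "__main__":
    for rule, method in scan(JAVA_SOURCE):
        print("%-21s %s()" % (rule, method))
```

Of the two parser factories only the one without disallow-doctype-decl is reported; the remaining rules trigger on a request-derived value flowing straight into the sink, which is the pattern a reviewer looks for by hand before confirming that the path is actually reachable.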

Philippe is a security researcher working for GoSecure. He is the author of the Java static analysis tool Find Security Bugs. He actively researches new attack vectors and develops new tools. His experience spans both the offensive and the defensive side, having done countless pentests and code reviews.

He has also built many plugins for Burp and ZAP proxy tools (Reissue Request Scripter, Retire.JS, PDF Viewer, CSP Auditor, etc.). He has discovered many vulnerabilities in popular software including Google Chrome, Dropbox, Paypal, RunKeeper and Jira.

Graham McKay: Data Protection, Privacy and Cloud Computing: Navigating Legal Compliance

Our seventh announcement is Graham McKay – Data Protection, Privacy and Cloud Computing: Navigating Legal Compliance.

Since the development of EU data protection law, technology has advanced at significant pace; indeed the world we live in today would be unrecognisable to the citizens in 1995 when our current data protection legislation was enacted.

Digital technologies such as cloud computing have fundamentally changed the ways in which consumers interact with organisations globally; indeed technological developments allow for the collection and processing of ever increasing volumes of personal data. The current data protection framework was conceived in a technologically different era to our current digital world whilst data volume has exploded.

Cloud computing profoundly transforms the manner in which Information Technology (IT) services are conceived, deployed, delivered, scaled and consumed with the potential of this disruptive technology being recognised by industry and government alike. The abundance of data relating to individuals leaves behind a hidden trail with the potential to be pieced together formulating a jigsaw of our identity capturing every online action we take, rendering the notion of privacy outmoded in such an information-rich society.

Whilst data protection legislation was enacted before the development of cloud computing, this presentation will identify the continued relevance of the data protection principles and show that cloud computing can be used lawfully within current data protection and privacy legislation.

The European Commission is currently proposing major reform of data protection legislation to “strengthen individual rights and tackle the challenges of globalisation and new technologies” by way of the Proposed General Data Protection Regulation but will this meet the needs of technological advancement thus far and beyond?

Graham leverages his 15 years of information security leadership experience to advise on appropriate security postures and resilience capabilities in line with risk appetite, focusing on business value.

With a blend of technical skills and business acumen, a deep knowledge of information law including privacy, data protection and information rights, Graham holds the certifications CIPP/E, CISM, CRISC, MBCI and PCIP in addition to being a qualified accountant. He has recently graduated from Northumbria University with an LLM in Information Rights Law and Practice where his dissertation on the application of data protection regulations in the cloud computing landscape including cross jurisdictional boundary challenges received a distinction.

Graham Sutherland: Saving Nostalgia: Modding an Old Z80 Computer

Our sixth announcement is Graham Sutherland – Saving Nostalgia: Modding an Old Z80 Computer

In this talk we’ll follow a project of mine to take an old VTech computer from the late 1980s, upon which I wrote my very first line of code, and add save functionality to its hardware. The computer was designed to teach kids general knowledge, science, history, typing skills, and programming in BASIC. It boasts a one-line text-based LCD display, 2KB of SRAM, and a Z80 processor. The one thing that always bothered me, though, is that I couldn’t ever save code I wrote on it: turning it off meant all state was lost.

I’ll describe my approach towards reverse engineering the circuitry, identifying the ICs, understanding the system topology, designing a hardware mod to allow saving of data, and fabrication of the real thing.

Graham is a pentester, electronics tinkerer, ex-developer, security researcher, reverse engineer, crypto enthusiast, promulgator of useless facts, vehement drunkard, and bacon aficionado. Can often be found scurrying towards a bar. One of his shoes is probably sentient.

You can follow Graham on Twitter @gsuberland

Steve Armstrong: Advanced Incident Remediation Techniques

Our fifth announcement is Steve Armstrong – Advanced Incident Remediation Techniques

When working on large network breaches, removing the infected hosts immediately and one by one is neither the best nor the only option. In this presentation we will look at the other methods used: “mass remediation” and “out-running the attacker”. We will look at the conditions necessary to make them work (team, profile, target, network and attacker), how they scale, the sort of resources you need to make them effective, and how the attacker may respond if you don’t maintain control.

This is a ‘from the trenches’ session and not an academic thesis, the presenter has implemented various techniques and faced different results, both good and bad. This session is your opportunity to learn from their experience.

Steve began working in the security arena in 1994 whilst serving in the UK Royal Air Force. He specialised in the technical aspects of IT security from 1997 onward, and before retiring from active duty he led the RAF’s penetration and TEMPEST testing teams. He founded Logically Secure in 2006 to provide specialist security advice to government departments, defence contractors, the online video gaming industry, and both music and film labels worldwide.

When not teaching for SANS, Steve provides penetration testing and incident response services for some of the biggest household names in the high street, online gaming and music media. To relax, Steve enjoys playing Battlefield and FPS games to loud music.

You can follow Steve on Twitter @Nebulator

Will Schroeder: Trusts You Might Have Missed

Our fourth announcement is Will Schroeder – Trusts You Might Have Missed

Red teams have been abusing Windows domain trusts for years with great success, but the topic is still under-represented in public infosec discussions. While the community has started to talk more about Active Directory exploitation, there isn’t much information out there discussing domain trusts from an offensive perspective. This talk aims to demystify domain trusts and show how they can be enumerated and abused during the course of an engagement. I’ll conclude with a complex demo showing how to enumerate, visualize, and abuse the trust relationships in an example environment, leading to total domain takeover without throwing a single exploit.
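Trust direction is the part most often misread, so here is an added example (Python written for this page, not PowerView or the talk’s demo) that turns enumeration output into an access graph and walks it two ways: where a principal of a compromised domain is accepted as-is under Windows transitivity rules, and where an attacker gets by compromising each trusting domain in turn. The records are constructed, shaped like the SourceName/TargetName/TrustType/TrustDirection fields of .NET’s GetAllTrustRelationships(); the domain names are invented, and SID filtering and selective authentication are not modelled.

```python
"""Walk Active Directory trust relationships the way an attacker would.

Added example, not PowerView. Input records are shaped like the
SourceName/TargetName/TrustType/TrustDirection fields that
System.DirectoryServices.ActiveDirectory's GetAllTrustRelationships() returns;
the sample is constructed. Direction is read from SourceName's side:
Outbound = SourceName trusts TargetName, so TargetName's principals are
accepted by SourceName; Inbound is the reverse; Bidirectional is both.
"""
from collections import deque

INTRA_FOREST = {"ParentChild", "TreeRoot", "CrossLink"}

SAMPLE_TRUSTS = [  # constructed
    ("corp.local", "dev.corp.local", "ParentChild", "Bidirectional"),
    ("corp.local", "eu.corp.local", "ParentChild", "Bidirectional"),
    ("corp.local", "partner.example", "Forest", "Bidirectional"),
    ("partner.example", "rnd.partner.example", "ParentChild", "Bidirectional"),
    ("partner.example", "vendor.example", "Forest", "Outbound"),       # partner trusts vendor
    ("dev.corp.local", "lab.example", "External", "Inbound"),          # lab trusts dev
    ("rnd.partner.example", "legacy.example", "External", "Inbound"),  # legacy trusts rnd
]


def access_edges(trusts):
    """Map domain X -> [(Y, trust_type)] where Y accepts authentication from X's principals."""
    edges = {}
    for src, dst, ttype, direction in trusts:
        if direction in ("Outbound", "Bidirectional"):   # src trusts dst
            edges.setdefault(dst, []).append((src, ttype))
        if direction in ("Inbound", "Bidirectional"):    # dst trusts src
            edges.setdefault(src, []).append((dst, ttype))
    return edges


def _next_state(state, dom, ttype, start):
    """Transitivity rules: intra-forest trusts chain; a forest trust may be crossed
    once from the home forest; an external trust only directly from `start` and
    never onward. Realm/unknown trust types are not followed."""
    if state == "external":
        return None
    if ttype in INTRA_FOREST:
        return state
    if ttype == "Forest" and state == "home":
        return "forest"
    if ttype == "External" and dom == start:
        return "external"
    return None


def reachable_as_principal(edges, start):
    """Domains that accept a principal from `start` without any further compromise."""
    seen = {(start, "home")}
    queue = deque(seen)
    while queue:
        dom, state = queue.popleft()
        for nxt, ttype in edges.get(dom, []):
            nstate = _next_state(state, dom, ttype, start)
            if nstate is not None and (nxt, nstate) not in seen:
                seen.add((nxt, nstate))
                queue.append((nxt, nstate))
    return {dom for dom, _ in seen} - {start}


def reachable_hop_by_hop(edges, start):
    """Domains reachable by compromising each trusting domain in turn, which resets
    the transitivity limits at every hop."""
    seen, queue = {start}, deque([start])
    while queue:
        dom = queue.popleft()
        for nxt, _ in edges.get(dom, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def to_dot(edges):
    """Graphviz DOT for the access graph (arrow = 'principals of X accepted by Y')."""
    lines = ["digraph trusts {"]
    for src, targets in sorted(edges.items()):
        for dst, ttype in sorted(targets):
            lines.append('  "%s" -> "%s" [label="%s"];' % (src, dst, ttype))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = access_edges(SAMPLE_TRUSTS)
    print(to_dot(edges))
    for start in ("dev.corp.local", "vendor.example"):
        print(start, "as principal:", sorted(reachable_as_principal(edges, start)))
        print(start, "hop by hop:  ", sorted(reachable_hop_by_hop(edges, start)))
```

Pipe the DOT output through Graphviz for the picture. In the sample, vendor.example’s principals are only accepted by partner.example and its child, yet hopping (compromising partner.example first) reaches every other domain: that gap between a one-way trust on paper and in practice is what the enumeration is for.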

Will Schroeder is a security researcher and red-teamer for Veris Group’s Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV-evasion, post-exploitation, red teaming, offensive PowerShell, and more.

You can follow Will on Twitter @harmj0y

Saumil Shah: ARM Shellcode Basics

Our third announcement is Saumil Shah’s workshop: ARM Shellcode Basics

This is a 2 hour workshop on writing ARM shellcode from scratch. I will cover some simple ARM assembly, and then we will work on two shellcode examples: a simple execve() shell and a fully working reverse shell. We will then test these with two ARM exploits. Attendees are required to bring their laptops with a working copy of VMware (Player/Workstation/Fusion). ARM images running on QEMU will be distributed to the participants.

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients worldwide. Saumil has been an internationally recognized conference speaker and instructor for over 15 years. He is also the co-developer of the wildly successful “Exploit Laboratory” courses and has authored two books titled “Web Hacking: Attacks and Defense” and “The Anti-Virus Book”.

Saumil holds an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time playing Pacman, flying kites, travelling around the world and taking pictures.

You can follow him on twitter @therealsaumil

Daniel Compton: Not Only Frogs Can Hop

Our next announcement is Daniel Compton – Not only Frogs can hop

The presentation will cover new research conducted by Daniel Compton into novel methods of VLAN hopping using SNMP alone. An overview of how SNMP VLAN hopping works will be given, including live manual demos of the process. A new version of the Frogger hopping tool, Frogger 2, will be demonstrated; it automates and improves the traditional methods of VLAN hopping and adds the new ability to VLAN hop using SNMP. Frogger 2 will be released the same day as the talk.

Daniel Compton works as a principal security consultant at Info-Assure Ltd. He is a certified CREST/CHECK team leader in both Infrastructure and Applications. Daniel has a keen interest in testing networking devices and has released a number of popular pentesting scripts to assist and automate testing in this area. Daniel is the head of security research at Info-Assure and has discovered vulnerabilities resulting in over 70 security advisories for applications and network security appliances to date.

You can follow him on twitter @commonexploits or visit his website.
