44CON 2014 Presentations

Chicken of the ‘APT’: Using Shadowlab Incubation for Targeted Attack Attribution

Presented By: Kyle Wilhoit

Attribution of attackers and motives is often difficult. Trying to understand what tactics they use, what malware they utilize, and what groups they belong to can be a tedious task. These attackers are often targeting specific organizations, individuals, and countries: things that sandboxes and dynamic analysis techniques rarely have the ability to emulate. In this talk, we’ll cover targeted malware incubation and present two case studies, with never-before-released details, on how attackers have fallen victim to incubation. The talk will finish with the release of an open source incubator, Shadowlab, giving everyone the ability to incubate malware.

GreedyBTS: Hacking Adventures in GSM

Presented By: Hacker Fantastic

There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS, which can be used to compromise a target’s phone calls, messaging and web surfing habits. Mobile phones will be harmed during this presentation.

Chopping Down Mountains

Presented By: Don A. Bailey

Most people thought the destruction of digital currency would come from vulnerabilities identified in the protocol or end-user software. The decentralized nature of the technology implies that there is no one vector for attacking Bitcoin, Dogecoin, and other currencies. However, there are much easier ways to kill a coin. The fall of Mt. Gox proved that centralization occurs in the exchange and other companies attempting to facilitate trade. Attacks against these exchanges and merchant payment systems can easily destroy not only a digital currency business, but the coin itself.

In this presentation, the presenter will reveal undiscovered security risks that have not yet been disclosed or mitigated by digital exchanges. After explaining how these risks can cripple not only exchanges but the currencies themselves, the presenter will discuss the real and practical methods for solving these issues.

Digital currency is an exciting revolution in the way wealth is distributed among worldwide populations. Solving the underlying security issues that hinder its widespread adoption may assist in enabling the distribution of wealth to the regions and individuals that need it most.

To the moon!

Researching Android Device Security with the Help of a Droid Army

Presented By: Joshua J. Drake

In the last few years, Android has become the world’s leading smart phone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.

This presentation centers around the speaker’s approach to dealing with the Android diversity problem, which is often called “fragmentation”. To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.

Social Engineering Your Own – Developing An Awareness Training Program That Actually Works

Presented By: Valerie Thomas

Organizations must establish an effective security awareness program. As security professionals we’ve likely heard (and said) it more times than we can count. But how often do we stop to think about what it actually means or how it can be implemented? The media is littered with reports of attacks, which emphasizes that it’s time to change the way we approach awareness training. It’s time to lose the never-changing slide deck and think outside the box. In this talk we’ll examine the art of influence at a group level and use social engineering to create positive change.

What Did You Just Say To Me?

Presented By: Jerry Gamblin

Imagine you have to explain a newly discovered vulnerability in the human resources software your company uses to the director of human resources who forgets his password 3 times a week. How would you approach that talk?

It takes many skills to be an effective security professional, but arguably the most important trait for a security professional is the ability to communicate effectively. In this talk we will discuss the best methods to explain complex security issues to non-technical people, and I will share the tools and tips I have used to become better at this.

Flushing Away Preconceptions of Risk

Presented By: Thom Langford

Risk is often seen as a dirty word in business. It is a thing that needs to be reduced to nothing, and has no possible good use in an organization, especially a security programme.

This couldn’t be more wrong! Risk is an inherent part of any business, and yet it is often poorly recognised and leveraged in the security organisation. In this presentation Thom will look at three areas of the risk conundrum to lift the veil on the elusive art of understanding and ultimately measuring risk.

Security Analytics Beyond Cyber

Presented By: Phil Huggins

A quick summary of the current state of big data technology and data science approaches used in cyber / network defender security analytics, including summary use cases, a walk through of a reference architecture and a breakdown of the required skills. The focus is on the knowledge needed to run a proof of concept and establish a programme for early benefits. The talk will then also include a view on the future of extending the platforms and capabilities of security analytics to cover performance metrics and data-driven security management approaches.

Hot or not, the hacker way

Presented By: Dan Tentler

Thermal imaging has been a subject that not many people get the opportunity to research, without an exceedingly high number of dollars on the table. This pet project of mine began in 2010 when I asked FLIR for a demo unit to do a series of tests in an effort to see how infrared could be used in the world of information security. Their PR people replied to me saying that they didn’t think a FLIR device could be used to read heat signatures from a computer because they weren’t sensitive enough. This year I got my hands on a FLIR E4, and hacked it to have 4x the resolution. Boy was that PR guy wrong.

Using Hadoop for Malware, Network, Forensics and Log analysis

Presented By: Michael Boman

The number of new malware samples is over a hundred thousand a day, network speeds are measured in multiples of ten gigabits per second, computer systems have terabytes of storage and the log files are just piling up. By using Hadoop you can tackle these problems in a whole different way, and “Too Much Data to Process” will be a thing of the past.

I gave a talk about robots and hardware!

Presented By: Josh Thomas

“…and therein lies the Android problem…” Vendors, service providers, handset manufacturers, an insane number of different devices, patch stagnation, lack of updates, blah, blah, blah. We get it, and honestly it’s starting to be a tad boring. So why would you want to sit through yet another Android talk? You don’t, and I don’t want to give that talk anyway.

Instead, let us spend some time talking about the roots of all smartphones: the hardware design, the system on chip internals, the problematic Linux kernels. Let’s chat about design reuse and how to take advantage of lazy electronics engineers. Let’s converse about generational design flaws and how they can be exploited. In short, let’s talk about breaking a bunch of expensive toys.

This talk will cover multiple handset manufacturers’ internal PCB designs, a fair bit of Qualcomm exploration, some witty banter about the fossil-esque Linux kernel we drag about daily and probably some childish poking at the trusted boot process.

Payment applications handle lots of money. No, really: lots of it.

Presented By: Mark Swift & Alberto Revelli

A medium-sized bank will funnel hundreds of billions through payment gateways every year. A larger one will easily be deep in ‘trillions’ territory. You work for a company with significant revenue? Chances are that your company shoves lots of money through one of these applications.

Surprisingly, however, the security of these apps is often flaky: people who understand the business process rarely understand the technical risks. Vendors and consultants often recommend business-level defences but then make horrible technical mistakes, and very often the overall defence strategy boils down to “DBAs do not understand the business” comedy. When it comes to crypto, hilarity ensues: shared private keys and broken algorithms become the norm, with self-proclaimed “experts” proving to have problems with exotic concepts like “hash function” and “birthday paradox”, leading CISOs to a false sense of security that only makes things worse.

Our presentation is a mix of attack and defence, combining descriptions of business-level and tech-level threats with crypto-based countermeasures. It is the result of a project we have been working on for the past year, with the goal of using crypto to secure our payment applications.

The presentation will start by describing how payment applications work, what their workflow is, what a payment file “really looks like”, and how it is created, handled and processed. We will then describe the attack surface of the whole process, how an employee in the right role can easily steal large amounts of money, and what checks and countermeasures he/she would need to bypass.

In the second part of the presentation, we will then describe a real-world example of how to properly employ crypto (via an HSM-based infrastructure) to greatly reduce the risks, and how to integrate such a solution with existing applications. We will also include some examples of things that are easy to get wrong while designing the solution.

10 GBP simple hardware side channel attacks

Presented By: Joe FitzPatrick

Most dismiss power side channel attacks as difficult, expensive and unlikely, and therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.

By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts.

Manna from Heaven; Improving the state of wireless rogue AP attacks

Presented By: Dominic White

The current state of theoretical attacks against wireless networks should allow this wireless world to be fully subverted for all but some edge cases. Devices can be fooled into connecting to spoofed networks, authentication to wireless networks can either be cracked or intercepted, and our ability to capture credentials at a network level has long been established. Often, the most significant protection users have is hitting the right button on an error message they rarely understand. Worse for the user, these attacks can be repeated per wireless network, allowing an attacker to target the weakest link.

This combination of vulnerable and heavily used communications should mean that an attacker need only arrive at a location and set up for credentials and access to start dropping from the sky. However, the reality is far from this: karma attacks work poorly against modern devices, network authentication of the weakest sort defeats rogue APs, and interception tools struggle to find useful details.

This talk is the result of our efforts to bring rogue AP attacks into the modern age. The talk will provide details of our research into dramatically increasing the effectiveness of spoofing wireless networks, and the benefits of doing so (i.e. gaining access). It includes the release of a new rogue access point toolkit implementing this research.

On Her Majesty’s Secret Service: GRX and a Spy Agency

Presented By: Stephen Kho

GPRS Roaming eXchange (GRX) has been in mainstream media recently as part of the high profile Edward Snowden revelations. The leaked documents indicated that the UK government’s intelligence organisation, Government Communications Headquarters (GCHQ), hacked the Belgian GRX provider, Belgacom International Carrier Services (BICS). They did this by targeting the GRX provider’s employees with the ultimate aim of gaining access to Belgacom’s core GRX routers. Allegedly, GCHQ hacked the GRX routers in order to carry out man-in-the-middle “traffic sniffing” attacks against mobile users who are roaming with smartphones or other devices capable of handling data.

Automatic Reverse Compilation & Semantic Comprehension

Presented By: Christopher Abad

The machine code to source code problem can be simplified by relaxing the problem constraints and allowing translation from machine code to any reasonably sound higher-level code interpretation instead of expecting a close approximation of the original source code. As a corollary, any solution to the problem also demonstrates semantic comprehension of the machine code. Automatic reverse compilation of machine code to source code and the semantic comprehension of machine code without code execution or emulation can be achieved by combining techniques used in data compression, automatic differentiation, linear algebra, mathematical logic, syntactic analysis and statistical classification. A simplified application of the same tools can be applied to predict pseudo-random numbers and sequences of other mathematical objects.

Darshak: how to turn your phone into a low cost IMSI catcher device

Presented By: Ravishankar Borgaonkar & Swapnil Udar

It is said that 80% of the world’s population now has a mobile phone. They use mobile devices to make calls, send SMS messages and access the internet via the cellular network infrastructure. End-users carrying mobile phones 24 hours a day trust cellular network operators and believe that the provided mobile communication link is secure.

On the other hand, mobile operators, device manufacturers, OS providers and baseband suppliers do little to provide the best security and privacy features to them. In particular, the security capabilities of mobile communications are not shown to the end-users. Hence it is easy for malicious attackers to mount subsequent attacks using IMSI catcher equipment. Further, some hidden features, for example ‘silent SMS’, are supported in currently used mobile telephony systems, but end users are not notified when they are in use. Attackers or illegitimate agencies exploit this weakness to track user movements regularly without the user’s consent.

Stupid PCIe Tricks

Presented By: Joe FitzPatrick

Hardware hacks tend to focus on low-speed (JTAG, UART) and external (network, USB) interfaces, and PCI Express is typically neither. After a crash course in PCIe architecture, we’ll demonstrate a handful of hacks showing how to pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We’ll top it off with a demonstration of SLOTSCREAMER, an inexpensive device that’s part of the NSA Playset which we’ve configured to access memory and IO, cross-platform and transparent to the OS – all by design with no 0-day needed. The open hardware and software framework that we will release will expand your Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system.

Lessons Learned from Black Hat’s Infrastructure: The Tweets Must Flow

Presented By: Conan Dooley

Let’s take a quick trip across the sea to the halls of Black Hat. What made the training network tick? How was it created, who was attacking the network, and how was it defended? How do you keep the wired training network up and reliable when you have nearly two thousand people hammering on it? What tricks kept the wireless running for all those tweets?

Side Channel attacks in the cloud

Presented By: Gorka Irazoqui Apecechea

This presentation exposes isolation vulnerabilities in cloud environments. First we present Bernstein’s attack applied in virtualization environments and show that, for most cryptographic libraries, the attack succeeds in recovering part of an AES key. Second we present an attack that exploits deduplication in cloud settings, which is used to share resources and save memory. We use flush and reload to recover the entire AES key in less than one minute. This work shows that more effort has to be put into designing isolation techniques and cryptographic libraries.

A Year in Recap: I Am The Cavalry

Presented By: Beau Woods

In the face of clear & present threats to Body, Mind & Soul from our accelerating adoption of technology into our society it is clear: The Cavalry Isn’t Coming… it falls to us… the willing & able… and we have to try to have impact. Over the past year, the I Am The Cavalry initiative narrowed its focus and increased its momentum. With a focus on public safety & human life we did our best collecting, connecting and collaborating to ensure safer technology dependence in: Medical, Automotive, Home Electronics & Public Infrastructure.

This will take place on the evening of Wednesday 10th September.

I Hunt TR-069 Admins: Pwning ISPs Like a Boss

Presented By: Shahar Tal

Residential gateway (/SOHO router) exploitation is a rising trend in the security landscape – ever so often do we hear of yet another vulnerable device, with the occasional campaign targeted against specific versions of devices through independent scanning or Shodan dorking. We shine a bright light on TR-069/CWMP, the previously under-researched, de-facto CPE device management protocol, and specifically target ACS (Auto Configuration Server) software, whose pwnage can have devastating effects on critical numbers of users. These servers are, by design, in complete control of entire fleets of consumer premises devices, intended for use by ISPs and Telco providers, or nation-state adversaries, of course (sorry NSA, we know it was a cool attack vector with the best research-hours-to-mass-pwnage ratio). We investigate several TR-069 ACS platforms, and demonstrate multiple instances of poorly secured deployments, where we could have gained control over hundreds of thousands of devices. During the talk (pending patch availability), we will release exploits for vulnerabilities we discovered in ACS software, including RCEs on several platforms.

Meterpreter Internals

Presented By: OJ Reeves

Everyone has heard of Metasploit, the Open Source exploitation framework, and most have probably come into contact with it on the attacking and/or receiving end. Meterpreter, Metasploit’s most frequently used payload for Windows systems, enables a tester who has gained control of one machine to perform further exploitation, pivoting and penetration with relative ease. But how does Meterpreter work? What goes on ‘under the hood’ when certain commands are executed? How does it avoid touching the disk and survive happily in memory? How does it hide from the operating system, and how could you locate it if it’s running? Let’s dive into the plumbing that makes Meterpreter tick. I will explain in relative detail its lifecycle, along with some of the ins and outs of topics such as Reflective DLL Injection and Migration. Bring your low-level knowledge and interest in technical details as we pop the hood of one of the most loved parts of Metasploit.

Top 5 Media Fails

Presented By: Dan Raywood

It is very easy to criticise the media for getting their facts wrong, for talking to the wrong people and for a lack of knowledge of the more technical terms.

In this presentation, one of the media’s own will look at the top five (in their opinion) media fails when it comes to security, try and understand why it was incorrect, what the mitigating factors were and ask the important question – are IT security and security journalists even on the same page?

STOP! Don’t make that NOOB Incident Handling mistake

Presented By: Steve Armstrong

In the heat of an incident, when the boss is screaming as to what has happened, when and why, mistakes happen.

Evidence is lost, compromised systems are forgotten and data is not analyzed. During the last 20 years the speaker has fought APT attackers, Russian cyber criminals and internal hacking administrators. Each of these incidents has been an ‘enhanced experience’ because someone didn’t think just before some routine action was completed. The result was the delayed closure of an incident, the destruction of evidence, the leaking of counter-hacking strategies to the attackers, or just the wrong briefing.

As developers of Security Operations Centre procedures and Incident Management Teams, we have seen many simple errors wreaking havoc mid-incident. To prevent these we developed the Cyber Crisis Planning Room, a web-based application to enable Incident Responders to work together and to have the computers doing more of the work. CyberCPR enables management to see progress and to dig into some of the details should they desire.

When Documents Bite

Presented By: Vlad Ovtchinikov

In 1999, the Melissa virus changed the industry’s attitude on how malware could be spread. Seemingly safe formats, such as Microsoft Word and Adobe PDF, were now being used to deliver the payload. A recent report on the subject found that malicious documents, as a method for delivering malware, are now the preferred method of delivery amongst attackers. In the Red October diplomatic cyber attacks, Microsoft Office and PDF document files were used as the primary malware delivery vector.

The primary reason why this attack vector has had such a high rate of success in social engineering attack campaigns is directly linked to its ability to effectively circumvent email and virus filtering solutions. By distributing a ubiquitous file type (such as *.doc, which is considered to be safe and an industry standard in document formats), the payload is in most cases able to reach the intended target.

An analysis of the real world attack techniques used in malicious documents is key in defending against targeted attacks; attacks that are one of the major IT security concerns for enterprise networks.

Hacking an Internet Enabled Lagomorph

Presented By: Alex Chapman

So, I have to admit, I got a little obsessed with this project. Who would have thought an internet enabled, hyperkinetic, 9.6-inch rabbity thing could hold so much intrigue. Little did I know that in procuring this geek toy I’d be delving down the proverbial rabbit hole of ARM exploitation, including reverse engineering, cross compiling, protocol analysis, 0days and producing exploits from vulnerability advisories. All this in an attempt to get remote code execution… on a rabbit… seriously!

Throughout this talk I will discuss the processes and procedures used to identify and eventually exploit vulnerabilities on the Karotz “smart companion” (what else would I be talking about?). Vulnerabilities identified include authentication bypass, jump table corruptions and heap overflows, which eventually led to unauthenticated ear wiggling exploits. I wonder if this qualifies for a CVE? A couple of remote code execution bugs will also be discussed.

Why TV news gets tech security wrong – and why it matters

Presented By: Geoff White

Tech security has become such a hot topic that even the most Luddite of TV news editors have been forced to include it in their running orders.

The results have been a mixed bag, ranging from noble-yet-confusing attempts to convey accurate information, to downright ill-informed sensationalism.

There are some good reasons why television news struggles with such stories: it’s a medium based on pictures, and technology is a subject chronically deprived of the kind of compelling imagery that makes headlines.

Yet it’s a challenge with which journalists must engage. Firstly because we have a duty to give the public accurate, timely information about the issues which potentially affect them.

Secondly, and more importantly for the 44CON audience, the more understanding there is of tech security and the issues around it, the easier it will be to win the boardroom battle for resources to protect individuals, businesses and the wider world from threats.

Pentesting NoSQL DB’s Using NoSQL Exploitation Framework

Presented By: Francis Alexander

The rise of NoSQL databases and their simplicity has led corporates as well as end users to move towards NoSQL. However, is it safe? Does NoSQL mean we will not have to worry about injection attacks? We do. This paper concentrates on exploiting NoSQL databases, especially MongoDB, CouchDB and Redis, and automating it using the NoSQL Exploitation Framework.

Breaking AV Software

Presented By: Joxean Koret

Antivirus software is a common component of today’s computer systems ranging from home users to corporate and government servers. However, security issues related to the AV software itself are not usually considered when deploying such security solutions. Users are not fully conscious of the issues related to using AV software and some AV vendors do not put the required effort in securing their products. In this talk we will cover vulnerability discovery and remote exploitation of AV software. During the talk the details of a number of vulnerabilities will be published. The talk aims to raise the level of awareness about the security of AV software to both users and vendors.

Bug Bounties – Relationship Advice for the Hunters & the Hunted

Presented By: Katie Moussouris

Bug bounties seem like simple enough concepts – put up some money, write up some rules of engagement, and off you go into the sunset hand in hand with hackers who love you all of a sudden. Except like all relationships, the ones forged between those offering a bug bounty and those looking to help them by reporting bugs and getting paid require some work to maintain. Join Katie Moussouris as she leads you on a brief relationship counseling session on bounties with tips on how to structure them, and how to reap the rewards from them, in ways that leave both parties feeling like they benefitted from the interaction.