44CON 2013 Presentations

A talk about (info-sec) talks

Presented By: Haroon Meer

Last year there was an Information Security conference taking place for almost every day of the year. This translates to about 15 information security talks per day, every day. The question is, is this a bad thing? Even niche areas of the info-sec landscape have their own dedicated conference these days. Is this a good thing?

The conference scene is actually a reasonable proxy for the state of information security as a discipline, i.e. there's a lot of activity but with questionable results (and dodgy metrics).

This talk aims to change (some of) that.

Surviving the 0-day – Reducing the Window of Exposure

Presented By: Andreas Lindh

According to the NIST National Vulnerability Database, 1772 software vulnerabilities with a CVSS score of 7 or higher were disclosed in 2012, and 2013 is so far (at the time of writing) not looking any better.

A lot of times the window of exposure – from when a vulnerability is discovered to when a patch has been deployed – is very long. In a corporate environment, it’s not unusual to rely solely on patch management and semi-static security tools such as firewalls, IPS and antivirus for protection, and because of various reasons patch deployment might take a long time or may not even be possible.

This talk will discuss why patch management is insufficient for protection against new vulnerabilities, how the traditional “defense in depth” model needs to be re-architected, and finally how the window of exposure can be reduced by active response before incidents occur.

Evading Identification and Detection by Messing with Binary Formats

Presented By: Ange Albertini

Malware and exploits rely on many different file formats. It's critical for security software to accurately identify and parse them, and ideally tell if they are corrupted, clean or malicious. Some formats can sadly be combined, making it possible to create files that evade filtering or detection. Moreover, the gap between the documentation and the possible implementations leaves room for valid files to entirely evade detection.

Honey I’m Home!! – Hacking Z-Wave Home Automation Systems.

Presented By: Behrang Fouladi & Sahand Ghanoun

“Smart homes” employing a variety of home automation systems are becoming increasingly common. Heating, ventilation, security and entertainment systems are centrally controlled with a mixture of wired and wireless networking. In 2011 the UK market for home automation products was estimated at £65 million, an increase of 12% on the previous year, with the US market exceeding $3 billion. Zigbee and Z-Wave wireless protocols underpin most home automation systems. Z-Wave is growing in popularity as it does not conflict with existing 2.4GHz wifi and Bluetooth systems. Our talk describes the Z-Wave protocol and a number of weaknesses, including how to build a low-cost attack kit to perform packet capture and injection, along with potential attacks on the AES crypto implementation.

Reverse Engineering with HackRF

Presented By: Michael Ossmann

Software Defined Radio (SDR) has given us an unprecedented ability to perform over-the-air reverse engineering of proprietary digital radio systems. This entire presentation is one long demonstration, a case study in SDR reversing. I’ll show how I use HackRF to perform radio protocol security analysis without any prior knowledge of the target system required.

Breaking Bad Programs

Presented By: Don A. Bailey

Offensive tactics against executable code have traditionally been measured in repeatable, predictable steps. This is suitable for an attack against a single process, thread, or kernel function path. As exploitation evolves, so must our methodologies. Today's offensive tactics are getting more robust. However, we are seeing very few attacks against moving targets in computer systems. In this presentation, the speaker intends to demonstrate the technical strategies for building attacks based on causality; or, the ability for one action to affect one or more known or unknown objects. Also, I may prank call Bryan Cranston just to be a dick.

A Fast Hard Disk with Active Antiforensics

Presented By: Travis Goodspeed

When a computer reads from a hard disk, it is actually speaking over the bus to a program that runs inside of that disk’s CPU. In this presentation, I will demonstrate a practical antiforensics hard disk that is fast enough to boot from and to work from. While the disk functions normally for a legitimate user, it will erase itself in response to any attempt to image the disk with DD(1) or similar disk imaging tools. To be fair to both attackers and defenders, this presentation will also demo expected vulnerabilities that can be exploited to allow for complete imaging.

Punking Punkbuster

Presented By: Isaac Dawson

This presentation will cover the methods and process used while trying to understand how PunkBuster works. From writing custom tools, to coming up with novel ways of overcoming many obstacles, this personal project has been an enlightening journey. I will cover the various components, how they interact, their anti-debugging and analysis tricks and will give the attendees a greater understanding of how this anti-cheating service was implemented. I will cover how and why I have taken the paths I did, as that is far more important than any code or disassembly listing.

Security Lessons from Dictators

Presented By: Jerry Gamblin

What do the Grand Ayatollah Seyyed Ali Hosseini Khamenei, Kim Jong-un, Julius Caesar, Abraham Lincoln, Napoleon Bonaparte and Adolf Hitler have to do with network security? Come and discover the mistakes these dictators made, what they can teach us about network security, and how to apply those lessons to our companies and coworkers.

.Net Havoc – Manipulating Properties of Dormant Server Side Web Controls

Presented By: Shay Chen

Most modern web application frameworks use Server-Side Web Controls to enhance the development process; components that other platforms require the developer to implement can be dragged and dropped into the page design view.

These components are also protected using a variety of mechanisms, including digital signatures, content restrictions and even invisibility.

However, developers that use these components improperly can expose their application to a variety of different attacks that can be executed despite, and sometimes due to, the existence of security mechanisms.

The Forger’s Art: Exploiting XML Digital Signature Implementations

Presented By: James Forshaw

Many security-critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage the security of these technologies. Being a standard there is, unsurprisingly, no canonical implementation for any platform or language; with so many different implementations there are likely to be differences in how the standard is interpreted.

This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, and how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some of the nastier vulnerabilities found during the research, including a novel attack against the built-in Java and .NET libraries which allows for trivial signature spoofing, exposing any user of those implementations to accepting an invalid signature, independent of how they use the library.

A Captive Audience

Presented By: Jaime Cochran

In modern societies we perceive prisons and jails as places where well-deserving citizens endlessly ponder the wrongs they've enacted. But, as we all readily admit, history tells us a far different story about prisons. In this lecture, the presenter will discuss the effects of imprisonment in the technological age. Technology can be used to pin down the weak and ensnare alternative voices. Electrically controlled gates, video cameras, biometrics, and other technologies can enforce confinement to a seemingly rigid pace. But, what if technology can be used to flip the scales in favor of the condemned? We intend to discuss technologies to help inmates communicate with the outside, empowering voices from within the World's darkest dictatorships. High speed light communication, clever phone tricks, and even astonishing everyday objects can be subverted for use in confinement scenarios. The take away from this talk? No matter how you feel pinned down in life, there is always a weakness waiting to be exploited for the benefit of your voice. Let freedom ring!

Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware

Presented By: Patrick Stewin

In this work we present a stealthy malware that exploits dedicated hardware on the target system and remains persistent across boot cycles. The malware is capable of gathering valuable information such as passwords. Because the infected hardware can perform arbitrary main memory accesses, the malware can modify kernel data structures and escalate privileges of processes executed on the system.

The malware itself is a DMA malware implementation referred to as DAGGER. DAGGER exploits Intel's Manageability Engine (ME), which executes firmware code such as Intel's Active Management Technology (iAMT), as well as its OOB network channel. We have recently improved DAGGER's capabilities to include support for 64-bit operating systems and a stealthy update mechanism to download new attack code.

I miss LSD

Presented By: Tim Brown

A wise man once said (paraphrased) "if you want to find UNIX bugs, compare and contrast the Linux and Solaris man pages". Following on from my previous work on linker bugs and more recently AIX (at 44CON 2012), we'll look at some of the more interesting areas of the POSIX specification, focusing on the various IPC mechanisms that can be found in modern POSIX-like OSes as well as kernel land more generally. I'll present some new tools I've written to aid in this analysis along with some discussion around how I uncovered potentially exploitable bugs in ~400 Debian GNU/Linux packages in a single day.

Building Antibodies – The Phishing program at Twitter.

Presented By: Dan Tentler

I run the internal phishing program at Twitter. It was built from scratch and uses open source tools. It's custom tailored to our organization. This talk will describe the objective of running an internal phishing program at your organization, what to track, how to measure, and how to grow the program. This is not an awareness program; this program is designed to imbue antibodies into the culture that will promote the growth of a security culture and help make people more security aware overall. Since the instantiation of this program at Twitter we have seen dramatic changes that make the whole organization safer. There are some configurations an org can employ to dramatically decrease the influx of spam and phishing mails on top of a program such as this. If more orgs had a program like this, phishing would start to become much harder to do. The measurements that come from this program allow us to have a much better view of the risks attached to phishing as well, so we have a tangible, measurable result we can work with. You want to be the guy who designs attack models for your company, then lobs them at employees? This is how to do it.

Best Practices and the Future of Adaptive Authentication

Presented By: Robert Weiss & Ben Gatti

The talk is a deep-dive into the details of authentication focused on best practices and future technologies.

Even More Tamagotchis Were Harmed in the Making of this Presentation

Presented By: Natalie Silvanovich

You might remember Tamagotchi virtual pets from the 1990’s. These toys are still around and just as demanding as ever! This talk covers my latest efforts at hacking Tamagotchis. First, I will detail methods for executing code on and dumping code from a Tamagotchi, and then delve into the deep secrets of Tamagotchi life that only code can tell. Finally, I will describe the internals of the Tamagotchi’s GeneralPlus microcontroller and demonstrate some projects that can be built using a modified Tamagotchi.

My quest into FM-RDS

Presented By: Oona Räisänen

This talk will concentrate on my experiences with FM-RDS (Radio Data System), a digital subcarrier embedded in FM broadcast transmissions, and also cryptanalysis of traffic messages contained therein.

I originally found out about the existence of such transmissions in a roundabout way, by using a spectrum analyzer program to examine intermodulation distortion in my radio's Line Out audio. As it turned out, the inaudibly quiet distortion, probably caused by the radio's stereo demuxer circuitry, contained all the information needed to decode all RDS data present in the transmission. I will demonstrate the journey I took and give a short introduction to how the data is actually encoded. Live acquisition of local RDS data, signal conditions on the premises permitting.

Reversing and Exploiting BT CPE Devices

Presented By: Zachary Cutlip

In this talk I’ll describe the process by which I reverse engineered the firmware for the BT HomeHub 3.0b and developed a remote exploit that yields root access. The BT HomeHub 3.0b was fairly challenging to reverse engineer and exploit compared to many SOHO routers on the market today. The talk will describe several strategies I pursued in search of an exploitable 0-day. Although some strategies were fruitful and some not, all were instructive.

Live demos and root prompts are the funnest part of any good security talk, and this one will not disappoint. I’ll demonstrate the exploit and pop root on a HomeHub 3.0b in front of the live audience. Then I’ll demonstrate how to upload tools to the device for instrumentation and attack. If all goes well, I’ll up the ante by attempting a parlor trick made possible by the technical nature of this specific exploit.

Signatureless Breach Detection Under The Microscope

Presented By: Olli-Pekka Niemi & Antti Levomäki

Signatureless attack detection is becoming the hot topic in threat prevention. Client side security vulnerabilities are often found in zero day exploits in the wild, meaning that signature based intrusion detection and prevention systems are not likely to catch these attacks. Signatureless detection systems are designed to detect these kinds of attacks and they do provide some additional layer of security. One of the techniques deployed by signatureless systems is called sandboxing. In sandboxing, the signatureless attack detection system executes files that are being transferred over the network in a sandbox. It carefully instruments the execution and based on that determines if the file was malicious. We have analyzed signatureless detection and particularly the sandboxing technique, and we have found several issues in the concept. We have also found ways to completely evade sandboxing. We have taken some peeks into one of the market leading sandboxing products and will disclose our findings. In this presentation we will discuss the problems we have identified in signatureless attack detection and sandboxing, and disclose our findings regarding one of the market leading products. The attendees will better understand the limits of these systems. Even though they provide an additional layer of security, there are issues one should know about.

Browser bug hunting – Memoirs of a last man standing

Presented By: Atte Kettunen

Just like drinking is not a game in Finland, neither is browser bug hunting: it's serious business! Browser bugs have been supporting Atte Kettunen's (@attekett) traditional Finnish way of living since late 2011 and he's going to tell you all about how he has been living the dream of browser bug hunting, focusing on one of the most secure browsers around, Google Chrome!

He'll tell you a tale of his experiences with bounty programs and how those have evolved since he started way back (vendors can show the love too!) and how he's managed to survive in the harsh environment of browser bug hunting. He'll impart some important bug hunting social skills by showing you how and how NOT to step on the other guys' toes; a very competitive cottage industry is browser bug hunting. 😉

Atte is also going to share with you how and why he selected his current target feature (still full of bugs!), how he built his fuzzer module(s) and the results produced. We'll all walk a mile in a bug hunter's shoes together and take a peek at the tool sets, as well as the infrastructures, that are used to find browser bugs by individuals and vendors!

Hack the Gibson – Exploiting Supercomputers

Presented By: John Fitzpatrick & Luke Jennings

We have had the luxury of conducting security research and penetration testing activities on a few supercomputers on the world's Top 500 list. Having spent some time assessing the security of these awesome machines, it's fair to say that many of the technologies involved have been largely untouched by public security scrutiny and consequently the security bar is much lower than we have come to expect in 2013. This presentation will cover our research and demonstrate some of the most interesting and significant vulnerabilities we have uncovered so far. We will also be demonstrating 0-day exploits and previously undocumented attack techniques live so you can see how to get root on 20,000 nodes all at once. There are many ways to hack the Gibson and today you'll learn some.