44CON 2016 Talks

Thank you to all of our awesome Speakers this year!

Three decades in security. What’s changed, and what hasn’t.

Presented By: Robert Schifreen

Cybercrime has changed greatly in the last 30 years.  People still hack, but for many different reasons.  The rewards available to hackers are much greater, as are the risks.  But many of the techniques that hackers employ, both technical and psychological, have not changed at all.  Victims still fall for the social engineering tricks and the fake emails.  They still write down passwords.  Compilers still fail to protect programmers from buffer overruns. Programmers still fail to protect themselves from being vulnerable to database injection attacks.

Have we learned anything in 32 years?  If so, how much, and is it enough?

Not only frogs can hop

Presented By: Daniel Compton

The presentation will cover new research into novel methods of VLAN hopping using SNMP alone. An overview of how SNMP VLAN hopping works will be covered, including live manual demos of the process. A new version of the Frogger 2 VLAN hopping tool will be demonstrated to automate and improve the traditional methods of VLAN hopping, whilst adding the new function to VLAN hop using SNMP. Frogger 2 will be released the same day as the talk.

Trusts you might have missed

Presented By: Will Schroeder

Red teams have been abusing Windows domain trusts for years with great success, but the topic is still under-represented in public infosec discussions. While the community has started to talk more about Active Directory exploitation, there isn’t much information out there discussing domain trusts from an offensive perspective. This talk aims to demystify domain trusts and show how they can be enumerated and abused during the course of an engagement. I’ll conclude with a complex demo showing how to enumerate, visualize, and abuse the trust relationships in an example environment, leading to total domain takeover without throwing a single exploit.
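The enumerate, visualize and abuse workflow the abstract describes, as an added example that is not code from the talk or its tooling. It models the trust graph you would build from nltest /domain_trusts or Get-ADTrust output and asks, from a foothold in one domain, which other domains will accept a principal from it and along which chain of trusts. The trust list is constructed, and the transitivity rules are the simplified textbook ones (parent/child trusts transitive, external trusts not, forest trusts never chaining into a third forest); SID filtering and selective authentication are not modelled.

```python
"""Added example: model and walk Active Directory trust relationships.

Not code from the talk.  The trust list is constructed and the transitivity
rules are simplified: parent/child and tree-root trusts are transitive,
external trusts are not, and a forest trust is transitive between the two
forests but never chains into a third forest.
"""
from collections import deque

# (trusting_domain, trusted_domain, trust_type, transitive)
# "trusting trusts trusted": principals from `trusted` can authenticate
# into `trusting`.  Two-way trusts appear as two entries.
TRUSTS = [
    ("corp.local", "dev.corp.local", "ParentChild", True),
    ("dev.corp.local", "corp.local", "ParentChild", True),
    ("corp.local", "eu.corp.local", "ParentChild", True),
    ("eu.corp.local", "corp.local", "ParentChild", True),
    ("corp.local", "partner.net", "Forest", True),
    ("partner.net", "corp.local", "Forest", True),
    # one-way external trust: legacy.acme trusts dev.corp.local, not vice versa
    ("legacy.acme", "dev.corp.local", "External", False),
]


def reachable_from(foothold, trusts=TRUSTS):
    """Map every domain a principal from `foothold` can authenticate into
    to the shortest chain of trusts that gets there (BFS over the graph)."""
    # index edges by the trusted side: that is the direction an attacker moves
    outgoing = {}
    for trusting, trusted, ttype, transitive in trusts:
        outgoing.setdefault(trusted, []).append((trusting, ttype, transitive))

    paths = {foothold: [foothold]}
    seen = {(foothold, True, False)}
    # queue entries: (domain, path so far, may_continue, crossed_forest_trust)
    queue = deque([(foothold, [foothold], True, False)])
    while queue:
        dom, path, may_continue, crossed_forest = queue.popleft()
        if not may_continue:          # arrived over a non-transitive trust: dead end
            continue
        first_hop = len(path) == 1
        for nxt, ttype, transitive in outgoing.get(dom, []):
            if nxt in path:
                continue
            if not first_hop and not transitive:
                continue              # external trusts only honour direct neighbours
            if ttype == "Forest" and crossed_forest:
                continue              # no forest -> forest -> forest chaining
            state = (nxt, transitive, crossed_forest or ttype == "Forest")
            if state in seen:
                continue
            seen.add(state)
            paths.setdefault(nxt, path + [nxt])
            queue.append((nxt, path + [nxt], transitive, state[2]))
    return paths


def to_dot(trusts=TRUSTS):
    """Render the trust graph as Graphviz DOT (arrow = trusting -> trusted)."""
    lines = ["digraph trusts {"]
    for trusting, trusted, ttype, transitive in trusts:
        label = ttype + ("" if transitive else " (non-transitive)")
        lines.append(f'  "{trusting}" -> "{trusted}" [label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for domain, path in reachable_from("dev.corp.local").items():
        print(f"{domain:18s} via {' -> '.join(path)}")
    print(to_dot())
```

With the constructed data, a foothold in the child domain dev.corp.local reaches the whole forest plus partner.net over the forest trust, and legacy.acme only because that external trust points directly at dev; a foothold in partner.net reaches every corp.local domain but not legacy.acme. The output tells you where your tickets will be accepted, not what you can do once there; that still depends on group membership and SID filtering in the target domain.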

Advanced incident remediation techniques

Presented By: Steve Armstrong

When working in large network breaches, the technique of removing the infected hosts immediately and one-by-one is not the best or only option.

In this presentation we will look at the other methods used: “mass remediation” and “outrunning the attacker”. We will look at the conditions necessary to make them work (team, profile, target, network and attacker), how they scale, the sort of resources you need to make them effective and how the attacker may respond if you don’t maintain control.

This is a ‘from the trenches’ session and not an academic thesis; the presenter has implemented various techniques and faced different results, both good and bad. This session is your opportunity to learn from their experience.

Saving Nostalgia: Modding an Old Z80 Computer

Presented By: Graham Sutherland

In this talk we’ll follow a project of mine to take an old VTech computer from the late 1980s, upon which I wrote my very first line of code, and add save functionality to its hardware. The computer was designed to teach kids general knowledge, science, history, typing skills, and programming in BASIC. It boasts a one-line text based LCD display, 2KB of SRAM, and a Z80 processor. The one thing that always bothered me, though, is that I couldn’t ever save code I wrote on it — turning it off meant all state was lost.

I’ll describe my approach towards reverse engineering the circuitry, identifying the ICs, understanding the system topology, designing a hardware mod to allow saving of data, and fabrication of the real thing.

Data protection, privacy and cloud computing: navigating legal compliance

Presented By: Graham McKay

Since the development of EU data protection law, technology has advanced at significant pace; indeed the world we live in today would be unrecognisable to the citizens in 1995 when our current data protection legislation was enacted.

Digital technologies such as cloud computing have fundamentally changed the ways in which consumers interact with organisations globally; indeed technological developments allow for the collection and processing of ever increasing volumes of personal data. The current data protection framework was conceived in a technologically different era to our current digital world, whilst data volume has exploded.

Cloud computing profoundly transforms the manner in which Information Technology (IT) services are conceived, deployed, delivered, scaled and consumed with the potential of this disruptive technology being recognised by industry and government alike. The abundance of data relating to individuals leaves behind a hidden trail with the potential to be pieced together formulating a jigsaw of our identity capturing every online action we take, rendering the notion of privacy outmoded in such an information-rich society.

Whilst data protection legislation was enacted before the development of cloud computing, this presentation will identify the continued relevance of the data protection principles and recognise that cloud computing can be exploited within current data protection and privacy legislation.

The European Commission is currently proposing major reform of data protection legislation to “strengthen individual rights and tackle the challenges of globalisation and new technologies” by way of the Proposed General Data Protection Regulation but will this meet the needs of technological advancement thus far and beyond?

Light at the End of the Tunnel. (Hope for Team Defence)

Presented By: Haroon Meer

The former Deputy Director of the NSA (Chris Inglis) is reputed to have said that “if we were to score cyber the way we score soccer, the tally would be 462-456 twenty minutes into the game, i.e., all offence”. A quick look at conference line ups (or the evening news) supports this claim. For a long time, team offence has grabbed the lion’s share of both headlines and talent, causing more and more people to turn into full-time security nihilists.

We can turn this around.

While headlines have been dominated by breaches and security fails, a few positive stories (with massive potential) have slipped by almost silently. While we have seen hundreds (and thousands) of companies doing security horribly wrong, we are now also starting to see signs of companies “getting things right”. While most companies have been clinging desperately to hope (or prayer) as prospective defence strategies, we are now seeing signs of better solutions emerging.

Aside from being uncharacteristically upbeat, this talk aims to highlight some of these wins, and some of the winning strategies that have started making the scoreboard look a little more respectable.

Universal Serial aBUSe: Remote Physical Access Attacks

Presented By: Rogan Dawes & Dominic White

In this talk, we’ll cover some novel USB-level attacks that can provide remote command and control of air-gapped machines, with a minimal forensic footprint, and release an open-source toolset using freely available hardware.

In 2000, Microsoft published its 10 immutable laws of security [1]. One of which was: “If a bad guy has unrestricted access to your computer, it’s not your computer any more”. This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as firewire [2], PCMCIA and thunderbolt [3] as well as USB-based attacks including simple in-line keyloggers, “evil maid” attacks [4] and malicious firmware [5].

Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disc encryption, or the impact of Apple’s secure enclave in the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces.

In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to “chewy” internal networks [10] ripe for lateral movement.

While most people are familiar with USB devices, many don’t realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implement an end-to-end attack either because that was not their intention, they only focus on a part of the attack or the project was never completed.

Additionally, existing attacks are predominantly “send only” with no built-in bidirectional communications. They usually rely on the executed payload and the host’s networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, and leave them vulnerable to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often “spray and pray”, unable to account for variations in the user’s behaviour or computer setup.

Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth and offload the complexity to our hardware, leaving a small simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low cost hardware. The design and toolkit will be released during the talk.

Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or a standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device. The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness’ sake, a new transport for meterpreter was developed to allow metasploit payloads to be used instead.

Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.
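The bi-directional channel described above, reduced to its framing, as an added example that is not the toolkit released in the talk. It shows the piece a host-side stub actually has to get right when commands and their output are wrapped into fixed-size HID reports: chunking, sequencing, the end-of-message marker, and rejecting lost or reordered reports. The 64-byte report size, the absence of a report ID, the 3-byte header and the flag layout are assumptions; talking to real hardware would also need a HID library such as hidapi and a matching report descriptor on the device, both left out so the example runs offline.

```python
"""Added example: framing a command/response channel over fixed-size HID reports.

Not the toolkit from the talk.  Assumed: 64-byte reports with no report ID,
a 3-byte header (sequence number, flags, payload length) and one flag bit
marking the last report of a message.
"""
import struct
import subprocess

REPORT_SIZE = 64
HEADER = struct.Struct("<BBB")           # seq (mod 256), flags, payload length
PAYLOAD_MAX = REPORT_SIZE - HEADER.size  # 61 bytes of payload per report
FLAG_LAST = 0x01


def encode(data: bytes):
    """Split `data` into zero-padded REPORT_SIZE-byte reports."""
    chunks = [data[i:i + PAYLOAD_MAX] for i in range(0, len(data), PAYLOAD_MAX)] or [b""]
    reports = []
    for seq, chunk in enumerate(chunks):
        flags = FLAG_LAST if seq == len(chunks) - 1 else 0
        report = HEADER.pack(seq & 0xFF, flags, len(chunk)) + chunk
        reports.append(report.ljust(REPORT_SIZE, b"\x00"))
    return reports


def decode(reports):
    """Reassemble one message; refuse lost, reordered, oversized or unterminated streams."""
    out = bytearray()
    expected = 0
    for report in reports:
        if len(report) != REPORT_SIZE:
            raise ValueError(f"report is {len(report)} bytes, expected {REPORT_SIZE}")
        seq, flags, length = HEADER.unpack_from(report)
        if seq != expected & 0xFF:
            raise ValueError(f"sequence gap: got {seq}, expected {expected & 0xFF}")
        if length > PAYLOAD_MAX:
            raise ValueError("payload length exceeds report")
        out += report[HEADER.size:HEADER.size + length]
        expected += 1
        if flags & FLAG_LAST:
            return bytes(out)
    raise ValueError("stream ended before the final report")


def run_locally(command: str) -> str:
    """The executor a real host-side stub would use (not exercised by the demo)."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def host_stub(command_reports, executor):
    """Host side: unwrap the command, run it, wrap the output.  No sockets involved."""
    command = decode(command_reports).decode("utf-8", "replace")
    return encode(executor(command).encode("utf-8"))


def device_side(command: str, executor) -> str:
    """Device side: send a command as reports and return the reassembled output."""
    reply_reports = host_stub(encode(command.encode("utf-8")), executor)
    return decode(reply_reports).decode("utf-8", "replace")


if __name__ == "__main__":
    # constructed executor so the demo is deterministic; swap in run_locally for a real stub
    fake = lambda cmd: f"ran {cmd!r}\n" + "x" * 200
    print(device_side("whoami", fake))
```

Everything the host does here is local: the only observable artefact on the machine is a process talking to a HID device, which is why the abstract can claim no network traffic and a small forensic footprint. The sequence check matters because HID interrupt transfers give you no retransmission; a dropped report has to be detected by the stub rather than by a transport layer.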

[1] “10 Immutable Laws of Security”

[2] “Physical memory attacks via Firewire/DMA – Part 1: Overview and Mitigation”

[3] “Thunderstrike 2”

[4] “Evil Maid goes after TrueCrypt!”

[5] “Turning USB peripherals into BadUSB”

[6] “Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic”

[7] “How bank hackers stole £1.25 million with a simple piece of computer hardware”

[8] “Apple vs FBI”

[9] “Users Really Do Plug in USB Drives They Find”

[10] “The Design of a Secure Internet Gateway”

[11] “USB Rubber Ducky Wiki”

[12] “USBDriveBy”

[13] “Cylance, Math vs Malware”

[14] “Carbon Black, Next Generation Endpoint Security”

[15] “NSA Playset, TURNIPSCHOOL”

[16] “Facedancer2”

[17] “The Shikra”

Bootstrapping an Architectural Research Platform

Presented By: Jacob Torrey

This talk aims to provide the fundamental architectural knowledge and resources for a security researcher interested in misuse of the x86 platform to conduct their own research with less “boiler-plate”. Covering the privileges and architectural events that different CPU rings can monitor, a few basic research hypervisors, and new technologies coming into the mainstream, this talk will help researchers to rapidly focus on the research questions and not the setup.

The Malware CAPE: Automated Extraction of Configuration and Payloads from Sophisticated Malware

Presented By: Kevin O’Reilly

Within the fields of malware research and threat intelligence, one of the biggest challenges faced by the security industry is the significant time and skill required to reverse engineer new malware samples. This has led to the emergence of a number of systems designed to automate this process, but such solutions are often limited in their ability to implement the skilled techniques required to unravel the malware’s secrets.

For nation-state malware research in particular there is often a dependency on skilled analysts, who, even when faced with a familiar malware family, will often have to repeat time-consuming and highly skilled procedures in order to extract useful information from a new sample. In conflict with this, consumers of threat intelligence demand indicators of compromise (IOCs) from new samples instantaneously, with the indicators being at their most useful to the defender in the time immediately following the malware’s discovery.

In this talk we will unveil the open-source launch of our solution CAPE, which automates many of the complex tasks routinely performed by skilled analysts when dissecting common nation state malware families. This solution allows for the extraction of payloads, configuration and other indicators from these malware families via a single intuitive malware analysis platform.

We will begin by describing the techniques and stand-alone tools that were combined to create CAPE and demonstrate the capabilities of this system when deployed against some of the most prevalent state-sponsored malware families. We will show how support for additional malware families can be added to the system via the open-source launch of CAPE. Our hope is that CAPE will be used by the community, and further expanded, in the ongoing battle against malware of ever-increasing sophistication.

2016: The Infosec Crossroads

Presented By: Saumil Shah

Today’s attacks succeed because the defense is reactive. I have been researching attacks and offensive techniques for the past 16 years. As the defenses kept catching up and closing open doors, we attackers looked for new avenues and vectors. This talk looks back on the state of defenses from my days of One-Way Web Hacking in 2001 to Stegosploit in 2016, and a common pattern emerges. Defense boils down to reacting to new attacks and then playing catch-up. It is time to take another look at defense strategy. In this talk I present the basics of what should be the next evolution of pro-active defense architecture.

101 Ways To Brick Your Hardware

Presented By: Joe FitzPatrick

Spend some time hacking hardware and you’ll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we’ve got decades of bricking experience that we’d like to share. We’ll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We’ll also talk about tips on how to avoid bricking your projects in the first place. If you’re getting into hardware hacking and are worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did.

What it Means to Have the C Word in the National Security Agenda

Presented By: Emil Tan

This is a highly non-technical talk.

What is the meaning of ‘security’? Words like ‘information security’, ‘cyber security’ and ‘critical (information) infrastructure protection’ have found their way into many countries’ national security agenda over the past few years. When, how and why did that happen?

Many countries have developed and published ‘National Cyber Security Strategies’ which outline how cyber threats are dealt with at the national level. Everyone is facing the same threats in cyberspace, yet we are all approaching it differently. Why?

My talk is not a linear narration of history. My talk aims to explore and explain this phenomenon, from a policy analysis angle, of how ‘cyber security’ became a national security issue and what impact this has on the future.

The Frugal Girl’s Guide to Threat Intelligence

Presented By: Rebekah Brown

Threat intelligence can support incident prevention, detection, and response and contribute to an organization’s risk-based security posture, but unfortunately it has a reputation for being expensive and complicated to implement. Fortunately for those without bottomless pockets, threat intelligence doesn’t have to be a budget breaker, but building a cost effective capability does take time, effort, and good old fashioned elbow grease. This talk will cover how to determine what level and aspect of threat intelligence to focus on, given your team, time, and goals. It will discuss how to identify the best open source, free, and low-cost intelligence resources for your organization and how to integrate them into operations. Attendees will leave this presentation with an understanding of some of the budget-friendly tools available to them, including threat intelligence platforms, information sources, analytic tools, and how to assess whether or not they are providing value to the organization.

Attacks on SAP HANA Platform

Presented By: Juan Perez-Etchegoyen & Nahuel Sanchez

Companies nowadays are choosing between on-premise, cloud and hybrid deployment models. The common factor across all of these scenarios is the underlying platform, used in the background to run all on-premise and cloud-based applications developed by SAP. This platform is called SAP HANA, which is an in-memory database integrated with an application server that provides a new paradigm for vulnerabilities and risks, serving an increasing number of business applications, providing cutting edge features and overwhelming performance.

With the rise of IoT, many features and interfaces are integrated into SAP HANA and the HANA Cloud Platform, enabling it as a central point for IoT communications and making it an interesting target for anyone trying to access the information of several millions of devices across the world. Vulnerabilities affecting SAP HANA now have an increased attack surface, as these could be abused to compromise many diverse deployments and many customers, if the customers are not properly taking care of these risks.

Join us for this presentation to learn about diverse attack vectors affecting current SAP solutions, on-premise and cloud-based. You will not only learn technical details about these vulnerabilities, but also understand how to prevent and detect attacks on our crown jewels running on HANA.

Effortless, Agentless Breach Detection in the Enterprise: Token all the Things!

Presented By: Azhar Desai & Nicholas Rohrbeck

Using honeytokens to detect breaches is an old idea that has been sporadically spoken about (and implemented less often). Despite recommendations from the occasional consultant, honeytokens have not been adopted as widely as they should have. This needed to change. In 2015, we released Canarytokens (http://canarytokens.org) to bring about wider use of tokens.

Canarytokens natively supports web bugs, DNS tripwires, SQL row tokens, document tokens and a handful of other friends. Via a simple web interface, several thousand of these tokens have been deployed worldwide (and a number of breaches have been reliably discovered). Considering that most tokens can be deployed in under 5 seconds, this was already pretty good ROI.

This year, tokens go much further. From abusing native OS functionality to bending cloud infrastructure, this talk covers work done in our new quest to “token all the things”. We’ll show infrastructure we built for users to easily set tripwires around their network without installing agents, deploying hardware or spending a cent. Along with file format chicanery and old fashioned web-app-abuse, we will show new techniques (and defensive hacks) that you can use to detect breaches on your networks.
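The two simplest token types the abstract names, a web bug and a DNS tripwire, with the detection side that turns a hit into an alert, as an added example that is not Canarytokens’ own code. Each token is a random identifier tied to a label saying where it was planted; the listener only has to recognise that identifier in its own logs. The canary domain, the URL layout and the log formats (Apache-style access log, BIND-style query log) are assumptions chosen so the example runs offline on constructed lines.

```python
"""Added example: mint honeytokens and spot them being triggered in logs.

Not Canarytokens' own code.  The canary domain, the URL layout and the log
formats are assumptions; the log lines in the demo are constructed.
"""
import re
import secrets

CANARY_DOMAIN = "canary.example.net"   # assumed: a zone whose resolver and web host you control


class TokenRegistry:
    """Maps a random token id to the place it was planted."""

    def __init__(self):
        self._tokens = {}

    def mint(self, kind, label):
        """Create a token of `kind` ("dns" or "web") and return the artefact to plant."""
        tid = secrets.token_hex(8)            # 16 hex chars, unguessable
        self._tokens[tid] = (kind, label)
        if kind == "dns":
            return f"{tid}.{CANARY_DOMAIN}"   # e.g. a hostname in a fake config file
        if kind == "web":
            return f"http://{CANARY_DOMAIN}/t/{tid}/pixel.gif"   # e.g. a 1x1 image in a document
        raise ValueError(f"unknown token kind {kind!r}")

    def lookup(self, tid):
        return self._tokens.get(tid.lower())


WEB_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')
TOKEN_PATH = re.compile(r"^/t/(?P<tid>[0-9a-fA-F]{16})/")
DNS_LOG = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+.*?query: (?P<name>\S+) IN")
TOKEN_NAME = re.compile(r"^(?P<tid>[0-9a-fA-F]{16})\." + re.escape(CANARY_DOMAIN) + r"\.?$")


def scan(lines, registry):
    """Return one alert dict per log line that touched a registered token."""
    alerts = []
    for line in lines:
        web = WEB_LOG.match(line)
        if web:
            m = TOKEN_PATH.match(web["path"])
            hit = registry.lookup(m["tid"]) if m else None
            if hit:
                alerts.append({"kind": hit[0], "label": hit[1], "source": web["ip"], "when": web["ts"]})
            continue
        dns = DNS_LOG.search(line)
        if dns:
            m = TOKEN_NAME.match(dns["name"])
            hit = registry.lookup(m["tid"]) if m else None
            if hit:
                # for DNS the "source" is whichever resolver forwarded the query
                alerts.append({"kind": hit[0], "label": hit[1], "source": dns["ip"], "when": None})
    return alerts


if __name__ == "__main__":
    reg = TokenRegistry()
    hostname = reg.mint("dns", r"\\fileserver\finance\backup-creds.txt")
    url = reg.mint("web", "HR wiki: admin page")
    web_tid = url.split("/t/")[1].split("/")[0]
    sample = [   # constructed log lines
        f'203.0.113.9 - - [10/Sep/2016:10:12:01 +0100] "GET /t/{web_tid}/pixel.gif HTTP/1.1" 200 43',
        f"client 10.0.0.53#40213 ({hostname}): query: {hostname} IN A + (10.0.0.1)",
        '198.51.100.7 - - [10/Sep/2016:10:12:03 +0100] "GET /t/0000000000000000/pixel.gif HTTP/1.1" 404 0',
    ]
    for alert in scan(sample, reg):
        print(alert)
```

The DNS variant is the one that needs no inbound connectivity from the victim at all: any process that merely resolves the planted hostname, even from a segment with no route to the listener, leaks the query to your authoritative server through its resolver chain. The price is that the source address you see is the last resolver’s, so the label you attach at mint time has to carry the context the IP cannot.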

Meaningful Measurement: It’s About Time We Got This Right

Presented By: Ian Trump

That cyber-crime has driven the rise of malware during the last decade is not in doubt; how large that increase has been most certainly is. This measurement has, I would argue, been more speculative than evidential. The problem being that attempts to quantify malware usage are lacking any meaningful industry accepted standard when it comes to the metrics concerned.

When the numbers put forward by vendors, industry bodies and the media all vary so widely (not just between those sectors but within them as well), is it any wonder that any serious attempt to establish the scale, the cost or the impact of such attacks is doomed to failure? The disconnect between the reporting of cyber-crime and the actual metrics that are most important for both businesses under attack and the industry that exists to mitigate them will remain until the difficulties of comparing oranges with apples become apparent.

Attempting any such comparative exercise is fraught with peril and serves to highlight where we, as an industry, are getting our metrics wrong; the largely accepted cost-per-record breach metric is far too broad a brush to paint any kind of recognizable real world picture. When reporting and discussing the scale and impact of cyber-crime it is imperative that we move away from sensationalizing one part of the story or consequence of the breach, that which will create the biggest search engine feeding frenzy. Who the criminals were is of less import than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim.

The measurement metric dial has, ultimately, moved too far towards attribution and needs to be reset to prevention and a business-based analysis of risk once more. That business-based analysis itself needs to be more realistic, so there also has to be a move away from the kind of threat intelligence reporting which is almost exclusively dominated by data derived from the large enterprise sector and consequently of little relevance to the Small and Medium Enterprise (SME) market.

The data upon which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to become more relevant across all business sectors. If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happened, we will never make any progress against an elusive enemy.

Jittery MacGyver: Lessons Learned from Building a Bionic Hand out of a Coffee Maker

Presented By: Evan Booth

In May of 2015, it was estimated that a pod-based coffee maker could be found in nearly one in three American homes. Despite the continued popularity of these single-cup coffee conjurers at home as well as in the workplace, it has become clear that these devices are not impervious to mechanical and/or electrical failure. It was this intersection of extremely prevalent hardware and relatively short lifespan that prompted me to begin exploring the upper limits of what could be created by repurposing one of the most popular pod-based machines: the Keurig.

In this session, we will walk through some real-world examples of “MacGyver”-style creative problem-solving, we’ll go hands on (yes, pun intended) with stuff made from repurposed Keurigs, and finally, I’ll reflect on lessons learned from looking for potential in things most people deem common and unremarkable.

Frictionless Security

Presented By: Jerry Gamblin

“Frictionless Security” is the process of building your security program into your company’s infrastructure stack so that it is automated, non-intrusive, and non-negotiable. Over the last year, as I have implemented this program, I have written custom API calls, Chef scripts, Slack bots and more in order to make my security program as frictionless as possible.

In this talk we will discuss:

What went well.
What went wrong. (Hint: A LOT)
What we will do differently to improve.

Leverage One-shot UAF to a Minigun

Presented By: Guanxing Wen

Adobe Flash has been a favourite target for exploit developers since 2013. One of the most common exploitation techniques for Flash 0days, especially Use-After-Free (UAF) bugs, is to corrupt the length field of an array-like object, which eventually leads to arbitrary memory read/write and then arbitrary code execution. The Vector/ByteArray primitive was so simple and powerful that in 2015 Adobe introduced mitigations into Flash with the goal of making this old method history.

Under new circumstances, gaining arbitrary memory access is not easy anymore, not to mention implementing a universal method. Unfortunately, most UAF exploits need to read process memory and then collect required ROP gadgets to achieve code execution.

This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion in which full memory access is gained again. More importantly, this talk will illustrate UAUAF with CVE-2016-1097, a real UAF 0day that we discovered in April. The whole detailed exploitation process, i.e. from discovering the 0day, gaining full memory access and chaining ROP gadgets, to the final arbitrary code execution, will be presented.