44CON 2017 Talks

The Internet of Us

Presented by: Don A. Bailey

The Internet of Things has devolved into a four letter word on the tongues of information security researchers. As a result, we’ve endured the nonsensical rants of would-be hacker-pundits exclaiming every new technology must be junk that certainly can be hacked. Even if they’re right, they’re missing the point: the world is changing out from under them.

IoT isn’t simply a trend that splices any given thing with a communications chip and rudimentary application. IoT is the next wave of computing. The boundaries between endpoints and cloud services are blurring into new abstractions with trendy names like ‘the fog’. As the blurring of resources continues, IoT won’t simply be things connecting to services, it will represent services extended inward toward our fingertips.

This shift in computing has already started to upend the way we think about the effects of information security gaps. For example, most implementers and even auditors of IoT technology don’t understand that the greater risk to an insecure deployment isn’t to the consumer, it’s actually to the business. Many standard IoT models actually put the business at risk of bankruptcy due to the way services are exposed to endpoints, and how these services can be abused to create massive surges in fees.

Yet, instead of identifying these shifts in architectural models, infosec pundits would rather shake their fist at the sky. We, as an industry, must do better not only for ourselves, but for the global community. Our job is to lift up the community and support it in its efforts to evolve our world. Otherwise, we will succeed in securing relics, leaving brave new worlds without an atmosphere.

Without pointing fingers, this keynote presentation calls out the negative behaviours in IoT security punditry by demonstrating not only how new security models have slipped through the infosec community’s fingers, but how these gaps can be combatted and resolved with cost-effective strategies.

At the end of this keynote, the audience should feel a new commitment toward infosec principles, and to new technological models. I hope to empower everyone to realize that The Internet of Things isn’t about stuff, it’s about Us. The Internet of Us.

Linux Containers Made of Steel

Presented by: Jessie Frazelle

It is a well-known fact that today Linux containers do not “contain.” This talk will cover the steps we have taken and can take in order to change the scepticism surrounding containers. This talk will cover active developments in the Linux kernel that are being worked on to get to this goal. It will go in depth into the design decisions of other similar technologies, such as Solaris Zones, VT-d, and VT-x, and how they can be applied to the primitives in Linux to reach a state of real “contained” sandboxes.

Cracking HiTag2 Crypto – Weaponising Academic Attacks for Breaking and Entering

Presented by: Kevin Sheldrake

HiTag2 is an RFID technology operating at 125KHz. It is distinguished from many others in the same field by its use of 2-way communications for authentication and its use of encryption to protect the data transmissions – the majority of RFID technologies at 125KHz feature no authentication or encryption at all. As a result it has been widely used to provide secure building access and has also been used as the technology that implements car immobilisers.

In 2012, academic researchers Roel Verdult, Flavio D. Garcia and Josep Balasch published the seminal paper, ‘Gone in 360 Seconds: Hijacking with Hitag2’, that presented three attacks on the encryption system used in HiTag2. They implemented their attacks on the Proxmark 3 device (an RFID research and hacking tool) and gave several high-profile demonstrations, but didn’t release any of their code or tools. Since then, the forums supporting Proxmark 3 and RFIDler (another RFID hacking tool) have received many requests for implementations of these attacks, but so far none have been forthcoming.

This talk covers implementation of all three attacks on RFIDler, supported by desktop computers. The first attack uses a nonce replay to misuse the integrity protection of the comms in order to allow access to the readable RFID tag pages without needing to know the key. The talk will cover how HiTag2 RFID works and will describe the first attack in detail plus the implementation challenges. The attacks are weaponised and permit cloning of tags, which will be demonstrated.

The tools used will be released after the talk.

There is a workshop accompanying this talk which builds on the material covered and goes into further detail on a number of attacks, “Cracking HiTag2 Crypto: A Detailed Look at the Academic Attacks”. Attending this talk is a prerequisite for the workshop.

Chkrootkit: Eating APTs for breakfast since 1997

Presented by: Nelson Murilo

Chkrootkit will be 20 years old in 2017!

The first chkrootkit release was in 1997 and it was written by Klaus (CERT.br team) and the presenter. Chkrootkit is a suite of POSIX shell scripts and some tools written in ANSI C, and runs like a charm in virtually all Unix environments without dependencies. It can detect several rootkits and malicious activity (some APTs included) and can do post mortem forensic analysis to detect kernel module activities and related indicators of compromise. This tool currently detects ~70 known rootkits, worms and many malicious activities. This talk will discuss the features and methods used to detect rootkits and malware in general, the limitations and potential options to improve it. Chkrootkit is an open source tool, so suggestions are always welcome.

Biting the Apple that feeds you – macOS Kernel Fuzzing

Presented by: Alex Plaskett and James Loureiro

This talk details the use of MWR’s platform agnostic kernel fuzzing techniques to automatically identify critical flaws within Apple macOS.

This talk will focus on how the researchers approached developing fuzzing automation to test the core subsystems of the XNU kernel and the insights gained, and also highlight architectural differences between other supported platforms which had to be addressed during this work.

The old adage of ‘different fuzzers find different bugs’ will also be explored, as we looked into the effectiveness of using targeted fuzzing for specific components considered most likely to yield vulnerabilities.

An in-memory fuzzer based on a combination of static and dynamic analysis was also constructed to target these components with the aim to achieve greater code coverage, efficiency and to allow attacks on other privileged components within macOS via IPC.

Finally we will discuss the issues discovered by the fuzzers and highlight future improvements which could be made to the tooling going forward to increase coverage and effectiveness.

Various tools used during the research will be released after the talk.

Breaking Historical Ciphers with Modern Algorithms

Presented by: Klaus Schmeh

Many old encryption methods are still hard to break today. For instance, cryptanalyzing a Turning Grille (a cipher device already known in the 18th century) is far from trivial. Many other encryption methods of historical importance can nowadays be broken, for instance Enigma messages from WW2, ADFGVX ciphertexts from WW1, bigram substitutions, cipher slide messages, and double column transpositions.

This presentation will introduce a number of non-trivial ciphers that played an important role in history and explain how they can be broken with modern means. This will be demonstrated with original ciphertexts from past centuries, some of which were deciphered only recently. A number of interesting improvements in this area have been developed in recent years. Research is still going on.

In spite of all these efforts, there are still surprisingly many historical encryption methods (and original ciphertexts) that are unbroken to date. Among others, Enigma messages with fewer than 70 letters, double column transpositions with long key words, and numerous cold war ciphers still baffle cryptanalysts. However, research goes on and we might see further improvements in the near future.

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Presented by: Gabriel Ryan

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port-based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defence mechanism. In a wireless network, EAP plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Red Team Revenge: Attacking Microsoft ATA

Presented by: Nikhil Mittal

Microsoft Advanced Threat Analytics (ATA) is a defence platform which reads information from multiple sources like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information collected is used to detect Reconnaissance, Credentials replay, Lateral movement, Persistence attacks etc. Well known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is performed using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic for gathering information about not only possible attacks but user behaviour as well. It slowly builds an organizational graph and can detect deviations from normal behaviour.

This talk focuses on identifying and attacking ATA installations. Can ATA be attacked to suppress alerts? How noisy is it to attack ATA? How can alerts related to a particular identity (user and computer) be exempted? How can ATA be controlled and crippled remotely?

The talk will be full of live demonstrations.

BaRMIe – Poking Java’s Back Door

Presented by: Nicky Bloor

Java’s Remote Method Invocation (RMI) enables developers to seamlessly interact with objects that reside within another Java Virtual Machine (JVM), potentially on a remote server. As is often the case, the trade-off for seamless remote method invocation is security. While many consider RMI to be outdated and uninteresting, many in-service implementations remain trivial to exploit, and there are many questions to consider. How common is RMI? How many RMI services are making the same mistakes when it comes to security? What else could I do with arbitrary RMI services? Can RMI services be secured, and if so, how?

I set about finding answers to those questions. Along the way I wrote a tool to help with enumeration of RMI services, called BaRMIe, which eventually became an exploitation tool following the discovery of vulnerabilities within Java itself.

During this talk I’ll look at the work I did and present the results of my research including answers to my original questions and the exploitation tool I wrote, BaRMIe.

Persisting with Microsoft Office: Abusing Extensibility Options

Presented by: William Knowles

One software product that red teamers will almost certainly find on any compromised workstation is Microsoft Office. This talk will discuss the ways that native functionality within Office can be abused to obtain persistence.

A wide range of techniques for abusing various add-in mechanisms will be covered. Each persistence mechanism will be discussed in terms of its relative advantages and disadvantages for red teamers, in particular with regard to its complexity to deploy, privilege requirements, and applicability to Virtual Desktop Infrastructure (VDI) environments, which hinder the use of many traditional persistence mechanisms.

The talk will finish with approaches to detection and prevention of these persistence mechanisms.

See no evil, hear no evil: Hacking invisibly and silently with light and sound

Presented by: Matt Wixey

Traditional techniques for C2 channels, exfiltration and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost from an attacker’s perspective – we constantly see examples of attackers creatively bypassing such protections – it is always beneficial to have more weapons in one’s arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk presents and demonstrates a number of techniques and attacks which utilise light and/or sound, covering everything from C2 channels and exfiltration using light and near-ultrasonic sounds, to disabling and disrupting motion detectors; from a DIY laser microphone to sending a drone into the stratosphere; from trolling friends, to jamming speech, and demotivating malware analysts.

This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, particularly for on-site engagements, but also demonstrates – in a hopefully fun and practical way – how these techniques work, their pros and cons, and possible future developments.

I also consider mitigation against some of these attacks, where applicable, and encourage defenders to consider how and why some of these attacks might work where traditional methods fail.

Secrets Of The Motherboard (Shit My Chipset Says)

Presented by: Graham Sutherland

Modern motherboards are fairly daunting pieces of hardware. They’re full of closed-source firmware, undocumented and obscure parts, incredibly complex components, and are developed by people with vast domain-specific knowledge. They’re also full of exciting security-impacting technologies like IME, AMT, SMM, TPM, and UEFI. But, despite the apparent difficulty, what if we took a stab at trying to understand these devices and what security looks like at the bare-metal level? The real secret is that it’s not as hard as it looks.

This talk runs through a list of weird and wonderful things I found while reading datasheets for Intel chipsets and other motherboard parts. Along the way we’ll explore unusual functionality not intended for production use, features we can exploit to build more open platforms, potential security pitfalls in motherboard design, and the challenges faced by certain industries in attempting to secure hardware for reuse.

Cisco ASA Episode 2: Striking back – Internals and Mitigations

Presented by: Cedric Halbronn

In 2016, two critical vulnerabilities were published that targeted Cisco ASA (Adaptive Security Appliance) firewalls. Even though the exploits for both are public, they are restricted to specific ASA versions and there is no public tool to understand how they work. This talk is about ASA internals, the reverse engineering involved and tools we have developed to better weaponize exploits.

In addition to covering previously unpublished details of Cisco ASA internals and how the exploit was generalised to apply to over 100 versions and made 100% reliable, the talk will cover a number of tailor-made tools developed to assist in the reverse engineering and exploit production. The tools will be released after the talk.

Inside Android’s SafetyNet Attestation: What it can and can’t do – lessons learned from a large-scale deployment

Presented by: Colin Mulliner

There are many reasons for protecting your mobile applications against modification and tampering. Until recently you had to use third-party tools or implement your own app integrity checks and device rooting checks. Today you can use Android’s SafetyNet Attestation infrastructure to ensure the integrity of your application and the user’s device. Unfortunately, SafetyNet Attestation is not well documented by Google.

This talk provides a deep dive into SafetyNet Attestation. We show what level of attestation SafetyNet provides and what it can’t do. The talk is based on the lessons learned from implementing SafetyNet Attestation for an app with a large install base. We turned SafetyNet upside down to find its flaws and shortcomings. This talk will provide you with everything you need to know about Android’s SafetyNet Attestation and will help you to implement and use it in your app.

Subgraph OS: Hardening a Linux Desktop (tentative)

Presented by: David Mirza Ahmad

Subgraph OS is an operating system designed to provide a hardened Linux desktop resistant to network and malware attacks.

Subgraph includes a hardened kernel, application sandboxing with per-application network rules, an application firewall and extensive security monitoring and alerting.

This presentation will outline the overall design and goals of the project and detail progress so far, including a detailed description of the sandboxing implementation.

Hypervisor-Assisted Ring0 Debugging with radare2

Presented by: Lars Haukli

Reverse engineering protected code operating in kernel mode can be challenging. More advanced protection mechanisms typically combine obfuscation or encryption with techniques that hinder dynamic analysis. Some code will not run at all when certain debugging features are enabled by the OS.

radare2 is a comprehensive open-source framework for reverse engineering that takes you to a magical world where control flow graphs of disassembled code are displayed in ASCII art. The framework combines a vast set of code analysis capabilities, which you can make use of in a variety of ways.

Enter the idea of connecting radare2 to a virtual machine, giving it direct access to guest physical memory. The intent is to debug Ring0 code running inside the guest, with the debugging mechanism operating exclusively on the host.

This talk will cover the use of radare2 on a Linux host accessing a Windows VM.

Lessons Learned Hunting IoT Malware

Presented by: Olivier Bilodeau

Permeating the entire spectrum of computing devices, malware can be found anywhere code is executed. Embedded devices, of which many are a part of the Internet of Things (IoT), are no exception. With their proliferation, a new strain of malware and tactics have emerged. This presentation will discuss our lessons learned from reverse-engineering and hunting these threats.

During our session, we will explain the difficulty in collecting malware samples and why operating honeypots is an absolute requirement. We will study some honeypot designs and will propose an IoT honeypot architecture comprising several components like full packet capture, a man-in-the-middle framework and an emulator.

Additionally, reverse-engineering problems and practical solutions specific to embedded systems will be demonstrated. Finally, we will explore three real-world cases of embedded malware. First, Linux/Moose, a stealthy botnet that monetizes its activities by selling fraudulent followers on Instagram, Twitter, YouTube and other social networks. Second, a singular ELF binary of the MIPS architecture which serves as a dropper. Third, LizardSquad’s LizardStresser DDoS malware known as Linux/Gafgyt. Attendees will leave this session better equipped to hunt this next generation of malware using primarily open source tools.

So You Want to Hack Radios

Presented by: Marc Newlin and Matt Knight

The Age of the Radio is upon us: wireless protocols are a dime a dozen thanks to the explosion of the Internet of Things. While proprietary wireless solutions may offer performance benefits and cost savings over standards like 802.11 or Bluetooth, their security features are rarely well-exercised due to lack of access to these interfaces. The adoption of Software Defined Radio (SDR) by the security research community has helped shift this balance; however, SDR remains a boutique skillset. Join us as we lift the veil on SDR and show that a PhD is not needed to pwn the Internet of Things Radios.

This session offers a tutorial on how to apply Software Defined Radio, with an emphasis on the “Radio” part. Rather than glossing over RF basics, we will frame our entire discussion about reverse engineering wireless systems around digital radio fundamentals.

We begin with an offensively short crash course in digital signal processing and RF communication, covering just enough to be dangerous, before introducing a reverse engineering workflow that can be applied to any wireless system. We will show how to use this workflow to recover and inject packets from/into a variety of devices with proprietary modulations.

Attendees should expect to walk away with practical knowledge of how to apply SDR to examine proprietary wireless protocols. We will release GNU Radio flowgraph templates and shell scripts to get attendees started.

Checking BIOS protections offline with just the firmware updates

Presented by: Oleksandr Bazhaniuk and Yuriy Bulygin

Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software-based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems.

We’ve discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We’ll present the process, findings and limitations of such offline analysis of vendor firmware update images.