44CON 2018 Talks

For a full list of 44CON 2018’s confirmed speakers, please click here.

They’re All Scorpions – Successful SecOps in a Hostile Workplace

Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.

The UK’s Code of Practice for Security in Consumer IoT Products and Services

Presented by: David Rogers

In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety.

The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?

Weak analogies make poor realities – are we sitting on a Security Debt Crisis?

Presented by: Charl van der Walt

Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.

Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.

In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.

Catch Me If You Can: Ephemeral Vulnerabilities in Bug Bounties

Presented by: Shubham Shah and Michael Gianarakis

The internet is changing, at a much faster pace today with cloud computing being so easily accessible. As the attack surface of the internet (IPv4) changes there are periods of time where vulnerabilities are present but dissipate quickly.

By being able to monitor an organisation and effectively determine these changes, we’ve found a number of critical vulnerabilities within networks and applications that are only present for a short period of time. This presentation will detail multiple critical vulnerabilities found by participating in bug bounty programs that we classify as ephemeral vulnerabilities, and the details on how we identified and exploited them in the first place.

For the Love of Money: Finding and exploiting vulnerabilities in mobile point of sales systems

Presented by: Leigh-Anne Galloway and Tim Yunusov

These days it’s hard to find a business that doesn’t accept faster payments. Mobile Point of Sales (mPOS) terminals have propelled this growth lowering the barriers for small and micro-sized businesses to accept non-cash payments. Older payment technologies like mag-stripe still account for the largest majority of all in-person transactions. This is complicated further by the introduction of new payment standards such as NFC. As with each new iteration in payment technology, inevitably weaknesses are introduced into this increasingly complex payment eco-system.

In this talk, we ask, what are the security and fraud implications of removing the economic barriers to accepting card payments; and what are the risks associated with continued reliance on old card standards like mag-stripe? In the past, testing for payment attack vectors has been limited to the scope of individual projects and to those that have permanent access to POS and payment infrastructure. Not anymore!
In what we believe to be the most comprehensive research conducted in this area, we consider four of the major mPOS providers spread across the US and Europe; Square, SumUp, iZettle and Paypal. We provide live demonstrations of new vulnerabilities that allow you to MitM transactions, send arbitrary code via Bluetooth and mobile application, modify payment values for mag-stripe transactions, and a vulnerability in firmware; DoS to RCE. Using this sampled geographic approach, we are able to show the current attack surface of mPOS and, to predict how this will evolve over the coming years.

New to this talk, we will demonstrate how anyone can carry out an attack to send arbitrary code to an mPOS device using simple hardware costing less than £8. The automation of this process allows an attacker to select from a variety of pre-generated messages to send to the mPOS during the transaction process. With this an attacker can tamper with the process to give the appearance that a transaction has been completed when it has not been authorized. Or, a fraudulent merchant could manipulate the process to force a victim to approve multiple transactions.

Finally, for audience members that are interested in integrating testing practices into their organisation or research practices, we will show you how to use mPOS to identify weaknesses in payment technologies, and how to remain undetected in spite of anti-fraud and security mechanisms.

Ghost in the Locks – owning electronic locks without leaving a trace

Presented by: Tomi Tuominen and Timo Hirvonen

A little over ten years ago, a friend of ours returned to his hotel room to find that his laptop was gone. The door to his room showed no signs of forced entry; there was no record that the electronic lock had been accessed while he was away; and there was certainly no evidence that this electronic lock, deployed on millions of doors in more than 150 countries worldwide, could have been hacked.

Sometimes hacking boils down to spending more time on something than anyone could reasonably expect. This talk is an ode to that cliché. It is the culmination of a decade-long quest to find out whether the most widely used electronic lock in the world can be bypassed without leaving a trace. And in this adventure, breaking into hotel rooms is only the beginning. But lucky for all of us, unlike most cases of theft from hotel rooms, this story has a happy ending.

Pwning the 44CON Nerf gun

Presented by: Chris Wade and Dave Lodge

Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.

That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.

At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.

This puppy is so over-specced it would drive you to tears.

The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.

Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.

We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.

This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.

JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and face recognition – and frankly, everywhere else

Presented by: Guy Barnhart-Magen and Ezra Caltum

Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:

Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output

In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!

Garbage In, RCE Out 🙂

Kill All Humans… Bugs! : Machine Learning to the rescue of code review

Presented by: Philippe Arteau

Security code reviews with static analysis tools have inherent problems. While many potential vulnerabilities are found quickly, the number of false positives can be overwhelmingly high on large applications (think millions of lines of code). Even with just a few dozen findings, the human fatigue can have a big impact on the triage. Our research addresses these issues by applying machine learning (ML) to automatically triage the output of static analysis tools.

The objective is to classify vulnerabilities, such as SQL injection or Cross-Site Scripting, using supervised machine learning algorithms. Supervised learning implies that a subset of issues has been classified as false positives or real vulnerabilities. Since algorithms need more than just basic attributes to be efficient, datasets are enriched with various indicators that human look at when reviewing code. Attributes fall in four categories: location (class names, packages, module), data flow sources (method calls, variables’ flow), API (sink, source) and dynamic expression. This talk uncovers the level of effectiveness of these various attributes with common algorithms (random forest, naive Bayes and tree) and releases “Find Security Bugs ML”, a set of open-source tools that builds enriched datasets and classify findings using ML algorithms.

Additionally, demonstrations will be made to cover the tools’ main functionalities. These include large-scale vulnerability scanning while prioritizing issues presented to reviewers and double checking classification made by developers.

Applying the tool on Java libraries, including the Spring Framework, allowed us to find some interesting 0-day vulnerabilities. Attendees should be able to replicate similar findings on their enterprise applications or third party’s libraries, even when they don’t have the application’s source code due to Java’s bytecode support.

So You Want to Red Team?

Presented by: Lawrence Munro and Matt Lorentzen

So, you want to be a Red Teamer, but you can’t get into it because you’re not a big enough name, or you lack the opportunities and experience to develop the skill-set? It’s extremely hard to develop your red teaming skills without access to legitimate work within this sphere (or legal, at least!). The skills are advanced and require hours spent in enterprise environments honing your tradecraft, but access to this world can be a chicken and the egg situation.

In this talk, we discuss the skill differences between pen testing and red teaming and how to break into a red team. We approach the topic from both a career / tactical angle as well as how to close the upskilling gap. We introduce a new open source lab (Fortis), which provides a new approach to simulating user interactions (using unique ‘Digital People’) to help you develop the right skillsets without going out-of-scope and staying on the right side of the law.

Automating myself out of a job – A pentesters guide to left shifting security testing

Presented by: Jahmel Harris

Security is big business. Between security companies trying to sell “security-in-a-box” and infosec professionals charging a fortune to tell devs “you’re doing it wrong”, is it any wonder security is an area that is often deprioritised?

In this talk, we’ll look at what we should be doing to left shift security testing i.e. make it easier to perform security tests during development. By working harder to integrate ourselves into the development process, we can start to see what can and should be automated (and where a security specialist should actually fit in). We’ll look to understand that writing secure applications does not need to be costly and not all applications need to have the same level of security.

By using actual vulnerabilities found during pen tests as examples, we will look at the tools and techniques we can use to detect vulnerabilities automatically and early in the development lifecycle, ultimately allowing us to release software often and quickly while still having a good understanding of the application’s risk.

The aim of this talk will be to understand why security has not kept current with modern development practices and give developers the ability to integrate security into the development pipeline.

Using SmartNICs to Provide Better Data Center Security

Presented by: Jack Matheson assisted by Ahmad Atamlh

Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.

In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.

To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.

The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection.

Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.

A live demo will showcase this capability.

Bypassing Port-Security In 2018 – Defeating MacSEC and 802.1x-2010

Presented by: Gabriel Ryan

Existing techniques for bypassing wired port security are limited to attacking 802.1x-2004, which does not provide encryption or the ability to perform authentication on a packet-by-packet basis [1][2][3][4]. The development of 802.1x-2010 mitigates these issues by using MacSEC to provide Layer 2 encryption and packet integrity check to the protocol [5]. Since MacSEC encrypts data on a hop-by-hop basis, it successfully protects against the bridge-based attacks pioneered by the likes of Steve Riley, Abb, and Alva Duckwall [5][6].

In addition to the development of 802.1x-2010, improved 802.1x support by peripheral devices such as printers also poses a challenge to attackers. Gone are the days in which bypassing 802.1x was as simple as finding a printer and spoofing address, as hardware manufacturers have gotten smarter.

In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.

References:

Make ARM Shellcode Great Again

Presented by: Saumil Shah

Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.

In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques. There will be demonstrations of my shellcode on ARM IoT devices featuring different types of ARM architecture. A detailed article shall also be submitted to PoC||GTFO closer to the time of the conference.

Exploits with Scratch

Presented by: Kevin Sheldrake

Scratch is a programming language and IDE targeted at teaching young children how to code. The environment is sprite-based with all code residing behind each of the sprites and the stage (background). It is particularly good at developing games not unlike the flash-based games of the 90s/00s. Typically, the Scratch environment is a sandbox limiting all actions to objects within its own world. With the offline version of Scratch v2, however, it is possible to load ‘experimental HTTP extensions’ that can introduce new blocks linked to python functions via a web service API.

Using the experimental extensions, I have implemented a set of blocks that allow access to TCP/IP functions. With these blocks it is possible to fuzz and exploit vulnerable services on a network-accessible victim machine. As a demonstration I have developed a PoC for the web server running on Saumil Shah’s tinysploit (stack smash) plus PoCs for two echo servers I have added to it (stack smash and format string vulnerability).

The aims of the talk are to show that the (supposedly) sandboxed Scratch can be used to send evil packets to the network, and also to show that fuzzing and building exploits doesn’t have to involve coding abilities beyond those required to develop in Scratch. In other words, if you (or your child) wishes to learn how to write your own exploits, then this is all possible with Scratch and my experimental extension.

The talk will cover the intricacies of the Scratch extension API and the limitations that need to be overcome to make it usable, plus how these simple concepts can be strung together to create exploits.

Subverting Direct X Kernel For Gaining Remote System

Presented by: Rancho Han and Chen Nan

Since Edge introduced the win32k filter mechanism, the way of escaping the sandbox from kernel is getting narrower and narrower. In fact, on the latest win10 rs4, most types of GDI objects could not be created in the content process of Edge. In addition, the type isolation makes it very difficult to exploit a win32k bug. This is a huge challenge for breaking Edge sandbox now. However, Edge allows us to access the direct x kernel from the unfiltered syscall functions.

Last year, Tencent ZhanluLab began to study the Direct X subsystem, and we discovered 10+ bugs in few months. In the first part of this talk, we start with an overview of direct x subsystem and discuss how to analyze its interfaces and internal objects. After that, we explain three bugs representing three typical security flaws. Among the vulnerabilities we discovered, a few of them are very interesting, and it is a bit special to exploit them. We successfully leverage a vulnerability to break the Edge and escalate privilege to system. We will disclose all the details of this exploit in the second part of this talk.

Insight into fuzzing and pwning of Adobe Flash

Presented by: Jie Zeng

In recent years, more hacker attacks (Advanced Persistent Threat) for Adobe Flash Player have taken in the wild. Therefore, Adobe Flash manufacturers have higher security requirements. Various mitigations were added. At the same time more security researchers are also beginning to study the security issues of Adobe Flash, so more and more security vulnerabilities have been discovered.

This talk will discuss how I found vulnerabilities, and the main Flash attack surface I discovered.

And then I will carefully explain a few of the representative vulnerabilities that I have discovered, analyse the root cause of the vulnerability, and how the patches are patched.

Finally, when we have found a vulnerability that want to write exploit, we will encounter many mitigations. So I will talk about the major mitigations that Flash have added, including memory protect, isolators of heaps, CFG and Memory management of Flash.
So in order to bypass these mitigations the exploit becomes more and more complicated, and I will share a method of memory layout that is still feasible to bypass the isolators of heaps.

How to Explain Post-Quantum Cryptography to a Middle School Student

Presented by: Klaus Schmeh

One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.

Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.

Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.

The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:

Lattice-based systems:

The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.

Code-based systems:

McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.

Non-commutative systems:

There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.

Multivariate systems:

Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.

In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).

Security module for php7 – Killing bugclasses and virtual-patching the rest!

Presented by: Julien Voisin and Thibault Koechlin

Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.

Reverse Engineering and Bug Hunting on KMDF Drivers

Presented by: Enrique Nissim

Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.

Also check our list of Workshops for 44CON 2018.