Bill Arbaugh [keynote]
Red Team Deadwood: Why Red Teams are useless
Bio: Bill Arbaugh joined the Computer Science department at the University of Maryland College Park in 2000 after serving sixteen years with the U.S. Department of Defense. During those sixteen years, he served in several leadership positions in different areas ranging from tactical communications to advanced research. In 2004, Arbaugh founded Komoku Inc. Komoku turned research on Semantic Integrity, developed by him and his students, into a product to detect sophisticated malware. Microsoft purchased Komoku in 2008. Komoku technology currently runs on over 500 million hosts.
Richard "Dickie" George [keynote]
Life at both ends of the barrel: an NSA targeting retrospective
Bio: Richard M. (Dickie) George joined the National Security Agency in 1970 as a mathematician, and remained at NSA until his retirement in 2011. While at NSA, he wrote more than 125 technical papers on cryptomathematical subjects, and served in a number of positions: analyst, and technical director at the division, office, group, and directorate level. He served as the Technical Director of the Information Assurance Directorate for eight years until his retirement. Mr. George remains active in the security arena; he is currently the Senior Advisor for Cyber Security at the Johns Hopkins University Applied Physics Laboratory where he works on a number of projects in support of the U.S. Government. He is also the APL representative to the I3P, a consortium of universities, national labs, and non-profit institutions dedicated to strengthening the cyber infrastructure of the United States.
Hacking US traffic control systems
Abstract: Probably many of us have seen that scene from "Live Free or Die Hard" (Die Hard 4) where the "terrorist hackers" manipulate traffic signals by just hitting the Enter key or typing a few keys. I wanted to do that! So I started to look around and of course I couldn't get to do the same, that's too Hollywood style! But I got pretty close.
I found some interesting devices used by traffic control systems in important cities such as Washington DC, Seattle, New York, San Francisco, Los Angeles, etc. and I could hack them :) I also found that these devices are also used in cities in the UK, France, Australia, China, etc., making them even more interesting.
This presentation will tell the whole story, from how the devices were acquired, the research, on-site testing demos (in Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA-style attacks (or should I say cyberwar-style attacks?). Oh, I almost forgot, after this presentation anyone will be able to hack these devices and mess with traffic control systems since there is no patch available (sorry, didn't want to say 0day ;)). I hope that after this I will still be allowed to enter (or leave?) the US.
Bio: Cesar Cerrudo is a professional hacker and CTO at IOActive Labs, where he leads the team in producing ongoing cutting-edge research in the areas of SCADA, mobile device, application security, and more. Formerly the founder and CEO of Argeniss Consulting - which was acquired by IOActive - Cesar is a world-renowned security researcher and specialist in application security.
Throughout his career, Cesar has been credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft Windows, Yahoo! Messenger, Twitter, etc. He has a record of finding more than 50 vulnerabilities in Microsoft products, including more than 20 in Microsoft Windows operating systems. Cesar has also authored several white papers on database and application security, and on attacks and exploitation techniques based on novel research.
He has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Infiltrate, BlueHat, 8.8, Hackito Ergo Sum, NcN and Defcon. Cesar collaborates with and is regularly quoted in print and online publications.
SQL Injections to MIPS Overflows: Part Deux
Abstract: A while back, I showed how to combine SQL injection vulnerabilities with MIPS Linux buffer overflows in order to pop root on Netgear SOHO routers. I decided to revisit the "ReadyDLNA" UPnP server that ships on nearly all Netgear routers, to see what has changed since then. Short version: a lot and not so much.
There have been changes in Netgear's code that seem to target the classes of vulnerabilities I demonstrated previously. Rising to the challenge, I wanted to see if I could find a fresh, new SQL injection and buffer overflow that I could once again pair up to get root. While I wasn't disappointed, the code has gotten even gnarlier, which is saying a lot. Graceful exploitation without crashing was even more complicated than before.
In this talk I describe the changes Netgear has made to the DLNA server in hopes of reduced pwnage, and why they didn't work. I'll describe some techniques for statically and dynamically analyzing binaries unpacked from SOHO router firmware. I'll tell a story of exploiting unadvertised SOAP actions and masquerading as a popular brand of television on the way to root prompt nirvana. Exploitation of buffer overflows on MIPS still hasn't seen a lot of public discussion, so I'll go into that as well. Of course, as they say, root or it didn't happen. If, like me, you want to see a live demo on real gear, I won't disappoint. Demos are my favorite part of any talk.
Bio: Zachary Cutlip is an embedded vulnerability researcher at Tactical Network Solutions, in Columbia, MD. At TNS, Zach develops exploitation tools and techniques targeting embedded devices. Zach holds a master’s degree from Johns Hopkins University and a bachelor’s degree from Texas A&M University.
Joshua J. Drake
Researching Android Device Security with the Help of a Droid Army
Abstract: In the last few years, Android has become the world's leading smartphone operating system. Unfortunately, the diversity and sheer number of devices in the ecosystem represent a significant challenge to security researchers. Primarily, auditing and exploit development efforts are less effective when focusing on a single device because each device is like a snowflake: unique.
This presentation centers on the speaker's approach to dealing with the Android diversity problem, which is often called "fragmentation". To deal with the issue, Joshua created a heterogeneous cluster of Android devices. By examining and testing against multiple devices, you can discover similarities and differences between devices or families of devices. Such a cluster also enables quickly testing research findings or extracting specific information from each device.
When you leave this presentation, you will understand why the diversity problem exists and how to tackle it by creating a cluster of your own. Joshua will show you how to build such a cluster, provide a set of tools to manage one, and show you all the ways to leverage it to be more successful in your auditing and exploit development tasks.
Bio: Joshua J. Drake is a Director of Research Science at Accuvant LABS and lead author of the Android Hacker's Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience auditing and exploiting a wide range of application and operating system software with a focus on Android since early 2016.
In prior roles, he served at Metasploit and VeriSign’s iDefense Labs. Joshua previously spoke at BlackHat, RSA, CanSecWest, REcon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include exploiting Oracle's JVM for a win at Pwn2Own 2013, successfully compromising the Android browser via NFC with Georg Wicherski at BlackHat USA 2016, and winning the DefCon 18 CTF with the ACME Pharm team in 2010.
Legacy Sandboxing: Escaping IE11 Enhanced Protected Mode
Abstract: In June 2013 Microsoft started the first of their new bug-bounty programs, focusing on finding vulnerabilities in IE11 on the upcoming Windows 8.1 OS. Rather than spending my time fuzzing for RCEs, I instead focused on pure logic bugs, and the best place to find them was in the sandbox implementation. As IE11 defaults to using Microsoft’s new Enhanced Protected Mode (EPM) sandbox, which repurposes Windows 8’s App Container mechanism to more heavily restrict access to securable resources, it would seem to be a tough challenge, but it turned out not to be the case.
This presentation will fully detail 4 sandbox escapes I discovered during the 30 day bug bounty period, some of which have been present since Vista and IE7. Each one has a different root cause; none requires any memory corruption or kernel vulnerabilities. I’ll also give a bit of background about how I found these issues, how to start probing the IE sandbox attack surface, and some interesting behavior in the way EPM is implemented which might lead to further vulnerabilities being discovered.
Bio: James is the Head of Vulnerability Research at Context Information Security in the UK. He has been involved with computer hardware and software security for over 10 years, with a skill set which covers the bread and butter of the security industry, such as application testing, through to more bespoke product assessment, vulnerability analysis and exploitation.
He has numerous public vulnerability disclosures in many different products, including web browser issues and virtual machine breakouts, as well as being a Pwn2Own and Microsoft bounty winner. He has spoken at a number of security conferences in the past, on a range of different topics including managed language security at Blackhat USA, CanSecWest and Bluehat, Sony Playstation Portable hacking at Chaos Computer Congress, WebGL exploitation at Ruxcon and Citrix network exploitation at Blackhat Europe. He is also the developer of the free CANAPE networking analysis and exploitation tool.
Ghosts of Christmas Past: Fuzzing Language Interpreters using Regression Tests
Taking inspiration from previous work, this approach makes use of existing regression tests to provide information on language syntax, semantics, and API usage. From there, it employs a variety of different mutation and generation strategies to produce new inputs that are, ideally, syntactically valid, semantically complex, and, even more ideally, break the interpreter in new and interesting ways.
During the talk I will cover three primary extensions over earlier research:
In the interest of self-flagellation, I will also discuss a few tragic failures of both intellect and implementation that occurred along the way.
Bio: Sean is the founder of Persistence Labs, where he spends his days working on tools related to reverse engineering, bug finding, and exploit development. Prior to this, he was a security researcher at Immunity Inc.
Python, deflowered: Shangrila!
Abstract: The use of dynamic languages in sophisticated persistent frameworks is not new. In the past, Lisp, Forth and Lua have all been used successfully to that effect. This talk will discuss how a complete Python environment can be transformed into a staged, flexible payload that can operate entirely in memory, without loss of functionality, and also present examples of using the payload as a building block for intricate offensive tools.
Bio: Christos is a senior security researcher at Immunity, where he specializes in building layered systems. He is the lead developer of Immunity's flagship CANVAS product, and the architect of its massively distributed component, SWARM.
Suzanne E. Kecmer
A Curious Cyber War: Business Owners vs Investors
Abstract: This presentation will discuss recent market and valuation trends of offensively-focused cyber companies. The audience will be exposed to an unvarnished look at the financial condition of the sector and its (in)ability to stand up to the inescapable recapitalization (re-tooling) required to compete in a post-Snowden environment. Yet, we have witnessed a mixed response, reluctance, and skepticism from the investment community to fund these activities—resulting in a valuation gap with business owners. We will examine the main drivers of this schism and offer suggested catalysts to break the logjam and swiftly innovate next generation solutions.
Bio: Based in Washington, DC, Sue is co-lead of the investment banking practice focused on mergers and acquisitions of cyber security, data analytics and intelligence firms at Teneo Capital, with over fifteen years of experience within the aerospace & defense industry. Before a career in investment banking, she spent eight years with the Raytheon Company as a member of the Washington, DC based Corporate Strategy operation.
She led the enterprise-wide strategy for Information Operations / Information Assurance (including Raytheon’s formation of this business area and restructuring of Corporate IT and Security) and formerly led the enterprise-wide strategy for Federal Information Technology (including Raytheon’s formation of this business area), as well as many cross-company classified and merger/acquisitions initiatives.
Prior to joining Raytheon, Sue was an Assistant Vice President within the Merrill Lynch Equity Research Department, based in New York City, as a member of the Global Aerospace and Defense research team ranked by Institutional Investor and Greenwich surveys for six years. Sue received a B.A. in International Affairs from Lafayette College and an M.B.A. from Columbia University. She has had an SBI within the past three years, and holds Series 7, 79 and 63 certifications.
Matthias Luft & Felix Wilhelm
Abstract: In this presentation we will describe our research on the architecture and security of the Hyper-V hypervisor and its role in the Microsoft Azure cloud. Besides a deeply technical discussion of the hypervisor implementation and its attack surface, we will show how we discovered MS13-092, a vulnerability that allows a permanent DoS of the hypervisor and the potential compromise of other VMs on the same host.
We will describe the challenges involved in reversing, debugging and understanding a hypervisor, and plan to release several tools, IDA scripts and POCs we developed as part of our research.
Our presentation shows that even seemingly bulletproof software still contains critical bugs, and we hope to motivate more researchers to start active research into hypervisor security in general and Hyper-V in particular.
Bio: Matthias and Felix are security researchers at ERNW, where they specialize in testing and breaking complex IT environments. Together they performed an extensive research project on the security of a leading cloud provider, which resulted in the discovery of multiple vulnerabilities including MS13-092.
Pedro Guillén Núñez & Josep Pi Rodriguez
Fuzzing, reversing and Maths
Abstract: We want to present several 0days found using fuzzing, reverse engineering and maths: 1. A critical remote 0day in an EMC application. 2. Critical remote 0days in a famous Novosoft backup application. The main idea is to present 0days found by us; these 0days are not typical, they are different, especially one of them, which involves protocol/binary reverse engineering and complex maths, and to show the audience how other kinds of vulnerabilities can be found.
We think that the idea of presenting different kinds of 0days, which are critical, and explaining how to discover these kinds of vulnerabilities can be really interesting for the audience, and they will gain a new perspective on application security.
In our research in these last months we were searching for vulnerabilities in important backup server applications. We were using reverse engineering and fuzzing, and we found different kinds of vulnerabilities which are really interesting.
1- The critical remote 0day in the EMC application is really interesting. It was found by reverse engineering the protocol and the binary files; it was necessary to apply some mathematics in order to understand the vulnerability, and we had to implement some mathematical algorithms in order to exploit it. It's a different vulnerability, it's not the typical buffer overflow, heap overflow, etc., and we want to show the audience how we found this vulnerability and how this kind of vulnerability can be found.
2- The 0days in the other backup application were found with protocol fuzzing. Both of the 0days are critical and interesting: one is an authentication bypass to the backup server and the other 0day is a "permanent" denial of service which is really curious and funny. Our idea is to show how we found both vulnerabilities and how this kind of vulnerability can be found with protocol fuzzing.
Bio: Pedro Guillén Núñez has been interested in security since he was young, researching and searching for all kinds of vulnerabilities in his free time. He does web penetration testing, exploit development, fuzzing, reverse engineering, network penetration testing, social engineering, mobile app testing, botnet intrusion and so on. He has acquired certifications such as GXPN and OSCE and has also attended some security trainings. He really enjoys going to many security conferences. He is working for Telefonica Ingeniería y Seguridad (Security Engineering of Telefonica).
Bio: Josep Pi Rodriguez has been involved in the offensive security field for several years as an enthusiast and a professional. He has experience in web penetration testing, system/network penetration testing, exploit development, reverse engineering, mobile app penetration testing and so on. He is working for Telefonica Ingeniería y Seguridad (Security Engineering of Telefonica). He loves to learn new things and of course to share his knowledge with everyone, because one of his mottos is the same as Corelan's: Knowledge is not an object, it's a flow.
Analytics, and scalability, and UEFI exploitation! Oh my!
Abstract: We use UEFI and commodity PC manufacturer "firmware" as a use case for vulnerability discovery and exploit development powered by analytics. BIOS, UEFI, and embedded firmware are recent focus areas for vulnerability analysis and exploit research. There are great offensive-security presentations and research on ring < 0 rootkits, failed implementations of trusted computing concepts, and hardware-assisted exploitation.
This talk complements existing firmware research by applying data-science to UEFI code analysis. This does not attack the UEFI platform or secure boot implementations; it does consider UEFI applications, drivers, and associated environments as attack surface. Analytics of code-usage, features, pervasiveness, update frequency, and vulnerabilities will help determine viability of homogeneous exploit development for seemingly-heterogeneous environments. The talk will review data-science approaches to vulnerability discovery in UEFI code, demonstrate the scalability of UEFI exploitation, and explore the potential for persistence as well as similar fun exercises.
Code and frameworks for replicating the approach will be released; unfortunately, vulnerabilities cannot accompany them, but hopefully the demos will suffice.
Bio: Teddy Reed is a senior researcher on an enterprise security team working for a US national laboratory. Prior to enterprise security, he has held several R&D positions with focuses on large scale system assessments, application penetration testing, and system and hardware emulation. He has published and presented at security conferences on trusted computing, hardware trusted systems, UAVs, botnet development, human performance engineering, competition game theory, biometric vulnerabilities, and PaaS API vulnerabilities. He is trying to overcome an unhealthy obsession with network analysis.
Digital Rights Management for Malicious Software
Abstract: To process and extract intelligence from large volumes of suspect executables collected in networks each day, numerous automated malware analysis systems (now represented by various threat detection appliances and multi-billion dollar companies) have been created. In an effort to avoid detection and increase time on target, malware authors have designed, developed and commoditized analysis environment detections. In response, researchers and practitioners have sought to make an analysis environment look like a normal system (e.g., via baremetal malware analysis). Such responses often enable a successful automated analysis because the instrumentation and virtual machine-detection techniques employed by malware represent a model that is fundamentally brittle and hence easily defeated.
In this presentation I introduce techniques that, if widely adopted by malware authors, would permanently disadvantage automated analysis systems. To do so, I explore the ramifications of inverting the canonical approach to preventing a sample's execution in an analysis environment. That is, instead of examining techniques that detect specific malware analysis sandboxes or virtualization containers, I consider malicious software that will fail to execute correctly on any environment other than the originally compromised system.
To better understand the details of "digital rights management" for malicious software, I present a design of anti-analysis techniques that make the successful execution of a malware sample dependent on the unique properties that identify the originally infected host. To highlight the relevance of this idea's application by malware authors, I discuss both common and targeted malware instances' (e.g., Flashback, Gauss) use of conceptually similar techniques to prevent automated analysis of their samples.
Bio: Paul Royal is a Research Scientist in the College of Computing at Georgia Tech and Associate Director of the Georgia Tech Information Security Center (GTISC). In these roles, he engages in collaborative, technical research on the operation and analysis of malicious software. As part of applying his research, Royal has served on various working groups whose efforts led to the takedown of crime-oriented botnets and the arrest of the actors behind them.
Fun attacks using a compromised random number generator
Abstract: Many information security systems rely on cryptographic schemes that need truly random numbers to be secure. In recent months there have been several high profile news stories about weaknesses or potential compromises in both software and hardware random number generators. A compromised random number generator is difficult to catch because it can output random-looking data that is predictable only to an attacker.
In this talk I describe how to go from knowledge of a weakness in a random number generator to a full security compromise. We will look at examples including how to fully decrypt a TLS stream, how to compromise a bitcoin wallet by looking at the ECDSA signatures on the public block chain, how to factor improperly generated RSA keys and more.
Bio: Nick is a software engineering leader working to build a better and more secure Internet at CloudFlare. He is also a respected digital rights management pioneer, having built many of the content security mechanisms for Apple’s multi-billion dollar iTunes store. He previously worked as a security analyst at Symantec analyzing large scale threat data. He holds an MSc in Cryptography and a BMath in Pure Mathematics and is the author of over a dozen computer security patents.