Sessions 2018

A Journey into Red Team

This talk will describe many issues that a red teamer may face during a Red Team exercise. Being stealthy is one of them; avoiding detection of your lateral movements, phishing campaigns and post-exploitation is crucial to succeed. Over the years I've developed tools and different approaches that can be used during standard engagements and Red Teams to remain stealthy and move more efficiently within your victim's network.

During the presentation several techniques will be described and analyzed to understand the idea behind them.

  • Charles Hamilton





Stupid Purple Teamer Tricks

Stupid tricks for everyone! This talk will present very simple, low tech attacks to better achieve your goals, both attack and defense. From a defense standpoint, this talk will present simple tricks to identify Responder on your network, pinpoint BurpSuite activities, block some active crimeware and other simple tricks. Offensive tricks include a very simple NAC bypass, even more physical pentesting tricks and some very simple changes to social engineering that can help a lot.

  • Laurent Desaulniers





Quick Retooling with .NET Payloads

PowerShell gave us a super-highway of convenient building blocks for offensive toolkits and operational automation. In the post-offensive-PowerShell world, a move in the direction of .NET implants may be a desirable option in some cases.

However, Red Teams are faced with challenges when moving automation down into managed code. Can .NET based toolkits maintain flexibility, quick in-field retooling and operational security in the face of current detection mechanisms?

We think the answer is yes.

In this talk, we will focus on the quick in-field retooling and dynamic execution aspects of .NET implants as the crucial trait for overcoming static defensive mechanisms.

We will dive deeper into OpSec lessons learned from dynamic code compilation. We will attempt to move beyond the static nature of .NET assemblies, into the reflective .NET DLR.

We will showcase on-the-fly access to native Windows API and discuss methods of hiding sensitive aspects of execution in the managed code memory.

All that, with the help of the DLRium Managed Execution toolkit we have in development.

  • Dimitry Snezhkov IBM





Ichthyology: Phishing as a Science

Many companies consider phishing inevitable: the best we can do is run training for our employees, and cross our fingers. But does phishing training actually work?

In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing.

  • Karla Burnett Stripe





Logic against sneak obfuscated malware

Malware is sneaky. Malicious code is written to stay hidden during infection and operation, preventing its removal and the analysis of the code. Most samples employ some sort of packing or obfuscation technique in order to thwart analysis. Similar techniques are also used to protect digital assets from intellectual property theft.

Analysis tools help gain new insights that can be used to secure software and hardware by identifying vulnerabilities and issues before they cause harm downstream. Tools and techniques beyond standard debuggers can enhance analysts' capabilities with better adaptability and automation.

This talk will give you a small taste of some practical applications of SMT solvers in IT security, investigating the theoretical limitations and practical solutions, focusing on their use as a tool for binary static analysis and code deobfuscation.

  • Thaís aka barbie Moreira Hamasaki





Binary analysis, meet the blockchain

Ethereum is a novel, decentralized computation platform that has quickly risen in popularity since it was introduced in 2014, and currently controls the equivalent of one hundred ten billion dollars. At its foundation is a virtual machine which executes “smart contracts”: programs that ultimately control the majority of the value transfer within the network. As with most other types of programs, correctness is very important for smart contracts. However, somewhat uniquely to Ethereum, incorrectness can have a direct financial cost, as evidenced by a variety of high profile attacks involving the loss of hundreds of millions of dollars. The error-prone nature of developing smart contracts and the increasing amounts of capital processed by them motivates the development of analysis tools to assist in automated error and vulnerability discovery.

In this talk, we describe our work towards smart contract analysis tooling for Ethereum, which focuses on a modern technique called symbolic execution. We provide context around both Ethereum and symbolic execution, and then discuss the unique technical challenges involved with combining the two, touching on topics including blockchains, constraint solvers, and virtual machine internals. Lastly, we present Manticore: an open source symbolic execution tool which we have used to enhance smart contract security audits.

  • Mark Mossberg Trail of Bits





Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)

Skilled attackers continually seek out new attack vectors and effective ways of obfuscating old techniques to evade detection. Active defenders can attest to attackers’ prolific obfuscation of JavaScript, VBScript and PowerShell payloads given the ample availability of obfuscation frameworks and their effectiveness at evading many of today’s defenses.

However, advanced defenders are increasingly detecting this obfuscation with help from the data science community. This approach paired with deeper visibility into memory-resident payloads via interfaces like Microsoft’s Antimalware Scan Interface (AMSI) is causing some Red Teamers to shift tradecraft to languages that offer defenders less visibility. But what are attackers using in the wild?

In the past year numerous APT and FIN (Financial) threat actors have increasingly introduced obfuscation techniques into their usage of native Windows binaries like wscript.exe, regsvr32.exe and cmd.exe. Some simple approaches entail randomly adding cmd.exe’s caret (^) escape character to command arguments. More interesting techniques like those employed by APT32, FIN7 and FIN8 involve quotes, parentheses and standard input.

The most interesting obfuscation technique observed in the wild was FIN7’s use of cmd.exe’s string replacement functionality identified in June 2017. This discovery single-handedly initiated my research into cmd.exe’s surprisingly effective but vastly unexplored obfuscation capabilities.

In this presentation I will dive deep into cmd.exe's multi-faceted obfuscation opportunities, beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7's string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques, all performed entirely in memory by cmd.exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd.exe replacement binaries.

I will conclude this talk by performing a live demo of my new cmd.exe obfuscation framework called Invoke-DOSfuscation that obfuscates payloads using these multi-layered techniques. I will also share detection implications and approaches for this genre of obfuscation.

  • Daniel (DBO) Bohannon FireEye





Non-Crypto Constant-Time Coding

Cache attacks are a class of side-channel attacks that have been used since 2005 to break implementations of cryptographic algorithms. However, they do not impact only cryptography; if a given context makes cache attacks applicable, then everything that handles confidential data is potentially vulnerable. The SGX technology offers such a context where all the code in an enclave, not only its encryption code, shall be made robust to such attacks. In this talk, we present a summary of cache attacks, SGX, and a toolkit of C functions designed to help with writing generic, non-crypto, constant-time code.

  • Thomas Pornin NCC Group





Smart contract vulnerabilities: The most interesting transactions on the Ethereum blockchain

Smart contract security is a brave, new, and sometimes terrible field. This presentation will take you through some of the most famous vulnerabilities of these first few years (from the DAO hack, to the Parity wallet vulnerabilities ... and including less-well-known but very interesting events like the DDoS attacks from late 2016). We'll explain the details of how these attacks work(ed), some of the idiosyncrasies of Ethereum, and through these examples some general principles of smart contract security.

  • Sarah Friend

  • Jon Maurelian ConsenSys Diligence





Not the Droid You're Looking For: Evading Vulnerability Exploitation Through Secure Android Development

The first commercially-available Android device was released in 2008. Despite its nearly 10-year public lifespan, the OS still poses numerous security challenges. Now, as mobile becomes an increasingly popular platform for consumers, we're faced with the challenge of protecting these consumers from new, quickly evolving threats. We’ll discuss why Android security is so much more challenging for software developers compared to iOS and the web, look at the most common attack vectors for the operating system, and walk through best practices for guarding against them.

  • Kristina Balaam Shopify





Cell Site Simulators From the Ground Up

IMSI-catchers, also known as cell-site simulators, are devices that let their operators track cell users, interfere with their calls/texts, and mount other privacy-invasive attacks. While research around IMSI-catchers has been gaining traction over the years, there hasn’t been much effort into making the more technical results accessible outside of academia and niche hardware hacking circles. The goal of this talk is to remedy that.

This talk will be a deep technical dive into how cell networks interact with user equipment, the details of how IMSI-catchers exploit their design flaws, what goes into building an IMSI-catcher (hypothetically, of course!), the relationship Canadian & American law enforcement have with these devices, and steps one can take to protect themselves.

  • Yomna Nasser





Exploits in Wetware

Robert discusses his third-place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks, and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20-minute live contest. Without much effort Robert was able to learn their VPN, OS, patch level, executives' personal cell phone numbers and places of residence.

Robert lifts the curtain on the social engineering world by showing tricks of the trade such as the "incorrect confirmation", which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patterns we can better educate our staff.

With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired?

Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally... a culture shift.

  • Robert Sell (Creep)





Data Breaches: Barbarians in the Throne Room

Often defenders worry about the intangible security problems. Defenders need to concentrate their efforts defending the enterprise by focusing on the fundamentals. Too often issues such as patching or system configuration failures lead to system compromise. These along with issues such as SQL injection are preventable problems. Defenders can best protect their digital assets by first understanding the sheer magnitude that a data breach can have on an enterprise.

In this talk I review my findings after analyzing hundreds of data breach disclosures as it pertains to what went wrong.

  • Dave "gattaca" Lewis Akamai Technologies





Surprise Supplies!

Supply chain attacks are often long thought about and often overlooked in terms of how well a business prepares itself for any associated compromise or breach.

2017 has truly marked itself as 'The Year Of The Supply Chain Attack' and marked a turning point concerning supply chain attacks.

Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers.

In this presentation we will first present these two cases. In both cases, we will present how the attackers modified a legitimate application and what the result of the modification was. We will explain the purpose of the attackers and the malware used against the victims.

For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc.

Concerning the CCleaner compromise, we will provide some data and statistics from the attacker's database and the profiles of the targeted organizations. In a second part, we will speak globally about supply chain attacks. We will recall that it's not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.

  • Paul Rascagnères Talos

  • Warren Mercer Talos





Prototype pollution attacks in NodeJS applications

Prototype pollution is a term that was coined many years ago in the JavaScript community to designate libraries that added extension methods to the prototype of base objects like "Object", "String" or "Function". This was very rapidly considered a bad practice as it introduced unexpected behavior in applications. In this presentation, we will analyze the problem of prototype pollution from a different angle. What if an attacker could pollute the prototype of the base object with his own value? What APIs allow such pollution? What can be done with it?

  • Olivier Arteau





What are containers exactly and can they be trusted?

Everyone's talking about containers these days.

But how many actually know what they are?

Do you know there are two big families of containers and that even within those, there are countless different runtimes to set them up and manage them?

Is a VM safer than a container? What about those containers that are using VM technology for containers?

Those are all questions anyone who's dealing with containers in production should know answers to. You should be able to decide whether to use containers at all and if so, what kind of container is the best fit for your particular task.

During this presentation, we'll be going over 15 years of container technologies on Linux (10 years in mainline Linux), how the security features they're built on top of have evolved and what the current state of things is. We'll be comparing application containers to system containers, actual containers to lightweight virtualization, and briefly cover some of the higher-level management tools that come with them and what to keep in mind when trying to keep all of that safe.

  • Stéphane Graber Canonical





Only an Electron away from code execution

Over the decades, various security techniques to mitigate desktop-specific vulnerabilities have been developed, which makes it difficult to successfully exploit traditional desktop applications. With the rise of the Electron framework, it became possible to develop multi-platform desktop applications using commonly known web technologies. Developed by the GitHub team, Electron has already become amazingly popular (used by Skype, Slack, Wire, WordPress and so many other big names), bringing adventurous web app developers to explore the desktop environment. These same developers who make XSS the most common web vulnerability are now bringing the same mistakes to a whole new environment.

While XSS in web applications is bounded by the browser, the same does not apply to Electron applications. Making the same kind of mistakes in an Electron application widens the attack surface of desktop applications, where XSS can end up being so much more dangerous.

So in this talk, I will discuss the Electron framework and the related security issues, its wonderful "features" that got me a bunch of CVEs, possible attack vectors, and the developers who are in the dark about these issues.

AND as Electron apps do not like to play in the sandbox, this talk will DEMO Electron applications found to be vulnerable, gaining code execution from XSS.

  • Silvia Väli Clarified Security OÜ





The Blackbear project

In typical enterprise networks today, ingress filtering is taken care of by firewalls or similar devices. Unfortunately, the ability of devices and applications to reach the outside world is often overlooked or intentionally left open, as Web services might need to be reachable.

We will present a fork of an OpenSSH daemon, that is able to exploit the often loose egress filtering and maneuver around network restrictions.

Designed for more comfortable post-exploitation, it also extends regular forwarding and tunneling abilities in order to circumvent network rules that may otherwise hinder lateral movement.

In addition, it can also act as a regular SSH server listening for an incoming connection, and provides reliable interactive shell access (able to run top, sudo, screen, vi, etc.) as opposed to crafted reverse shells or even meterpreter, which allow basic commands but fail at interactive ones.

  • Marc-André Labonté





From Hacking Team to Hacked Team to…?

Hacking Team came into the spotlight of the security industry following its damaging data breach in July 2015. The leaked data revealed several 0-day exploits being used and sold to governments, and confirmed Hacking Team’s suspected business with oppressive regimes. But what happened to Hacking Team after one of the most famous hacks of recent years?

Hacking Team’s flagship product, the Remote Control System (RCS), was detected in the wild in the beginning of 2018 in fourteen countries, including those contributing to previous criticism of the company’s practices. We will present the evidence that convinced us that the new post-hack Hacking Team samples can be traced back to a single group – not just any group – but Hacking Team’s developers themselves.

Furthermore, we intend to share previously undisclosed insights into Hacking Team’s post-leak operations, including the targeting of diplomats in Africa, uncover digital certificates used to sign the malware, and share details of the distribution vectors used to target the victims. We will compare the functionality of the post-leak samples to that in the leaked source code. To help other security researchers we’ll provide tips on how to efficiently extract details from these newer VMProtect-packed RCS samples. Finally, we will show how Hacking Team sets up companies and purchases certificates for them.

  • Filip Kafka ESET





Video game hacks, cheats, and glitches

Ron built his security career in a unique way: writing cheats for video games. In high school, while others were having fun, he was trying to find new and creative ways to confuse Starcraft.

In this presentation, he will look at some of the major hacks, cheats, and glitches in video games, from famous ones (like arbitrary code execution in Super Mario World) to obscure ones (like stacking buildings in Starcraft).

But more importantly, he will tie these into modern vulnerabilities: the Legend of Zelda "bottle glitch", for example, is a type-confusion vulnerability, and similar vulnerabilities in normal software could lead to remote code execution.

This talk will bridge video game cheating with real-world security vulnerabilities, and explore the history of both!

  • Ron Bowes





Tightening the Net in Iran

How do Iranians experience the Internet? Various hurdles and risks exist for Iranians, and for outside actors like American technology companies. This talk will assess the state of the Internet in Iran and discuss things like the threats of hacking from the Iranian cyber army; how the government is arresting Iranians for their online activities; the most recent policies and laws for censorship, surveillance and encryption; and the policies and relationships of foreign technology companies like Apple, Twitter and Telegram with Iran, and the ways they are affecting the everyday lives of Iranians. This talk will effectively map out how the Internet continues to be a tight and controlled space in Iran, and what efforts are being done and can be done to make the Iranian Internet a more accessible and secure space.

  • Mahsa Alimardani Article 19





Brain Implants & Mind Reading

At a certain level of technological sophistication you gain the ability to grant others read, write, and execute permissions to your brain. That ability creates a unique set of security concerns. In this talk we will discuss the current state of both brain scanning and brain stimulation technology, the practical implications of merging brains with artificial intelligence, and the role infosec can play in shaping the dystopic cyberpunk future that we’re currently careening towards.

  • Melanie Segado





One Step Before Game Hackers -- Instrumenting Android Emulators

Commercial Android emulators such as NOX, BlueStacks and Leidian are very popular at the moment, and most games run on these emulators quickly and reliably. The bad news for game vendors is that these emulators are usually shipped with root permission in the first place. On the other hand, cheating tool developers are happy because they can easily distribute their tools to abusers without requiring the abusers to have a physical rooted device, nor do they need to perform trivial tuning for different Android OS / firmware versions. However, luckily for game vendors, commercial Android emulators usually use x86/ARM mixed-mode emulation for speed-up. As a result, a standard native hooking/DBI framework won't work on this kind of platform. This drawback could discourage cheat developers.

In this talk, I will introduce a native hooking framework for this kind of mixed-mode emulator. The talk will cover the process start routine of both command-line applications and Android JNI applications, as well as how these routines differ on an emulator. The different emulation strategies adopted by different emulators and runtime environments (Dalvik/ART) will also be discussed. Based on this knowledge, I will explain why the existing hooking/DBI frameworks do not work on these emulators and how to make one that works.

Lastly, I will present a demo of using this hooking framework to cheat a game on an emulator. With this demo, I will discuss how the dark market of mobile game cheating may develop in the foreseeable future.

  • Wan Mengyuan (Nevermoe) DeNA Co., Ltd.





Homeward Bound: Scanning Private IP Space with DNS Rebinding

DNS Rebinding attacks have re-entered the spotlight, largely owing to recent high-profile disclosures by Tavis Ormandy including RCE in the Blizzard Update Agent triggered from the browser. However, given the vast amount of consumer software in circulation today and the apparent frequency with which the design (anti)pattern of treating localhost as secure occurs, it is likely that many vulnerable services still exist. In this talk, we will present a set of tools we created to make performing DNS Rebinding attacks fast and easy at scale, discuss how these tools can be used to perform network reconnaissance from inside a browser, and present an opt-in “localhost census” page that uses DNS rebinding to enumerate localhost services listening for HTTP on the visitor’s computer, and adds the results to a database.

  • Danny Cooper Akamai

  • Allan Wirth Akamai





Getting ahead of the elliptic curve

Elliptic curves are relatively obscure mathematical objects: you can get a PhD in maths without ever having come across them. Yet these objects play an important role in modern cryptography and as such are found in most HTTPS connections, in Bitcoin, and in a large number of other places.

To really understand elliptic curve cryptography (ECC) to the point that you can implement algorithms, you'd have to study the maths behind it. This talk assumes that you haven't studied the maths, but just want to understand what ECC is about, how it works and how it is implemented.

It will discuss how 'point addition' works and how the Elliptic Curve Diffie-Hellman algorithm is used, for example in HTTPS, and how you can find it using Wireshark. It will explain how to use elliptic curves for digital signatures and why you don't want to be like Sony when it comes to implementing them. It will discuss how ECC was used in an infamous random number generator and, finally, will take a brief look at the use of elliptic curves in post-quantum algorithms.

The goal of this talk is to keep things simple and understandable and no knowledge of maths is assumed. The talk won't make you an expert on ECC -- that would take years of studying. But it might help you understand the context a bit better when you come across them in your research. And hopefully it will also be a little bit fun.

  • Martijn Grooten





Source code vulnerability research and browser exploitation

Every day, most people who use a computer will either run applications on untrusted networks (like public wifi) or run applications that will run untrusted scripts on their machine. Whether it is a browser running JavaScript, a cryptocurrency's smart contracts or even a script from a map or game mod, scripting engines like these tend to have a large attack surface for vulnerabilities, and they are usually quite exploitable, especially when the bugs are use-after-free bugs. However, finding these bugs in large open source projects can be a bit intimidating.

In this talk I will present various tools that I used for finding vulnerabilities in open source software. I will try to demonstrate the various bug patterns and how I look for them using examples in everyday software. I will explain how to go from a bug to a vulnerable bug.

Finally, I will explain what a use-after-free (UAF) is and the bug patterns to look for. UAF bugs can be quite tricky to find and quite complicated to exploit, but they can be quite dangerous if an attacker understands them well. To demonstrate how powerful a UAF in a scripting engine can be, I will walk the audience through UAF bugs in a modern browser and some of the techniques used to exploit them.

  • Jean-Marc Leblanc EWA-Canada





Python and Machine Learning: How to use algorithms to create yara rules with a malware zoo for hunting

Machine learning can be useful for helping analysts and reverse engineers. This presentation will explain how to transform data to use machine-learning algorithms to categorize a malware zoo. To cluster a set of (numerical) objects is to group them into meaningful categories. We want objects in the same group to be closer (or more similar) to each other than to those in other groups. Such groups of similar objects are called clusters. When data is labeled, this problem is called supervised clustering. It is a difficult problem, but easier than the unsupervised clustering problem we have when data is not labeled. All our experiments have been done with code written in Python, and we have mainly used scikit-learn. With the Zoo dataset, we present how to use unsupervised algorithms on labeled datasets to validate the model. When the model is finalized, the resulting clusters can be used to automatically generate YARA rules in order to hunt down the malware.

  • Sebastien Larinier