Sessions 2020

Practical security in the brave new Kubernetes world

Dive into a typical Kubernetes cluster by messing with the default security controls, popular sidecar containers and supporting infrastructure.

Kubernetes' broad adoption has triggered a growth of frameworks, tools and technologies supporting it. It also means a growth in the attack surface. Instead of taking Kubernetes clusters head on, learn how to do a recon on a real-world k8s cluster and the common sets of sidecar containers that it relies on. Then see what it takes to pwn ingress point, service mesh, network infrastructure, package manager and performance monitoring tools. From there, get persistence in Docker registries and images.

  • Alex Ivkin





AMITT - Adversarial Misinformation Playbooks

We describe the use of adversarial misinformation playbooks to detect and counter disinformation, and explore advances in misinfosec tooling appropriated from the infosec community.

Adversarial Misinformation Influence Tactics and Techniques (AMITT) framework is a common language for describing organized communication attacks.

Misinformation, and more nefariously disinformation, has become a hot button issue as the public and private sector struggle to contain influence operations which threaten to degrade political and social fabrics.

Using well-established information-sharing standards and tooling appropriated from the InfoSec community, we explore the use of the AMITT for the detection and disruption of influence operations. Where response to disinformation has been largely reactive, we discuss left-of-boom operational playbooks and strategies for working with disinformation at scale.

  • Roger Johnston

  • Sara-Jayne Terp





Unicode vulnerabilities that could byͥte you

Transformation of Unicode characters can lead to various side effects. In this talk, you will learn why normalization and capitalization can be misused and affect modern applications.

The number of Unicode code points has never stopped growing just like its integration in modern technologies. Web applications you have developed or used are likely to support input and output formatted in UTF-8 character encoding.

In this talk, you will learn about the security implications of encoding conversion. Normalizing a UTF-8 string to ASCII only character has numerous potential side effects. The latest research affecting Unicode will be summarized including the HostSplit and HostBond attacks. The HostSplit attack abuses minor characters conversion to trigger open redirect or Server-Side Request Forgery (SSRF). While HostBond is a risk affecting service provider giving subdomain to account created by users. Aside from normalization, uppercase and lowercase transformation can introduce vulnerability. Encoding can be used to circumvent security controls such as Web Application Firewalls. Punycode is the new representation to support domains with special characters outside of ASCII. This representation can be used to create visual confusion to end users.

While some issues were patched in major software, many risks remain or are likely to resurface. Get ready for a complete summary of everything security professionals should know about Unicode!

  • Philippe Arteau





IOMMU and DMA attacks

_Direct Memory Access technology_ allows peripherals to access RAM without relying on CPU. DMA increases performances but bring up security issues. An IOMMU was incorporated to address these concerns.

This talk presents the current knowledge on Direct Memory Access attacks aiming to unlock a user logon session. The Input Output Memory Management Unit (IOMMU)[1] functioning and its integration within the main operating systems (Windows, macOS and Linux) is firstly addressed. Then, the existing DMA attacks using an external peripheral on a switched on computer are explained with a particular focus on IOMMU bypassing on macOS until 10.12.4 version. These attacks give an access to a valid logon session even if the computer is locked. This research was performed in order to prepare the upcoming french RAPID project by Synacktiv: DMArvest.

[1] Only Intel VT-d technology will be discussed in this document

[2] https://www.defense.gouv.fr/aid/deposer-vos-projets/subventions/rapid

  • Jean-Christophe Delaunay





Designing Customer Account Recovery in a 2FA World

This session will show how to securely accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.

You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.

At Twilio, we provide a free consumer 2FA service via the Authy App. We've spent over seven years thinking about account recovery, refining the process, and designing our system to balance the support burden with necessary friction. During that time I've tracked dozens of other account recovery procedures to learn how everyone from utility companies to crypto startups attempt to re-verify identity when life happens. This talk will look at that research and outline best practices you can use depending on your industry and customer risk profile.

Security keys and app based authentication are great until the user loses the device but SMS 2FA is too insecure to use as the only account recovery mechanism. Since phone support is commonly used for account recovery, we'll highlight how to build guardrails for your call center agents to minimize costs and delight customers. You'll leave understanding the trade-offs of mechanisms for 2FA recovery (like government ID verification, forced waiting periods, security questions) and debating the value of recovery tokens.

  • Kelley Robinson





Defending Human Rights in the Age of Targeted Attacks

In this talk, we will see what type of attacks are targeting Human Rights Defenders, how they evolved over the past years and how we are trying to respond to these attacks at Amnesty International.

Since 2010 and the Aurora attacks, the infosec community has largely improved the skills, methods and tools available to protect large organizations against targeted attacks by well-resourced adversaries. The same tools and methods are not available to Human Rights Defenders (HRDs) yet we have ample evidence that they face the exact same attacks from the same groups.

Human Right Defenders very often have a hard threat model : little resources, limited technical skills and a high risk of being targeted by different forms of surveillance. The latest expensive security middle-box won’t help here, and they may be infected by a malware listed in your favorite threat feed without them knowing.

Within Amnesty International we have been doing technical investigations on these attacks and tracking several attack groups targeting HRDs for a few years. We are seeing some trends into these attacks, for instance more and more of them targeting smartphones, but also a wider gap between technical levels. We have developed new tools to help identify phishing emails (such as PhishDetect) or easing forensic investigations during research mission (focusing more on live forensic than cold forensic).

In this talk, we will share technical details of malware and phishing attacks against HRDs, from low/medium level of sophistication in Pakistan to highly technical attacks in Morocco, and we will see how these attacks are evolving today. We will talk about the challenges of investigating such attacks and the solutions we are developing within Amnesty International to identify and block them. Finally, we’ll see how people in the infosec community can help supporting HRDs

  • Etienne Maynier





High speed fingerprint cloning: myth or reality?

During this presentation, we will explain how the democratization of resin 3D printers impacts the fingerprint cloning. And the security implications on devices such as phones, laptops or padlocks.

Fingerprint scanners have become a default feature on most mobile devices. They give users a sense of security and are usually a convenient way to unlock a mobile device.

But all of this biometric data can be a security risk. Suprema Corp. was in the news earlier this year when it was discovered the company exposed more than 1 million users’ biometric information, including fingerprints and facial recognition data. It is unclear if the data allowed attackers to reconstruct users’ fingerprints, or if any of the data was exfiltrated Still, this information was sure to be attractive to threat groups.

In July, news broke that China was installing malware on tourists’ phones. So we started to wonder how hard would it be to silently install malware into users’ devices silently.

We wanted to find out how much time is needed to go from fingerprint scanning to malware deployment on mobile devices. Could it be fast enough to be the equivalent of someone being stopped at the border having their fingerprints scanned during an interview while their devices are in the “x-ray machine”? Or would the amount of time needed to be a couple of hours? In this real-world scenario, time is only important for foreign opportunistic targets. Most country’s citizens will have their fingerprints on file, meaning that everything can be prepared in advance. Fingerprint authentication — like other biometric authentication mechanisms — has been broken before. Now that it’s grown in popularity, it’s time to test how to bypass the authentication, and more importantly, test a real-world attack scenario and the level of sophistication needed to execute it. Finally, our research showed that technology has not advanced enough to be considered generally safe. These practical attacks don’t require state-level resources to be executed, they can be performed by motivated attackers with a budget under $2,000.

  • Vitor Ventura

  • Paul Rascagnères





Regions are types, types are policy, and other ramblings

Compilers and interpreters make use of *types* to ensure a degree of semantic sanity. I will describe how *types* can be used outside this narrow paradigm to apply policies across address spaces.

Semantically related objects often get grouped together in memory, and it is about time we take advantage of this in developing software hardening measures. Types can be naturally assigned to regions of memory in a flexible manner. Such types can form the basis of a practical and intelligible access control policy. This observation allowed me to retroactively harden an instance of the U-Boot bootloader, to model the bootloader's intentions and build an access control policy that mediated its behavior.

Typed region-based hardening measures can be applied to other kinds of software to not only protect against low-level memory vulnerabilities but also to help protect and address high-level logic-based attacks (i.e., instances of weird machines).

  • bx





Look! There's a Threat Model in My DevSecOps

Threat Modeling is a crucial activity that often gets left out of DevSecOps. This session will present a fast-paced backlog-based approach that doesn’t require tools or slow down development.

What if I told you that you can bring threat modeling into a DevSecOps, CI/CD environment and that you can do it without buying another automated tool? When developers and security professionals alike think about threat modeling, all too often they become obsessed with frameworks like STRIDE, DREAD, PASTA, etc. Threat modeling is predominantly viewed as a heavy-weight, time-consuming exercise that is simply not compatible with high-paced development paradigms. As a result, as organizations shift into DevSecOps paradigms, they commonly scratch threat modeling off their Secure SDLC checklist as simply impossible to implement without breaking their DevSecOps model. They lose sight of the core purpose of threat modeling and as a result are unable to tailor an approach that fits their development lifecycle.

However, the importance of Threat Modeling cannot be understated. Recent surveys show us how effective Threat Modeling is in developing the culture of shared responsibility for security that is at the very foundation of DevSecOps. In this session, we’ll turn the misconceptions about Threat Modeling upside down. We’ll go back to the core purpose of threat modeling. We’ll discuss what components of threat modeling are most crucial, what questions we should be asking and who should be answering them. Ultimately, this will all culminate into presentation of an alternative approach to Threat Modeling. We’ll walk through the details of how to implement a backlog-based approach in any development paradigm and demonstrate how leveraging the user story can enable Threat Modeling to be done without affecting our development timelines.

  • Alyssa Miller





The Path to Software-Defined Cryptography via Multi-Party Computation

Exploring applied cryptography (Secure Multi-Party Computation) as an enabler of innovation, growth, and risk aversion in enterprise key management and protection.

Imagine a scenario where data is only kept on hard drives or disks you own. Welcome to 1999. Back then, cryptographic keys were secured only by hardware - that, for the most part, worked well. In 2019, hardware is still standard – even with the widespread adoption of cloud services and critical data stored on IoT devices. So why are we stuck in the past? This presentation will explore: • Why hardware fails when faced with rapid changes e.g. development process, regulation, and new security and privacy needs • The future of cryptography – as software-defined • Multi-party computation (MPC) for flexible, scalable key management

  • Prof. Yehuda Lindell





Stay quantum safe: future-proofing encrypted secrets

I present last year’s progress on the development of quantum-safe cryptography to protect communications susceptible to being intercepted today and decrypted later with the help of a quantum computer.

As the world prepares for the advent of quantum computers, the security community must also prepare to defend against it: most of the cryptography in used today succumb to quantum attacks. I'll present recent progress in the development of quantum-resistant cryptography, it’s (2nd round of) standardization by NIST, it’s implementation in our Open Quantum Safe project, and results from our recent experiments integrating and benchmarking it in TLS, SSH, and VPN. Last year’s work allows developers to start experimenting with post-quantum cryptography to protect encrypted data that could be recorded today and decrypted with a quantum computer within a decade; I'll conclude with guidance to help such efforts.

  • Christian Paquin





Dynamic Data Resolver IDA plugin – Extending IDA with dynamic data

Dynamic Data Resolver IDA plugin – Extending IDA with dynamic data

This IDA Plugin is instrumenting the binary using the DynamoRIO framework. It can resolve most of the dynamic values for registers and memory locations which are usually missed in a static analysis. It can help to find jump locations e.g. call eax or interesting strings e.g. “PE” which are decoded at runtime. You can also instrument the binary in a way that it can dump interesting buffers and last but not least you have several options to patch the binary at runtime to avoid anti-analyzing functions.

The talk would first describe the basics about the DynamoRIO instrumentation framework and then the capabilities, architecture and features of the plugin, followed by a live demo. The plugin can significantly improve the analyzing time of malware samples.

  • Holger Unterbrink