Subscribe to the RSS Feed

Subscribe to the RSS Feed

Speakers

Adam Donenfeld & Daniel Brodie – OEMs considered harmful: Hello new 0days!
Amit Serper – OSX.Pirrit: The Blue Balls of Mac Adware
David Sharpe – Intrusion Hunting for the Masses – A Practical Guide
Geoffrey Janjua – Kerberos Party Tricks
Herbert Icasiano – Investigating HIPAA Breaches and Identifying Vulnerabilities
Ignat Korchagin – Enforcing Web security and privacy with zero-knowledge protocols
IrishMASMS – Hackers Hiring Hackers: How to Hack the Interview Process and Attract Talent
Machinist – Photogrammetry – 3D imaging techniques with a plain old camera
Sander Smith – Won’t Somebody Please Think of the Routers
Sean T. Malone – Planning Effective Red Team Exercises
Viss – Attacking OSX for Fun and Profit
XCC & Alex – Hacking Commercial ATMs and Safes

OEMs considered harmful: Hello new 0days!

Adam Donenfeld & Daniel Brodie

“Due to the high amount of vulnerabilities, Google has tightened Android’s security in multiple layers. From integrating SELinux to delivering monthly security patches, the security status of the Android Open Source Project (AOSP) has improved by leaps and bounds compared to just a few years ago. But is this enough?

However, this does not account for a central actor in the Android security landscape. Google has been trying to force OEM’s to increase the security on Google approved Android devices, but the situation there still leaves much to be desired.

Most OEMs make significant modifications to Android for their devices to give them their distinguishing features. In this presentation we will show how these modifications can be more trouble than they are worth, undermining many of the security measures taken by Google.

We will introduce and analyze multiple zero-day vulnerabilities, including remotely exploitable ones in OEM customization code that affects hundred of millions of Android devices worldwide. In addition, we will demonstrate live exploitation of these vulnerabilities.

Adam Donenfeld is a lead mobile security researcher at Check Point with vast experience in the mobile research field. From a young age he has been hacking and reverse engineering for fun and profit. Prior to Check Point Adam served in an Israeli elite intelligence unit, as a security researcher. In his free time, Adam studies German.

Daniel Brodie is the Head of Mobile Security Research at CheckPoint. His in-depth research findings and corresponding demos have been presented at various conferences world-wide. Daniel has done vulnerability research and exploitation for low level vulnerabilities for a decade, in both PC and Mobile environments.


(^Top)


OSX.Pirrit: The Blue Balls of Mac Adware

Amit Serper

Not a lot was said about adware, especially not about adware for Mac. Adware is usually dismissed for being too benign and not interesting. After all – it just displays ads. But what if you were hit with an aggressive variant with malware-like features that has root access to your machine and has the ability to do what ever its creators wanted it to do?

A Mac OS X port of the Pirrit adware includes properties like hidden users, traffic redirection, persistence, and weird DGA-looking domains, all showing that an aggressive malvertiser is now targeting Macs. In the case of OSX.Pirrit, it uses simple social engineering to escalate its privileges and eventually take total control of your Mac. And with control of your machine, Pirrit’s creators could have done pretty much anything, like stolen your company’s secret sauce or installed a keylogger to capture the log-in credentials for your bank account. The creators of Pirrit were trying very hard to avoid being detected by antiviruses, personal firewalls and even from some advanced users.

In this talk, we’ll review OSX/Pirrit, dissect its methods and show it could have carried out much more sinister activities besides bombard a browser with ads.

Amit Serper (@0xAmit) leads Mac OS X and Linux security research at Cybereason, an endpoint detection and response startup. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. Prior to joining Cybereason, Amit spent nine years leading security research projects for an Israeli government agency.


(^Top)


Intrusion Hunting for the Masses – A Practical Guide

David Sharpe

So, mature CIRTs are supposed to have people hunting for targeted intrusions, right? Don’t have a hunt team yet? Don’t know what to hunt for, or how or where to hunt? You are not alone. This talk will cover a range of effective and practical techniques that have worked over the years for finding targeted intrusions. This talk will stay focused on ideas that you can take back to your own organization and put in place right away. We will stay away from the more math-y and hypothetical hunting approaches, in favor of simpler yet effective methods that have worked in real world practice.

David (@sharpesecurity) is currently an Incident Handler with GE-CIRT. David has a wide range of IT experience spanning 20 years serving in a variety of roles in Fortune 10 and Fortune 500 companies, starting in systems programming and large scale systems administration. David has spent the last 10 years focused on IT security.


(^Top)


Kerberos Party Tricks

Geoffrey Janjua

What if I told you that as an unprivileged user on a domain I can:

  • Port-scan without sending packets
  • Crack domain account passwords without triggering lockouts, etc.
  • Manipulate kerberos tickets to impersonate users

With a privileged account I can recover hashes from domain controllers without code execution. No new vulnerabilities will be discussed, but I will show various techniques to abuse kerberos using both Windows and Linux non-domain connected systems. These techniques can be combined to impersonate users and compromise the domain without arbitrary code execution on any system.

Geoff is the founder of Exumbra Operations Group, a cyber and physical penetration testing and training firm. His technical and covert-entry skills were honed during the last 12 years of real-world field operations. He is currently executing physical and cyber penetration tests to secure the Intellectual Property and Trade Secrets of an S&P 500 company.


(^Top)


Investigating HIPAA Breaches and Identifying Vulnerabilities

Herbert Icasiano

An overview of identifying vulnerabilities in an entity’s healthcare information system, with examination of case studies and consideration of the legal and regulatory background. Special attention will be given to technical safeguards and social engineering. This talk will also discuss steps to take in the investigation of a suspected HIPAA breach.

Herbert Icasiano has over a decade of experience in healthcare and has assisted in compliance issues and investigations for HIPAA covered entities. His adventures have ranged from EMS to emergency departments to academia. As a computer hobbyist since childhood, Herbert examines intersections between tech and the practice of medicine.


(^Top)


Enforcing Web security and privacy with zero-knowledge protocols

Ignat Korchagin

Zero-knowledge proofs are effective cryptographic primitives which may provide additional properties and guarantees to security systems and communication protocols. However, they are still being underused in modern world. Unfortunately, even with today’s strong cryptography solutions and increased user security awareness information leaks still happen. As the data on the Web becomes more valuable, attackers develop more sophisticated attacks often involving more than just technical assets, but also other techniques like social engineering. The talk presents possible ways of using zero-knowledge proofs to improve authentication and phishing prevention on the Web taking novel implementation of well known technique (socialist millionaires’ protocol) as an example.

Ignat is a security engineer at CloudFlare working mostly on platform and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before CloudFlare, Ignat worked as senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services.


(^Top)


Hackers Hiring Hackers: How to Hack the Interview Process and Attract Talent

IrishMASMS

There are few talks that address what some consider to be the hardest part of getting a job in InfoSec: the hiring process. Information security is in desperate need of people with the technical skills hackers have to fill a myriad of roles within organizations across the world. However, both sides of the table are doing horribly when it comes to hiring and interviewing. Organizations are doing poorly trying to communicate expectations for a job, there are people going to interviews without knowing how to showcase their (limited or vast) experience, and some people posture themselves so poorly that the hiring managers don’t think the candidates are really interested in the job. This talk takes the experiences of the speakers as both interviewers & interviewees (as well as from others) in order to help better prepare to enter (or move within) “the industry” as well as hiring managers know what they can do to get the people & experience they need for their teams.

IrishMASMS is an old school hacker, fighting the good fight in Computer Network Defence (CND)/blue team efforts for over 16 years. Been lurking about since DEFCON 10, DJing the B&W ball at DEFCON 18 (with quite a few AP pool shindigs and private parties along the way). Panel member at HOPE 5, presenter at a couple of Notacon’s, and some other conferences that are hard to remember what really happened. Having progressed through the ranks to hiring manager and director level, he has experienced the pain from both sides of the hiring process and desires to improve the situation for the InfoSec community. Is this where we mention cyberderp?


(^Top)


Photogrammetry – 3D imaging techniques with a plain old camera

Machinist

“Hi, I’m machinist. You may remember me from such hacker talks like, “3D Printing our Way to Skynet”, or, “CNC for Dummies”. In those talks we’ve been orbiting around how to use 3D models of objects, and how to manifest those files into reality. Many of those techniques require extensive domain knowledge and smashing your face into the keyboard repeatedly, hoping for usable results. What’s different now is that advances in software have enabled high quality 3D imaging with nothing more than an ordinary camera and a stack of software.

Photogrammetry techniques allow you to process models that are otherwise troublesome for typical 3D scanners. Reflective surfaces, huge objects, or even crowdsourced images are no longer a problem with photogrammetry. In this talk, we’ll walk you through a few basic techniques on how to do large and small scale 3D imaging, with less expertise and equipment than ever!

machinist started hacking with a heart of steel. Now he’s replaced it with one made of ABS plastic at 15% infill, no need for support.


(^Top)


Won’t Somebody Please Think of the Routers

Sander Smith

Poorly secured home routers have quickly gone from a topic that no one even thought about to a platform that can easily be used to launch high-profile attacks. The fate of SOHO routers has become a popular topic on many fronts. We’d like to discuss the current state of home networking security and what must be done to fix the problems. Our research provides us with loads of data on how real people are using real devices and the types of things that are going wrong. This leads us into an approach for addressing the problem that’s different from how others may see it.

  • Overview of the home networking security problem
  • Unfortunately, everyone seems to be focusing on the wrong things
  • The push for more user education isn’t working so well
  • Hold vendors accountable
  • Third-Party Firmwares
  • How the Average Guy is set up to fail when building his home network
  • Why so many networking devices are flawed right out of the box
  • What we can learn from peoples’ Network Names (SSIDs)
  • How to really solve the problem

Sander Smith is the Founder and President of Sericon Technology, a software company in Toronto, Canada. He holds a Master’s Degree in Computer Science from The Johns Hopkins University, and has 31 years of experience developing software in three different countries. In his career he’s worked on developing diverse projects from embedded systems all the way up to large-scale command and control applications. Sander has an interest in computer security and feels fortunate to have been around to see how society and the early Internet managed to fundamentally change each other.


(^Top)


Planning Effective Red Team Exercises

Sean T. Malone

An effective red team exercise is substantially different from a penetration test, and it should be chartered differently as well. The scenario, objective, scope, and rules of engagement all need to be positioned correctly at the beginning in order to most closely simulate a real adversary and provide maximum value to the client.

In this presentation, we’ll review best practices in each of these areas, distilled from conducting dozens of successful red team exercises – along with some war stories highlighting why each element matters. Those in offensive security will gain an understanding of how to manage the client’s expectations for this process, and how to guide them towards an engagement that provides a realistic measurement of their ability to prevent, detect, and respond to real attacks. Those in enterprise security will gain a deeper understanding of this style of assessment, and how to work with a red team to drive real improvement in their security programs.

Sean Malone (@SeanTMalone) has conducted full real-world red team attacks against dozens of different organizations. He knows how the adversary thinks and operates, because he has been that adversary countless times in his work as a consultant. Sean works with these organizations to improve their security far beyond check-box requirements and compliance minimums. His reshaping of enterprise security architecture consistently results in significantly decreased attacker success rates. This comprehensive knowledge of an attacker’s mindset, combined with his in-depth understanding of the landscape of a corporate security environment, leaves him uniquely suited to design and implement effective security programs for any corporation.


(^Top)


“Cyber” Attacking OSX for Fun and Profit

Viss, Cyber Professional

I was approached by Fusion to be part of their ‘Real Future’ documentary – specifically, and I quote, to ‘see how badly I could fuck his life up, while having control of his laptop’. They wanted me to approach this scenario from how a typical “cyber” attacker would see it. This journalist was San Francisco Bay Area based, so that meant he was using a mac, an iphone, and his office was using google apps and likely 2 factor authentication for everything. No windows, no powershell, no ms08_067, no netbios, no backdoored ms office documents – how was I supposed to get in? Well, I did get in, but then I was faced with another problem – metasploit doesn’t work so well when “cyber” attacking osx. And outside of that, there really arent ANY tools (at least public ones) that are built for attacking osx. I had to build a “cyber” toolkit for myself ON THE VICTIMS MACHINE, LIVE during the engagement. And I’m going to tell you all how I did that, what I did, what worked and what didn’t work. The one thing I can say is now I understand why the NSA does surveillance the way they do. You learn 10x more from watching someone via screenshots than you will from any shell, hands down, every time. “Cyber”.

Dan “Cyber” Tentler (@Viss) is the founder and CEO of The Phobos Group, a boutique “cyber” information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to “evil hacker for a camera crew”. When not obtaining shells or explaining against how to get shelled, Dan enjoys FPV racing.


(^Top)


Hacking Commercial ATMs and Safes

XCC & Alex

In this talk we will discuss the analysis and discovered vulnerabilities in a modern “High Security” ATM/Safe that is commonly used in commercial facilities (banks, grocery stores, retail stores, etc.).

Our talk will cover the following:

  • Modern safe cracking techniques
  • Safe security design weaknesses
  • New vulnerabilities in commercial ATMs/Safe installations
  • Hardware reversing, software reversing, exploit development and wireless security analysis of a commonly used commercial ATM/Safe
  • Defensive measures to protect against physical security threats

XCC is a penetration tester and has been working in the information security industry for 12 years. He’s performed various security assessments against embedded devices, mobile applications, web applications and SCADA equipment. An avid lock picker, ctf player, reverse engineer and safe security enthusiast, XCC has spoken at various security conferences including Toorcon and RSA conference. XCC learned how to lockpick from Datagram at Toorcon many many years ago (datagram says: <3).

Alex is an avid hardware enthusiast, lock picker, CTF player and reverse engineer. He works as a full time penetration tester who works at an information security startup company in San Diego called Somerset Recon. Alex enjoys disassembling, modding and re-flashing different types of hardware devices.


(^Top)