Information security along and across ZeroNights


    Friends, do you really think we have already told you all the news about the ZeroNights program? Not at all! Today we have many pleasant surprises and incredible announcements.

    First, we’ll talk in detail about updates in the main program.

    1) Our other keynote speaker, Gregor Kopf (Germany), will show you what is happening in cryptography today: the main directions, problems, common mistakes and interesting avenues for crypto-adjacent research.

    The state of cryptography
    In recent months, a lot of problems related to cryptography have come to light. Can it still be trusted, or are we all doomed, and were the skeptics right from the start? In this talk, we will try to better understand what is happening. To this end, the current situation will be analyzed and the problems we face will be touched upon. We will examine common mistakes and identify interesting directions for crypto-adjacent research.

    2) Gal Diskin (Israel) from Cyvera will present an overview of hardware virtualization technology and the existing techniques for attacking virtualization systems, and will also explain why creating a secure hypervisor is a daunting task.

    Virtually Impossible: The Reality of Secure Virtualization
    From this talk you will find out why virtual machines are not as well protected as they should be.
    The speaker will give an overview of the basics of hardware virtualization technology and the existing techniques for attacking virtualization systems, and will also explain why creating a secure hypervisor is such a difficult task. This will lead smoothly into a discussion of the prospects for attack methods against hypervisors.
    After this talk, you will surely reassess your attitude to the security of virtualized cloud platforms and VMMs such as Xen, KVM and VMware, as well as virtualization-based sandboxes.
    The talk also covers the following topics / attack methods / virtualization flaws:
    • SMM as a component shared between virtual machines. Why is this dangerous?
    • STM - why is it never used?
    • Shared MSRs and why they are dangerous (think of the TSC)
    • The fundamental SR-IOV problem
    • VT-d / IOMMU problems
    • Memory configuration and mapping, and how difficult memory management is (remapping, PEG, System, IGD, ...)
    • MMIO
    For those who are not too familiar with computer architecture: do not worry. The talk includes a brief introduction to the topic, which will allow you to follow the technical issues discussed.

    3) A talk by Peter Hlavaty (Slovakia) from ESET will be dedicated to the DbiFuzz framework.

    DbiFuzz framework
    Code coverage in fuzzing, dynamic unpacking and emulation depends on tracers and DBI (dynamic binary instrumentation) tools. Some of them are intended for debugging; some modify the binary code and add instrumentation. This talk is about the DbiFuzz framework. DbiFuzz takes an alternative approach, in which the tracing is done not inside the target application but in a separate area. This out-of-the-box framework supports 64-bit binaries, multi-threading and tracing of multiple applications under a single tracer.

    4) And Google's Mateusz 'j00ru' Jurczyk (Switzerland), a big fan of memory corruption, will focus his presentation on interesting kernel-mode flaws.

    Windows Kernel Trap Handler and NTVDM Vulnerabilities: Case Study
    The security of the client applications that are now in wide use depends, slowly but surely, on the robustness of operating system kernels, and risk-mitigation mechanisms such as sandboxes and mandatory access control are becoming increasingly important. Although ring 0 security research is steadily gaining popularity in the hacker community, the attack surface of a kernel is so enormous that covering every security threat by manual audit is simply unrealistic. In this presentation, we will highlight a number of interesting kernel-mode flaws discovered using automated and manual testing techniques and recently fixed by Microsoft, including the relevant exploitation techniques and working exploits for clarity. We will discuss, among other things, low-level processor mechanisms,

    5) A talk by Meder Kydyraliev (Australia) will be devoted to mining Mach services inside the OS X sandbox.

    Mining Mach services inside the OS X sandbox
    Sandbox technology has been developing rapidly lately and is gaining popularity among vendors. So the day is not far off when memory corruption vulnerabilities will be used primarily for cookie theft. But today there are still interesting paths from inside a sandboxed application to a "hidden" attack surface and, ultimately, to a sandbox escape. After a brief overview of sandboxes in OS X, I will talk about one of these paths and introduce fuzzing tools that can help with this task.

    There is more and more information, and protecting it is becoming harder and harder. ZeroNights speakers will talk about the dangers lurking in data and what to expect from office documents. We continue with the main program:

    6) Ivan Novikov, also known as Vladimir 'd0znpp' Vorontsov (Russia) from ONsec, will talk about time-based attacks on file systems.

    Time-based attacks on file systems
    Gathering information about the file system is the basis of black-box security audits. The classical technique for this is called dirbusting: the full names of files and folders are brute-forced in order to enumerate their contents. In this talk, the author explores new time-based attack methods that can significantly reduce the time needed to enumerate files and directories. The synthesis problem characteristic of brute force is reduced to the analysis problem characteristic of a search. Methods of measuring timing for hardware and software components are investigated. A general theory of such effects is also considered.

    7) From the talk by Anton Dorfman (Russia) you will find out what data can tell you.

    Reversing data formats: what data can tell
    Every program works with data in one way or another: it takes data as input, processes it and produces output. Understanding the data formats a program uses greatly simplifies reverse engineering it, and also makes fuzzing it much more effective. Data formats contain many recurring patterns, which will be discussed in the talk. Methods and tools for automated analysis of data structures in network protocols and in files of various formats will also be considered. The author will offer his view of the problem and demonstrate all the concepts with examples.

    8) Vlad Ovchinnikov (United Kingdom) from SensePost will present a talk with the eloquent title "When documents bite".

    When documents bite
    In 1999, the Melissa virus changed the entire industry's perception of how malware spreads. Formats that look safe at first glance, such as Microsoft Word and Adobe PDF, began to be used to deliver malicious payloads. A recent report on the subject showed that attackers now prefer to deliver malware precisely by means of malicious documents. In the "diplomatic cyber attack" of the Red October campaign, Word and PDF files were used as the main delivery method. This attack vector is characterized by successful social engineering, primarily because mail filters can be bypassed by sending information in widespread formats (for example, *.doc - supposedly a safe format and an industry standard), so in most cases the files reach the recipient.
    Thus, analysis of real-life attacks using malicious office documents is the key to protecting against targeted attacks, which are one of the most serious IT security problems in corporate networks.
    This talk examines the details of these attack techniques and reveals some methods for detecting them that can help organizations counter these threats.

    9) And Alexey Troshichev (Russia) will tell an exciting story about the static analysis of 10,000 iOS applications.

    Impact on infrastructure. A story about analyzing thousands of mobile apps
    Modern applications are often just an interface between the user and some kind of infrastructure, which, from an attacker's point of view, can be far more appetizing than any one person with a phone. I will present a tool that automatically extracts data potentially useful for an attack, as well as the results of an analysis of 10,000 applications from the App Store, with an overview of both the statistics and special cases.

    10) Vladimir Kropotov (Russia) and Vitaliy Chetvertakov (Russia) will introduce the audience to the practice of applying pattern recognition methods and theory to attack detection.

    The practice of applying pattern recognition methods and theory to attack detection. With ... adaptable examples!
    Pattern recognition methods and other interesting mathematics can give quite interesting results in practice. In this presentation, the speakers will share their experience of running algorithms on network traffic and talk about the use of wavelets, pattern recognition theory and other interesting things to detect and classify suspicious traffic. The operation of some methods will be shown on examples of modern threats, along with examples of searching for patterns and characteristic signs in malicious traffic, training the system on genuinely interesting "case studies" and much more. The talk is based on the speakers' own practice with real traffic from 2012-2013; a complete absence of rehashed material is guaranteed. Some open-source code will be released.

    11) Denis Makrushin (Russia) will talk in detail about load testing services.

    The web is under pressure: denial of service as a service
    Every web project has an important performance indicator - the maximum load it can handle. The talk will examine load testing services from an unusual angle: we will see how a harmless tool can be turned into a means of carrying out DDoS attacks.

    12) In the talk by Inbar Raz (Israel) you will hear a lot of words with the prefix "cyber-".

    Physical (in)security: not ONLY cyber
    The current set of threats includes cyber threats, cyber security, cyber warfare, cyber intelligence, cyber espionage ... The prefix "cyber" is almost universally understood to mean "the Internet", but in fact the Internet may have nothing to do with it. The emphasis on Internet access creates some false assumptions and hides other attack vectors that are even simpler and no less dangerous. Namely: physical access to your network and devices.

    13) Dmitry Bumov (Russia) will talk about vulnerabilities in the logic of the web applications of the control panels of hosting providers.

    Vulnerabilities in the logic of the web applications of the control panels of hosting providers
    The talk is devoted to logic vulnerabilities in the web applications of the control panels of hosting and other providers. These vulnerabilities, as well as simple carelessness by users when managing an account, can lead to unauthorized access to domain management. The author of the talk tries to draw a fine line between user error while managing an account and logic vulnerabilities on the hosting provider's side.

    14) Alexander Timorin (Russia) and Alexander Tlyapov (Russia) will delve deeper into SCADA.

    SCADA Depths: Protocols, Security Mechanisms, Software Architecture
    The talk will present a technical description and detailed analysis of the common industrial protocols Profinet DCP, IEC 61850-8-1 (MMS) and IEC 60870-5-101/104, with real examples. The potential capabilities that these protocols give an attacker will be revealed, as will the authentication mechanism in Siemens' proprietary S7 protocol.
    In addition to the protocols, the results of research into Siemens Simatic WinCC will be presented: the overall architecture of component interaction, the protocols and mechanisms of interaction over HTTP, and vulnerabilities in the authorization and internal logic of the system.
    In conclusion - a methodological approach to the analysis of network protocols, recommendations, and the release of scripts.

    And now - attention! Our cool Workshops!

    1) Do not miss the excellent “Breaking HTML5” workshop from Krzysztof Kotowicz (Poland).

    Breaking HTML5
    The HTML5 era has arrived, bringing with it a ton of advanced functionality and a galaxy of new bugs. Innovative applications are being created, and browser developers compete in implementing advanced features. History shows that security suffers from the rapid development of new technologies, and now this is happening to us again.
    In this workshop you will get acquainted with the HTML5 technology stack and get a good idea of how modern web applications work. The emphasis is on practical solutions, demonstration of tools, and techniques for bypassing security and attacking. This is not another OWASP Top 10 where you are shown XSS. In this session, you will learn completely new techniques: for example, you will have to bypass the browser's XSS filters, intercept messages, use FTP servers through the browser and plan your own clickjacking campaign.
    - Same Origin Policy: features, oddities and security bypass
    - XSS in HTML5: looping vectors and awesome exploits
    - We exploit Web Messaging
    - Attack through Cross Origin Resource Sharing
    - We target client-side storage and poison the cache
    - We use web sockets for attacks
    - Intra-browser exploits for tunneled TCP servers
    - iframe sandboxes and clickjacking
    - Bypassing Content Security Policy
    - WebKit XSS Auditor and IE's anti-XSS filter: behind the scenes
    Audience: Pentesters, Security Specialists, Web Developers (Front End), JavaScript Developers
    Requirements for workshop participants:
    - 4 hours
    - Knowledge of web security is required (the basics of TCP/IP, HTTP, HTML, XSS, CSRF and client-side security) along with practical skills with common tooling (intercepting proxies, the Linux command line, scripting, netcat), since the workshop program will be very packed. The ability to program in JavaScript and familiarity with browser debugging tools (Firebug and others) are recommended. Participants will be provided with a virtual machine (VirtualBox) with the necessary tools, although to start with, an ordinary Linux with modern browsers installed (Chrome / Firefox / Opera) is enough.

    2) Next, Alexander Matrosov and Evgeny Rodionov (Russia), in their workshop entitled "Reversing complex threats", will introduce the audience to the particulars of reversing software developed in object-oriented programming languages.

    Reversing complex threats
    This workshop is devoted to the analysis of software developed in object-oriented programming languages. In recent years, there has been a sharp increase in the number of malicious programs with a complex object-oriented architecture, the most prominent representatives being Stuxnet, Flamer and Duqu. Analyzing such software requires a different approach than analyzing programs written in procedural programming languages. We will mainly look at examples implemented in C++ and compiled with the MS Visual C++ development environment.
    In this workshop, the authors will share the experience in reverse engineering object-oriented and position-independent code that they have accumulated while analyzing complex malicious programs.
    The program includes:
    - Introduction to the analysis of object-oriented code: calling conventions, compiler transformations, service data structures (vftables, RTTI), etc.
    - using static analysis tools to recover complex data types (structures, classes, objects)
    - automating C++ code analysis with IDAPython and the Hex-Rays Decompiler SDK
    - a method for recovering complex data types using Hex-Rays Decompiler extensions (HexRaysCodeXplorer)
    - analysis of malicious software developed in object-oriented programming languages (C++), as well as using position-independent code (PIC): Stuxnet, Flamer, Gapz.
    The participant will receive:
    - an understanding of object-oriented and position-independent code from the reverse engineer's point of view
    - practical skills in working with IDA Pro and the Hex-Rays Decompiler to recover complex data types
    - a basic understanding of developing extensions for the Hex-Rays Decompiler
    - practical experience in analyzing complex threats, with Flamer, Stuxnet and Gapz as examples
    Requirements for participants:
    - 4 (5) hours
    - a laptop with IDA Pro and the Hex-Rays Decompiler preinstalled

    Do not forget about the FastTrack section!

    1) Alexey Matrosov and Evgeny Rodionov will surprise you in the FastTrack section. They will tell you how HexRaysCodeXplorer makes reversing object-oriented code easier.

    HexRaysCodeXplorer: making reversing of object-oriented code easier
    HexRaysCodeXplorer simplifies the analysis of object-oriented code when working with the Hex-Rays decompiler. The following plugin features are currently supported:
    - automatic recovery of complex data types for C++ code (type reconstruction);
    - visualization of the ctree graph for the selected section of decompiled code;
    - navigation through virtual function calls;
    - visualization of information about virtual functions (Object Explorer).
    This talk will cover the plugin's functionality and the benefits of using it. An algorithm for recovering complex types in position-independent code will also be presented in detail, with an explanation of how it works in HexRaysCodeXplorer.
    The authors will present a special release of the plugin (ZeroNights edition) with new features and will commit a new version right from the stage.

    2) Andrey Danau will talk about session management errors in cloud solutions and on classic hosting.

    Session management errors in cloud solutions and on classic hosting
    The problem of session sharing on shared hosting has been known for a long time. To isolate the session contexts of different users, file system restrictions are usually used - access rights on different directories. The sessions of different hosting clients are stored in different files. With the development of cloud technologies, this problem has become relevant again from a different angle. There is a need to isolate the context of the sessions running on a given cloud node while taking into account its simultaneous use by several clients. Experience from information security audits shows that session context isolation in modern cloud solutions is most often implemented inadequately. Methods of exploiting these kinds of problems will be discussed in the talk.
    The talk discusses various mechanisms for storing sessions, their identification, and methods of protection against attacks that bypass access restrictions in modern cloud services. Additional attention is paid to classifying the session keys used in popular PHP web applications in order to find intersections between these keys. The results are of practical interest when conducting information security audits. Special attention is paid to methods of finding and preventing such problems.

    3) Anton Cherepanov (Russia) will analyze the Hesperbot banking Trojan in detail.

    Hesperbot: analysis of a new banking Trojan
    In August 2013, ESET specialists discovered a campaign against Internet banking users in the Czech Republic, Turkey and Portugal. The study revealed that the attack uses a previously unknown banking Trojan - Win32/Spy.Hesperbot. Distinctive features of this malware family are its modular architecture, a unique technique for modifying the web content of banking sites, and the use of mobile components for various platforms - Android, Symbian and BlackBerry.

    This is not all the news! First time at ZeroNights: business application security in detail.

    This year, for the first time, ZeroNights will feature a separate section dedicated to business application security. This event is timed to coincide with the relaunch of the EAS-SEC (Enterprise Application Systems Security) project, which is getting a new life. Until recently, it was part of the OWASP consortium and was called OWASP-EAS. Since the security of business applications has long since gone beyond the web, it was decided to spin this area off as an independent project.
    So, during the section, short talks will be presented on vulnerabilities and interesting architectural flaws in various business applications. In addition to traditional ERP systems, HR systems, business intelligence (BI) applications, accounting and banking software, development systems and many other applications from key business system vendors, including SAP, Oracle, Microsoft, 1C, etc., will be hacked. Only in this section will you get the unique opportunity to hear the talks presented at the legendary BlackHat conference.
    It will also present the results of the EAS-SEC project in protecting against the listed problems in two areas: guides for analyzing the security of critical systems during operation, and guides for the secure development of critical systems taking into account the specifics of business applications. A list of key weaknesses in business application development, similar to the OWASP Top 10 (which applies only to web applications), will also be presented.
    We have no doubt that this unique event will be of interest to researchers and hackers as well as to the specialists responsible for protecting information systems, including heads of security departments, administrators and programmers. We will not only show real examples of interesting attacks, but also provide detailed protection guides.
    Section leader - Alexander Polyakov. All talks are exclusive from Digital Security experts.

    Section talks

    1. Alexey Tyurin “Accounting hacking - arch bugs in MS Dynamics GP”

    Dynamics GP is a large and powerful accounting / ERP software solution from Microsoft, which is widely deployed in North America. The talk will cover how it was analyzed within the EAS-SEC project and what results were achieved. Examples will be shown of how to attack the system based on existing Dynamics GP architectural decisions: how to escalate from minimum to maximum privileges and how to take complete control of the system.

    2. Evgeny Neyolov “Dev system hacking - arch bugs in SAP SDM”

    Why hack the critical systems themselves if you can attack the application deployment servers from which code is distributed to all systems? In SAP ERP, this task is handled by the NetWeaver Development Infrastructure, which consists of the SDM, DTR, CBS and CMS subsystems.
    Is this the ideal target for an attack? Who cares about the security of an application deployment server that serves dozens of servers and thousands of client machines? That is exactly why such solutions have architectural vulnerabilities that allow an attacker to anonymously embed their code in applications on production servers. As a result, the attacker's malicious code spreads to any chosen systems, providing the ability to control each of them.

    3. Alexey Tyurin “HR Hacking - bugs in PeopleSoft”

    This talk reveals the details of the analysis, within the EAS-SEC project, of one of the top HRMS solutions from Oracle - PeopleSoft, which has thousands upon thousands of deployments around the world. Using this product and the vulnerabilities identified in it as an example, the importance of an integrated approach to security will be shown. It will be demonstrated how, by chaining vulnerabilities of medium and low severity some six months ago, it was possible to take control of almost any PeopleSoft-based system. The escalation path from an anonymous user to system administrator will be shown.

    4. Gleb Cherbov "RBS Hacking - arch bugs in BSS"

    The time of banking magic.
    Architectural features of banking systems will be presented using a number of vulnerabilities in remote banking (RBS) solutions from a leading domestic vendor as examples.
    Fascinating details of the pointless use of strong cryptography and the nuances of implementing authentication. Mysterious disappearances and increases of client capital are included.

    5. Dmitry Chastukhin "Business Intelligence hacking - Breaking ICCube"

    Option 1.
    Business analytics is a vital process in any large company, based on a large amount of data collected, as a rule, over a long period of time. The results of this analytics allow company managers to make all kinds of management decisions on which the company's future directly depends. Should you worry about the security of this data? Of course. Are the technologies used to build business intelligence systems secure?
    This talk will examine vulnerabilities in the popular icCube OLAP server and how an attacker using the MDX query language can compromise the OLAP server's OS and all the business data.
    Option 2.
    Guys! Guys!!! I learned a new abbreviation! MDX. Have you heard of it? No? What about OLAP? Neither had I. So maybe we should poke at this strange thing? After all, people love talks about hacking abbreviations they don't understand. Then it will be possible to get into a conference like BlackHat, or to speak at ZeroNights (at least on the fast track). I'll tell you a bit about OLAP and MDX and show a couple of bugs using icCube as an example, and they'll feed me at the conference for it. Pretty cool, huh?

    6. Alexander Polyakov "EAS-SEC - Guidelines for the Secure Implementation of Business Applications"

    The talk will present the results of the EAS-SEC project. The project has two directions: guides for analyzing the security of critical systems during operation, and guides for the secure development of critical systems taking into account the specifics of business applications. This talk covers the analysis of business applications at the implementation and operation stage. As a result, a list of key security issues for business applications at all levels will be presented: from the network to application-specific problems. A security guide for the SAP platform will also be presented as the first step in this project.

    7. Alexander Minozhenko "EAS-SEC - Guidelines for the Secure Development of Business Applications"

    A talk on the latest results of the EAS-SEC (Enterprise Application Systems Security) project. The project, which was part of the OWASP consortium for 3 years under the name OWASP-EAS, now has a new life and has shed its web-only scope. This talk will present a secure development guide and a list of nine key weaknesses encountered in business application development, from code injection to covert data leakage channels. Most importantly, you will see examples of real vulnerabilities discovered through manual analysis and automated tools applicable to SAP systems, and, of course, ways to eliminate them.

    And you will find the hot talk show "Clash of the Titans: ZeroNights Hackers vs. Microsoft vs. Cisco".

    Hackers against vendors. Vendors against vendors. Vendors against hackers.
    All against all, or the strong against the weak? Is it possible to win this game, and how soon might the words "Game over" appear? Are you sure about the winner? Place your bets! And come to ZeroNights 2013 on November 8. The talk show promises to be interesting and completely politically incorrect! Let the vendors answer for everything.
    Only with us can vendors be asked any question. Do you have a couple of rounds in the clip? Then welcome.
    - Who is more full of holes: Cisco or Microsoft?
    - Who introduced SDLC to whom - Cisco to Microsoft, or Microsoft to Cisco?
    ... and so on!
    There will be no concessions, we will not forgive weaknesses, no question will go unanswered.
    Host: ... Vladimir Solovyov!.. But why would we need him?!
    Digital Security - Ilya Medvedovsky and Oleg Kupreev
    Microsoft - Andrey Beshkov
    Cisco - Vasily Tomilin
    We are waiting for your hot and pointed questions at questions@zeronights.ru.

    Only with us - the "Long and Long" competition, exclusively for conference participants, will make you feel like a secret service agent. Imagine that your management has instructed you to hack into the computer network of the S-Lab company. It is not so simple, since S-Lab protects its resources very well. In addition, the same task has been given to other employees of the Z-Hack division you belong to. You will find a token on each server. The winner will be the agent who collects all the tokens first.

    Well? Isn't that blockbuster news? But that's not all! Not long left to wait!
