April 12, 2010 at 01:32Report Topics at Black Hat Europe 2010 / Barcelona
- Transfer
Good afternoon,% username%. Black Hat Europe 2010 is starting in Barcelona today, and it would be very interesting to know what we have prepared this time. In this translation, the topics of the reports and their brief description will be given.
In some places, translation may be a little bad, but as they say, the wealthier they are. On translation, comments / corrections are welcome.
The authors):
Andre Adelsbach (Telindus)Title:
Misusing Wireless ISPs for Anonymous Communication (Misuse of wireless providers to create anonymous communications)Description:
Most wireless techniques are inherently simple broadcasts at the physical level, that is, in fact, the signal can be received by either side in a specific coverage area. To provide a secure p2p connection, such wireless infrastructures typically use cryptographic protocols so that both sides of the connection (for example, the user and the storage medium) establish a session key, which is used to create a private and authentic connection by encrypting the information and the authentication code. Today, thoughts on creating and analyzing such communication protocols come down to the fact that both sides of the connection must behave correctly with respect to the crypto protocol if they want to maintain their confidentiality with respect to outsiders.However, if the storage media have large capacities / resources in terms of bandwidth, then users may not be interested in protecting their connection from outsiders, but instead may try to expand their capacities / resources by insider attacks on the communication protocol. And as far as the author of the report knows, such new threats from a proxy have still been neglected.
This report will introduce several types of insider attacks that disrupt secure communications initiated by the resource carrier. Satellite Internet providers can serve as a vivid example, because users have a tight connection with the service provider, and on the other hand, Internet providers have the ability to transmit signals over vast areas. That is why the report will mainly illustrate attacks related to satellite Internet providers, but WiMAX will also be touched.
The strongest attack to be presented allows the end user to broadcast data in clear text through their provider, despite the fact that all data sent from the satellite to the user must be encrypted.
In the end, the author intends to discuss how the presented results can be used to establish communication channels, achieving perfect anonymity of the recipient.
The authors):
Iftach Ian Amit (Security & Innovation)Title:
Cyber [Crime | War] charting dangerous water (Charts of Cyber [Crime | War])Description:
Cyberwar has been a pretty controversial topic for the past couple of years. Some say that this term is generally erroneous. Cybercrime, on the other hand, was a major source of concern, as the lack of jurisdiction and law enforcement made it one of the best sources of income from organized crime. In this report, the author will explore the differences between Cybercrime and Cyberwar, along the way highlighting the main actors (mainly on the state side), and linking past attacks on the opposition with the Cybercrime Syndicate. The author will also examine the connection between Cyberwar and conventional war and the methods that are used in modern campaigns that use cybersecurity.The authors):
Patroklos Argyroudis (Census, Inc)Title:
Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation (FreeBSD Kernel and Stack Operation)Description:
FreebsdIt is widely recognized as one of the most reliable efficient operating systems available in both free and proprietary software. Although the exploitation of kernel vulnerabilities has been studied within the framework of Windows and Linux operating systems, FreeBSD and BSD systems in general have not received so much attention. This presentation will first demonstrate the operation of the FreeBSD kernel stack overflow. The exploit development process for privilege escalation will be documented under CVE-2008-3531. The second part of the presentation will show a detailed analysis of the security of the memory management mechanism in FreeBSD - Universal Memory Allocator (UMA). It will also consider a situation where UMA overflow can lead to the execution of arbitrary code in the context of the latest stable FreeBSD kernel (8.0-RELEASE).The authors):
James Arlen (Push The Stack Consulting)Title:
SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot (SCADA and ICS for Security Experts: How to Avoid Becoming a Cyberidiot)Description:
The author of the report wants to tell us that for some reason the traditional security industries decided that they, like knights on a white horse, should save everyone from the horror of unsafe pipelines, chemical plants and other cookie factories. But suddenly, every consultant suddenly becomes an expert, and each product widely advertises its capabilities to address the issue of SCADA security. But mainly because they don’t know what they are saying, they make us all look like idiots. Therefore, the author suggests everyone to sit peacefully and talk about SCADA and ICS, and thus, together solve the problems that have arisen. The author argues that it is time to stop being cyberidiots and you need to start making some positive contributions to the overall solution.The authors):
Christiaan Beek (TenICT BV)Title:
Virtual ForensicsDescription:
This report will talk about the problems we face when we investigate virtualized environments. The author raises such questions as “What are the differences in investigation techniques and tools on virtualized and standard systems”, “What files are most important when conducting an investigation on Citrix and VMWare systems”, “What about the VMDK file system and its future research”.The authors):
Marco Bonetti (Cutaway srl)Title:
Surviving your phone: protecting mobile communications with TorDescription:
The author will remind us that Tor is a software product that helps us protect ourselves from the analysis of network traffic, as from a form of supervision, which threatens our personal freedom and confidentiality of relations. Tor provides protection by routing network traffic packets over a distributed network of servers launched by volunteers from around the world, thus preventing you from knowing your real geographic location.Unfortunately, the new HTML5 features and geolocation technologies built into the browser make it more and more difficult for users to maintain privacy.
This presentation will describe all of the above problems and the methods by which they can be implemented even for Tor users. Ways to solve privacy problems for mobile users will also be described.
The authors):
Stephan Chenette (Websense Security Labs)Title:
Fireshark - A tool to Link the Malicious Web (Fireshark - collect all malicious network programs)Description:
Thousands of legitimate sites contribute to the spread of malicious content to millions of visitors. Attempts to combine all the studies together in order to find any patterns between sites seem to be a rather difficult task, and sometimes unsolvable when using some freely distributed tools.The author will present a research project called Fireshark (fire shark), which is able to visit a huge number of sites while at the same time performing, saving and analyzing the contents of each of them. Based on the analysis of this program, it will be possible to draw conclusions about the security of a site.
The authors):
Mariano Nuñez Di Croce (ONAPSIS)Title:
SAP Backdoors: A ghost at the heart of your business (SAP backdoors: ghosts at the very heart of your business)Description:
In any company, ERP (Enterprise Resource Planning) is the heart of your business. These systems are designed to organize processes such as procurement, billing, human resources, resource management, financial planning; Among these systems, SAP stands out most clearly, with more than 90,000 customers in more than 120 countries.The information stored in such systems has the highest degree of significance for the company, the unauthorized manipulation of which can lead to economic losses and loss of reputation.
This presentation will focus on backdoors in SAP, the author will talk about various methods that cybercriminals can use to create and install a backdoor in an SAP system, thereby allowing them to go unnoticed and install other malicious components that generally lead to financial fraud. After that, the author will introduce some countermeasures aimed at avoiding such attacks, and will also introduce a new free tool, Onapsis, which allows security managers to automatically detect unauthorized changes in SAP systems.
The authors):
Andrzej Dereszowski (3M)Title:
Verifying eMRTD Security ControlsDescription:
With the transition to electronic travel documents in Europe, there was an urgent need to verify the correct implementation of authentication technology. Based on this, the author wants to consider the security control of an electronic document (eMRTD - electronic Machine Readable Travel Document, approx. Per.), Will offer, in his opinion, the most correct implementations of the identification mechanism, and also show the whole danger of incorrect implementation and all the ensuing from problems consequences.The authors):
Raoul D'Costa (SIGNAL 11)Title:
Targeted attacks: from being a victim to counter attacking (Targeted attacks: moving from victim to attacker)Description:
This presentation is an analysis of the targeted attacks currently underway against many organizations. As it turns out, the free remote access system (RAT) is often used to maintain control of the victim after successful penetration. The presentation does not focus on specific attack methods, but instead focuses on RAT.The presentation will tell about the methods of finding out which particular trojan was used (architecture, capabilities, methods of hiding the presence in the system). At the end, a search for vulnerabilities in the attacking tool will be shown, and the attacker could become a victim himself.
The authors):
Thai Duong & Juliano Rizzo (VNSECURITY)Title:
Practical Crypto Attacks Against Web ApplicationsDescription:
In 2009, the authors already showed the possibility of an attack on MD5, respectively, on sites such as Flickr, Vimeo, Scribd. In this presentation, the authors want to present the latest results of their research aimed at another equally powerful crypto attack.The authors will show that many widely used modern web development frameworks use encryption incorrectly, and therefore allow attackers to read and modify sensitive data. Examples will be given such as Padding Oracle attack, eBay Latin America, Apache MyFaces, SUN Mojjara, Ruby On Rails and so on. The authors claim that all these are 0-day (zero-day) vulnerabilities.
The authors):
Eric Filiol (ESIEA)Title:
How to operationally detect and break misuse of weak stream ciphers (and even block ciphers sometimes) - Application to the Office Encryption Cryptanalysis (How to quickly detect the use of weak stream ciphers - Office cryptanalysis application)Description:
Despite the widespread use of block ciphers, stream ciphers are still widespread in areas such as satellite communications, civil telecommunications, and software. But the use of stream ciphers is unsafe due to improper operation with encryption keys, this is exactly what the author of the report claims. The presentation will tell you how to identify such errors and recover texts in a fairly short time.For example, the author of the report will demonstrate the cryptanalysis of encryption used in Office, up to the 2003 version (RC4), mainly Word and Excel will pay attention. In a few seconds it will be possible to recover more than 90% of the source code.
The authors):
FX (REcurity Labs)Title:
Defending the Poor (Protecting the Poor)Description:
It's about a simple but effective approach to securing rich Internet Application Content (RIA) content. Some internal Adobe Flash mechanisms that will allow attacks on the entire technology as a whole will be discussed. Some of these aspects make you smile, others make you flinch. Along with the presentation of these mechanisms, ideas for protection will be shown, not only in theory but also in practice, in the form of implemented code, as well as the results of its application in the real world.The authors):
Thanassis Giannetsos (REcurity Labs)Title:
Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks (Weaponizing Wireless Networks: Attacks on Sensor Networks)Description:
The ubiquitous combination of autonomous touch devices has spawned a wide class of new applications. But at the same time, the automatic nature and limited resources of the sensor nodes created the same number of vulnerabilities that an attacker could use to gain access to the network. Although much has been done to protect such networks, much less has been done to create tools to prove vulnerabilities in sensor networks.In this paper, we will present such a tool that allows us not only to conduct passive reconnaissance in networks, but also to test the strength of network protection by attacking it in various ways. As far as the author knows, this tool is the first of its kind. The results show that this tool is quite flexible, easily adapts to various sensor networks and various protocol stacks. The author hopes that its development will help to identify weaknesses in the new network protocols, and thereby increase their level of security.
The authors):
Joe Grand (Grand Idea Studio)Title:
Hardware is the New SoftwareDescription:
Society is thriving due to the steady growth of technology. Electronics is already in everything we touch. Hardware products currently rely on security-related applications, they have to be trusted, although often they do not protect against even the simplest classes of attacks that have been known for decades.DIY hobbies, easy access to equipment, instant information retrieval from the Internet, have led to the fact that hardware can no longer be discounted when considering computer security. In the report, the author will present a hacking hardware process and demonstrate several attacks on electronic devices.
The authors):
Vincenzo Iozzo (Zynamics GmbH)Title:
0-knowledge fuzzing (Fuzzing without pre-training)Description:
Fuzzing is currently a fairly common technique used by both attackers and developers. Usually it includes knowledge of the protocol or format of the input data, as well as a general understanding of how this input is processed inside the application.In the past, using fuzzing, you could get impressive results with a little effort; Now searching for bugs requires getting into code and user code due to the fact that common, widespread vulnerabilities have already been identified and fixed by developers.
The report will discuss the effective use of fuzzing without knowledge of the user input format. In particular, it will be demonstrated that techniques such as code coverage, data tainting and fuzzing in memory allow you to build a smart fuzzer without any special tools.
// Translator's
note Fuzzing is a technology for testing programs when random data is transmitted to the program instead of the expected input data. If the program freezes or crashes, it is considered to be a defect in the program that could lead to the discovery of a vulnerability. The big advantage of fuzzing is its simplicity and the ability to automatically analyze.
The authors):
Haifei Li & Guillaume Lovet (Fortinet Inc)Title:
Adobe Reader's Custom Memory Management: a Heap of Trouble (Adobe Reader: heap in trouble)Description:
Vulnerabilities in PDF - it's always gorgeous. Some antivirus companies, in their forecasts for 2010, speak of an increase in the number of vulnerabilities in PDF caused by cybercriminal requests. But how serious can this be compared to what is predicted, and what is the share of FUD (FUD - Fear-Uncertainty-Doubt - fear-uncertainty-doubt) in this? In the end, many PDF vulnerabilities are related to file structure (format), and therefore lead to heap corruption situations. And everyone knows that heap damage rarely goes into the category of serious vulnerabilities for which exploits are written. So, the MS Windows heap is hardly predictable, and is also protected by mechanisms such as safe-unlinking.The most popular PDF reader, Adobe Reader, has a specific architecture that can make us review our previous statements. To increase productivity, it implements its own heap management system, on top of the system one. But sometimes it happens that performance becomes an enemy of security, and this heap management system is much easier to exploit vulnerabilities. Together with the recent events related to the DEP bypass in Flash (JIT-spraying), which will be briefly shown at the presentation, the operation of the heap becomes quite easy prey.
As a result, the report will examine the heap management system and identify key weaknesses in order to shed light on the issue of PDF vulnerability.
// Translator's note
FUD - Fear-Uncertainty-Doubt - fear-uncertainty-doubt.
The name of the method of unfair competition, which consists in the dissemination of statements that are designed to cause the consumer (or potential consumer) of a competitor's product to doubt the correct choice and the absence of undesirable consequences. It is assumed that a consumer who doubts a competitor’s products is unlikely to acquire them, guided by the well-known principle: “Doubt - refuse”, thus facilitating the process of crowding out a competitor from the market or, at least, reducing its market share.
Safe-unlinking is a technology aimed at protecting heaps. It consists in checking, before removing a free block from the bidirectional list, the reliability of pointers to the previous and subsequent memory blocks.
The authors):
David Lindsay & Eduardo Vela Nava (Cigital)Title:
Universal XSS via IE8s XSS Filters (Universal XSS to bypass IE8 XSS filters)Description:
As we all know, IE8 has built-in XSS detection and prevention filters. The authors will show details of how filters detect attacks, discuss their main advantages and disadvantages. Also, the authors will show several ways in which filters become victims and allow XSS on sites on which there were no vulnerabilities. It will demonstrate how this vulnerability makes most sites vulnerable to XSS using IE8.The authors):
Moxie Marlinspike (Institute For Disruptive Studies)Title:
Changing Threats To Privacy: From TIA to Google (Changing Privacy Threats: From TIA to Google)Description:
We won the war for cryptography, there are still anonymous underground networks, decentralized networks have appeared to become a reality. Such a network communication strategy was conceived in anticipation of a bleak future, but somehow these efforts did not lead to protection from the privacy threat that we all faced.Instead, there are centralized state databases of all our correspondence and movements, and modern privacy threats are taking on an increasingly ominous connotation. The author suggests talking about new trends in this area, and will present some interesting solutions.
The authors):
Steve Ocepek & Wendel G. Henrique (Trustwave)Title:
Oracle, Interrupted: Stealing Sessions and Credentials (Oracle: stealing sessions and credentials)Description:
In the world of free, widespread encryption libraries, many pentesters still find quite interesting things in communication channels. If the database traffic is transmitted, then it’s good, but if the data also includes PAN, Track, CVV, then this makes you stop and think why this whole thing is not encrypted by default. However, we still need someone to query the database. Or maybe not…The authors propose to pay attention to one of the most popular relational databases - Oracle. Using a combination of downgrade attacks and exploits designed to intercept sessions, the authors will present a unique approach to hijacking database accounts. Using a new tool, thicknet, which will be introduced directly to BH, the team will demonstrate how deadly injection-based attacks can be.
The authors):
Christian Papathanasiou (Trustwave Spiderlabs)Title:
Abusing JBoss (JBoss abuse)Description:
JBoss application server is an open source implementation of the Java EE services suite. Ease of use and high flexibility make JBoss the ideal choice for both beginners with J2EE and experienced developers looking for a custom middleware platform.The widespread prevalence of JBoss in enterprises becomes the reason that it becomes a tidbit for both blackhat (crackers?) And pentesters. JBoss is usually run by the SYSTEM user, which automatically means obtaining super privileges when it detects an implemented vulnerability.
The developed tool allows you to compromise the security of unprotected JBoss. It allows you to load the payload of the Metaspleit, and as a result, execute it in the context of JBoss. On Windows platforms, using the Metasloit framework, you can get a full VNC shell.
Depending on the platform that is being operated on and the privilege level obtained, the developed tool is able to deploy a backdoor in combination with the hide-and-seek technology from the antivirus.
Due to the cross-platform nature of Java technology, the author is confident that he can do the same with JBoss for Linux, MacOSX.
The authors):
Enno Rey & Daniel Mende (ERNW)Title:
Hacking Cisco Enterprise WLANsDescription:
The world of "corporate wireless network solutions" is full of ambiguities and "non-standard" elements and technologies. Cisco solutions, ranging from Structured Wireless-Aware Network (SWAN) to Cisco Wireless Unified Networking (CUWN), are just a few of them. In the report, the authors will describe the internal architecture of these solutions, analyze the vulnerable parts and discuss theoretical and practical attacks, while also showing a couple of demos. A new tool for carrying out automatic attacks will also be presented.The authors):
Manish Saindane (Attack & Defense Labs)Title:
Attacking JAVA Serialized CommunicationDescription:
Many Java applications use Object Serialization to transfer objects over the network as a stream of bytes or to place them on a file system. Currently, existing pentesting software, Serialized Objects, provides limited ability to intercept and modify requests and responses. The author will try to introduce a new technology for influencing such Serialized communication, and their modification will be no more difficult than working when testing a regular Web application. The author has developed a plugin for Burp Suite.The authors):
Peter Silberman & Ero Carrera (MANDIANT & SABER Security)Title:
State Of Malware: Family TiesDescription:
Over the past couple of years, there has been a tendency for malware to accumulate in large "families", which is fundamentally different from what it was before. Families of hundreds or even thousands of Malvari specimens are not uncommon. Such groups explicitly demonstrate the evolution of malware over time. Evolution can be expressed in simple corrections and small improvements, or in a radical change in all functionality based on existing code. The study of relationships within families and between families, provides information on the pace of development, the rate of improvement of technical equipment. The study of family growth rates identifies their main functions, and therefore allows you to create some kind of classification.The authors):
Paul Stone (Context Information Security)Title:
Next Generation Clickjacking (Next Generation Clickjacking)Description:
Clickjacking - a technique of deceiving a user to perform unintended actions on a website by formatting the web page so that the victim clicks on a hidden link, usually hidden inside an IFRAME. However, in comparison with other attacks, such as XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery), Clickjacking is seen as an attack with limited capabilities. During the lecture, the author wants to prove that this statement is incorrect, and that today's Clickjacking methods can be expanded to carry out new, more powerful attacks.In total, the report will raise the topics of Clickjacking fundamentals, ways to improve existing methods, and new ways to deceive the user will be shown. Using an example, the author will show several cross-browser attacks.
The authors):
Christopher Tarnovsky (Flylogic Engineering)Title:
Hacking the Smartcard ChipDescription:
No description given :(The authors):
Roelof Temmingh (Paterva)Title:
Unveiling Maltego 3.0 (Maltego 3.0 in true light)Description:
Over the course of the year, the Paterva team worked quietly and peacefully on Maltego 3.0 without any releases starting in March 2009. For the first time since BH 2009, Paterva will show what they have done - will introduce the new version of Maltego, completely built from scratch. You'll see Hollywood graphics and animations, limitless extension options, and new analytic opinions will make you cry.The authors):
Julien Tinnes & Chris Evans (Google, Inc)Title:
Security in depth for Linux softwareDescription:
In many projects, the smallest error in the code can become an exploitable vulnerability, giving the attacker almost or no limit access to the system. In the report, the authors, using the example of vsftpd and Google Chrome Linux, firstly, they will show how to create their code more resistant to known vulnerabilities, and secondly, how to mitigate the consequences of an attack by revoking privileges.There are an amazing amount of ways in Linux to manage privileges, but each of them has certain nuances. The report will discuss the technical aspects of various methods, explaining how to combine them in order to raise the bar of system security.
Although mandatory access control systems are easily accessible, and even three of them are included in the Linux kernel, the denial of privileges will lead to discretionary control, which in turn relies on fairly ancient mechanisms (which, moreover, may not have been designed to provide security) . The authors will show how, using standard mechanisms, a decent level of privilege reduction can be achieved, their main disadvantages will be considered, and how an incorrect use of them can be used by an attacker.
After that, the authors will explain and demonstrate projects that will allow developers to move the execution of their code into sandboxes, and as mentioned earlier, they will show it all with the example of vsftpd and Google Chrome Linux.
The authors):
Mario Vuksan, Tomislav Pericin & Brian Karney (ReversingLabs & AccessData Corporation)Title:
Hiding in the Familiar: Steganography and Vulnerabilities in Popular Archives Formats (Lurking in something very familiar: steganography and vulnerabilities in popular archive formats)Description:
Archives can be used for steganographic data hiding, but they are also of interest because of their popularity on any computer: PC, Apple. They are widespread, they are trusted, but can they somehow be used to the detriment of what has already been in progress for 10, and up to 20 years?Thanks to a deep analysis of the formats, the authors came to the conclusion that the specifications of these very formats are interpreted for some reason in different ways. Can you trust programs that work with archives? In general, can you trust your antivirus? The authors will try to answer these questions and submit 15 new vulnerabilities in formats such as ZIP, 7ZIP, RAR, CAB, GZIP to the public.
The report will also feature the ArchiveInsider program, a new tool that detects and retrieves hidden data, thereby confirming the vulnerability of the formats. The authors will also demonstrate steganography, change, and even “self-destruction” of data.