Matt

Hack in Paris 2013 Mega pack videos


1. THE INNER HTML APOCALYPSE : HOW MXSS ATTACKS CHANGE EVERYTHING WE BELIEVED TO KNOW SO FAR

Description

This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state-of-the-art XSS protection. This attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its often unknown capabilities - every single one of them. We analyzed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to be understood and researched even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.

2. REMOTING ANDROID APPLICATIONS FOR FUN AND PROFIT

Description

Fino is a brand new tool we designed to perform dynamic Android application analysis in a pythonic and scriptable way. We ended up with a very powerful tool, allowing any reverse-engineer to remotely control any Android application, from its main component (user interface) to every internal and obscure class. This talk focuses on how Fino may make the Android reverse-engineer's life easier and how to use it to perform effective and powerful assessments on Android applications.

Summary of research:

We recently presented and released a tool called Fino during the 29C3 event last December, which allows one to dynamically and remotely interact with Android applications by injecting a small piece of code into them. We focused our presentation on how we designed this tool and quickly showed some cool features it provides us with.

Fino is a brand new (and young) tool providing many ways to remotely interact with a target application installed on a smartphone or even in an emulator, and also a dedicated Python API. Android applications may be scripted, internal components remotely instantiated and used in a pythonic way, and much more. With Fino, there is no need to understand how a protocol was designed and used by the application (and the remote server); just reuse the core components implemented in the application itself to get a working client in order to fuzz the server. With Fino, even text string obfuscation is useless since the methods retrieving the clear text strings may be called directly. Fino is a great and powerful tool to perform dynamic analysis of Android applications from a connected computer and to automate the whole process.

This talk will not focus on the tool itself (even if Fino will be shortly presented) but more on the practical aspects of this tool from a reverse-engineer's point of view. That is, we will demonstrate how this tool may be used when performing Android application assessments, how this tool may help the reverse-engineer to solve some of the recurrent problems he encounters during his assessments and eventually how to improve the tool itself to fit his needs.

3. THE CONTROL OF TECHNOLOGY BY NATION STATE : PAST, PRESENT AND FUTURE - THE CASE OF CRYPTOLOGY AND INFORMATION SECURITY

Description

Since the end of WWII, strong controls have been enforced to prevent the spread of military-grade technology or dual-use technologies and, since the end of the seventies, especially of Information Security science. The rise of the Internet phenomenon as well as the rise of terrorism make this control even stronger yet more subtle. Contrary to widely held belief, the freedom of technology and science is just an illusion. Recently the emerging hacker phenomenon has upset and thwarted this balance between the need for freedom and the need for State security requirements. The main issue lies in the fact that these controls originally focused on homeland and international security purposes (e.g. protection against terrorism or mafia activities). But the fall of the iron curtain and of the Soviet bloc has dramatically changed the rules of the game. The enforced controls aim first at organizing the economic dominance of a very few Nation States (e.g. G-8 countries) whose real intent is to organize strategic dominance over the ever-growing technological societies. As an example (among many others), we could mention the case of Cisco vs Huawei/ZTE companies. Based on his own military experience and on his research work, the author is going to explain how this control has been and is organized and will explain the role of the four major actors: Nation State, Industry, Academics and Hackers. Without loss of generality, we will take the domain of cryptography and of network equipment as illustrating cases.

4. WINDOWS PHONE 8 APPLICATION SECURITY

Description

Microsoft is expanding its presence on the smartphone OS market. With the Windows Phone 8 release we got a brand new mobile operating system. Users got new devices and a lot of cool features (like NFC), and so did developers. The Windows Phone 8 platform allows creating applications with rich functionality, and for some of them security issues are very important. In this presentation we want to summarize the Windows Phone 8 security model and talk about application security. This is important both for developers and security auditors. We will also demo a tool that allows you to analyze Windows Phone applications, and we will show with real examples how to find vulnerabilities with this tool.

Windows Phone 8 is a new mobile platform and there is not much information about security issues out there. This presentation will cover the Windows Phone 8 security model. We will especially cover application security. During our research we examined a number of Windows Phone applications and learned where developers have to be careful when developing applications and where auditors may find vulnerabilities. Application analysis requires a number of tools, from generic tools like a disassembler to more specific tools like a .NET decompiler. There are a few tools targeting the Windows Phone 7 platform and applications, offering some features like decompiling, logging method calls and deploying an app to the Windows Phone emulator. But all of these features are basic and do not offer a lot, and none of these tools support Windows Phone 8 applications. During our work we created a tool that makes application analysis easier. It supports both Windows Phone 7 and 8 applications and offers a significant number of features that help to understand an application's logic and find vulnerabilities. Auditors can use both static and dynamic analysis to achieve this.

This is a logical continuation of our talk "Inspection of Windows Phone applications" at BlackHat. This presentation will be focused on Windows Phone 8 and application security.

5. ANALYSIS OF A WINDOWS KERNEL VULNERABILITY : FROM ESPIONAGE TO CRIMINAL USE

Description

A series of targeted attacks, now known as "Duqu", was discovered in 2011. The initial vector for these attacks was a Windows TrueType Font 0-day vulnerability [CVE-2011-3402]. A year later, this exploit began to appear in Russian exploit kits. These exploit kits use the *exact* same exploit code as "Duqu". (Right down to the metadata.)

This presentation explains the technical details of this exploit. It is not about "Duqu" nor Russian exploit kits.

The vulnerability itself only allows the attacker to perform an "OR" operation on a value of their choice, at a memory location of their choice. This exploit leverages the functionality of the TrueType Font Finite State Machine itself to manipulate memory to provide for a reliable execution of the shellcode.

> Reason why this material is innovative or significant or an important tutorial.

It's an advanced kernel exploit, used in a real world targeted attack against a certain unnamed commercial or government entity. And now that very same kernel exploit is being used by criminals.

The exploit technique is unique as well. I believe that it is the only exploit which uses the TrueType graphics operators to manipulate kernel memory into reliable, multi-platform, shellcode execution. (It even does sanity checks on itself to avoid a blue-screen of death.)

The current draft of the presentation is already over 200 slides, but most of those are code walkthrough animations. I still need to add information about the similarities and differences between the original Duqu sample and the current exploit kit, and details about the kernel shellcode.

There are a bunch of slides about how to reverse engineer a kernel exploit, which I'll probably cut out for time. (And safe to assume audience already knows how?)

6. THE SECURITY OF MDM (MOBILE DEVICE MANAGEMENT) SYSTEMS

Description

More and more corporations are deploying mobile devices like smartphones and pads. To manage these devices, several solutions are available, like MobileIron, Good Technology, Symantec and several others. I have installed and studied two of these solutions from a security point of view. More precisely, my goal was to determine if it is possible for the administrator of these solutions to steal data, to read mails of employees (and employers), etc. The results were very surprising, as I discovered serious security defects in those products.

During this presentation, I will share my experience with the audience: how I set up the lab environment, the kind of tests I made, how I discovered the vulnerabilities and which ones.

7. DBI FRAMEWORKS APPLIED TO COMPUTER SECURITY

Description

The main goal of this talk is to show how Dynamic Binary Instrumentation (DBI) works, and what it can be applied for in Computer Security. As proofs of concept, it will be shown how DBI can be useful for detecting vulnerabilities (e.g., buffer overflow or taint analysis) in Windows executables. A DBI framework allows you to easily program a tool using DBI concepts. There are very different DBI frameworks on the market, and each one has its advantages and disadvantages. In this talk, moreover, a performance analysis is shown comparing some DBI frameworks (namely, Pin, Valgrind and DynamoRIO). The main goal of this comparison is to be able to choose the most suitable DBI framework for each user, depending on his/her needs.

* Summary of the research: The main idea is to give a general overview of DBI, how it works, and its applicability to the Computer Security domain. Different pieces of known vulnerable source code are going to be shown, and several tools using DBI are also shown, proving how these vulnerabilities can be caught and reported. Finally, as different DBI frameworks are available on the market, a performance analysis between the most well-known DBI frameworks is shown.

This work is the result of a collaboration with my PhD advisor, José Merseguer, and a former student of mine, who did his Final Degree Project on this topic, entitled 'Estudio comparativo de frameworks de Instrumentación Dinámica de Ejecutables' (in Spanish, sorry for that!), and it can be viewed here:

Estudio comparativo de frameworks de instrumentación dinámica de ejecutables | Trabajos academicos - Repositorio Digital de la Universidad de Zaragoza http://webdiis.unizar.es/~ricardo/files/PFC.Estudio.Frameworks.DBI/Memoria_PFC_EstudioDBI.pdf

The content of this talk was recently presented at NoConName 2012, a Spanish security conference (more precisely, on 3rd November 2012).

8. BYOD : THE PRIVACY AND COMPLIANCE RISKS FROM BRINGING YOUR OWN MOBILE DEVICE TO WORK

Description

BYOD is a Disaster. It is a privacy fiasco. It will cause massive data breaches and privacy violations. PLUS: BYOD is more expensive than running two separate devices. This will be a highly charged debate on whether to BYOD or not… and is it worth the risk?

9. ORIGIN POLICY ENFORCEMENT IN MODERN BROWSERS

Description

The Same Origin Policy is the foremost security policy in all browsers. Like most browser code, it underwent a significant amount of change to keep up with the recent development of HTML5. This talk covers the Same Origin Policy as implemented in modern browsers. It goes into detail on where browsers behave similarly and where differences occur. The presentation of noteworthy exceptions, regardless of whether they are intended or have evolved out of legacy features, is then followed by an analysis of previous flaws. We identify parsing mismatches as the key source of policy bypasses and suggest methods to analyze and test browser code with regard to this discovery. The talk also gives an outlook into things that may come and evaluates the origin as a measure to bind authority for HTML5 APIs. Using our methods we have also identified security issues in the Java Runtime Environment and Mozilla Firefox, which will be presented at the end.

10. THE REALEX PAYMENTS APPLICATION SECURITY STORY, NARRATED BY SECURITY NINJA

Description

As the old British Telecom adverts used to say, it's good to talk, so I thought now was a good time to talk about how we do application security at Realex Payments. Rather than just talk about where we are today, this talk will focus on the lessons learned over the past five years and what I'd do differently if I could do it all again. I will tell the story of how application security has worked and evolved in a fast growing technology company, from the day we created our first application security role in the business to our current application security approach. The story will include how we scaled application security to keep up with the changes in a fast growing business, how playing card games with developers was one of the best things we've ever done and how following the KISS principle in the early days of an application security program is vital. You will see how we have progressed from having no dedicated application security resources to our current staffing levels and how our goals have evolved from simply security reviewing our applications to grander goals such as wanting to provide free application security training for anyone in Ireland. This isn't an application security talk focusing on the theory and approaches that seem good on paper. You will have the opportunity to learn the lessons from five years of real world application security from the person who was at the centre of application security in Realex Payments. Following on from the success of Agnitio, I will be releasing three new open source application security tools I have developed in this talk. These tools have helped improve application security reviews, reporting and visibility in Realex and I hope they will do the same for you! The Ninja News Daily said "5 stars! The Realex Payments Application Security story is a gripping story of one ninja's journey through five years of application security. Do not miss!"

11. MALWARE VS VIRTUALIZATION

Description

Virtualization tools play cat and mouse. Malware is studied in virtual environments, and thus modifies its behavior to mimic inoffensive programs and avoid detection. It discovers its execution environment more accurately. Detection tools are stealthier, and try to be as close as possible to real hardware behavior. A technological breakthrough happened when malware became the hypervisor, and leveraged seamless virtualization.

This paper analyzes the current state of this race. Detection techniques and countermeasures are detailed.

Virtualization leverages security tools' isolation and stealth. Malware is able to virtualize the whole operating system on the fly, and control all interactions with hardware without any hook. On the other side, it is a powerful tool to analyze process behaviors seamlessly.

The virtualization detection race is far from over. Malware research shows that some try to detect while others try to be as seamless as possible.

http://www.youtube.com/watch?feature=player_embedded&v=L-c22iQUG7k

12. ARE WE GETTING BETTER? - HACKING TODAY'S TECHNOLOGY

Description

Are we getting better as an industry? We have NextGen firewalls, APT prevention, DLP, and technology that can solve our technological needs against hackers. Why do we continue to see an increase in data breaches if the technology is working? Let's take a look at today's technology and hack it. This talk will cover some advanced techniques used to infiltrate a number of organizations during real world penetration tests. The talk will also discuss why these technologies fail us and why the reliance has to be on a proactive security strategy versus trying to patch it with a band-aid. Let's find out if we are getting better or if it's the same old struggle. Hackers are here to stay; are we going to be able to withstand an attack?

http://www.youtube.com/watch?feature=player_embedded&v=lZmh8LuVDH4

13. NEXT GENERATION ROOTKITS FOR ARM BASED DEVICES

Description

Security of mobile operating systems is one of the most researched topics of today - iOS & co use mandatory code signing, ASLR and NX/DEP to make sure that no malicious code can be executed. While most attacks target the operating system itself, this talk will take a look at a new approach for mobile rootkits, using operating-system-independent hardware features of the CPU itself which make it almost impossible to detect from the operating system.

http://www.youtube.com/watch?feature=player_embedded&v=8dYzv7_hKyE

14. I'M IN YOUR BROWSER, PWNING YOUR STUFF - ATTACKING GOOGLE CHROME EXTENSIONS

Description

Browser extensions can let you easily make notes, entertain you with a game, or take an annotated screenshot of the website you're visiting. They can also XSS any website you're visiting, harvest your browsing history, replace your cookies, silently change your proxy or execute code on your machine. Even benign, legitimate extensions can do this, just because they were poorly coded. These flaws are fairly common, and the attacks are easy. In this talk meterpreter sessions will be opened, Google will be XSSed, all your mailbox will belong to us and your PGP private keys will be extracted. But as constructing attack payloads is so boring, we'll present tools that help you find vulnerable extensions, confirm the vulnerabilities and exploit them. After the talk you'll be set to go to either attack Chrome extensions or code them properly, as multiple code examples will be given.

Research summary:

The presentation will consist of a technical overview of the Google Chrome extensions architecture and its built-in security mechanisms, including Content Security Policy to prevent XSS attacks. Focus will be given to bypassing the protections by leveraging poor extension coding, UI redressing attacks or side-channel attacks. I've developed a Chrome Extension Exploitation Framework - XSS ChEF (https://github.com/koto/xsschef ) that gives a pentester the possibility to leverage flaws in extensions to conduct further attacks (the tool is similar to BeEF in that respect). Several flaws in popular Chrome extensions will be demonstrated, with varying consequences from a universal XSS flaw to Remote Code Execution on the client's machine.

Some of the research was introduced at the Black Hat USA 2012 workshops I gave with Kyle Osborn ( http://media.blackhat.com/bh-us-12/Briefings/Osborn/BH_US_12_Osborn_Koto... ); multiple other real-world examples have been added though, plus the research now focuses on exploiting extensions with a v2 manifest, which are obligatorily protected by Content Security Policy.

http://www.youtube.com/watch?feature=player_embedded&v=ATJqa3Vvl_0

Source: HackinParis2013

// I'm definitely not sleeping tonight. Enjoy.
