Videos uploaded by user “Black Hat”
Black Hat USA 2013 - OPSEC failures of spies
By: Matthew Cole The CIA is no more technologically sophisticated than your average American, and as a result, has suffered serious and embarrassing operational failures. This is a rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job. In 2005, news organizations around the world reported that an Italian court had signed arrest warrants for 26 Americans in connection with an extraordinary rendition of a Muslim cleric. At the heart of the case was the stunning lack of OPSEC the team of spies used while they surveilled and then snatched their target off the streets of Milan. The incident, known as the Italian Job inside the CIA, became an international scandal and caused global outrage. What very few people ever understood was that the CIA's top spies were laughably uneducated about cell phone technology and ignorant of the electronic fingerprints left behind. The story would be startling, though old, if not for the fact that eight years after the debacle in Milan, history repeated itself. In 2011, an entire CIA network of Lebanese informants was busted by Hezbollah. The reason: cell phone OPSEC failures. After receiving a warning from Mossad, who had lost their network a year earlier the same way, the CIA dismissed Hezbollah's ability to run analytic software on raw cell phone traffic. But they did. And with a little effort, the CIA's network of spies, as well as their own officers, were identified one by one. This is the true story of American Intelligence's Keystone Kops.
Views: 25080 Black Hat
The Memory Sinkhole - Unleashing An X86 Design Flaw Allowing Universal Privilege Escalation
by Christopher Domas In x86, beyond ring 0 lie the more privileged realms of execution, where our code is invisible to AV, we have unfettered access to hardware, and can trivially preempt and modify the OS. The architecture has heaped layers upon layers of protections on these negative rings, but 40 years of x86 evolution have left a labyrinth of forgotten backdoors into the ultra-privileged modes. Lost in this byzantine maze of decades-old architecture improvements and patches, there lies a design flaw that's gone unnoticed for 20 years. In one of the most bizarre and complex vulnerabilities we've ever seen, we'll release proof-of-concept code exploiting the vast, unexplored wasteland of forgotten x86 features, to demonstrate how to jump malicious code from the paltry ring 0 into the deepest, darkest realms of the processor. Best of all, we'll do it with an architectural 0-day built into the silicon itself, directed against a uniquely vulnerable string of code running on every single system.
Views: 74055 Black Hat
Pulling Back the Curtain on Airport Security: Can a Weapon Get Past TSA?
By Billy Rios Every day, millions of people go through airport security. While it is an inconvenience that could take a while, most are willing to follow the necessary procedures if it can guarantee their safety. Modern airport security checkpoints use sophisticated technology to help the security screeners identify potential threats and suspicious baggage. Have you ever wondered how these devices work? Have you ever wondered why an airport security checkpoint was set up in a particular configuration? Join us as we present the details on how a variety of airport security systems actually work, and reveal their weaknesses. We’ll present what we have learned about modern airport security procedures, dive deep into the devices used to detect threats, and we’ll present some of the bugs we discovered along the way.
Views: 194285 Black Hat
Breaking the x86 Instruction Set
A processor is not a trusted black box for running code; on the contrary, modern x86 chips are packed full of secret instructions and hardware bugs. In this talk, we'll demonstrate how page fault analysis and some creative processor fuzzing can be used to exhaustively search the x86 instruction set and uncover the secrets buried in your chipset. Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#breaking-the-x86-instruction-set
Views: 218891 Black Hat
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUs
This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors. By Christopher Domas Full Abstract & Presentation Materials: https://www.blackhat.com/us-18/briefings/schedule/#god-mode-unlocked---hardware-backdoors-in-x86-cpus-10194
Views: 146096 Black Hat
Ichthyology: Phishing as a Science
In this talk we'll cover the psychology of phishing, then walk through a series of real-world attacks conducted against a Bay Area tech company - including conversion rates for each attack, and ways in which existing protections were bypassed. We'll cover recent technological advancements in this area, then combine these with our case studies to provide evidence-based techniques on how to prevent, not just mitigate, credential phishing. By Karla Burnett Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#ichthyology-phishing-as-a-science
Views: 22617 Black Hat
Black Hat USA 2013 - Lessons from Surviving a 300Gbps Denial of Service Attack
By: Matthew Prince On Saturday, March 23, 2013, a distributed denial of service (DDoS) attack against Spamhaus that had been growing for weeks culminated with over 300 Gigabits per second of attack traffic targeting the anti-spam organization's network. At that point it became the largest such attack ever reported in history — at least 4x the size of the attacks that crippled US banks just a few months earlier. The attackers launched the full range of DDoS methods at Spamhaus — simultaneously targeting Layer 3, Layer 4, and Layer 7. Spamhaus has given us permission to tell the full, behind-the-scenes story of what happened, show how the attacks were launched, outline the techniques the attackers used, and detail how Spamhaus.com was able to stay online throughout. While the Spamhaus story has a happy ending, the massive DDoS exposed key vulnerabilities throughout the Internet that we will need to address if the network is to survive the next,
Views: 105918 Black Hat
Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev
Best of Black Hat USA 2017 Briefings Winner How did the Feds catch the notorious Russian computer hacker Roman Seleznev - the person responsible for over 400 point of sale hacks and at least $169 million in credit card fraud? What challenges did the government face piecing together the international trail of electronic evidence that he left? How was Seleznev located and ultimately arrested? This presentation will begin with a review of the investigation that will include a summary of the electronic evidence that was collected and the methods used to collect that evidence. by Harold Chun & Norman Barbosa Read More: https://www.blackhat.com/us-17/briefings/schedule/index.html#ochko123---how-the-feds-caught-russian-mega-carder-roman-seleznev-6677
Views: 255428 Black Hat
The Epocholypse 2038: What's in Store for the Next 20 Years
It's the 20th Black Hat, and it's been a wild ride from 1997 to 2017. So, what will happen over the NEXT 20 years? Let's ask Mikko. In this talk he will outline the changing landscape of computer security and what are likely to be the most important upcoming developments. By understanding attackers and their motives, we can best protect our computers. And in the future, there's much more to protect than just computers. by Mikko Hypponen Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#the-epocholypse-2038-whats-in-store-for-the-next-20-years
Views: 6606 Black Hat
Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years. By James Kettle Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#cracking-the-lens-targeting-https-hidden-attack-surface
Views: 31699 Black Hat
Digital Vengeance: Exploiting the Most Notorious C&C Toolkits
Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants' skill set is well beyond what defenders are capable of. By Waylon Grange Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#digital-vengeance-exploiting-the-most-notorious-candc-toolkits
Views: 4028 Black Hat
Cybersecurity as Realpolitik by Dan Geer presented at Black Hat USA 2014
Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.
Views: 54806 Black Hat
SirenJack: Cracking a 'Secure' Emergency Warning Siren System
SirenJack is a vulnerability that was found to affect radio-controlled emergency warning siren systems from ATI Systems. It allows a bad actor, with a $30 handheld radio and a laptop, to set off all sirens in a deployment. By Balint Seeber Full Abstract: https://www.blackhat.com/us-18/briefings/schedule/#sirenjack-cracking-a-secure-emergency-warning-siren-system-11691
Views: 40591 Black Hat
Beyond the MCSE: Active Directory for the Security Professional
by Sean Metcalf Active Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and management capabilities. This means that both Red and Blue teams need to have a better understanding of Active Directory, its security, how it's attacked, and how best to align defenses. This presentation covers key Active Directory components which are critical for security professionals to know in order to defend AD. Properly securing the enterprise means identifying and leveraging appropriate defensive technologies. The provided information is immediately useful and actionable in order to help organizations better secure their enterprise resources against attackers. Highlighted are areas attackers go after, including some recently patched vulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group Policy Man-in-the-Middle (MS15-011 & MS15-014) and how they take advantage of AD communication. Some of the content covered: Differing views of Active Directory: admin, attacker, and infosec. The differences between forests and domains, including how multi-domain AD forests affect the security of the forest. Dig into trust relationships and the available security features, describing how attack techniques are impacted by implementing these trust security features. AD database format, files, and object storage (including password data). Read-Only Domain Controllers (RODCs), security impact, and potential issues with RODC implementation. Key Domain Controller information and how attackers take advantage. Windows authentication protocols over the years and their weaknesses, including Microsoft's next-generation credential system, Microsoft Passport, and what it means for credential protection. Security posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office 365). Key Active Directory security features in the latest Windows OS versions - the benefits and implementation challenges. Let's go beyond the standard MCSE material and dive into how Active Directory works, focusing on the key components and how they relate to enterprise security.
Views: 7452 Black Hat
Bypassing Local Windows Authentication To Defeat Full Disk Encryption
by Ian Haken In 2007, starting with Windows Vista, Microsoft began shipping a full disk encryption feature named BitLocker with professional and enterprise versions of Windows. Full disk encryption helps protect users from threats that include physical access. This can, for example, prevent the exposure of proprietary information and account credentials if a company laptop is lost, stolen, or even left temporarily accessible to an attacker. Under the hood, BitLocker utilizes a system's Trusted Platform Module (TPM) to store the secret key used for full disk encryption, and is able to use the features of the TPM to safely provide transparent, passwordless decryption of the disk on boot. Because BitLocker can work transparently, without any extra passwords or prompts on boot, many enterprises have opted to enable this form of full disk encryption as a part of their data loss prevention strategy. However, in this presentation, I will demonstrate how one can abuse physical access in order to bypass Windows authentication, thus accessing all of a user's data, even when the disk is fully encrypted by BitLocker. This platform-independent attack effectively bypasses all of the protection offered by BitLocker, reliably and quickly allowing an attacker to retrieve all of the sensitive data on the machine, all without having to perform any cryptographic brute-forcing or hardware manipulation.
Views: 19745 Black Hat
Hacking the Wireless World with Software Defined Radio - 2.0
By Balint Seeber "Ever wanted to communicate with a NASA space probe launched in 1978, or spoof a restaurant's pager system? There are surprising similarities! How about use an airport's Primary Surveillance RADAR to build your own bistatic RADAR system and track moving objects? What sorts of RF transactions take place in RFID systems, such as toll booths, building security and vehicular keyless entry? Then there's 'printing' steganographic images onto the radio spectrum... Wireless systems, and their radio signals, are everywhere: consumer, corporate, government, amateur - widely deployed and often vulnerable. If you have ever wondered what sort of information is buzzing around you, this talk will introduce how you can dominate the RF spectrum by 'blindly' analysing any signal, and then begin reverse engineering it from the physical layer up. I will demonstrate how these techniques can be applied to dissect and hack RF communications systems, such as those above, using open source software and cheap radio hardware. In addition, I'll show how long-term radio data gathering can be used to crack poorly-implemented encryption schemes, such as the Radio Data Service's Traffic Message Channel. I'll also look briefly at some other systems that are close to my heart: reversing satellite communications, tracking aircraft using Mode S and visualising local airspace in real-time on a 3D map, monitoring the health of aircraft with ACARS (how many faults have been reported by the next plane you'll be travelling on, e.g. do the toilets work?), and hunting down the source of an interfering clandestine radio transmission. If you have any SDR equipment, bring it along!"
Views: 116865 Black Hat
Incident Response @ Scale - Building a Next Generation SOC
by Omer Cohen When the ratio of security personnel to endpoints/users/customers is so low, managing the amount of incidents that come in becomes impossible. In this talk we will discuss these Monitoring & Incident Response challenges, and how most of the processes can be (semi-)automated to lower the initial triage and full resolution timeline, increase visibility and improve the overall ability to protect your organization.
Views: 2808 Black Hat
Practical Web Cache Poisoning: Redefining 'Unexploitable'
Modern web applications are composed from a crude patchwork of caches and content delivery networks. In this session I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage. By James Kettle Full Abstract & Presentation Materials: https://www.blackhat.com/us-18/briefings/schedule/#practical-web-cache-poisoning-redefining-unexploitable-10200
Views: 10690 Black Hat
Black Hat Asia 2014 - The Machines That Betrayed Their Masters
By: Glenn Wilkinson The devices we carry betray us to those who want to invade our privacy by emitting uniquely identifiable signals. The most common example is the wireless signals emitted by your mobile phone (even whilst tucked safely into your pocket). Such signals may be used to track you, or be used toward more malicious intent. This talk will discuss the process the author has gone through to build a resilient, modular, reliable, distributed, tracking framework - originally spawned as a PoC tool in 2012 by the name 'Snoopy'. The dog is back, and with more bite - looking beyond just Wi-Fi. Also, he's now airborne via a quadcopter.
Views: 27539 Black Hat
The State of Incident Response by Bruce Schneier
The last of the protection-detection-response triad to get any real attention, incident response is big business these days. I plan on stepping back and looking at both the economic and psychological forces that affect incident response as both a business and a technical activity. Nothing seems to be able to keep sufficiently skilled and motivated attackers out of a network. Can incident response save the day?
Views: 29771 Black Hat
Quantum Key Distribution and the Future of Encryption
By Konstantinos Karagiannis Quantum computing will bring tumultuous change to the world of information security in the coming decade. As multi-qubit systems use quantum algorithms to slice through even 4096-bit PK encryption in seconds, new Quantum Encryption will be required to ensure data security. Join Konstantinos for a look at real world experiments in Quantum Key Distribution that BT and partners have recently performed that show what the future of encryption will look like. Remember the panic after Heartbleed when SOME passwords needed to be changed? Imagine a day when ALL communications are at risk of eavesdropping via Quantum Computers - a day when only new systems that exploit the weirdness of quantum mechanics can ensure privacy.
Views: 7750 Black Hat
Side-Channel Attacks on Everyday Applications
by Taylor Hornby In 2013, Yuval Yarom and Katrina Falkner discovered the FLUSH+RELOAD L3 cache side-channel. So far it has broken numerous implementations of cryptography including, notably, AES and ECDSA in OpenSSL and RSA in GnuPG. Given FLUSH+RELOAD's astounding success at breaking cryptography, we're led to wonder if it can be applied more broadly, to leak useful information out of regular applications like text editors and web browsers whose main functions are not cryptography. In this talk, I'll briefly describe how the FLUSH+RELOAD attack works, and how it can be used to build input distinguishing attacks. In particular, I'll demonstrate how when the user Alice browses around the top 100 Wikipedia pages, the user Bob can spy on which of those pages she's visiting. This isn't an earth-shattering attack, but as the code I'm releasing shows, it can be implemented reliably. My goal is to convince the community that side channels, FLUSH+RELOAD in particular, are useful for more than just breaking cryptography. The code I'm releasing is a starting point for developing better attacks. If you have access to a vulnerable CPU running a suitable OS, you should be able to reproduce the attack within minutes after watching the talk and downloading the code.
Views: 10130 Black Hat
BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell
"USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe - until now. This talk introduces a new form of malware that operates from controller chips inside USB devices. USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user. We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses. We then dive into the USB stack and assess where protection from USB malware can and should be anchored."
Views: 122466 Black Hat
Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
Meet Broadpwn, a vulnerability in Broadcom's Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction. The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices - from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices. By Nitay Artenstein Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
Views: 94756 Black Hat
Web Cache Deception Attack
Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases even take control over their accounts. By Omer Gil Read More and Download Presentation Materials: https://www.blackhat.com/us-17/briefings.html#web-cache-deception-attack
Views: 8528 Black Hat
How Smartcard Payment Systems Fail
By Ross Anderson "The USA is starting to introduce EMV, the Europay-Mastercard-Visa system for making payments using chip cards instead of the old mag strip variety. EMV is already in wide use in Europe, and has started to appear in countries from Canada to India. In theory, smartcards should have reduced fraud by making bankcards much harder to copy and by enabling banks to authenticate users at the point of sale using PINs rather than signatures. The practice has been different. In Britain, for example, fraud first went up, then down, and is now headed upwards again. There have been many fascinating attacks, which I'll describe. The certification system wasn't fit for purpose, so terminals that were certified as tamper-resistant turned out not to be. We even saw Trojans inserted in the supply chain. A protocol flaw meant that a crook could use a stolen card without knowing the PIN; he could use a man-in-the-middle device to persuade the terminal that the card had accepted the PIN, while the card was told to do a signature-only transaction. Merchant refunds were not authenticated, so a crook could pretend to the bank that he was a merchant, and credit his card back after making a purchase. The most recent series of attacks exploit the freshness mechanisms in the EMV protocol. To prevent transaction replay, the terminal generates an 'unpredictable number' while the card supplies an 'application transaction counter' or ATC that is supposed to increase monotonically and never repeat. Yet the unpredictable numbers often aren't (in many of the terminals we looked at, they seem to be just counters) while many banks don't bother to check the ATC, as writing code to deal with out-of-order offline transactions is too much bother. As a result, we've seen some interesting attacks where cardholders unlucky enough to shop at a dishonest merchant find themselves dunned for a lot of large transactions later. In fact these 'preplay' attacks behave just like card cloning, and make all the fancy tamper-resistant electronics almost irrelevant. At heart these are problems of governance and regulation. The vendors sell what they can get away with; the acquiring banks dump liability on merchants and card-issuing banks; they in turn dump it on the cardholder where they can; and the regulators just don't want to know as it's all too difficult. This wonderful system is now being rolled out at scale in the USA."
Views: 38347 Black Hat
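The freshness failure Anderson describes (a terminal whose 'unpredictable number' is a counter, and an issuer that does not check the ATC) can be reproduced end to end in a small model. The simulation below is an added illustration, not code from the talk or from the authors: the cryptogram is a stand-in MAC over UN, ATC and amount rather than a real EMV application cryptogram, the card key and the terminal counter are constructed values, and the dishonest merchant is modelled as a reader that asks the victim's card for several cryptograms against UNs it predicts the target terminal will emit later. The issuer is run twice, once ignoring the ATC and once requiring it to increase, and once more against a terminal that actually draws the UN at random.

```python
import hashlib
import hmac
import secrets

# Constructed 16-byte key shared by card and issuer; a stand-in for the real card keys.
CARD_KEY = bytes(range(16))


def cryptogram(key, un, atc, amount):
    """Stand-in for the EMV application cryptogram: a MAC over the two freshness
    inputs (terminal UN, card ATC) and the amount. Real cards MAC more fields with
    3DES/AES; only the freshness logic matters for this model."""
    data = un.to_bytes(4, "big") + atc.to_bytes(2, "big") + amount.to_bytes(6, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Card:
    """Genuine card: the ATC increments on every cryptogram and never repeats."""
    def __init__(self, key):
        self.key, self.atc = key, 0

    def generate_ac(self, un, amount):
        self.atc += 1
        return {"un": un, "atc": self.atc, "amount": amount,
                "ac": cryptogram(self.key, un, self.atc, amount)}


class PreplayCard:
    """Crook's card: replays harvested records, but only for a UN it holds one for."""
    def __init__(self, records):
        self.records = {r["un"]: r for r in records}

    def generate_ac(self, un, amount):
        rec = self.records.get(un)
        return rec if rec is not None and rec["amount"] == amount else None


class CounterTerminal:
    """Terminal whose 'unpredictable number' is a plain counter."""
    def __init__(self, start):
        self.counter = start

    def next_un(self):
        self.counter += 1
        return self.counter

    def transact(self, card, amount):
        return card.generate_ac(self.next_un(), amount)


class RandomTerminal(CounterTerminal):
    """Terminal that really does draw the UN at random."""
    def next_un(self):
        return secrets.randbits(32)


class Issuer:
    def __init__(self, key, check_atc):
        self.key, self.check_atc, self.highest_atc = key, check_atc, 0

    def authorise(self, tx):
        if tx is None:
            return "DECLINE: no cryptogram"
        expected = cryptogram(self.key, tx["un"], tx["atc"], tx["amount"])
        if not hmac.compare_digest(expected, tx["ac"]):
            return "DECLINE: bad cryptogram"
        if self.check_atc and tx["atc"] <= self.highest_atc:
            return "DECLINE: ATC not increasing"
        self.highest_atc = max(self.highest_atc, tx["atc"])
        return "APPROVE"


def preplay_scenario(check_atc, terminal_cls=CounterTerminal):
    """Returns (result of the victim's own purchase, results of the three preplays)."""
    issuer = Issuer(CARD_KEY, check_atc)
    victim = Card(CARD_KEY)
    target = terminal_cls(start=0x2000)      # the honest merchant's terminal

    # At the dishonest merchant the tampered reader asks the card for three
    # cryptograms, each for a UN it expects the target terminal to emit later
    # (a counter starting at 0x2000 will produce 0x2002, 0x2003, 0x2004).
    predicted_uns = [0x2002, 0x2003, 0x2004]
    harvested = [victim.generate_ac(un, 50_000) for un in predicted_uns]   # ATC 1..3

    # The victim then shops honestly: the target terminal emits UN 0x2001, card ATC 4.
    own_purchase = issuer.authorise(target.transact(victim, 1_250))

    # The crook presents the replay card at the target terminal for three large purchases.
    crook = PreplayCard(harvested)
    preplays = [issuer.authorise(target.transact(crook, 50_000)) for _ in predicted_uns]
    return own_purchase, preplays
```

With the counter terminal and no ATC check every preplay is approved, because the cryptograms are genuine and the UN the terminal reports matches the one the card signed. The same issuer with the ATC check declines all three, since the harvested ATCs (1..3) are lower than the ATC of the victim's later honest purchase (4). Against a terminal with a random UN the replay card has nothing to answer with and is declined at the terminal.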
Keynote: What Got Us Here Won't Get Us There
by Haroon Meer It's no secret that we have huge challenges in InfoSec: Every day we seem to pump out more code, connect more machines, and collect more data than ever before. Malicious actors have been making out like bandits and intelligence agencies have been owning (and pre-owning) the planet while your average large-company InfoSec team is still struggling with problems that we "knew about" in the 90's. This is not for a lack of effort: Security teams are bigger, security budgets are larger, and there is a security conference going on for almost every day of the year. Lots of the fault here lies squarely with us. This talk will discuss the problems we should be tackling, (the distractions we should be ignoring,) and then, riffing on the Marshall Goldsmith best seller (What Got You Here Won't Get You There) will aim to explore those activities that we are currently engaged in (as individuals and an industry) that are doing us all more harm than good.
Views: 8217 Black Hat
Mission mPOSsible by Nils + Jon Butler
Mobile Point-of-Sale (mPOS) systems allow small businesses and drug dealers to accept credit card payments using their favourite iDevice (Disclaimer: other mobile devices are available). During our research, we had a look at the security of the leading solutions for mobile Chip&Pin payments. If you saw our previous PinPadPwn research, you won't be surprised to hear we discovered a series of vulnerabilities which allow us to gain code execution on these devices through each of the available input vectors. We will discuss the weaknesses of current solutions and have live demonstrations for multiple attack vectors, our favourite being a malicious credit card which drops a remote root shell on an embedded mPOS device.
Views: 5003 Black Hat
Bring Back the Honeypots
by Haroon Meer, Marco Slaviero Honeypots were all the rage in the 90's - A raft of tools (and even a world-wide alliance) sprung up extolling their virtues but they never managed to live up to their hype. They were largely relegated to researchers and tinkerers on the fringes. At the same time, we have the Verizon DBIR telling us that most companies are first informed by 3rd parties that they are breached. This is a stupid situation to be in. Well deployed honeypots can be invaluable tools in the defender's arsenal, and don't need to look anything like the honeypots of old. From application layer man-traps, to booby-trapped documents. From network-level deception, to cloud based honeypottery, we are bringing honeypots back! During this talk, we will discuss and demonstrate the current state of the art regarding honeypots. We will explore the factors that limit adoption (and will discuss how to overcome them.) We will demonstrate new techniques to make your honeypots more "hacker-discoverable" & will share data from running actual honeypots in real organizations. We will also discuss (and release) OpenCanary, our new open source honeypot (along with supporting scripts and utilities). Over the past few years, honeypots have gotten a bit of a bad rap. We will give you tools, techniques and takeaways, to move them from geeky time-wasters, to the most useful pieces of kit you will deploy.
Views: 12946 Black Hat
Hopping on the CAN Bus
by Eric Evenchick Controller Area Network (CAN) is found in a number of systems, and is the main form of networking used in the automotive industry. Every new car has multiple CAN buses that let controllers communicate. This bus controls everything from the camshaft on your engine to your power seats. In this talk, we will present and release CANard, an open-source toolkit which allows easy scripting of CAN bus tasks. This toolkit allows us to easily work with CAN, to talk to automotive controllers, perform diagnostic actions, and fuzz the protocols. We will start with a brief introduction to CAN, look at the required hardware, and then start sending and receiving messages. We will explore CANard's features, and see several demos of real world vulnerabilities using our tool. We'll demonstrate how to read and clear fault codes, crack diagnostics security, and fuzz controllers to take over vehicle operation. The talk will focus on practical applications. By the end of the talk, attendees will not only gain an understanding of automotive systems, but will also have the tools to attack them.
Views: 32893 Black Hat
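The diagnostic operations the abstract lists (reading and clearing fault codes, and getting past SecurityAccess) all run as UDS requests inside ISO-TP frames on the CAN bus. The following is an added, self-contained model of that exchange, not CANard code or anything from the talk: a hypothetical ECU with an invented 16-bit seed/key algorithm (key = rotl16(seed, ROT) ^ CONST, constants made up here) that gates ClearDiagnosticInformation behind SecurityAccess, a client that reads DTCs, a "sniffer" that records seed/key pairs as a legitimate tool would put them on the bus, and a solver that recovers the key function from those pairs and uses it to unlock the ECU. The CAN arbitration IDs, the stored DTC and the padding byte are constructed values.

```python
import secrets

# ISO 14229 (UDS) service IDs and negative response codes used below.
SID_CLEAR_DTC, SID_READ_DTC, SID_SECURITY_ACCESS = 0x14, 0x19, 0x27
NRC_SERVICE_NOT_SUPPORTED, NRC_SECURITY_ACCESS_DENIED, NRC_INVALID_KEY = 0x11, 0x33, 0x35
DIAG_REQ_ID, DIAG_RESP_ID = 0x7E0, 0x7E8   # conventional request/response arbitration IDs (assumed)


def isotp_single_frame(payload):
    """Wrap a <=7-byte UDS payload in an ISO-TP single frame padded to 8 bytes."""
    if len(payload) > 7:
        raise ValueError("multi-frame ISO-TP is not modelled here")
    return bytes([len(payload)]) + payload + b"\x00" * (7 - len(payload))


def isotp_unwrap(data):
    if data[0] >> 4 != 0 or (data[0] & 0x0F) > 7:
        raise ValueError("not a single frame")
    return data[1:1 + (data[0] & 0x0F)]


def rotl16(x, r):
    return ((x << r) | (x >> (16 - r))) & 0xFFFF if r else x


class ToyEcu:
    """Hypothetical ECU. Its seed/key algorithm and constants are invented for this
    example; ClearDTC is only allowed after a successful SecurityAccess."""
    ROT, CONST = 5, 0x3F1A

    def __init__(self):
        self.unlocked, self.pending_seed = False, None
        self.dtcs = [(0x01, 0x23, 0x45, 0x09)]      # constructed: one DTC (3 bytes) + status byte

    def handle(self, frame):
        arb_id, data = frame
        if arb_id != DIAG_REQ_ID:
            return None
        req = isotp_unwrap(data)
        sid = req[0]
        if sid == SID_SECURITY_ACCESS and req[1] == 0x01:            # requestSeed
            self.pending_seed = secrets.randbelow(0xFFFF) + 1       # 1..0xFFFF, never 0
            body = bytes([0x67, 0x01]) + self.pending_seed.to_bytes(2, "big")
        elif sid == SID_SECURITY_ACCESS and req[1] == 0x02:          # sendKey
            key = int.from_bytes(req[2:4], "big")
            if self.pending_seed and key == rotl16(self.pending_seed, self.ROT) ^ self.CONST:
                self.unlocked, body = True, bytes([0x67, 0x02])
            else:
                body = bytes([0x7F, sid, NRC_INVALID_KEY])
            self.pending_seed = None                                  # a fresh seed per attempt
        elif sid == SID_READ_DTC:                                     # reportDTCByStatusMask
            body = bytes([0x59, 0x02, 0xFF]) + b"".join(bytes(d) for d in self.dtcs)
        elif sid == SID_CLEAR_DTC and not self.unlocked:
            body = bytes([0x7F, sid, NRC_SECURITY_ACCESS_DENIED])
        elif sid == SID_CLEAR_DTC:
            self.dtcs, body = [], bytes([0x54])
        else:
            body = bytes([0x7F, sid, NRC_SERVICE_NOT_SUPPORTED])
        return (DIAG_RESP_ID, isotp_single_frame(body))


def uds(ecu, payload):
    """Send one UDS request to the ECU and return the response payload."""
    return isotp_unwrap(ecu.handle((DIAG_REQ_ID, isotp_single_frame(payload)))[1])


def read_dtcs(ecu):
    recs = uds(ecu, bytes([SID_READ_DTC, 0x02, 0xFF]))[3:]
    return [tuple(recs[i:i + 4]) for i in range(0, len(recs), 4)]


def sniff_legit_sessions(ecu, n=3):
    """Stand-in for sniffing the OEM tool: the attacker only sees seed and key bytes on the bus."""
    pairs = []
    for _ in range(n):
        seed = int.from_bytes(uds(ecu, bytes([SID_SECURITY_ACCESS, 0x01]))[2:4], "big")
        key = rotl16(seed, ToyEcu.ROT) ^ ToyEcu.CONST     # what the OEM tool answers with
        uds(ecu, bytes([SID_SECURITY_ACCESS, 0x02]) + key.to_bytes(2, "big"))
        pairs.append((seed, key))
    return pairs


def recover_key_candidates(pairs):
    """Solve for (ROT, CONST) in the family key = rotl16(seed, ROT) ^ CONST: the first
    pair fixes CONST for each of the 16 rotations, the remaining pairs filter them."""
    seed0, key0 = pairs[0]
    found = []
    for r in range(16):
        c = rotl16(seed0, r) ^ key0
        if all(rotl16(s, r) ^ c == k for s, k in pairs[1:]):
            found.append((r, c))
    return found


def unlock_and_clear(ecu, candidates):
    """Try each candidate against a fresh seed, then clear DTCs. Real ECUs rate-limit
    failed attempts (NRC 0x37); the toy does not."""
    for r, c in candidates:
        seed = int.from_bytes(uds(ecu, bytes([SID_SECURITY_ACCESS, 0x01]))[2:4], "big")
        key = rotl16(seed, r) ^ c
        if uds(ecu, bytes([SID_SECURITY_ACCESS, 0x02]) + key.to_bytes(2, "big"))[0] == 0x67:
            return uds(ecu, bytes([SID_CLEAR_DTC, 0xFF, 0xFF, 0xFF]))[0] == 0x54
    return False
```

The point of the solver is that a weak key function does not need to be brute-forced: a few observed seed/key pairs are enough to pin down its parameters algebraically, after which the attacker can answer any seed the ECU issues. Clearing DTCs without first unlocking returns NRC 0x33 (securityAccessDenied); after the unlock the same request returns 0x54.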
Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges
by Mark Seaborn, Halvar Flake "Rowhammer" is a problem with DRAM in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. While the industry has known about the problem for a while and has started mitigating the problem in newer hardware, it was rarely mentioned in public until the publication of Yoongu Kim et al's paper in the summer of 2014 which included hard data about the prevalence of the problem. In spite of the paper's speculations about the exploitability of the issue, most people still classified rowhammer as only a reliability issue - the probabilistic aspect of the problem seems to have made people think exploitability would be impractical. We have shown that rowhammer is practically exploitable in real-world scenarios - both in-browser through NaCl, and outside of the browser to escalate to kernel privileges. The probabilistic aspect can be effectively tamed so that the problem can be reliably exploited. Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue. We will discuss the details of how our two exploits cause and use bit flips, and how the rowhammer problem can be mitigated. We will explore whether it is possible to cause row hammering using normal cached memory accesses.
Views: 15515 Black Hat
Infecting the Enterprise: Abusing Office365+Powershell for Covert C2
As Enterprises rush to adopt Office365 for increased business agility and cost reduction, too few are taking time to truly evaluate the risk associated with this decision. This briefing will attempt to shine a light on the potential hazards of Microsoft's SaaS offerings while also demonstrating a practical example of what a malicious actor can do when Office365 is allowed into the Enterprise. By Craig Dods Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#infecting-the-enterprise-abusing-office365-pluspowershell-for-covert-c2
Views: 6268 Black Hat
802.1x and Beyond!
By Brad Antoniewicz IEEE 802.1x has been leveraged for a long time for authentication purposes. Up until this point, little has been done to help researchers expose vulnerabilities within the systems that implement the protocol. In this talk, we'll dissect IEEE 802.1x, its surrounding protocols (RADIUS/EAP), provide testing tools, and detail a number of vulnerabilities identified in popular supporting systems. We'll wrap up demonstrating a vulnerability within a RADIUS server that allows for remote code execution over 802.11 wireless using WPA Enterprise before the user is authorized to join the network.
Views: 9439 Black Hat
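In WPA Enterprise the supplicant's EAP traffic is relayed by the access point to the RADIUS server inside Access-Request packets, which is why a bug in the RADIUS server's attribute parsing is reachable before the client is authorized. The code below is an added example, not the tools from the talk: it builds an Access-Request carrying an EAP Response/Identity, computes the Message-Authenticator (HMAC-MD5 over the packet with that attribute's value zeroed, as RFC 3579 specifies), and then does the server-side checks a robust implementation needs: packet and attribute length validation, refusing EAP-Message without a Message-Authenticator, and verifying the HMAC. The shared secret, request authenticator and identity are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER_LEN = 20          # code, identifier, length, 16-byte authenticator
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (RFC 3748): code, id, length, type, type-data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def encode_attrs(attrs):
    out = b""
    for t, v in attrs:
        if len(v) > 253:                      # 1-byte length field includes the 2-byte header
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, 2 + len(v)) + v
    return out


def decode_attrs(data):
    """Parse RADIUS TLVs into (type, value, value_offset). The length checks here
    are exactly what a fuzzer exercises first in a real server."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (l, i))
        attrs.append((t, data[i + 2:i + l], i + 2))
        i += l
    return attrs


def build_access_request(secret, ident, request_auth, attrs, add_message_authenticator=True):
    """Client side (the NAS / access point). Message-Authenticator is appended as
    16 zero bytes, the HMAC-MD5 is taken over the whole packet, then filled in."""
    attrs = list(attrs)
    if add_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + request_auth
    if add_message_authenticator:
        mac = hmac.new(secret, header + body, hashlib.md5).digest()
        body = body[:-16] + mac                # the zeroed placeholder is the last 16 bytes
    return header + body


def check_access_request(secret, packet):
    """Server side. Returns (accepted, reason)."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad code or length"
    try:
        attrs = decode_attrs(packet[HEADER_LEN:])
    except ValueError as exc:
        return False, str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    mas = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if has_eap and not mas:                    # RFC 3579 section 3.2: silently discard
        return False, "EAP-Message without Message-Authenticator"
    if mas:
        value, off = mas[0]
        if len(value) != 16:
            return False, "malformed Message-Authenticator"
        start = HEADER_LEN + off
        zeroed = packet[:start] + bytes(16) + packet[start + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, "Message-Authenticator mismatch"
    return True, "ok"


# Constructed sample exchange: secret, request authenticator and identity are made up.
SHARED_SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))               # real clients draw 16 random bytes per request
EAP = eap_response_identity(1, b"alice@example.com")
PACKET = build_access_request(SHARED_SECRET, 7, REQUEST_AUTH,
                              [(ATTR_USER_NAME, b"alice@example.com"), (ATTR_EAP_MESSAGE, EAP)])
```

A server that skips the Message-Authenticator check lets anyone on the RF side feed arbitrary EAP-Message contents to its EAP parser with no shared secret at all, which is the exposure the talk's remote-code-execution demonstration relies on; a server that checks it still has to parse the attributes safely first, since the HMAC can only be located after the TLVs are walked.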
Black Hat USA 2013 - Million Browser Botnet
By: Jeremiah Grossman & Matt Johansen Online advertising networks can be a web hacker's best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this "feature" to show ads, to track users, and get clicks, but that doesn't mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it... in-the-wild. With a few lines of HTML5 and javascript code we'll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn't intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks. Before leveraging advertising networks, the reason this attack scenario didn't worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That's what we want! At a moment's notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.
Views: 7397 Black Hat
48 Dirty Little Secrets Cryptographers Don’t Want You To Know
By Thomas Ptacek and Big Ol Al Over the past year, more than 10,000 people participated in the Matasano crypto challenges, a staged learning exercise where participants implemented 48 different attacks against realistic cryptographic constructions. In the process, we collected crypto exploit code in dozens of different languages, ranging from X86 assembly to Haskell. With the permission of the participants, we've built a "Rosetta Code" site with per-language implementations of each of the crypto attacks we taught. In this talk, we'll run through all 48 of the crypto challenges, giving Black Hat attendees early access to all of the crypto challenges. We'll explain the importance of each of the attacks, putting them into the context of actual software flaws. Our challenges cover crypto concepts from block cipher mode selection to public key agreement algorithms. For some of the more interesting attacks, we'll step-by-step the audience through exploit code, in several languages simultaneously.
Views: 63143 Black Hat
What's on the Wireless? Automating RF Signal Identification
Most organisations want to monitor wireless devices within their environment, but, with a growing number of disparate low cost wireless technologies appearing on the market, the scale of this task can be unmanageable. By Michael Ossmann & Dominic Spill Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#whats-on-the-wireless-automating-rf-signal-identification
Views: 4497 Black Hat
ZigBee Exploited The Good, The Bad, And The Ugly
by Tobias Zillner & Sebastian Strobl ZigBee is one of the most widespread communication standards used in the Internet of Things and especially in the area of smart homes. If you have, for example, a smart light bulb at home, the chance is very high that you are actually using ZigBee. Popular lighting applications, such as Philips Hue or Osram Lightify are based on this standard. Usually, IoT devices have very limited processing and energy resources, and are therefore not capable of implementing well-known communication standards, such as Wi-Fi. ZigBee is, however, an open, publicly available alternative that enables wireless communication for such devices. ZigBee also provides security services for key establishment, key transport, frame protection, and device management that are based on established cryptographic algorithms. So, is a ZigBee home automation network with applied security and smart home communication protected? No, absolutely not. Due to interoperability and compatibility requirements, as well as the application of legacy security concepts, it is possible to compromise ZigBee networks and take over control of all connected devices. For example, it is entirely possible for an external party to gain control over every smart light bulb that supports the ZigBee Light Link profile. This is made possible because the initial key transport is done in an unsecured way, and support of this weak key transport is, in fact, even required by the standard itself. Due to these shortfalls and limitations created by the manufacturers themselves, the security risk in this last tier communication standard can be considered as very high. This talk will provide an overview of the actual applied security measures in ZigBee, highlight the included weaknesses, and show practical exploitations of actual product vulnerabilities, as well as our recently developed ZigBee security-testing framework tool.
Views: 12295 Black Hat
Server-Side Template Injection: RCE For The Modern Web App
by James Kettle Simple inputs can conceal an {expansive} attack surface. Feature-rich web applications often embed user input in web templates in an attempt to offer flexible functionality and developer shortcuts, creating a vulnerability easily mistaken for XSS. In this presentation, I'll discuss techniques to recognize template injection, then show how to take template engines on a journey deeply orthogonal to their intended purpose and ultimately gain arbitrary code execution. I'll show this technique being applied to craft exploits that hijack four popular template engines, then demonstrate RCE zero-days on two corporate web applications. This presentation will also cover techniques for automated detection of template injection, and exploiting subtle, application-specific vulnerabilities that can arise in otherwise secure template systems.
Views: 9079 Black Hat
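An added example, not code from the talk: the difference between putting user input into the template source and passing it as data, the arithmetic probe used to tell the two apart, and the attribute-walking style of payload that turns expression evaluation into code execution. The template engine is a constructed toy (text between `{{` and `}}` is evaluated as a Python expression with an empty builtins table) standing in for a real engine's expression language; `greet_vulnerable`, `greet_safe`, `PROBE` and `ESCAPE` are names chosen here.

```python
"""Template injection: input-in-template-source vs. input-as-data, plus the
arithmetic probe that distinguishes them. Added example, not James Kettle's
code. The engine is a constructed toy: text between {{ and }} is evaluated as
a Python expression with an empty builtins table, a stand-in for a real
engine's expression language and its (weak) sandbox."""
import os
import re

_EXPR = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)


def toy_render(template: str, context: dict) -> str:
    """Expand every {{ expr }} in `template`; `context` supplies the only names."""
    def _evaluate(match):
        expr = match.group(1).strip()
        # Toy engine only: no builtins, but attribute access on any object still works.
        return str(eval(expr, {"__builtins__": {}}, dict(context)))
    return _EXPR.sub(_evaluate, template)


def greet_vulnerable(name: str) -> str:
    """Vulnerable: the user value becomes part of the template SOURCE, so any
    template syntax inside it is parsed and evaluated."""
    return toy_render("Hello " + name + "!", {})


def greet_safe(name: str) -> str:
    """Fixed: the template source is constant and the value is passed as DATA."""
    return toy_render("Hello {{ name }}!", {"name": name})


# Arithmetic probe: a template engine evaluates it, plain string handling does not.
PROBE = "{{7*7}}"

# Sandbox-escape shape: walk from a literal to `object`, pick a subclass whose
# __init__ lives in the os module, and read functions out of that module's
# globals. getpid is used instead of system so the demonstration stays harmless.
ESCAPE = ("{{[c for c in ().__class__.__base__.__subclasses__()"
          " if c.__name__ == '_wrap_close'][0].__init__.__globals__['getpid']()}}")


def looks_injectable(render) -> bool:
    """Detection rule: the probe was evaluated when its result appears in the
    output and the literal probe text does not."""
    try:
        out = render(PROBE)
    except Exception:
        return False
    return "49" in out and PROBE not in out


def escape_reaches_os(render) -> bool:
    """True when the escape payload executed a function from the os module."""
    try:
        out = render(ESCAPE)
    except Exception:
        return False
    return str(os.getpid()) in out and ESCAPE not in out


if __name__ == "__main__":
    for label, fn in (("vulnerable", greet_vulnerable), ("safe", greet_safe)):
        print(f"{label:10} probe -> {fn(PROBE)!r} injectable={looks_injectable(fn)}"
              f" escape={escape_reaches_os(fn)}")
```

The probe is deliberately arithmetic rather than a string: `49` only appears if something evaluated `7*7`, which is the signal that separates template injection from reflected XSS, where the input would come back verbatim.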
Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection
by Sean Metcalf Kerberos "Golden Tickets" were unveiled by Alva "Skip" Duckwall & Benjamin Delpy in 2014 during their Black Hat USA presentation. Around this time, Active Directory (AD) admins all over the world felt a great disturbance in the Force. Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right? The news is filled with reports of breached companies and government agencies with little detail on the attack vectors and mitigation. This briefing discusses in detail the latest attack methods for gaining and maintaining administrative access in Active Directory. Also covered are traditional defensive security measures that work (and ones that don't) as well as the mitigation strategies that can keep your company's name off the front page. Prepare to go beyond "Pass-the-Hash" and down the rabbit hole.
This talk explores the latest Active Directory attack vectors and describes how Golden Ticket usage can be detected. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!
Some of the topics covered:
How attackers go from zero to (Domain) Admin
MS14-068: the vulnerability, the exploit, and the danger
"SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
Exploiting weak service account passwords as a regular AD user
Mimikatz, the attacker's multi-tool
Using Silver Tickets for stealthy persistence that won't be detected (until now)
Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
Detecting offensive PowerShell tools like Invoke-Mimikatz
PowerShell v5 security enhancements
Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication, identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members.
Views: 7717 Black Hat
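An added example, not Sean Metcalf's code, of the kind of logon-event artifact the abstract refers to. One indicator Metcalf has documented for Mimikatz-forged tickets is that the domain field of the resulting 4624 (logon) and 4672 (special privileges) events does not carry the expected NetBIOS domain name: it shows the DNS FQDN instead, or is empty. The log lines below are constructed in a flat `key=value` form (not a real Windows export), the expected domain `CORP` and the allow-listed `NT AUTHORITY` pseudo-domain are assumptions, and `forged_ticket_indicators` and `suspicious_principals` are names chosen here.

```python
"""Forged-ticket artifacts in logon events, checked over sample log lines.
Added example, not Sean Metcalf's code. Indicator: 4624/4672 events whose
domain field is an FQDN or empty rather than the NetBIOS domain name. The
events are constructed, flat key=value records, not a real Windows export."""
from collections import Counter

EXPECTED_NETBIOS_DOMAIN = "CORP"          # assumption for the sample environment
BUILTIN_PSEUDO_DOMAINS = {"NT AUTHORITY"}  # assumption: local principals to ignore

# Constructed sample events; the two Administrator records from 10.0.0.99 are
# the pattern a forged ticket leaves, the rest are ordinary logons.
SAMPLE_EVENTS = """\
EventID=4624;User=jdoe;Domain=CORP;LogonType=3;Ip=10.0.0.21
EventID=4624;User=svc_sql;Domain=CORP;LogonType=3;Ip=10.0.0.40
EventID=4624;User=Administrator;Domain=corp.example.test;LogonType=3;Ip=10.0.0.99
EventID=4672;User=Administrator;Domain=;LogonType=3;Ip=10.0.0.99
EventID=4624;User=jdoe;Domain=CORP;LogonType=2;Ip=-
EventID=4624;User=ANONYMOUS LOGON;Domain=NT AUTHORITY;LogonType=3;Ip=10.0.0.5
"""


def parse_event(line: str) -> dict:
    """Split one 'k=v;k=v' record into a dict (empty values are kept)."""
    fields = {}
    for part in line.strip().split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def forged_ticket_indicators(log_text: str, expected_domain: str = EXPECTED_NETBIOS_DOMAIN):
    """Return (reason, event) pairs for 4624/4672 events whose domain field is
    not the expected NetBIOS name. Empty and FQDN-style values are the
    artifacts described above; anything else unexpected is reported too."""
    allowed = {expected_domain.upper()} | {d.upper() for d in BUILTIN_PSEUDO_DOMAINS}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") not in ("4624", "4672"):
            continue
        domain = ev.get("Domain", "")
        if domain == "":
            hits.append(("empty domain field", ev))
        elif "." in domain:
            hits.append(("FQDN instead of NetBIOS domain", ev))
        elif domain.upper() not in allowed:
            hits.append(("unexpected domain", ev))
    return hits


def suspicious_principals(log_text: str):
    """Aggregate hits by (user, source IP) so one forged ticket that fires on
    several hosts surfaces as a single lead for the analyst."""
    counts = Counter((ev["User"], ev["Ip"]) for _, ev in forged_ticket_indicators(log_text))
    return sorted(((user, ip, n) for (user, ip), n in counts.items()), key=lambda t: -t[2])


if __name__ == "__main__":
    for reason, ev in forged_ticket_indicators(SAMPLE_EVENTS):
        print(f"{ev['EventID']} {ev['User']}@{ev['Ip']}: {reason} (Domain={ev['Domain']!r})")
    print(suspicious_principals(SAMPLE_EVENTS))
```

The domain-field check is only one of the artifacts; it is cheap to run against a SIEM export, but it depends on knowing the real NetBIOS name of each domain in the forest, so the allow-list has to be maintained per environment.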
Writing Bad @$$ Malware For OS X
by Patrick Wardle In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drunk the 'Apple Juice,' I didn't think that was fair! From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@$$ OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example I'll detail how Gatekeeper was remotely bypassed to allow unsigned downloaded code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware. However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware. So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
Views: 5800 Black Hat
Repurposing OnionDuke: A Single Case Study Around Reusing Nation State Malware
by Joshua Pitts The news media is awash with nation-states and criminals reusing malware. Why should they have all the fun? This is a case study about reversing the suspected Russian government made OnionDuke MitM patching system, discovered by the speaker in October 2014. During this talk we will seek to understand its inner workings, selecting desirable features, and repurposing it for use in other tools. This is pure malware plagiarism.
Views: 10122 Black Hat
Attacking Encrypted USB Keys the Hard(ware) Way
Ever wondered if your new shiny AES hardware-encrypted USB device really encrypts your data - or is just a fluke? If you have, come to our talk to find out if those products live up to the hype and hear about the results of the audit we conducted on multiple USB keys and hard drives that claim to securely encrypt data. By Elie Bursztein, Jean-Michel Picod & Rémi Audebert Full Abstract & Presentation Materials: https://www.blackhat.com/us-17/briefings.html#attacking-encrypted-usb-keys-the-hardware-way
Views: 10892 Black Hat
Fried Apples: Jailbreak DIY
In this talk we focus on challenges that the Fried Apple team solved in the process of making the untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection. by Max Bazaliy, Vlad Putin, and Alex Hude Full Abstract & Presentation Materials: https://www.blackhat.com/asia-17/briefings.html#fried-apples-jailbreak-diy
Views: 11423 Black Hat
How We Created the First SHA-1 Collision and What it Means for Hash Security
In this talk, we recount how we found the first SHA-1 collision. We delve into the challenges we faced from developing a meaningful payload, to scaling the computation to that massive scale, to solving unexpected cryptanalytic challenges that occurred during this endeavor. By Elie Bursztein Read More: https://www.blackhat.com/us-17/briefings/schedule/index.html#how-we-created-the-first-sha-1-collision-and-what-it-means-for-hash-security-7693
Views: 8429 Black Hat
Point of Sale System Architecture and Security
By Lucas Zaichkowsky To most people, Point of Sale (POS) systems with integrated payment processing are a black box where magic happens. Financial criminals breach hundreds of merchants each year, displaying a better understanding of how these systems operate than the dealer technicians that install and maintain them. With an understanding of POS architecture, integrated payment processing, and weaknesses in the technology, security professionals can better protect local businesses, major retailers, and developers handling payment card information. In this session, attendees will learn and see how POS components operate, their integration points, and the flow of payment data including where it's most vulnerable. A live demonstration will show exactly what sensitive data is passed in the clear by both magstripe and EMV chip readers, mapping it from peripheral all the way through the electronic payments infrastructure. Common attack vectors will then be presented, building on that architectural knowledge. Finally, top attack mitigations will be provided to save businesses from being breached and the disastrous losses that result.
Views: 5575 Black Hat
A Lightbulb Worm?
by Colin O'Flynn Could a worm spread through a smart light network? This talk explores the idea, and in particular dives into the internals of the Philips Hue smart light system, and details what security has been deployed to prevent this. Examples of hacking various aspects of the system are presented, including how to bypass encrypted bootloaders to read sensitive information. Details on the firmware in multiple versions of the Philips Hue smart lamps and bridges are discussed. This talk concentrates on examples of advanced techniques used in attacking IoT/embedded hardware devices.
Views: 9957 Black Hat
Key Reinstallation Attacks: Breaking the WPA2 Protocol
We introduce key reinstallation attacks. These attacks abuse features of a protocol to reinstall an already in-use key, thereby resetting nonces and/or replay counters associated to this key. We show that our novel attack technique breaks several handshakes that are used in a WPA2-protected network. By Mathy Vanhoef Full Abstract & Presentation Materials: https://www.blackhat.com/eu-17/briefings.html#key-reinstallation-attacks-breaking-the-wpa2-protocol
Views: 17195 Black Hat
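An added example, not Mathy Vanhoef's code, of the mechanism the abstract describes: a supplicant that resets its packet number when it (re)installs the pairwise key on a retransmitted message 3 of the 4-way handshake, and what nonce reuse then gives an attacker. The cipher is a constructed stand-in: CCMP is AES in counter mode underneath, so any keystream derived only from (key, nonce, block index) fails the same way, and SHA-256 plays that role here so the block runs with the standard library alone. The `Supplicant` class, the `patched` flag and the two sample frames are assumptions made for the demonstration.

```python
"""Key reinstallation against the 4-way handshake: a supplicant that resets its
packet number on a retransmitted message 3 reuses a nonce, and with a
CTR-style cipher that hands the attacker one plaintext XOR the other.
Added example, not Mathy Vanhoef's code. Cipher is a constructed stand-in:
keystream = SHA-256(key || nonce || block index), mimicking the property of
AES-CTR that matters here (same key + same nonce -> same keystream)."""
import hashlib


def keystream(key: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the AES-CTR keystream under (key, nonce = packet number)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake. `patched` models the fix: a key that is
    already installed is not installed again, so the nonce is never reset."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0  # CCMP packet number; the nonce for the next data frame

    def on_message3(self, ptk: bytes) -> None:
        if self.patched and ptk == self.ptk:
            return              # fix: ignore reinstallation of the same key
        self.ptk = ptk
        self.pn = 0             # key (re)installation resets the nonce

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


# Constructed traffic: the first frame's content is guessable (known plaintext),
# the second carries the secret. Equal lengths keep the XOR arithmetic exact.
KNOWN_FRAME = b"GET /inbox HTTP/1.1\r\n"
SECRET_FRAME = b"Cookie: sid=deadbeef1"
assert len(KNOWN_FRAME) == len(SECRET_FRAME)


def krack_run(patched: bool) -> dict:
    """Complete the handshake, send one frame, replay message 3, send another,
    then do the attacker's arithmetic on the two captured ciphertexts."""
    client = Supplicant(patched)
    ptk = hashlib.sha256(b"constructed PTK from the real handshake").digest()
    client.on_message3(ptk)                  # genuine message 3 installs the PTK
    pn1, c1 = client.encrypt(KNOWN_FRAME)    # victim transmits with PN=1
    client.on_message3(ptk)                  # attacker replays message 3
    pn2, c2 = client.encrypt(SECRET_FRAME)   # vulnerable client: PN=1 again
    # If the keystream repeated, c1 XOR c2 == p1 XOR p2, so p1 reveals p2.
    recovered = xor(xor(c1, c2), KNOWN_FRAME)
    return {"nonce_reused": pn1 == pn2, "recovered": recovered}


if __name__ == "__main__":
    for patched in (False, True):
        r = krack_run(patched)
        print(f"patched={patched}: nonce_reused={r['nonce_reused']} recovered={r['recovered']!r}")
```

The fix shown is the one the abstract implies: treat an already-installed key as installed and leave its nonce and replay counters alone, rather than rejecting the retransmitted message (which would break clients whose message 4 was genuinely lost).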
Bringing a Machete to the Amazon
By Erik Peterson Amazon Web Services (AWS) is billed as an amazingly secure and resilient cloud services provider, but what is the reality once you look past that pristine environment and the manicured forests give way to dark jungle as you start to migrate existing applications to the AWS Cloud or design new ones for AWS exclusively? In this talk, we will explore Amazon Web Services and the advent of "full stack" vulnerabilities and how they create new security pitfalls when migrating to and operating in an AWS world. From the unexpected to the unintended, many examples will be shared alongside new techniques showing how you have likely already exposed your applications and infrastructure to attack through misunderstanding, ignorance, or bad actors. To address these challenges, this presentation will also reveal and demonstrate a free tool we have designed to assess AWS applications, map out the interactions between infrastructure and code, and help individuals and organizations get clarity and bring a machete to the Amazon Cloud.
Views: 8903 Black Hat
Black Hat USA 2013 - Pixel Perfect Timing Attacks with HTML5
By: Paul Stone Maybe you've heard it before - HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and dangerous side effects. In this presentation, I'll introduce a number of new techniques that use JavaScript-based timing attacks to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you're logged into. I'll also take a look at the difficulties involved in fixing these types of vulnerabilities.
Views: 2511 Black Hat
Behind the Scenes of iOS Security
by Ivan Krstic With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10. HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple Watch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss. Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor. Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target.
Views: 98783 Black Hat
