During this talk we're going to discuss the security of the so called internet-of-things (IOT),and have a better understanding of what it's all about. This talk will give a broad overview of IOT , the major vulnerabilities that are out there, challenges that exist in securing the things , and what we as security people can do about it.
If you'd ever heard the IOT buzzword, and you want to know what it's all about, this talk is for you.
Along the years many attempts have been made to combine static and dynamic analysis results. Some were good, other were bad, however the fact is that those two approaches still remain mostly separated as most analysis tools focus on one of them only.
For many years, this lack of integration and mental passing of data between static and dynamic tools has caused lot of frustration among researchers.
This was the main motivation in creating DIE.
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard dissembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values. With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable dissembler screen.
Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA.
DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher`s toolkit.
DIE was first introduced to the public at RECON-2015 and received amazing feedbacks. Today, we will introduce its secrets to the respected Israeli research community.
During this talk I will explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process.
The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate a malware de-obfuscation functions.
The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language. But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.
We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience.
Attacks include:
This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.
How can we really automate secure coding? Agile, DevOps, Continuous Integration, Orchestration, Static, Dynamic - There's an endless feed of Buzzwords, but how can we turn this into a practice that really works? In this session we will review real world examples of building a successful automation process for delivery of secure software in fast paced development environments.
In the proverbial game of cat-and-mouse between endpoint security vendors and malware writers, malware attacks have recently grown more sophisticated. More enterprises are losing ground to hackers, who are able to outmaneuver static and runtime solutions by constantly changing their attack strategies. In his presentation, Yair will break down the current set of techniques (signatures, static analysis, dynamic analysis, social cyber-intelligence) used to identify malware on mobile devices, and identify the pros and cons of these approaches. He will also explain why attackers constantly succeed in fooling these technologies, and explore the problem of false positive/false negative tradeoffs in such solutions. In order to demonstrate the aforementioned, Yair will create on stage a malicious mobile app live, which can bypass signatures, static and dynamic analysis approaches.
Audience will learn:
Side channel analysis is a remarkably powerful cryptanalytic technique. It allows attackers to extract secret information hidden inside a secure device, by analyzing the physical signals (e.g., power, heat) that the device emits as it performs a secure computation. While the potency of side-channel attacks is established without question, their application to practical settings is debatable. The main limiting factor to the practicality of side-channel attacks is the problematic attack model they assume; with the exception of network-based timing attacks, most side-channel attacks require the attacker be in “close proximity” to the victim.
In this work, we challenge this limiting assumption by presenting a successful side-channel attack that assumes a far more relaxed and practical attacker model. In our model, the victim merely has to *access a website* owned by the attacker using his personal computer. Despite this minimal model, we show how the attacker can still launch a side-channel attack in a practical time frame and extract meaningful information from the system under attack. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.
Joint work with Vasileios P. Kemerlis, Angelos D. Keromytis and Simha Sethumadhavan.
When attacking web applications, what do you do when there are no injection points? No false-assumptions? No logical errors? Most of the times you just move on, perhaps look for bad code in a different component or third party plugin. What if that target is just too important to give up on? What if your target is the most popular web platform in the world?
This talk will focus on the recent vulnerabilities found in WordPress core, one of the most securely written web apps in the world. We will begin with a carefully orchestrated race condition leading to Privilege Escalation, and all the way to SQL injection and persistent XSS attacks, in 20% of the top 1M sites on the Internet. We will dive deep into a system that seems un-penetrable, and analyze a chain of bugs no one thought exploitable, in order to describe one of the most interesting WebApp vulnerabilities in CMS history.
Join us for a journey through the eyes of one researcher who made it to core WordPress and lived, to get a glimpse of how one searches for vulnerabilities in massive code and how to catch oh-so-important developer misses.
File synchronization services, such as GoogleDrive, DropBox and others are becoming widespread, both with private and corporate use. These applications, while offering great convenience to their users, also provide a hacker with ideal platform for C2 infrastructure. Instead of setting up a new C2 server, an attacker simply needs to open a new cloud storage account, or even use the victims account as the platform.
In our presentation we will examine how common cloud synchronization services can be used by hackers to steal private and corporate data, remain persistent on infected machines and avoid perimeter detection mechanisms. All of this could be done from the attacker’s laptop, without any exploits and without writing server side code.
Objective: Understand risks & mitigations of MitC attacks
Cross-site search (XS-search) attacks circumvent the same-origin policy and extract sensitive information, by using the time it takes for the browser to receive responses to search queries. This side-channel is usually considered impractical, due to the limited attack duration and high variability of delays. This may be true for naive XS-search attacks; however, we show that the use of better tools facilitates effective XS-search attacks, exposing information efficiently and precisely.
We present and evaluate three types of tools: (1) appropriate statistical tests, (2) amplification of the timing side-channel, by `inflating' communication or computation, and (3) optimized, tailored divide-and-conquer algorithms, to identify terms from large `dictionaries'. These techniques may be applicable in other scenarios.
We implemented and evaluated the attacks against the popular Gmail and Bing services, in several environments and ethical experiments, taking careful, IRB-approved measures to avoid exposure of personal information.
The first is in the Android Platform and Google Play Services. The Platform instance affects Android 4.3-5.1, M (Preview 1) or 55% of Android devices at the time of writing. This vulnerability allows for arbitrary code execution in the context of many apps and services and results in elevation of privileges. In this talk we also demonstrate a Proof-of-Concept exploit against the Google Nexus 5 device, that achieves code execution inside the highly privileged system_server process, and then either replaces an existing arbitrary application on the device with our own malware app or changes the device’s SELinux policy. For some other devices, we are also able to gain kernel code execution by loading an arbitrary kernel module. We had responsibly disclosed the vulnerability to Android Security Team which tagged it as CVE-2015-3825 (internally as ANDROID-21437603/21583894) and patched Android 4.4 / 5.x / M and Google Play Services.
For the sake of completeness we also made a large scale experiment over 32,701 of Android applications, finding similar deserialization vulnerabilities, identified by CVE-2015-2000/1/2/3/4/20, in 6 SDKs affecting multiple apps. We responsibly (privately) contacted the SDKs’ vendors or code maintainers so they would provide patches. Further analysis showed that many of the SDKs were vulnerable due to weak code generated by SWIG, an interoperability tool that connects C/C++ with variety of languages, when fed with some bad configuration given by the developer. We therefore worked closely with the SWIG team to make sure it would generate more robust code — patches are available.
Buzzwords about Agile are flying around in overwhelming speed, talks about Scrum, Kanban, XP and other methodologies and practices are thoroughly discussed while security is still left as a 'high level' talk or sometimes as understanding how to adapt from traditional development methodologies. Some best practices will leave you scratching your head, unsure what was the original intention and without understanding how to implement security in Agile, effectively. This lecture will bring the all the undocumented failures during such process, and best ways of avoiding them prior to experiencing them.
We created “Game of Hacks”– a viral web app marketed as a tool to train developers on secure coding – with the intention of building a honeypot. Game of Hacks, built using the node.js framework, displays a range of vulnerable code snippets challenging the player to locate the vulnerability. A multiplayer option makes the challenge even more attractive and the leaderboard spices up things when players compete for a seat on the iron throne.
Within 24 hours we had 35K players test their hacking skills...we weren't surprised when users started breaking the rules.
Join us to: • Play GoH against the audience in real time and get your claim for fame. • Understand how vulnerabilities were planted within Game of Hacks. • See real attack techniques (some caught us off guard) and how we handled them. • Learn how to avoid vulnerabilities in your code and how to go about designing a secure application. • Hear what to watch out for on the ultra-popular node.js framework.
Hundreds of millions of Android devices, including those running Lollipop, the latest and most secure version of Android OS, can be hijacked. A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack.
These vulnerabilities allow an attacker to take advantage of unsecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities including hash collisions, IPC abuse and certificate forging which allow an attacker to grant their malware complete control of a victims device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice.