(TBU) Managing Director of e-Estonia Showroom at Enterprise Estonia.
For the past 5 years she is working with e-Government marketing projects and export promotion for ICT sector to bring Estonian IT technology and know-how to the world. Her specialties: eGovernment, ICT, Cyber security, branding and marketing, public speaking, project management, relationship building and networking, business communication, sales, client service.
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.。
Keynote: How much security is too much?
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
Amihai Neiderman is a security researcher in the field of vulnerability research. Amihai has worked on everything from embedded devices, IoT, OS exploitation and web security. In past years he has worked as an independent researcher for various companies and now works as the head of research at Equus Technologies, Israel – a company that specializes in mobile security.
[0day][TV Broadcasting Standard][Wireless attack]DVB-T Hacking
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch the digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to be able to exploit a DVBT receiver via an over the air attack – sending a specially crafted data packet over an RF signal and taking over the device.
The research was focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. In the talk I will cover the research steps from the firmware extraction from the flash chip to the development of an ad-hoc debugger and finally the exploitation of the device.
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
[Web]Esoteric Web Application Vulnerabilities
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
He has been researching and developing state-of-the-art data recovery technology for malfunctioning HDDs which had suffered platter damage from head crash, natural disaster and crime.
Dai, as a digital forensic investigator, has also examined digital evidences of murder, abandonment of corpse, internal corporate fraud, and labor management problems and been cooperating with law enforcement and lawyers.
Moreover, as a cyber security researcher, he has been a speaker at CODEBLUE, Matcha139 Workshop, seminars for law enforcement and cyber security companies and HTCIA International Conference & Training Expo ( Aug 2016 ).
[Forensic][Hardware] EXOTIC DATA RECOVERY & PARADAIS
Hard Disk Drives (HDD) have a hidden space for storing data. If malicious software is stored in this hidden area, it could lead to attacking computers even if they are air-gapped.
By abusing surplus space of HDD, such cyber attack against off-line industrial control systems could become possible.
Moreover, the software or any data in this hidden space can survive against formatting, OS reinstallation, malware destruction software and any conventional cybersecurity framework.
Let us call it "PARADAIS"
While the PARADAIS stays unactivated, LBAs are not mapped to the hidden data area. Therefore, even if the HDD is wiped several times such as 3-pass, 7-pass or 35-pass, it remains there as it is.
There has been no way to detect or erase the unidentified software at PARADAIS in advance when the HDD had been modified prior to your purchase or its installation. However, new solutions are being discovered by my ongoing research.
Who can predict that Windows OS may boot after the HDD is wiped by Enhanced Secure Erase ? It would be you at CODEBLUE2016.
The 2nd part of my presentation would be on DATA RECOVERY from HDD the platter surface of which has been damaged because of head crash, natural disaster or intentional destruction at crime scenes. Survey results of 12 cases show how effective the disk surface cleaning by DDRH was.
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
[Obfuscation][Monitor Attacker’s activity]Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em'
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
Degree in Computer Science from Fumec University, Security Analyst and Researcher at Epam Systems. Certified by Offesinve Security(OSCP) and Elearn(WPT) as Pentester, Ewerson has published articles in the Brazilian Information Security/Computers magazines H4ck3r and GEEK, moreover, posted exploits and advisory on SecurityFocus found in big companies like: IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. Contrib to develop some modules to Metasploit Framework Project. Founder of BHack Conference and Area31, the first hackerpsace in Minas Gerais and is an active Kali Linux Community Contributor
[Network][Hardware][Backdoor]Who put the backdoor in my modem?
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors were found on network devices, mobile phones and other related devices, having as main cases the ones that were reported by the media, such as: TP-Link, Dlink, Linksys, Samsung and other companies which are internationally renowned.
This talk will discuss a backdoor found on the modem / router rtn, equipment that has a big question mark on top of it, because there isn’t a vendor identification and no information about who’s its manufacturer and there are at least 7 companies linked to its production, sales and distribution in the market. Moreover, some of them never really existed.<
Chen-yu Dai [GD]
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing Threat Intelligence Program and Platforms, consulting enterprise cyber defenses.
He is studying at the graduate school of Department of Information Management in the National Taiwan University of Science and Technology.
He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan.
He has received many prizes from domestic and international CTFs, as well as bug bounty programs.
Shi-Cho Cha [CSC]
Shi-Cho Cha (CSC) is currently an associate professor at the Department of Information Management in the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from the National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM. From 2000~2003.
He was a senior consultant in eLand technologies and played the role of project leaders to develop several systems about e-marketing. From 2003~2006, he was a manager at PricewaterhouseCoopers, Taiwan and helped several major government agencies to develop their information security management systems.
Recently, he helped NTUST to establish security analysis workforce and help several organizations to evaluate their system security. His current research interests are in the area information security management, identity management, smartphone security, and IoT security.
[Smart Auto Mobile][IoT][Bluetooth]BLE authentication design challenges on smartphone controlled IoT devices: analyzing Gogoro Smart Scooter
Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is the key part of IoT security. However mobile app design has many challenges such as limited input & output interfaces as well as user privacy protection features. Due to these restrictions, many vendors has given-up BLE's build-in security manager protocol and choose to build their own authentication protocols.
This study focused on a generalized method to analyze these BLE authentication protocols, discovering and solving challenges mentioned above. We applied this method on commercial products, including popular Gogoro Smart Scooter from Taiwan. We will demo under some certain circumstances it is possible to dump key used to unlock your Gogoro Scooter and send fake BLE authentication protocol packets to steal the scooter.
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
Dani is the CEO and founder of Undot, an Israeli-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
[SNS][Phishing][Exploit][Botnet]Facebook Malware: Tag Me If You Can
On June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had mentioned them in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the “mention”. A malicious file seized control of their browsers, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims Facebook and Google Drive accounts. After puzzling the script, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bites and bytes of the campaign and explaining how the attackers exploited Facebook to spread the malware.
In Hyuk Seo
My name is Inhyuk Seo(Nick: inhack). I graduated B.S. in Computer Science and Engineering at Hanyang University(ERICA) in 2015. Now I’m a researcher and M.S. of SANE(Security Analaysis aNd Evaluation) Lab at Korea University. I’m interested in Programming Language, Software Testing, Machine Learning, Artificial Intelligence.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
Jisoo Park graduated with Dongguk University B.S in Computer science engineering. He participated in secure coding research project in Programming Language Lab and KISA(Korea Internet & Security Agency). He worked as a software QA tester at anti-virus company Ahnlab. He also completed high-quality information security education course “Best of the Best” hosted by KITRI(Korea Information Technology Research Institute) and conducted security consulting for Car sharing service company.
Now, Jisoo Park is a M.S course researcher of Security Analysis aNd Evaluation Lab (Lead by Pf.Seungjoo Gabriel Kim who was a speaker of CODE BLUE 2015), Graduate school of Information security in Korea University. Recently he participated in IT Security Certification Center’s research project about foreign security evaluation policy & technique trend and participated CCUF(CC User forum), ICCC(International Common Criteria Conference) 2015 held in United Kingdom. He is interested in assurance of IT system, Threat risk modeling and Common Criteria.
[Software Testing][Automation][Vulnerability Detection][Security Evaluation] Using the CGC’s fully automated vulnerability detection tools in security evaluation and its effectiveness
End-user’s requirements for secure IT products are continually increased in environment that are affected directly to human life and industry such as IoT, CPS. Because vendors and end-user sell or buy products based on trustworthy or objective security evaluation results, security evaluation roles are important. Security Evaluations are divided to two parts, one is evaluation on design level such as ISO/IEC 29128(Verification of Cryptographic Protocols) and another one is post-implementation level such as ISO/IEC 15408(Common Criteria). These security evaluation standards, both ISO/IEC 29128 and ISO/IEC 15408, advise to use formal verification and automated tools when high assurance level of target products is required.
For a long time, vulnerability detection using automated tools have been tried and studied by many security researchers and hackers. And recently, the study related to automated vulnerability detection are now more active than ever in hacking community with DARPA’s CGC(Cyber Grand Challenge). But, too many tools are developed continually and usually each tool has their own purpose to use, so it’s hard to achieve ultimate goal of security evaluation effectively and verify evaluation results.
Furthermore, there are no references for categorizing about automated tools on perspective of security evaluations. So, in this presentation we will list up, categorize and analyze all of automated tools for vulnerability detection and introduce our result such as pros and cons, purpose, effectiveness, etc.
Isaac Dawson is a Principal Security Researcher at Veracode, Inc. where he leads the R&D efforts of Veracode's dynamic analysis offerings. Prior to Veracode, he was a consultant for @stake and then Symantec. In 2004 he moved to Japan to start their application security consulting team.
After leaving for Veracode, he decided Japan was just too comfortable and has stayed ever since.
An avid go programmer, he has an interest in distributed systems and in particular, scanning the web.
[Web][scanner][distributed]Around the Web in 80 Hours: Scalable Fingerprinting with Chromium Automation
Building a distributed scanner can be challenging, building one using real browsers even more so.
Web security engineer at Mitsui Bussan Secure Directions, Inc. CISSP.
I have worked on the detection of vulnerabilities on the web applications (web applications diagnosis) for seven years. In these days, I have been hoping to detect more vulnerabilities, but I feel the limitation of human resources. So, I am focused on the machine learning for web applications diagnosis, and have tried to develop the AI called SAIVS. In future, I really want SAIVS to take over my tasks of web applications diagnosis. Furthermore, SAIVS has been introduced at Black Hat Asia 2016 Arsenal at Singapore, and was well received.
[Machine Learning][Web][Auto Vul Scan]Method of detecting vulnerability in WebApps using Machine Learning
In Japan, information security engineers are lacking. So, I am focused on artificial intelligence (AI) technology to solve the lack of human resources. And, I have developed the AI to detect vulnerabilities on web apps called SAIVS (Spider Artificial Intelligence Vulnerabilities Scanner). The goal of SAIVS is to obtain ability of equal or higher than vulnerability diagnosis members. Currently, SAIVS is prototype.
But, it is possible to detect vulnerabilities on web apps like a human.
1. It can crawl web apps.
SAIVS can crawl web apps that include dynamic pages such as "login," "create account".
For example, SAIVS recognizes the type of the page. If it crawls the login page without having a login credential, it creates login credential in the create account page. After it login with the created login credentials, it crawls the rest of the pages.
2. It can detect vulnerabilities.
SAIVS can detect vulnerabilities efficiently by observing the behavior of web apps.
I achieve these actions by simulate the thinking pattern of vulnerability diagnosis members using multiple machine learning algorithms.
My presentation will explain how this ability was made possible by the machine learning algorithms and show a demo (detecting reflected XSS).
Jason Donenfeld is an independent security researcher and software developer, with a broad background of experience, well-known in both the security community and the open source world, and has pioneered several exploitation techniques. He has worked with many severe vulnerabilities in widespread software projects, including working on 0-day vulnerabilities in the Linux kernel, as well as extensive hardware reverse engineering. His security work spans advanced mathematical and geometric algorithms, cryptography, and remote exploitation.
Jason founded Edge Security (www.edgesecurity.com), a highly capable security consulting firm, with expertise in vulnerability discovery, security assessments, reverse engineering, hardened development, and physical security.
[Network][VPN][Crypto]WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel
The state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to prevent against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. The talk will examine both the cryptography and kernel implementation particulars of WireGuard and explore an offensive attack perspective on network tunnels.
Jonathan Levin is the founder and CTO of Technologeeks, a group of experts devoted to tackling the toughest problems and most challenging technologies in software today. Focusing on operating system internals and networking, we aim to deliver expert solutions for the Big Three (Windows, Linux and Mac OS), and the leading mobile derivatives - Android and iOS. Jonathan is the author of "Android Internals" and "Mac OS X and iOS Internals", the two definitive works on the inner workings of today's mobile operating systems.
[Mobile][Kernel]The ARMs race for kernel protection
iOS was the first to introduce Kernel Patch Protection (KPP) as a method meant to mitigate tampering with kernel code. Samsung followed suit with TIMA/KRP. Both of these, however, remain undocumented to this day.
With Apple's recent relaxing of the iOS encryption, a rare first glance has been provided into the workings of KPP. At last, it can be compared and contrasted with Samsung's implementation.
This talk will present the theoretical aspects (TrustZone, ARM ELx and secure monitor), and then discuss the two implementations - Apple and Samsung - side by side. Full examples with decompilation (using author's free tools) will be provided.
He works at SecureBrain Corporation and belongs to Advanced Research Center and Security Response Team. Senior Software Engineer.
2014, He joined SecureBrain Corporation. As a software engineer, he works on the software development while doing security research.
Mainly he focused on the analysis of the cyber crimes caused by financial Malware and phishing and its developing its technological countermeasures.
Major lectures in the past
2015/2016 Practical Anti-Phishing Guideline Seminar Lecturer
2016 IEICE requested symposium “Analysis methods and the results from Malware Long-term observation and taint analysis”.
[Police][Bot][Neutralize]Background Story of "Operation neutralizing banking malware" and highly developed financial malware
Financial damages caused by remittance fraud in Japan has been increasing since year 2013, and this has become a critical problem in our society.
In April 2015, Tokyo Metropolitan Police Department conducted its very first unique takedown operation called "Operation Banking Malware Takedown”.
Tokyo Metropolitan Police Department had asked us to cooporate with this operation, so we developed a technology that would takedown the banking malware called "VAWTRAK".
In this presentation, I will give an overview of the operation and a background of our involvement.
Then, I will introduce and demonstrate the technology that we developed to takedown “VAWTRAK”.
I will also provide a description of ongoing banking malware attacks this year based on our investigation.
Mingyen Hsieh is an threat researcher with Trend Micro.
He is also an enthusiast in APT investigation, threat intelligence, reverse engineering and sandboxing.
Now his goal is to dig more quality intelligence and to develop an efficient intelligence processing system for the team.
Joey Chen is currently working as an threat researcher with Trend Micro. His major areas of research include APT investigation, reverse engineering and cryptography.
Now his goal is to dig more quality intelligence and to develop decryption tools that helps him and his team getting more sleep time at night.
[APT][Malware][Reverse Engineering]BLACKGEAR: A cyber espionage campaign both targeting Japan and Taiwan
BLACKGEAR is a cyber-espionage campaign which has been targeting users in Taiwan for many years. First discovered by researchers in 2012, since then it has been the subject of multiple papers by various researchers.
BLACKGEAR has been known to take advantage of online blog services. The second-stage command-and-control (C&C) configuration information is saved within articles posted on these sites. If the threat actor wants to change the second-stage C&C, he can easily do so by modifying the content of these articles.
Like most other campaigns has evolved over time. It has recently started targeting users in Japan with similar tactics. Japanese blogging services are being used for saving encrypted configuration of second-stage C&C servers as well. In this presentation, we discuss the new tools we found used in this attack, their components, the C&C communications method use, and the roles of what we found in the overall attack picture.
7 years of security production development RD Leader of Sandcastle core engine of DD(Deep Discovery) production for Gateway 0day exploit detection.
Current focusing on research about Mac/Windows kernel vulnerability and exploit Staff Developer of Trend Micro Inc.
10 years of anti-malware solution development Familiar with Windows/Mac kernel technology, browser and document exploit.
Current focusing on research about Mac vulnerability and exploit
Senior Staff Developer of Trend Micro Inc.
Rank 35 in Microsoft Security Response Center (MSRC) Bounty Program Top 100 list in 2015
Rank 16 in Microsoft Security Response Center (MSRC) Bounty Program Top 100 list in 2016
[OSX][Kernel][Fuzzing][root exploit](P)FACE into the Apple core and exploit to root
OSX security vulnerability study is gaining more and more popular recently because Mac devices become more and more popular. OSX IOKit exposes large attacking surface for hackers compromising kernel extension and kernel itself from user mode. Many researcher do research on this domain (see Reference section). We will share some research results about this domain.
1. One passive fuzzing framework with context enlightenment to hunt kernel vulnerability.
2. Exploit tricks for how to occupy kernel memory from user mode program to bypass SMAP&SMEP.
3. Utilizing the vulnerabilities which found by our fuzzing method and the new exploit trick to root OSX successfully 2 times.
We introduce a new method ｡ｰPassive Fuzzing And Context Enlightenment for OSX IOKit｡ｱ which names PFACE.PFACE has following highlight points. Firstly it can meet the condition dependency and permit code execution deeper and wider to hit more codes and get more system crash. And secondly it can output the modules which contains ｡ｰContexts｡ｱ which is indicator for suspicious vulnerability. These indicators will lead reviewer to review these modules firstly.
If you have a bunch of kernel vulnerabilities, the big problem is how to transfer your ROP gadgets to the kernel space from user mode program because recent OSX already enable SMAP and SMEP. The famous security researcher Stefan Esser proposed that OSData be a good structure to occupy kernel memory [Refenece section 5]. Yes, OSData is a good data structure. But in practice, there are some problems causing OSData not to work. We find a new method that let OSData does work for occupy kernel memory from user mode program. We use the method to exploit the vulnerabilities we found and root OSX (10.11.3) successfully.
In practice, we find tens of vulnerabilities with CVE number, and many kernel crashes which fuzzing effect has been approved. And also we construct two different Local Privilege Escalation exploit to root by using some vulnerabilities of them on Mac OSX (10.11.3 ).
Here below is the CVE and ZDI list until now(NOT including submitted but pending):CVE-2015-3787, CVE-2015-5867, CVE-2015-7021,CVE-2015-7020, CVE-2016-1716,ZDI-CAN-3536,ZDI-CAN-3558, ZDI-CAN-3598,ZDI-CAN-3596,ZDI-CAN-3603,CVE-2015-7067, CVE-2015-7076,CVE-2015-7106,CVE-2015-7109,CVE-2016-1718,CVE-2016-1747,CVE-2016-1749,CVE-2016-1753, ZDI-CAN-3693, ZDI-CAN-3694, CVE-2016-1795, CVE-2016-1808, CVE-2016-1810, CVE-2016-1817, CVE-2016-1820, CVE-2016-1798, CVE-2016-1799, CVE-2016-1812, CVE-2016-1814, CVE-2016-1818, CVE-2016-1816
Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his Bsc and Msc Suma Cum Laude, from the computer science department at the Hebrew University of Jerusalem. Guri is a lead researcher and lab manager at the Ben Gurion Cyber Security Research Center and has been awarded with the prestigious IBM PhD International Fellowship (2015-2016). He manages academic research in various aspects of cyber-security to the commercial and governmental sectors. In the past few years Mordechai has led a number of breakthrough research projects in cyber-security, some of them have been published worldwide. His research focuses on state-of-the-art challenges in the field of cyber-attack and cyber-defense. Mordechai examines current paradigms and develops new methods for improved mitigation of security problems in the modern cyber environment. His research topics include OS security, advanced malware, Moving Target Defense (MTD), mobile security and embedded systems. He is the Head of R&D of the Cyber Security Center at BGU and Chief Scientist Officer at Morphisec Endpoint Security Solutions
Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University. Over the last two years he has taught cyber security machine learning at international venues, and has published works in the domains of anomaly detection, isolated network security, and machine learning. He currently manages two multi-year research projects in the Cyber Security Research Center (CSRC) at BGU: Context-based Data-leakage Prevention for Smartphones (funded by the Israeli Ministry of Science), and Machine Learning solutions for IoT security (in cooperation with the industry). His research interests include: machine learning, time-series anomaly detection, isolated network security, smartphone security and physical signal cryptography.
Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Information Systems Engineering at BGU. He holds B.Sc. and M.Sc. degrees in Computer and Electrical Engineering from BGU and a Ph.D. in Information Systems from Tel-Aviv University. For the past ten years he has led the cooperation between BGU and Deutsche Telekom and in 2014 he established the BGU Cyber Security Research Center. His primary research interests are computer and network security, cyber security, web intelligence, social network analysis, and machine learning. Prof. Elovici consults professionally in the area of cyber security and most recently, he, along with several colleagues, established a startup that focuses on cyber-security.
[Forensic][APT][Malware]Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation
Air-gapped networks are isolated, separated both logically and physically from public networks. For example, military, industrial, and financial networks. Although the feasibility of invading such systems has been demonstrated in recent years, communication of data to/from air-gapped networks is a challenging task to attackers to perpetrate, an even more difficult threat to defend against.
New methods of communicating with air gapped networks are currently being exposed, some advanced and difficult to mitigate. These new found vulnerabilities have wide reaching implications on what we considered to be a foolproof solution to network security –the placement of a physical air gap.
But it doesn’t stop there – new techniques of covertly getting information in and out of air gapped networks are being exposed. Thus it is important not only to publicize these vectors of attack, but their countermeasures and feasibility as well.
In this talk, we will outline the steps an attacker must take in order to bridge an air gapped network. We will review the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one’s countermeasures and feasibility. Most of techniques in this talk were discovered in our labs by researcher Mordichai Guri under the supervision of Prof. Yuval Elovici.
Naohide Waguri joined FFRI in 2013. Before he joined FFRI, he had participated in software quality assurance, software development and promotion of test automation of network equipment (Gigabit Ethernet or Multilayer switches) as a network engineer. After joined FFRI, he participated in penetration testing, analysis and investigating the trend of cyber attacks. He is currently researching threat/risk analysis and evaluation method for a security of embedded systems such as in-vehicle devices. He was a speaker at CODE BLUE 2015.
[Automobile][Current status and Future countermeasure]Security in the IoT World: Analyzing the Security of Mobile Apps for Automobiles
Recently, services that provide remote control and acquire vehicle location information (GPS) is increasing. (As far as we know, it has been especially popular in the EV cars.)
These services are the challenging business for the automotive industry and OEMs because these have a potentially huge market or an additional value to their products in the future.
On the other hands, these services may lead to new threats and risks for the automobiles. This is because the Internet connection did not consider it was not necessary for automobiles so far.
Further, some researchers have already reported vulnerabilities in the remote services that are provided by various OEMs.
These issues are all reported in a foreign territory. Then, how about in Japan?
Therefore, we analyze the client apps for Japan provided by the various OEMs. But we also targeted analyzing apps for the US because apps for Japan is not many yet.
Specifically, we analyzed vulnerabilities (cooperation between apps, certificate verification, etc...) and whether these apps are using anti-analysis techniques such as obfuscation.
In this talk, we'll introduce about a potential for abusing of remote service apps in the future and countermeasures for these risks.
Olga is interested in how various devices interact with cash or plastic cards. She is a senior specialist for the penetration testing team at Kaspersky Lab. Olga has authored multiple articles and webinars about ATM security. She is also the author of advisories about various vulnerabilities for major ATM vendors and has been a speaker at international conferences, including Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit, Nuit Du Hack, Hack In The Box Singapore and others.
Lead Expert on a Penetration Testing Team at Kaspersky Lab. An author of variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Hack In The Box Singapore, Positive Hack Days, Chaos Communication Congress.
[ATM][Hardware]ATMS how to break them to stop the fraud.
The most common story that we hear: something happens with ATM that makes it empty, leaving no forensic evidence. No money and no logs.
We have collected huge number of cases on how ATMs could be hacked during our researches, incidents responses and security assessments. A lot of malware infects ATM through the network or locally. There are black boxes, which connect to communications port of devices directly. There are also network attacks, such as rogue processing center or MiTM.
How to stop the ATMs fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as rogue processing center or MiTM? Some of these issues can be fixed by configuration means, some fixed by compensation measures, but many only by vendor. We will tell you about what bank can do now and what we as a community of security specialists should force to vendors. Before we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help financial and security society with more direct advices how to implement security measures or approaches to make ATMs more secure.
Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team). With primary focus on vulnerability discovery and novel exploitation techniques dev. Presenting his research on various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was AV (ESET) guy, with 4+ years of experience in that field switched to offensive software security research focused on windows and linux kernel architectures. Pwnie nominee and pwn2own 2015 & 2016(MoP) winner, occasionally CTF player. Besides software security field, doing his best as wushu player as well.
Jin Long 金龙
Tencent Keen Security Lab researcher, 6 years programming experience, 4 years security experience. Former TrendMicro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn by final Edge to SYSTEM escape).
[Windows][Kernel][Exploit][Vulnerability Hunt]DeathNote of Microsoft Windows Kernel
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot.
Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.
[Exploit][Incident Response][Hardware Control] COFI break – Breaking exploits with Processor trace and Practical control flow integrity
One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available.
In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors.
The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features.
Tyler has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the hacking team known as the Plaid Parliament of Pwning. This team rose from a small group of students to the number one competitive hacking team in the world. After traveling around the world competing in hacking competitions, Tyler settled down and now works on making humans and computers think more like hackers at ForAllSecure. In 2016, the automated system he helped create won the DARPA Cyber Grand Challenge.
[Auto Security System][Cyber Grand Challenge (CGC)]About the cyber grand challenge: the world’s first all-machine hacking tournament
The Cyber Grand Challenge (CGC) was announced in 2013--a first-of-its-kind competition in which fully autonomous systems would compete in a Capture The Flag (CTF) tournament. Starting from over 100 teams consisting of some of the top security researchers and hackers in the world, only 7 teams qualified to the final round. These 7 teams competed against eachother to guard their own software with IDS rules and software patches while attacking the other systems. All of this was done without access to program source code nor access to humans.
This never-before-seen level of autonomy demonstrated the state of the art in areas of computer security including static analysis, automated bug finding, automatic exploit generation, and automatic software patching. Over the course of just 10 hours, these systems competed to analyze over 80 totally new pieces of software, showing capabilities beyond what anyone has ever seen before.
In this talk we will discuss the Cyber Grand Challenge, explaining what it entailed, what the results mean, and how these advances will influence software security in the near future. Additionally, we will share lessons learned from the winning CGC team, and take a look at the future of automatic software analysis.
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
Hiroki MATSUKUMA is a web pentest rookie at Cyber Defense Institute, Inc. in Japan, a member of TokyoWesterns.
He was an electrical engineering student at NITTC(National Institute of Technology, Tokyo College). /* However, his interest has been in a computer security before thus he often neglected studying and participated in CTF competitions :P */
Sometimes he gets a good feeling the moment he got a control of an application, when listening EDM and he likes having something good to eat with a girl;)
Now his interest is towards heap implementations, exploitation of embedded systems and suchlike technology related to pwn.
[U24][Buffer Overflow]House of Einherjar — Yet Another Heap Exploitation Technique on GLIBC
If any susceptible application data to a buffer overflow like a function pointer was on the memory block allocated by the target program, we can assume that Heap-based Buffer Overflow is as amenable to attacks as Stack-based Buffer Overflow. Although the remote attackers have no way to figure out whether it is really exploitable or not because the memory layout is conditional on a target application. Thus, an exploitation to Heap-based Buffer Overflow is not so practical. However it is so interesting and we focus on it.
One objective of attackers is gaining the program counter to lead to an arbitrary code execution and they usually realize that with "write-what-where primitive", an arbitary data write to anywhere, to the susceptible data. An ancient technique called "Unlink Attack" provides direct "write-what-where primitive" but it is not available today thus the recent exploit writers excogitate indirect "write-what-where primitive" by forcing malloc() to return a nearly-arbitrary address. There are several Heap Exploitation techniques like Malloc Maleficarum, a paper with some great techniques published by Phantasmal Phantasmagoria, which provides such indirect "write-what-where primitive". Some of them have been fixed but some others like House of Force and so on have been still available today.
This paper propose the "House of Einherjar", a new technique as an indirect "write-what-where primitive" on the latest GLIBC.
Sophia D’Antoine is a security engineer at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using LLVM. She spends too much time playing CTF and going to noise concerts.。
[U24][Binaly Analysis][Auto Exploit]Be a Binary Rockstar: An Introduction to Program Analysis with Binary Ninja
This talk will explore program analysis on compiled code, where source is not available. Many static program analysis tools, such as LLVM passes, depend on the ability to compile source to bytecode, and cannot operate on binaries. A solution to this problem will be explained and demonstrated using the new Intermediate Language (IL) in Binary Ninja. Binary Ninja IL will be described, providing a basic understanding of how to write analyses using it.
This talk will describe and release a tool in Binary Ninja IL for automated discovery of a simple memory corruption vulnerability and demonstrate it on a CTF binary. The concepts of variable analysis, abstract interpretation, and integer range analysis will be discussed in the context of vulnerability discovery.