EDITORIAL | July 29, 2015

Black Hat and DEF CON: Hacks and Fun

The great annual experience of Black Hat and DEF CON starts in just a few days, and we here at IOActive have a lot to share. This year we have several groundbreaking hacking talks and fun activities that you won’t want to miss!

For Fun
Join IOActive for an evening of dancing

Our very own DJ Alan Alvarez is back – coming all the way from Mallorca to turn the House of Blues RED. Because no one prefunks like IOActive.
Wednesday, August 5th
6–9PM
House of Blues
Escape to the IOAsis – DEF CON style!
We invite you to escape the chaos and join us in our luxury suite at Bally’s for some fun and great networking.
Friday, August 7th
12–6PM
Bally’s penthouse suite
·      Unwind with a massage 
·      Enjoy spectacular food and drinks 
·      Participate in discussions on the hottest topics in security 
·      Challenge us to a game of pool! 
FREAKFEST 2015
After a two year hiatus, we’re bringing back the party and taking it up a few notches. Join DJs Stealth Duck, Alan Alvarez, and Keith Myers as they get our booties shaking. All are welcome! This is a chance for the entire community to come together to dance, swim, laugh, relax, and generally FREAK out!
And what’s a FREAKFEST without freaks? We are welcoming the community to go beyond just dancing and get your true freak on.
Saturday, August 8th
10PM till you drop
Bally’s BLU Pool
For Hacks
Escape to the IOAsis – DEF CON style!
Join the IOActive research team for an exclusive sneak peek into the world of IOActive Labs. 
Friday, August 7th
12–6PM
Bally’s penthouse suite
Enjoy Lightning Talks with IOActive Researchers:
Straight from our hardware labs, our brilliant researchers will talk about their latest findings in a group of sessions we like to call IOActive Labs Presents:
·      Mike Davis & Michael Milvich: Lunch & Lab – an overview of the IOActive Hardware Lab in Seattle
·      Robert Erbes: Little Jenny is Export Controlled: When Knowing How to Type Turns 8th-graders into Weapons
·      Vincent Berg: The PolarBearScan
·      Kenneth Shaw: The Grid: A Multiplayer Game of Destruction
·      Andrew Zonenberg: The Anti Taco Device: Because Who Doesn’t Go to All This Trouble?
·      Sofiane Talmat: The Dark Side of Satellite TV Receivers
·      Fernando Arnaboldi: Mathematical Incompetence in Programming Languages
·      Joseph Tartaro: PS4: General State of Hacking the Console
·      Ilja Van Sprundel: An Inside Look at the NIC Minifilter
Black Hat/DEF CON
Speaker: Chris Valasek
Remote Exploitation of an Unaltered Passenger Vehicle
Black Hat: 3PM Wednesday, August 5, 2015
DEF CON: 2PM Saturday, August 8, 2015
In case you haven’t heard, Dr. Charlie Miller and I will be speaking at Black Hat and DEF CON about our remote compromise of a 2014 Jeep Cherokee (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/). While you may have seen media coverage of the project, our presentation will examine the research at a much more granular level. Additionally, we have a few small bits that haven’t been talked about yet, including some unseen video, along with a 90-page white paper that will provide you with an abundance of information regarding vehicle security assessments. I hope to see you all there!
Speaker: Colin Cassidy
Switches get Stitches
Black Hat: 3PM Wednesday, August 5, 2015
DEF CON: 4PM Saturday, August 8, 2015
Have you ever stopped to think about the network equipment between you and your target? Yeah, we did too. In this talk we will be looking at the network switches that are used in industrial environments, like substations, factories, refineries, ports, or other homes of industrial automation. In other words: DCS, PCS, ICS, and SCADA switches.
We’ll be attacking the management plane of these switches because we already know that most ICS protocols lack authentication and cryptographic integrity. By compromising the switches, an attacker can perform MITM attacks on live processes.

Not only will we reveal new vulnerabilities, along with the methods and techniques for finding them, we will also share defensive techniques and mitigations that can be applied now, to protect against the average 1-3 year patching lag (or even worse, “forever-day” issues that are never going to be patched).
Speaker: Damon Small
Beyond the Scan: The Value Proposition of Vulnerability Assessment
DEF CON: 2PM Thursday, August 6, 2015
It is a privilege to have been chosen to present at DEF CON 23. My presentation, “Beyond the Scan: The Value Proposition of Vulnerability Assessment”, is not about how to scan a network; rather, it is about how to consume the data you gather effectively and how to transform it into useful information that will affect meaningful change within your organization.
As I state in my opening remarks, scanning is “Some of the least sexy capabilities in information security”. So how do you turn such a base activity into something interesting? Key points I will make include:
·      Clicking “scan” is easy. Making sense of the data is hard and requires skilled professionals. The tools you choose are important, but the people using them are critical.
·      Scanning a few, specific hosts once a year is a compliance activity and useful only within the context of the standard or regulation that requires it. I advocate for longitudinal studies where large numbers of hosts are scanned regularly over time. This reveals trends that allow the information security team to not only identify missing patches and configuration issues, but also to validate processes, strengthen asset management practices, and to support both strategic and tactical initiatives.

I illustrate these concepts using several case studies. In each, the act of assessing the network revealed information to the client that was unexpected, and valuable, “beyond the scan.”
Speaker: Fernando Arnaboldi
Abusing XSLT for Practical Attacks
Black Hat: 3:50PM Thursday, August 6, 2015
DEF CON: 2PM Saturday, August 8, 2015
XML and XML schemas (e.g. DTDs) are an interesting target for attackers. They may allow an attacker to retrieve internal files and abuse applications that rely on these technologies. Alongside these technologies there is a specific language created to manipulate XML documents that has so far gone unnoticed by attackers: XSLT.

XSLT is used to manipulate and transform XML documents. Since its definition, it has been implemented in a wide range of software (standalone parsers, programming language libraries, and web browsers). In this talk I will expose some security implications of using the most widely deployed version of XSLT.
Speaker: Jason Larsen
Remote Physical Damage 101 – Bread and Butter Attacks

Black Hat: 9AM Thursday, August 6, 2015
Speaker: Jason Larsen
Rocking the Pocket Book: Hacking Chemical Plant for Competition and Extortion

DEF CON: 6PM Friday, August 7, 2015
Speaker: Kenneth Shaw
The Grid: A Multiplayer Game of Destruction
DEF CON: 12PM Sunday, August 9, 2015, IoT Village, Bronze Room

Kenneth will host a table in the IoT Village at DEF CON where he will present a demo and explanation of vulnerabilities in the US electric grid.
Speaker: Sofiane Talmat
Subverting Satellite Receivers for Botnet and Profit
Black Hat: 5:30PM Wednesday, August 5, 2015
Security and the New Generation of Set Top Boxes
DEF CON: 2PM Saturday, August 8, 2015, IoT Village, Bronze Room
New satellite TV receivers are revolutionary. One of the devices used in this research is much more powerful than the computer I had when I graduated, running a Linux OS and featuring a 32-bit RISC processor at 450 MHz with 256MB RAM.

Satellite receivers are joining the IoT in massive numbers and are used to decrypt pay TV through card-sharing attacks. However, they are far from secure. In this session we will discuss their weaknesses, focusing on a specific attack that exploits both technical and design vulnerabilities, including the human factor, to build a botnet of Linux-based satellite receivers.
Speaker: Alejandro Hernandez
Brain Waves Surfing – (In)security in EEG (Electroencephalography) Technologies
DEF CON: 7-7:50PM Saturday, August 8, 2015, BioHacking Village, Bronze 4, Bally’s

Electroencephalography (EEG) is a non-invasive method for recording and studying the electrical activity (synapses between neurons) of the brain. It can be used to diagnose or monitor health conditions such as epilepsy, sleep disorders, seizures, and Alzheimer’s disease, among other clinical uses. Brain signals are also used for many other research and entertainment purposes, such as neurofeedback, art, and neurogaming.
I wish this were a talk on how to become Johnny Mnemonic, so you could store terabytes of data in your brain, but, sorry to disappoint you, I will only cover non-invasive EEG. I will cover 101-level issues that we have all known about since the 90s and that affect this 21st-century technology.
I will give a brief introduction to Brain-Computer Interfaces and EEG in order to understand the risks involved in brain signal processing, storage, and transmission. I will cover common (in)security aspects, such as encryption and authentication, as well as (in)security in design. I will also perform some live demos, such as the visualization of live brain activity, sniffing of brain signals over TCP/IP, and software bugs in well-known EEG applications when dealing with corrupted brain activity files. This talk is a first step toward demonstrating that many EEG technologies are vulnerable to common network and application attacks.
INSIGHTS | August 8, 2012

Impressions from Black Hat, Defcon, BSidesLV and IOAsis

A week has passed since the Las Vegas craziness and we’ve had some time to write down our impressions about the Black Hat, Defcon and BSidesLV conferences as well as our own IOAsis event.

It was great for me to meet lots of people—some of whom I only see once a year in Las Vegas. I think this is one of the great things about these events: being able to talk for at least a couple of minutes with colleagues and friends you don’t see regularly (the Vegas craziness doesn’t allow long chats most of the time). I also got to meet people in person for the first time after working together and/or communicating just by email, Twitter, or chat. The IOActive team delivered a lot of successful talks that were well received by the public, which makes me proud of our great team and reflects well on our constant hard work.

By Fernando Arnaboldi
Fwknop at IOAsis:

The “Single Packet Authorization” term was first mentioned by MadHat at the BlackHat Briefings in July 2005; however, the first available implementation of SPA was the release of fwknop in May 2005 by Michael Rash. Basically, it grants access to a service upon receiving a particular packet.

We had the opportunity at the IOAsis to attend a fwknop presentation given by Michael Rash. The tool is currently capable of performing several useful things:

·         It allows you to hide a service on a “closed” port.
·         It lets you create a “ghost service” where a port switches for a short period of time to whatever service is requested within an SPA packet (e.g. SSHD)—and it doesn’t seem to be susceptible to replay attacks like a normal port knocking implementation would.
·         And the list goes on.
Hiding and obscuring the services available on external networks looks like an interesting first line of defense, and fwknop seems to be the leader in that field.
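
To make the replay point above concrete, here is a simplified Single Packet Authorization gate written for this post; it is an added illustration, not fwknop’s own code or wire format (fwknop also encrypts its payload and lays its fields out differently). The 58-byte packet layout, the pre-shared key, the 120-second freshness window and the sample ports are constructed assumptions.

```python
"""Simplified Single Packet Authorization (SPA) gate: an added illustration
of the idea described above, NOT fwknop's code or wire format (fwknop
encrypts its payload and lays its fields out differently).
Constructed datagram layout (58 bytes): 8-byte big-endian UNIX timestamp,
16-byte random nonce, 2-byte requested port, 32-byte HMAC-SHA256 tag."""
import hashlib
import hmac
import os
import struct

BODY_FMT = ">Q16sH"                   # timestamp, nonce, requested port
BODY_LEN = struct.calcsize(BODY_FMT)  # 26 bytes
PACKET_LEN = BODY_LEN + 32            # plus SHA-256 tag
KEY = b"constructed-demo-key-not-for-production"  # shared secret (constructed)
WINDOW = 120                          # accepted clock skew in seconds (assumption)


def build_spa_packet(key, port, now, nonce=None):
    """Client side: one authenticated datagram asking to expose `port`."""
    body = struct.pack(BODY_FMT, int(now), nonce or os.urandom(16), port)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGate:
    """Server side: decides whether a datagram may open a port."""

    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # sha256(packet) -> timestamp: the replay cache

    def check(self, packet, now):
        """Return (port, 'ok') or (None, reason); the MAC is verified
        before any field is parsed, so a forged body is never interpreted."""
        now = int(now)
        if len(packet) != PACKET_LEN:
            return None, "malformed"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad-hmac"
        ts, _nonce, port = struct.unpack(BODY_FMT, body)
        if abs(now - ts) > self.window:
            return None, "stale"
        # A sniffed knock sequence can be replayed; a sniffed SPA packet cannot.
        digest = hashlib.sha256(packet).digest()
        if digest in self.seen:
            return None, "replay"
        self.seen[digest] = ts
        # Forget entries older than the window; they would be stale anyway.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= self.window}
        return port, "ok"


def demo():
    """Run one gate through the cases that matter and return the verdicts."""
    gate = SpaGate(KEY)
    t0 = 1_700_000_000  # constructed 'current time'
    pkt = build_spa_packet(KEY, 22, now=t0)
    tampered = pkt[:24] + struct.pack(">H", 23) + pkt[26:]  # port edited, tag kept
    return [
        gate.check(pkt, now=t0),                                         # (22, 'ok')
        gate.check(pkt, now=t0 + 5),                                     # replay
        gate.check(tampered, now=t0),                                    # bad-hmac
        gate.check(build_spa_packet(KEY, 22, now=t0 - 600), now=t0),     # stale
        gate.check(build_spa_packet(b"wrong-key", 22, now=t0), now=t0),  # bad-hmac
    ]
```

The returned port is the "ghost service" the firewall would expose for a short time; everything else on the host stays closed.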
By Ian Amit @iiamit
BlackHat/BSides/Defcon Week: Finding My Peace
After finally recovering from a week (which felt like a month) in Vegas, I can safely say that I found my peace. Although it was one of the more hectic weeks I’ve had this year—and the most successful BlackHat/BSides/Defcon personally—I managed to find myself in a better place professionally, socially, and generally. How did this come about?
Although BlackHat has been wandering the past few years between what it used to be—a highly professional security conference—and what it started to become (for me at least)—a vendor dog-and-pony show—I thought the new format of tracks focused on different security elements made a difference in how attendees approached the topics. Additionally, the arsenal pods allowed more free-form presentations and discussions on new technologies and ideas while capitalizing on the hallway-track that conferences so famously miss out on.
My schedule really put me in a position to appreciate the entire spectrum of our amazing community: speaking at BlackHat first thing in the morning after the keynote, switching gears to volunteer for the security staff at BSidesLV, and then speaking at BSides. From the more polished feel of BlackHat to the relaxed atmosphere of BSides, from a stressful speaking slot to giving back to the community, it just made perfect sense…
Having a chance to get together with people I consider friends online and offline was another critical aspect of my week in Vegas. Although some of these meetings were ridiculously short, the energy, and the relationship boost they gave was invaluable. A critical part of being in information security is the ability to work with industry peers in ways that nurture critical thinking, innovation, and peer-support (and criticism). Being able to throw around research initiatives; explore new elements of the information security world; and talk about business, government, international relations, law, economics, physical security, and other crazy aspects that we all need to take into account is a must-have in an industry that has almost zero-tolerance for failure.
Wrapping it up with a massive Defcon attendance, talks, and of course the occasional party was the cherry on top. Although some nights felt more like work than play, you won’t hear me complaining because even though party hopping between 4–5 venues to catch up with everyone really took its toll physically, I got to see a beautiful sunrise over the desert.
Last but definitely not least, getting the chance to meet with co-workers from around the globe was a great experience made possible by working for a company large enough to have people in almost every time zone. So, being able to do that against the backdrop of an amazing Freakshow party (thanks again to Keith Myers and Infected Mushroom) just made all the talks about exploits, kernel space vulnerabilities, counter-intelligence, and social engineering that much more appropriate.
Until the next Vegas, stay safe!
INSIGHTS | July 19, 2012

IOActive Las Vegas 2012

That time of the year is quickly approaching and there will be nothing but great talks and enjoyment. As a leading security and research company, IOActive will be sharing a lot of our latest research at BlackHat USA 2012, BSidesLV 2012, and IOAsis. And, of course, we’ll also be offering some relaxation and party opportunities!

This year we are proud to have more talks accepted at BlackHat USA 2012 than any other company, an incredible showing that backs up our team’s hard work:
·         SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
·         EASY LOCAL WINDOWS KERNEL EXPLOITATION, by Cesar Cerrudo
·         THE LAST GASP OF THE INDUSTRIAL AIR-GAP, by Eireann Leverett
·         HERE BE BACKDOORS: A JOURNEY INTO THE SECRETS OF INDUSTRIAL FIRMWARE, by Ruben Santamarta
We will also be showing interesting tools at BlackHat Arsenal:
·         BURP EXTENSIBILITY SUITE by James Lester and Joseph Tartaro
…and we will be presenting at BSidesLV 2012, too:
·         SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
·         OCCUPY BURP SUITE: Informing the 99% What the 1% are Taking Advantage Of, by James Lester and Joseph Tartaro
But wait, that’s not all—at the same time as BlackHat and BSidesLV we will be running IOAsis, where VIPs can meet with our team and attend exclusive talks on our latest research.
Enough already? No, there’s still more. For the second year IOActive will be sponsoring BarCon, an exclusive, invitation-only event where the great hacking minds get together to talk about who knows what. And to drink. 
And last, but certainly not least, IOActive will present the fifth annual Defcon Freakshow, the freakiest party for celebrating Defcon 20!  More information is available on the Facebook page: http://www.facebook.com/events/409482889093061/
If you are not tired of reading yet, continue and find more information about our talks at BlackHat USA 2012 and BSidesLV 2012:

HERE BE BACKDOORS: A JOURNEY INTO THE SECRETS OF INDUSTRIAL FIRMWARE, by Ruben Santamarta
July 25, 2012. 5:00–6:00pm. BlackHat USA 2012

PLCs, smart meters, SCADA, Industrial Control Systems…nowadays all those terms are well known to the security industry. When critical infrastructure comes into play, all those systems and devices that control refineries, water treatment, or nuclear plants pose a significant attack vector.

For years, the isolation of that world provided the best ‘defense’ but things are changing and that scenario is no longer valid. Is it feasible to attack a power plant without ever visiting one? Is it possible to hack into a smart meter…without having that smart meter? Yes, it is. This talk discusses the approach followed to do so, mixing theory and practice.

This presentation pivots around the analysis of firmware through reverse engineering in order to discover additional scenarios such as backdoors, confidential documentation or software, and vulnerabilities. Everything explained will be based on real cases, unveiling curious ‘features’ found in industrial devices and disclosing some previously unknown details of an interesting case: a backdoor discovered in a family of smart meters.

We will navigate through the dark waters of Industrial Control Systems, where security by obscurity has ruled for years. Join us on this journey, here be backdoors…

THE LAST GASP OF THE INDUSTRIAL AIR-GAP, by Eireann Leverett
July 25, 2012. 2:15–3:15pm. BlackHat USA 2012

Industrial systems are widely believed to be air-gapped. At previous Black Hat conferences, people have demonstrated individual utility control systems directly connected to the internet. However, this is not an isolated incident of failure, but rather a disturbing trend. By visualizing results from SHODAN over a two-and-a-half-year period, we can see that there are thousands of exposed systems around the world. By using geo-location and matching vulnerability patterns to service banners, we can see their rough physical location and the number of standard vulnerabilities they are exposed to.

This allows us to look at statistics about the industrial system security posture of whole nations and regions. During this project, I worked with ICS-CERT and other CERT teams around the world to inform asset owners of their exposure. The project has reached out to 63 countries and sparked discussion of the convergence of many insecure protocols and devices toward the public internet.
The original dissertation can be found here:  /wp-content/uploads/2012/07/2011-Leverett-industrial.pdf

EASY LOCAL WINDOWS KERNEL EXPLOITATION, by Cesar Cerrudo
July 26, 2012. 5:00–6:00pm BlackHat USA 2012

For some common local kernel vulnerabilities there is no general, multi-version, reliable way to exploit them. While there have been interesting techniques published, they are neither simple nor do they work across different Windows versions most of the time. This presentation will show easy and reliable cross-platform techniques for exploiting some common local Windows kernel vulnerabilities. These new techniques even allow exploitation of vulnerabilities that have been considered difficult or almost impossible to exploit in the past.

SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
July 25, 2012. 10:15–11:15am. BlackHat USA 2012
July 25, 2012. 5:00–6:00 pm. BSidesLV 2012

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that’s hard. After the penetration testers (or worse, the red team) leaves, there’s usually a whole lot of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time—can you fix this so your security posture will actually be better the next time these guys come around?

This talk focuses mainly on what should be done, not what should be BOUGHT—you probably have most of what you need already in place and you just don’t know it yet.
The talk will show how to expand the spectrum of defenders from a reactive one to a proactive one, will discuss ways to perform intelligence gathering on your opponents, and will model how that can assist in focusing on an effective defense rather than a “best practice” one. Methodically, defensively, decisively. The red team can play ball cross-court, so should you!

BURP EXTENSIBILITY SUITE, by James Lester and Joseph Tartaro
July 25, 2012. 3:30–4:30 pm BlackHat USA 2012 – Arsenal

Whether it is several Class B subnets, a custom web application utilizing tokenization, or the integration of third-party detection/exploitation software, there comes a time when your go-to testing application is insufficient as is. With Burp Suite Extensibility you can push these requirements to the next level by building functionality that allows you to perform your required task while maintaining efficiency, value, and, most of all, detection/exploitation of the specified target. Several extensions along with a common extensibility framework will be on display to demonstrate its ability, adaptability, and ease of use while still meeting your testing requirements. Along with the demonstration, these extensions will be released to the public during the week of BlackHat to encourage further development and extensibility participation.

OCCUPY BURP SUITE: Informing the 99% What the 1% are Taking Advantage Of, by James Lester and Joseph Tartaro
July 26, 2012. 3:00–4:00 pm BSidesLV 2012

In this presentation, James Lester and Joseph Tartaro will focus on building demand, support, and an overall desire around the creation of Burp Suite extensions with the hope of bringing extensibility to the forefront of web application testing. Lester and Tartaro will introduce up to a dozen extensions they’ve created that utilize currently-accessible functionality within the extensibility suite. Along with the release of these extensions, a campaign will be presented to organize and develop an extension community that documents tool primers, lessons learned, and tips/tricks; and hosts extensions and tools catered to Burp. Something learned isn’t research until it’s shared—putting this statement into practice, the duo believes that BSides is the perfect environment to help collect data, convey interests, and share results.