RESEARCH | January 26, 2016

More than a simple game

By Daniel Correa & NullLifeTeam

EKOPARTY Conference 2015, one of the most important conferences in Latin America, took place in Buenos Aires three months ago. IOActive and EKOPARTY hosted the main security competition of about 800 teams which ran for 32 hours, the EKOPARTY CTF (Capture the Flag).

Teams from all around the globe demonstrated their skills in a variety of topics including web application security, reverse engineering, exploiting, and cryptography. It was a wonderful experience.

If you haven’t competed before, you may wonder: What are security competitions all about? Why are they essential for information security?

Competition, types, and resources

A security competition takes place in an environment where the contestants try to find a solution to specific problems through the systematic application of knowledge. Each problem (or challenge) is worth a different number of points. The number of points for each challenge is based on its level of difficulty and the time needed to reach the solution (or flag).

Security competitions help people to develop rare skills as it requires the use of lateral thinking and a low-level technical knowledge of many topics at once, this is a small list of some of their benefits:

Fun while learning.
Legally prepared environments ready to be hacked; you are authorized to test the problems.
Recognition and use of multiples paths to solve a problem.
Understanding of specialized attacks which are not usually detectable or exploitable by common tools.
Free participation, typically.
Good recruiting tool for information security companies.

You will find two types of competitions:

CTFs (Capture the Flag) are restricted by time:
1. Jeopardy: Problems are distributed in multiple categories which must be solved separately. The most common categories are programming, computer and network forensics, cryptography, reverse engineering, exploiting, web application security, and mobile security.
2. Attack – defense: Problems are distributed across vulnerable services which must be protected on the defended machine and exploited on remote machines. It is the kind of competition that provides mostly a vulnerable infrastructure.
Wargames are not restricted by time and may have the two subtypes above.

Two main resources can help you to get started:

Also, you can see solutions for many CTF problems in the following github repository:

CTFs github repository

EKOPARTY CTF 2015

We proposed thirty challenges across six categories:

Trivia problems: questions about EKOPARTY.
Web application security: multiple web application attacks.
Cryptography: classical and modern encryption.
Reversing: problems with the use of different technologies and architectures.
Exploiting: vulnerable binaries with known protections.
Miscellaneous: forensic and programming tasks.

To review the challenges, go to the EKOPARTY 2015 github repository.

Category	Task	Score	Description and references
Trivia	Trivia problems	~	Specific questions related to EKOPARTY
Web	Pass Chek	50	PHP strcmp unsafe comparison using an array Type Juggling
	Custom ACL	100	ACL bypass using external host
	Crazy JSON	300	Esoteric programming language with string encryption JSON esoteric programming language
	Rand DOOM	400	Insecure use of mt_rand, recover administrator token via seed leak PRNG seed leak PHP mt_rand seed cracker
	SVG Viewer	500	XXE injection with UTF-16 bypass and use of PHP strip_tags vulnerability to disclose source code XXE injection UTF-16 bypass PHP strip_tags bug
Crypto	SCYTCRYPTO	50	Scytale message decryption Scytale
	Weird Vigenere	100	Kasiski analysis over modified vigenere Beaufort cipher
	XOR Crypter	200	XOR shift message decryption Reversing shift XOR operation
	VBOX DIE	300	VBOX encrypted disk password recovery VirtualBox Disk Image Encryption password cracking
	Break the key	400	Use of CVE-2008-0166 to get the plaintext from an encrypted message CVE-2008-0166
Reversing	Patch me	50	MSIL code patching
	Counter	100	Dynamic analysis of a llvm obfuscated binary
	Malware	200	Break RSA key to send malicious code to the C&C server
	Dreaming	300	SH4 binary
	HOT	400	Blackberry Z10 application and exploitation of a SQL injection which was protected through a modified HMAC algorithm
	Backdoor OS	500	Custom kernel where you need to find the backdoor authentication key
Exploiting	Baby pwn	50	Buffer overflow with restricted input format
	Frequency	100	BSS buffer overflow with a directory traversal which leaks data from files through character frequencies
	OTaaS	200	ARM syscall override which leaks information if appropriate parameters are passed
	File Manager	300	Stack based buffer overflow produced by strncat while listing files inside a folder, need to bypass multiple protections such as ASLR, NX, PIE, and FULL RELRO
Miscellaneous	Olive	50	VNC client key event recovery VNC KeyEvent
	Press it	100	Scancodes recognition Key Scan Codes
	Onion	200	Use of CVE-2015-7665 to leak user’s IP CVE-2015-7665
	Poltergeist	300	AM frequencies generator using screen waves Tempest

Example of reversing problem – HOT 400 points

We provided competitors with a BlackBerry 10 binary with the following description:

Our Blackberry application can accurately show you the weather status of the city! may you be able to get something more?

The binary uses a SOAP-based web service to retrieve weather information from the selected city (either Buenos Aires or Mordor), so we need to reverse the binary and find out if we are able to retrieve more information.

First, let see how the binary is composed:

Great, the binary is not stripped and it seems to contain debug information, so we can use an ARM disassembler and see its behavior:

The main execution flow starts within the requestWeatherInformation method from WeatherService class, and city zipcode is its unique argument. It is converted from QString to QByteArray for further processing:

QByteArray key is filled with a loop, key[i] = i:

Then a message authentication code is calculated using the key and zipcode MAC(key, zipcode):

The binary is using a slightly modified version of HMAC-SHA1 as a message authentication code, and outer and inner padding are now 0x13 and 0x37 respectively (instead of 0x5c and 0x36):

Then a SOAP message is built using the following data:
- Host: ctfchallenges.ctf.site
- Port: 10000
- Action: http://ctfchallenges.ctf.site:1000/ekoweather/GetCityWeatherByZIP (no longer active)
- Argument 1: ZIP
- Argument 2: verification

You can see an HTTP request with a valid SOAP message for the web service:

And its response:

Now let’s take a look at the web service source code (which was not available to the contestant):

You can notice two important things:

Zip argument is vulnerable to SQL injection.
Description is always trimmed to 16 chars.

The contestant need to be able to reverse engineer the binary and then inject SQL sentences to retrieve information from the database using valid verification codes within the SOAP message.

The answer for this problem is stored as the description for the city FLAG, however it exceeds 16 chars, so the web service only shows the first 16 chars (an incomplete answer):

Request:

ZIP: -1 or 1=1– –
verification: biNa0y7ngymXd6kbGMmNhOYiNQM=

Response:

Success: true
ResponseText: City Found
Description: EKO{r3v_with_web

After getting the correct number of columns and the tables and columns used by the database, you need to identify the column used as the description:

Request:

ZIP: -1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14– –
verification: B2LDiOPSSCOCK0tJvidyyo1d1HI=

Response:

Success: true
ResponseText: City Found
Description: 7

At last, an injection to get the other half of the flag could be as follows:

Request:

ZIP: -1 union select 1,2,3,4,5,6,substr(description,16),8,9,10,11,12,13,14 from data where zipcode != 1010 and zipcode != 1337– –
verification: r7WuMbNcbvncnJc8HwKnqM4q9kA=

Response:

Success: true
ResponseText: City Found
Description: b_is_the_best!}

The final answer for this problem was: EKO{r3v_with_web_is_the_best!}. It was solved by one team. Amazing job, More Smoked Leet Chicken team!

Some numbers

From the summary below of solves and failed attempts per each problem, we can infer three things:

Trivia challenges often involves guessing; failed attempts are higher on trivia problems.
The most difficult problems contain fewer failed attempts, and the number of solves are somehow proportional to failed attempts.
In this CTF, reversing and exploiting were the most difficult problems.

We also have some results from the competition:

Scoreboard

After 32 hard hours, we had the winners:

More Smoked Leet Chicken, from Russia, who led during the competition!
!SpamAndHex, from Hungary.
samurai, from United States.
Shellphish, from United States.
SecuritySignal, local winner from Argentina.

As you have seen, CTFs are more than a simple game. From the point of view of the organizer, they involve a lot of planning and monitoring, and from the point of view of the contestant they involve a lot of applied knowledge and fun. CTFs are getting harder and harder. Do not miss the chance to learn from them!

We hope you have enjoyed this and we hope to see you next year at EKOPARTY CTF 2016!

RESEARCH | July 2, 2015

Hacking Wireless Ghosts Vulnerable For Years

By Lucas Apa

Is the risk associated to a Remote Code Execution vulnerability in an industrial plant the same when it affects the human life? When calculating risk, certain variables and metrics are combined into equations that are rendered as static numbers, so that risk remediation efforts can be prioritized. But such calculations sometimes ignore the environmental metrics and rely exclusively on exploitability and impact. The practice of scoring vulnerabilities without auditing the potential for collateral damage could underestimate a cyber attack that affects human safety in an industrial plant and leads to catastrophic damage or loss. These deceiving scores are always attractive for attackers since lower-priority security issues are less likely to be resolved on time with a quality remediation.

In the last few years, the world has witnessed advanced cyber attacks against industrial components using complex and expensive malware engineering. Today the lack of entry points for hacking an isolated process inside an industrial plant mean that attacks require a combination of zero-day vulnerabilities and more money.

Two years ago, Carlos Mario Penagos (@binarymantis) and I (Lucas Apa) realized that the most valuable entry point for an attacker is in the air. Radio frequencies leak out of a plant’s perimeter through the high-power antennas that interconnect field devices. Communicating with the target devices from a distance is priceless because it allows an attack to be totally untraceable and frequently unstoppable.

In August 2013 at Black Hat Briefings, we reported multiple vulnerabilities in the industrial wireless products of three vendors and presented our findings. We censored vendor names from our paper to protect the customers who use these products, primarily nuclear, oil and gas, refining, petro-chemical, utility, and wastewater companies mostly based in North America, Latin America, India, and the Middle East (Bahrain, Kuwait, Oman, Qatar, Saudi Arabia, and UAE). These companies have trusted expensive but vulnerable wireless sensors to bridge the gap between the physical and digital worlds.

First, we decided to target wireless transmitters (sensors). These sensors gather the physical, real-world values used to monitor conditions, including liquid level, pressure, flow, and temperature. These values are precise enough to be trusted by all of the industrial hardware and machinery in the field. Crucial decisions are based on these numbers. We also targeted wireless gateways, which collect this information and communicate it to the backbone SCADA systems (RTU/EFM/PLC/HMI).

In June 2013, we reported eight different vulnerabilities to the ICS-CERT (Department of Homeland Security). Three months later, one of the vendors, ProSoft Technology released a patch to mitigate a single vulnerability.

After a patient year, IOActive Labs in 2014 released an advisory titled “OleumTech Wireless Sensor Network Vulnerabilities” describing four vulnerabilities that could lead to process compromise, public damage, and employee safety, potentially leading to the loss of life.

Figure 1: OleumTech Transmitters infield

The following OleumTech Products are affected:

All OleumTech Wireless Gateways: WIO DH2 and Base Unit (RFv1 Protocol)
All OleumTech Transmitters and Wireless Modules (RFv1 Protocol)
BreeZ v4.3.1.166

An untrusted user or group within a 40-mile range could inject false values on the wireless gateways in order to modify measurements used to make critical decisions. In the following video demonstration, an attacker makes a chemical react and explode by targeting a wireless transmitter that monitors the process temperature. This was possible because a proper failsafe mechanism had not been implemented and physical controls failed. Heavy machinery makes crucial decisions based on the false readings; this could give the attacker control over part of the process.

Figure 2: OleumTech DH2 used as the primary Wireless Gateway to collect wireless end node data.

Video: Attack launched using a 40 USD RF transceiver and antenna

Industrial embedded systems’ vulnerabilities that can be exploited remotely without needing any internal access are inherently appealing for terrorists.

Mounting a destructive, real-world attack in these conditions is possible. These products are in commercial use in industrial plants all over the world. As if causing unexpected chemical reactions is not enough, exploiting a remote, wireless memory corruption vulnerability could shut down the sensor network of an entire facility for an undetermined period of time.

In May 2015, two years from the initial private vulnerability disclosure, OleumTech created an updated RF protocol version (RFv2) that seems to allow users to encrypt their wireless traffic with AES256. Firmware for all products was updated to support this new feature.

Still, are OleumTech customers aware of how the new AES Encryption key is generated? Which encryption key is the network using?

Figure 3: Picture from OleumTech BreeZ 5 – Default Values (AES Encryption)

Since every hardware device should be unmounted from the field location for a manual update, what is the cost?

IOActive Labs hasn’t tested these firmware updates. We hope that OleumTech’s technical team performed testing to ensure that the firmware is properly securing radio communications.

I am proud that IOActive has one of the largest professional teams of information security researchers who work with ICS-CERT (DHS) in the world. In addition to identifying critical vulnerabilities and threats for power system facilities, the IOActive team provides security testing directly for control system manufacturers and businesses that have industrial facilities – proactively detecting weaknesses and anticipating exploits in order to improve the safety and operational integrity of technologies.

Needless to say, the companies that rely on vulnerable devices could lose much more than millions of dollars if these vulnerabilities are exploited. These flaws have the potential for massive economic and sociological impact, as well as loss of human life. On the other hand, some attacks are undetectable so it is possible that some of these devices already have been exploited in the wild. We may never know. Fortunately, customers now have a stronger security model and I expect that they now are motivated enough to get involved and ask the vulnerable vendors these open questions.

INSIGHTS | October 2, 2012

Impressions from Ekoparty

By Francisco Amato

Another ekoparty took place in Buenos Aires, Argentina, and for a whole week, Latin America had the chance to meet and get in touch with the best researchers in this side of the world.

A record-breaking number of 150 entries were received and analysed by the excellent academic committee formed by Cesar Cerrudo, Nico Waisman, Sebastian Muñiz, Gerardo Richarte, Juliano Rizzo.

There were more than 1500 people who enjoyed of 20 talks without any interruption, except when the Mariachis played.

Following last year’s ideas, when ekoparty became the last bastion of resistance to rebellion against machines, this resistance had to move out of the earth to fight the battle of knowledge sharing in another world.

IOActive again accompanied us with all their research team with an excellent stand that included a bartender and a bar throughout the event. IOActive went for more and also sponsored the VIP dinner to honor all exhibitors, organizers and sponsors, who accepted the challenge: Argentine asado vs. Tacos, prepared by their own research team. It was a head-to-head contest, but the advantage was that the meat was from Argentina 🙂

We would like to thank all the researchers, participants, sponsors that contribute to ekoparty’s growth! See you back next year to find out how this story goes on!

By Jennifer Steffens @securesun

For those who know me, I’m no stranger to the world of conferences and have attended both big and small cons around the world. I love experiencing the different communities and learning how different cultures impact the world of security as a whole. I recently had the pleasure of attending my second Ekoparty in Buenos Aires with IOActive’s Latin American team and it was again one of my all time favorites.

To put it simply, I am blown away by both the conference and the community. Francisco, Federico and crew do an amazing job from start to finish. The content is fresh and innovative. They offer all the great side acts that con attendees have grown to love – CTF, lock picking stations, giant robots with lasers, a computer museum as well as the beloved old school Mario Brothers game. Even the dreaded vendor area is vibrant and full of great conversations – as well as a bit of booze thanks to both our bar service and Immunity’s very tasty beer!

But the real heart of Ekoparty is the community. The respect and openness that everyone brings to the experience is refreshing and gives the conference a very “family-like” feel – even with 1500 people. I met so many interesting people and spent each day engaged in inspiring conversations about the industry, the culture and of course, how to be a vegetarian in Argentina (not easy AT ALL!).

A special thanks to Federico and Francisco for the invitation and generous VIP treatment throughout the week. It was a great opportunity for us to bring IOActive’s Latin American team together, which now includes 12 researchers from Argentina, Brazil, Colombia and Mexico; as well as meet potentially new “piratas” in the making. I am amazed every day at what that team is able to accomplish and am already looking forward to Ekoparty 2013 with an even bigger team of IOActive “piratas” joining us.

¡Gracias a los organizadores, speakers y asistentes de la Ekoparty 2012. La semana fue fantástica y espero verlos el año que viene!

By Cesar Cerrudo @cesarcer

This was my 5^th time presenting in Ekoparty (I just missed one Ekoparty when my son was born 🙂), Ekoparty is one of my favorites conferences, I feel like a part of it, it’s on my own country which makes it special for me. It’s nice to get together with all the great Argentinean hackers, which by the way are very good and many, and with a lot of friends and colleagues from around the world. During all these years I have seen the growth in quality and quantity, I can say that this conference is currently at the same level that the big and most known ones and every year gets better.

This year I had the honor to give the aperture keynote “Cyberwar para todos” where I presented my thoughts and views on the global Cyberwar scenario and encourage people to research the topic and get their own thoughts and conclusions.

We sponsored a VIP dinner where speakers, sponsors and friends enjoyed a great night with some long awaited Mexican tacos! Also we had a nice booth with free coffee service in the morning and open bar after noon, I don’t think it’s necessary to stress that it was a very, very popular booth 🙂

The talks were great and there was lot of research presented for the first time at Ekoparty, just take a look at recent news and you will see that this is not just “another“ conference. Last time I remember a security/hacking conference got so many related news was Black Hat/Defcon. We could say Ekoparty is becoming one of the most important world security/hacking conferences.

By Stephan Chenette @StephanChenette

OK I’ll try my best to follow Cesar, this years keynote speaker, Francisco, one of the founders of EkoParty and Jennifer our CEO in giving an impression of the EkoParty conference. If you haven’t been to EkoParty, stop what you’re doing right now, check out the web site (http://ekoparty.org) and set yourself a reminder to buy a plane ticket and a entry ticket for next year – because this is a con worth attending. If nothing else you’ll learn or confirm what you had thought for years: that the Latin American hacker community is awesome and you should be paying attention to their research if you haven’t been already.

Three days long, EkoParty is compromised of a CTF, Lock picking area, training, and 20 interesting talks on research and security findings. The venue is something you’d expect from CCC or PH-Neutral: An Industrial, bare-bones building loaded up with ping pong tables and massive computing power with no shortness of smoke machines, lights and crazy gadgets on stage…oh and as you read above in Francisco’s summary, a Mariachi band (hey, it is Argentina!).

The building reminded me of the the elaborate Farady cage Gene Hackman had set up in the movie Enemy of the State that was used to hide from the CIA. Except Eko Party was filled with around 1500 attendees and organizers.

IOActive sponsored a a booth and tried their best to provide the attendees with as much quality alcohol as possible =]

Our booth is where I spent most of my time when not seeing talks, so that I could hang out with IOActive’s Latin American team members originating from Mexico, Brazil, Colombia and Argentina.

I saw a number of talks while at EkoParty, but I’m sure most of you will agree the three most noteworthy talks were:

- CRIME (Juliano Rizzo and Thai Doung)

- Cryptographic Flaws in Oracle Database Authentication Protocol (Esteban Fayo)

- Dirty use of USSD Codes in Cellular Network (Ravi Borgaonkar)

I won’t go into details on the above talks, as more information is now available online about them.

I was lucky enough to be accepted as as speaker this year and talk on research focused around defeating network and file-system detection. My past development experience is on detection of threats, but as I stated in my presentation: You must think offensively when creating defensive technology and make no mistake of overselling it’s limitations – a problem most salespeople at security companies have these days.

I spent about 75% of my time reviewing various content detection technologies from the last 20 years and explaining each one of their limitations. I then talked about the use of machine learning and natural language processing for both exploit and malware detection as well as attribution.

Machine learning like any technology used in defense, has it’s limitations and I tried to explain my point of view and importance of not only having a layered defense, but having a well thought out layered defense that makes sense for your organization.

As I stated in my presentation, attackers have several stages they typically go through to pull off a full attack and successfully ex-filtration data:

- Recon (Intelligence gathering)

- Penetration (exploitation of defenses)

- Control (staging a persistent mechanism within the network)

- Internal Recon

- Ex-filtration of data

In my presentation I looked at the reality in offensive techniques against detection technologies: Attackers are going to stay just enough ahead of the defense curve to avoid detection.

(Stephan Chenette’s presentation on
“the Future of Automated Malware Generation”)

For example with Gauss and Zeus we’ve seen dlls being encrypted with a key only found on the targeted machine and downloaded binaries encrypted with information from the infected host – FYI – encrypting binaries with target information basically kills the possibility of any behavior sandbox from being able to run the binary outside of it’s intended environment.

So maybe attackers of the future will only make incremental improvements to thwart detection OR maybe we’ll start seeing anti-clustering and anti-classifications added to the attacker’s arsenal as machine learning is added as another layer of defense – The future is of course unknown – but I do have my suspicions.

In my concluding slides I stressed that there is much improvement that can be made on the side of detecting the threat before it happens as well as making sure that a defensive strategy should be layered in a manor that focuses on making the attacker spend, time, resources and different skill levels at each layer, hopefully comprising enough of his or herself in the process and giving the targeted organization enough time to mitigate the threat if not halt the attack all together.

This was by far the largest crowd I’ve ever spoken in front of and goes down as one of the best conferences I’ve attended. Thanks again EkoParty committee for inviting me to present, I’ll try my best to be back next year!!

By Ariel Sanchez

We had the opportunity at the Ekoparty to attend presentations which a show high level of innovation and creativity.

Here are some personal highlights:

*The CRIME Attack presentation by Juliano Rizzo and Thai Doung

*Trace Surfing presentation by Agustin Gianni

*Cryptographic flaws in Oracle Database authentication protocol presentation by Esteban Fayo

I can’t wait to see what is coming in the next ekoparty!

By Tiago Assumpcao @coconuthaxor

If my memory is accurate, this was my fourth EkoParty. From the first time to now, the numbers related to the conference have grown beyond my imagination. On the other hand, EkoParty remains the same on another aspect: it has the energetic blood of Latin American hackers. Too many of them, actually. Buenos Aires has a magical history of popping up talents like nowhere else. And the impressive numbers and quality of EkoParty, today, definitely have to do with that magic.

There were many great talks, on a wide range of topics. I will summarize the ones I mostly appreciated, being forced to leave aside the ones I didn’t have the chance to catch.

Cyberwar para todos, I’ve seen people complaining about this topic, either because it’s political (rather than technical), or because “it’s been too stressed” already. In my opinion, one can’t ignore how the big empires think of information security. Specifically, here is what I liked about this talk: the topic might have been stressed in North America, but the notion of cyberwar, per Gen. Keith Alexander’s vision, is still unknown to most in South America. A few years ago, the Brazilian CDCiber (Cyber Defense Centre) was created and, despite effort coming directly from the President, the local authorities are still very naïve, to say least, if compared to their rich cousins. Cesar raises questions about that.

Satellite baseband mods: Taking control of the InmarSat GMR-2 phone terminal, this was probably my favorite talk. They showed how a user can easily modify satellite phones at will, poking data that comes in and out of the device. Furthermore, the presenters showed how communication technologies very similar to GSM, when applied over a different medium, can open whole new vectors of potential attacks. Finally, Sebastian “Topo” Muniz is one of the most hilarious speakers in the infosec industry.

Trace Surfing, this is one of those rare talks that resolve hard problems with very simple solutions. Agustín showed how one can retrieve high-level information about the Windows heap, during the course of an execution trace, simply by tracking ABI specifics at call-sites of choice. The simplicity of his solution also makes it really fast. Great work!

PIN para todos (y todas), basically Pablo Sole created an interface that allows one to write Pin-based tools to instrument JavaScript. I heard it’s impressively fast.

What I really wanted to have seen, but couldn’t…

OPSEC: Because Jail is for wuftpd, unfortunately, they had Grugq speaking at 9am. I can’t digest humour so early and will have to ask him for a secondhand presentation.

Literacy for Integrated Circuit Reverse Engineering, very sadly, I didn’t catch Alex’s presentation. But if you are into reverse engineering modern devices, I would recommend it with both my eyes closed, nonetheless.

By Lucas Apa @lucasapa

What begun publicly as an e-zine in the early century now arises as the most important latin american security conference “ekoparty”. All the latin american team landed Buenos Aires to spend an amazing week.
My “ekoparty week” started on monday where I got invited to attend a “Malware Analysis Training” by ESET after solving a challenge of “binary unpacking” posted on their blog. First, two intensive days were held with paid trainings which covered the following topics: cracking, exploiting, sap security, penetration testing, web security, digital forensics and threats defense. Every classroom was almost fully booked.

The conference started on Wednesday in “Konex Cultural Center”, one of the most famous cultural centers especially for music and events. The building used to be an oil factory some decades ago.
On Wednesday, our CTO Cesar Cerrudo, was the main keynote of the day.
Many workshops were open for any conference assistant for the rest of the day.
At night we enjoyed a classic “Mexican Grill” at IOActive’s party where VIP guests were invited. The meal was brought you by Alejandro Hernández and Diego Madero, our Mexican Security Consultants.
On Thursday and Friday were the most awaited days since the presentations were going to start.

My favorite talks were:

*Taking control of the InmarSat GMR-2 phone terminal (Sebastian Muñiz and Alfredo Ortega): Without modifying the firmware image, researchers managed to send AT commands to the phone terminal to write arbitrary memory. They copied binary instrumentation code for logging and hooking what really sends the phone on common actions like sending SMS. Then, they wrote the “data” section for redirecting the flow at some point and discovered that messages sent to the satellite “might” be vulnerable to
“memory corruption” if they are preprocessed by the satellite before retransmision. No satellites were harmed.

*VGA Persistent Rootkit (Nicolás Economou and Diego Juarez): Showed a new combo of techniques for modifing reliably the firmware of a VGA card to execute code or add new malicious basic blocks.

*The Crime (Juliano Rizzo and Thai Duong): The most awaited talk revealed a new chosen plaintext attack where compression allowed to recognize which secuences of bytes were already on the TLS data. The attack works like BEAST, with two requirements: capture encrypted victim’s traffic and control his browser by using a web vulnerability (or MITM on an HTTP service). When forcing the browser to issuing some specific words on the HTTP resource location, they figured that if that portion of the random string is already on the cookie the TLS data gets more compressed. This allows to bruteforce to identify the piggybacked cookie that is automatically added to the request.

*The Future of Automated Malware Generation (Stephan Chenette): Our Director of R&D showed how different AV’s performs approaches for detecting malware mostly failing. It is difficult to defend ourselves in something we dont know but we must remember that attackers are also having fun with Machine Learning too !

*Cryptographic flaws in Oracle DB auth protocol (Esteban Fayó): When authenticating a user, Oracle uses the hashed password (on the database) as the key for encrypting the server session (random). The user hashes its password and then tries to decrypt the encrypted session that the server returned. The problem is that is possible to recognize if this decryption returns an invalid padding so the initial password can be tried offline. This allows to bruteforce the process of decrypting locally till a valid padding occurs (sometimes it colides with a valid padding but it’s not actually the password). This vulnerability was
reported to Oracle 2 years ago but no patch was provided by them till then.

By Alejandro Hernández @nitr0usmx

After a 10 hours delayed flight, finally I landed to Buenos Aires. As soon as I could, I went straight to the VIP party to meet with the IOActive team and to prepare some mexican tacos and quesadillas (made by Diego Bauche @dexosexo).

The next day, Thursday, I had the chance to be at the Stephan Chanette’s talk (@StephanChenette), which was a really interesting presentation about automated malware generation and future expectations. His presentation had a good structure because he started with the current state of malware generation/defense and later he explained the future of malware generation/defense passing through the actual malware trends. The same day, I enjoyed the Esteban Fayo’s talk (@estemf) because he showed a live demo on how to crack an Oracle password taking advantage of some flaws in the Oracle authentication protocol.

The venue, KONEX, the same as the last year, was really cool, there were vendors booths, old computers, video games (where I spent like two hours playing Super Mario Bros) as well as a cocktail bar, obviously the IOActive booth ;).

In conclusion, I really had a great time with my fellow workers, drinking red wine and argentine asado, besides amazing conferences.

Definitely, I hope to be there the next year.