Briefings

white paper presentation source video

Keynotes

Presented by Gen. Alexander

Presented by Brian Muirhead

Briefings

A Practical Attack against MDM Solutions Spyphones are surveillance tools surreptitiously planted on a users handheld device. While malicious mobile applications mainly phone fraud applications distributed through common application channels - target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings. How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption.





A Tale of One Software Bypass of Windows 8 Secure Boot Windows 8 Secure Boot based on UEFI 2.3.1 Secure Boot is an important step towards securing platforms from malware compromising boot sequence before the OS. However, there are certain mistakes platform vendors shouldn't make which can completely undermine protections offered by Secure Boot. We will demonstrate an example of full software bypass of Windows 8 Secure Boot due to such mistakes on some of the latest platforms and explain how those mistakes can be avoided.





Above My Pay Grade: Cyber Response at the National Level Incident response is usually a deeply technical forensic investigation and mitigation for an individual organization. But for incidents that are not merely cyber crime but truly national security events, such as large-scale disruptive attacks that could be acts of war by another nation, the process is completely dissimilar, needing a different kind of thinking. This talk will discuss exactly how, detailing the flow of national security incident response in the United States using the scenario of a major attack on the finance sector. The response starts at individual banks and exchanges, through the public-private sector information sharing processes (like FS-ISAC). Treasury handles the financial side of the crisis while DHS tackles the technical. If needed, the incident can be escalated to the military and president especially if the incident becomes especially disruptive or destructive. The talk examines this flow and the actions and decisions within the national security apparatus, concluding with the pros and cons of this approach and comparing it to the process in other key countries.





Presented by Jason Healey

Android: one root to own them all This presentation is a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013. The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control. The vulnerability affects a wide number of Android devices, across generations & architectures, with little to no modifications of the exploit. The presentation will review how the vulnerability was located, how an exploit was created, and why the exploit works, giving you insight into the vulnerability problem and the exploitation process. Working PoCs for major Android device vendors will be made available to coincide with the presentation.





Presented by Jeff Forristal

BinaryPig - Scalable Malware Analytics in Hadoop Over the past 2.5 years Endgame received 20M samples of malware equating to roughly 9.5 TB of binary data. In this, we’re not alone. McAfee reports that it currently receives roughly 100,000 malware samples per day and received roughly 10M samples in the last quarter of 2012 [1]. Its total corpus is estimated to be about 100M samples. VirusTotal receives between 300k and 600k unique files per day, and of those roughly one-third to half are positively identified as malware [2]. This huge volume of malware offers both challenges and opportunities for security research especially applied machine learning. Endgame performs static analysis on malware in order to extract feature sets used for performing large-scale machine learning. Since malware research has traditionally been the domain of reverse engineers, most existing malware analysis tools were designed to process single binaries or multiple binaries on a single computer and are unprepared to confront terabytes of malware simultaneously. There is no easy way for security researchers to apply static analysis techniques at scale; companies and individuals that want to pursue this path are forced to create their own solutions. Our early attempts to process this data did not scale well with the increasing flood of samples. As the size of our malware collection increased, the system became unwieldy and hard to manage, especially in the face of hardware failures. Over the past two years we refined this system into a dedicated framework based on Hadoop so that our large-scale studies are easier to perform and are more repeatable over an expanding dataset. To address this problem, we will present our open framework, BinaryPig, as well as some example uses of this technology to perform a multiyear, multi-terabyte, multimillion-sample malware census. This framework is built over Apache Hadoop, Apache Pig, and Python. It addresses many issues of scalable malware processing, including dealing with increasingly large data sizes, improving workflow development speed, and enabling parallel processing of binary files with most pre-existing tools. It is also modular and extensible, in the hope that it will aid security researchers and academics in handling ever-larger amounts of malware. In addition, we will demonstrate the results of our exploration and the techniques used to derive these results. The framework, analysis modules, and some example applications will be released as open source (Apache 2.0 License) at Blackhat. http://www.darkreading.com/identityandaccessmanagement/167901114/security/attacksbrea ches/240006702/mcafeecloseto100knewmalwaresamplesperdayinq2.html https://www.virustotal.com/en/statistics/ as of 4/9/2013





BIOS Security In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement. We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.





Black-Box Assessment of Pseudorandom Algorithms Last year at Black Hat, Argyros and Kiayias devastated all things pseudorandom in open-source PHP applications. This year, we're bringing PRNG attacks to the masses. We'll point out flaws in many of the most common non-cryptographic pseudorandom number generators (PRNGs) and examine how to identify a PRNG based on a black-box analysis of application output. In many cases, most or all of the PRNG's internal state can be recovered, enabling determination of past output and prediction of future output. We'll present algorithms that run many orders of magnitude faster than a brute-force search, including reversing and seeking the PRNG stream in constant time. Finally, of course, we'll demonstrate everything and give away our tool so that you can perform the attacks during your own assessments.





BlackBerryOS 10 from a security perspective BlackBerry prides itself with being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn't exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform. This talk will present an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, we'll show ways for rootkits to persist on the device. Last but not least we will settle whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?

Presented by Ralf-Philipp Weinmann

Bluetooth Smart: The Good, The Bad, The Ugly, and The Fix! Bluetooth Smart, AKA Bluetooth Low Energy (BTLE), is a new modulation mode and link-layer packet format defined in Bluetooth 4.0. A new class of low-power devices and high-end smartphones are already on the market using this protocol. Applications include everything from fitness devices to wireless door locks. The Good: Bluetooth Smart is well-designed and good at what it does. We explain its workings from the PHY layer (raw RF) all the way to the application layer. The Bad: Bluetooth Smart's key exchange is weak. We will perform a live demonstration of sniffing and recovering encryption keys using open source tools we developed. The Ugly: A passive eavesdropper can decrypt all communications with a sniffed encryption key using our tools. The Fix: We implement Elliptic Curve Diffie-Hellman to exchange a key in-band. This backward-compatible fix renders the protocol secure against passive eavesdroppers.





Presented by Mike Ryan

Bochspwn: Identifying 0-days via System-wide Memory Access Pattern Analysis Throughout the last two decades, the field of automated vulnerability discovery has evolved into the advanced state we have today: effective dynamic analysis is achieved with a plethora of complex, privately developed fuzzers dedicated to specific products, file formats or protocols, with source code and binary-level static analysis slowly catching up, yet already proving useful in specific scenarios. Due to market demand and general ease of access, the efforts have been primarily focused around client software, effectively limiting kernel code coverage to a few generic syscall and IOCTL fuzzers. Considering the current impact of ring-0 security on the overall system security posture and number of kernel-specific bug classes, we would like to propose a novel, dynamic approach to locating subtle kernel security flaws that would likely otherwise remain unnoticed for years. The presentation will introduce the concept of identifying vulnerabilities in operating systems’ kernels by employing dynamic CPU-level instrumentation over a live system session, on the example of using memory access patterns to extract information about potential race conditions in interacting with user-mode memory. We will discuss several different ways to implement the idea, with special emphasis on the “Bochspwn” project we developed last year and successfully used to discover around 50 local elevation of privilege vulnerabilities in the Windows kernel so far, with many of them already addressed in the ms13-016, ms13-017, ms13-031 and ms13-036 security bulletins. The tool itself will be open-sourced during the conference, thus allowing a wider audience to test and further develop the approach.





Bugalyze.com - Detecting Bugs Using Decompilation and Data Flow Analysis Bugwise is a free online web service at www.bugalyze.com to perform static analysis of binary executables to detect software bugs and vulnerabilities. It detects bugs using a combination of decompilation to recover high level information, and data flow analysis to discover issues such as use-after-frees and double frees. Bugwise has been developed over the past several years and is implemented as a series of modules in a greater system that performs other binary analysis tasks such as malware detection. This entire system consists of more than 100,000 lines of C++ code and a scalable load balanced multi-node Amazon EC2 cluster. In this talk, I will explain how Bugwise works. The system is still in the development stage but has successfully found a number of real bugs and vulnerabilities in Debian Linux. This includes double free, use-after-free, and over 50 getenv(,strcpy) bugs statically found from scanning the entire Debian repository.





Presented by Silvio Cesare

Buying into the Bias: Why Vulnerability Statistics Suck Academic researchers, journalists, security vendors, software vendors, and other enterprising... uh... enterprises often analyze vulnerability statistics using large repositories of vulnerability data, such as CVE, OSVDB, and others. These stats are claimed to demonstrate trends in disclosure, such as the number or type of vulnerabilities, or their relative severity. Worse, they are often (mis)used to compare competing products to assess which one offers the best security. Most of these statistical analyses are faulty or just pure hogwash. They use the easily-available, but drastically misunderstood data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged, that ultimately forms statistics that make headlines and, far worse, are used for budget and spending. As maintainers of two well-known vulnerability information repositories, we're sick of hearing about sloppy research after it's been released, and we're not going to take it any more. We will give concrete examples of the misuses and abuses of vulnerability statistics over the years, revealing which studies do it right (rather, the least wrong), and how to judge future claims so that you can make better decisions based on these "studies." We will cover all the kinds of documented and undocumented bias that can exist in a vulnerability data source; how variations in counting hurt comparative analyses; and all the ways that vulnerability information is observed, cataloged, and annotated. Steve will provide vendor-neutral, friendly, supportive suggestions to the industry. Jericho will do no such thing.





Combating the Insider Threat at the FBI: Real World Lessons Learned What do T.S. Eliot, Puxatony Phil, eugenics, DLP, crowdsourcing, black swans, and narcissism have in common? They are all key concepts for an effective insider threat program. Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade. The talk will provide insight on how our nation's premier law enforcement agency is detecting and deterring insider threat using a variety of techniques and technologies. This session will provide unique lessons learned from building a real world, operational insider threat monitoring and response program.





Presented by Patrick Reidy

Compromising Industrial Facilities From 40 Miles Away The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities in industries such as energy production, oil, gas, water, utilities, refining, and petrochemical distribution and processing. Effective wireless sensor networks have enabled these companies to reduce implementation, maintenance, and equipment costs and enhance personal safety by enabling new topologies for remote monitoring and administration in hazardous locations. However, the manner in which sensor networks handle and control cryptographic keys is very different from the way in which they are handled in traditional business networks. Sensor networks involve large numbers of sensor nodes with limited hardware capabilities, so the distribution and revocation of keys is not a trivial task. In this presentation, we review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. We also demonstrate some attacks that exploit key distribution vulnerabilities, which we recently discovered in every wireless device developed over the past few years by three leading industrial wireless automation solution providers. These devices are widely used by many energy, oil, water, nuclear, natural gas, and refined petroleum companies. An untrusted user or group within a 40-mile range could read from and inject data into these devices using radio frequency (RF) transceivers. A remotely and wirelessly exploitable memory corruption bug could disable all the sensor nodes and forever shut down an entire facility. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made can be modified. This can lead to unexpected, harmful, and dangerous consequences.





CreepyDOL: Cheap, Distributed Stalking Are you a person with a few hundred dollars and an insatiable curiosity about your neighbors, who is fed up with the hard work of tracking your target's every move in person? Good news! You, too, can learn the intimate secrets and continuous physical location of an entire city from the comfort of your desk! CreepyDOL is a distributed sensing and data mining system combining very-low-cost sensors, open-source software, and a focus on user experience to provide personnel identification, tracking, and analysis without sending any data to the targets. In other words, it takes you from hand-crafted, artisan skeeviness to big-box commodity creepiness, and enables government-level total awareness for about $500 of off-the-shelf hardware.





Presented by Brendan O'Connor

Defending Networks with Incomplete Information: A Machine Learning Approach Let's face it: we may win some battles, but we are losing the war pretty badly. Regardless of the advances in malware and targeted attacks detection technologies, our top security practitioners can only do so much in a 24-hour day; even less, if you let them eat and sleep. On the other hand, there is a severe shortage of capable people to do "simple" security monitoring effectively, let alone complex incident detection and response. Enter the use of Machine Learning as a way to automatically prioritize and classify potential events and attacks as something could potentially be blocked automatically, is clearly benign, or is really worth the time of your analyst. On this presentation we will present publicly for the first time an actual implementation of those concepts, in the form of a free-to-use web service. It leverages OSINT and knowledge about the spatial distribution of the Internet to generate a fluid and constantly updated classifier that pinpoints areas of interest on submitted network traffic logs.





Presented by Alexandre Pinto

Dissecting CSRF Attacks & Countermeasures Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulns with automated tools can be equally difficult to do accurately. The presentation starts with a demonstration of how to model attacks to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code to show how to detect these vulns with few false positives. Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar to the intent of Content Security Policy. This new policy introduces a concept called Storage Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit on current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improving security on the web.

End-to-End Analysis of a Domain Generating Algorithm Malware Family Select malware families have used Domain Generating Algorithms (DGAs) over the past few years in an effort to evade traditional domain blacklists, allow for fast-flux domain registration and usage, and evade analysts’ abilities to predict attackers’ control servers. While novel work has been done by both private industry and academia with respect to detecting DGA-related network traffic, this presentation demonstrates end-to-end analysis of a DGA malware family, from binary deobfuscation to DGA analysis, to sinkholing, to domain registrant research, to attribution of the malware’s author and accomplices. The malware family discussed in this presentation has thousands of active variants currently running on the Internet and has managed to stay off of the radar of all antivirus firms. This presentation will bring to light how this malware is tied to an underground campaign that has been active for at least the past six years.





Presented by Jason Geffner

Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus) Government requirements, new business cases, and consumer behavioral changes drive energy market players to improve the overall management of energy infrastructures. While the energy infrastructure is steadily maintained and improved, some significant changes have been introduced to the power grids of late. Actually, the significance of the changes could be compared to the early days of the Internet where computers started to become largely interconnected. Naturally, questions arise whether a grid composed of so many interacting components can still meet today's requirements for reliability, availability, and privacy. Nations absolutely recognize the criticality of the energy infrastructure for their economic and political stability. Therefore, various initiatives to ensure reliability and availability of their energy infrastructures are being driven at nation as well as at nation union levels. In order to contribute to the evaluation of national cyber security risks, the author decided to conduct a security analysis in the field of smart energy. Utilities have started to introduce new field device technology - smart meters. As the name implies, smart meters do support many more use cases than any old conventional electricity meter did. Not only does the new generation of meters support fine granular remote data reading, but it also facilitates remote load control or remote software updates. Hence, to build a secure advanced metering infrastructure (AMI), communication protocols must support bi-directional data transmission and protect meter data and control commands in transit. Therefore, analysis of smart metering protocols is of great interest. The work presented has analyzed the security of the Meter Bus (M-Bus) as specified within the relevant standards. The M-Bus is very popular in remote meter reading and has its roots in the heat metering industries. It has continuously been adopted to fit more complex applications during the past twenty years. According to a workshop note, an estimated 15 million devices were relying on the wireless version of M-Bus in 2010. It was analyzed whether smart meters using wireless M-Bus do fit the overall security and reliability needs of the grid or whether such devices might threaten the infrastructure. The M-Bus standard has been analyzed whether it provides effective security mechanisms. It can be stated that wireless M-Bus seems to be robust against deduction of consumption behaviour from the wireless network traffic. For this reason, it is considered privacy-preserving against network traffic analysis. Unfortunately, vulnerabilities have been identified that render that fact obsolete. The findings are mainly related to confidentiality, integrity, and authentication. Consequently, smart meters relying on wireless M-Bus and supporting remote disconnects are prone to become subject to an orchestrated remote disconnect which poses a severe risk to the grid. Further issues may lead to zero consumption detection, disclosure of consumption values, and disclosure of encryption keys. Following that, the availability and reliability of the smart grid or at least parts of it may not be guaranteed.





Presented by Cyrill Brunschwiler

Exploiting Network Surveillance Cameras Like a Hollywood Hacker This talk will examine 0-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities. Additionally, a proof-of-concept attack will be demonstrated in which a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.





Presented by Craig Heffner

Evading deep inspection for fun and shell Whether you have a Next Generation Firewall, an IPS, IDS, or a BDS, the security provided by these devices depends on their capability to perform robust TCP/IP reassembly. If this fails, the device can be bypassed. We researched the TCP/IP reassembly capabilities of security boxes and found that their detection can be evaded or pierced through with evasions that apply to the IP & TCP layers. The TCP reassembly capabilities of most security boxes are still poor. Instead of doing proper TCP reassembly, many of the analyzed boxes try to prevent attacks by anomaly detection, for example, by blocking small TCP segments. However, blocking small segments leads to false positives, so this kind of blocking strategy cannot be applied to real traffic without the false positive risk. We also found evasions that allowed the attack to succeed without any logs in the security box, even if all signatures were set to block.





The Factoring Dead: Preparing for the Cryptopocalypse The last several years has seen an explosion of practical exploitation of widespread cryptographic weaknesses, such as BEAST, CRIME, Lucky 13 and the RC4 bias vulnerabilities. The invention of these techniques requires a lot of hard work, deep knowledge and the ability to generate a pithy acronym, but rarely involves the use of a completely unknown weakness. Cryptography researchers have known about the existence of compression oracles, RC4 biases and problems with CBC mode for years, but the general information security community has been unaware of these dangers until fully working exploits were demonstrated. In this talk, the speakers will explain the latest breakthroughs in the academic crypto community and look ahead at what practical issues could arise for popular cryptosystems. Specifically, we will focus on the latest breakthroughs in discrete mathematics and their potential ability to undermine our trust in the most basic asymmetric primitives, including RSA. We will explain the basic theories behind RSA and the state-of-the-art in large numbering factoring, and how several recent papers may point the way to massive improvements in this area. The talk will then switch to the practical aspects of the doomsday scenario, and will answer the question "What happens the day after RSA is broken?" We will point out the many obvious and hidden uses of RSA and related algorithms and outline how software engineers and security teams can operate in a post-RSA world. We will also discuss the results of our survey of popular products and software, and point out the ways in which individuals can prepare for the zombi^H^H^H crypto apocalypse.





Fact and Fiction: Defending your Medical Devices In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this brought much needed attention to the issue, it has also uncovered a great deal of misinformation. This talk is going to tackle those confusing and controversial topics. What’s the reality of patching a medical device? Is it safe to run anti-virus protection on them? You’ll find out in this talk. This presentation will outline a framework on how vendors, buyers, and administrators of medical devices can bring substantive changes in the security of these devices. This talk will also have the unique element of discussing a medical device software bug that InGuardians uncovered. This bug will be discussed in detail and replicated live on stage. InGuardians has worked closely with the FDA on properly documenting and submitting this through their tracking system. This will be covered in full detail so other researchers will know how to properly disclose bugs and vulnerabilities.

Presented by Jay Radcliffe

Fully Arbitrary 802.3 Packet Injection: Maximizing the Ethernet Attack Surface It is generally assumed that crafting arbitrary, and sniffing, Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) have historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released. This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored. We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.





Funderbolt: Adventures in Thunderbolt DMA Attacks Intel's Thunderbolt allows for high-speed data transfers for a variety of peripherals including high-resolution high-bandwidth graphics displays, all using the same physical connection. This convenience comes at a bit of a cost: an external port into your computer's bus and possibly memory! Thunderbolt ports appear on high-end laptops like the MacBook Pro, but also increasingly on PC hardware, and on newer desktop and server motherboards. This proprietary technology is undocumented but problems with it could potentially undermine the privacy and security of users. This talk chronicles process of exploring these risks through a practical exercise in reverse engineering. Experience the tribulations with reversing Thunderbolt chips, understand the attack strategies for exploiting DMA and see the pitfalls one encounters along the way, while gaining a deeper understanding of the risks of this new feature.





Presented by Russ Sevinsky

Hacking like in the Movies: Visualizing Page Tables for Local Exploitation A shiny and sparkling way to break user-space ASLR, kernel ASLR and even find driver bugs! Understanding how a specific Operating System organizes its Page Tables allow you to find your own ASLR bypasses and even driver vulnerabilities. We will drop one 0day Android ASLR bypass as an example; you can then break all your other expensive toys yourself. Page Tables are the data structures that map between the virtual address space your programs see to the actual physical addresses identifying locations on your physical RAM chips. We will visualize these data structures for: Windows 8 on x86_64

Windows 8 RT on ARMv7

Linux 3.8 on x86_64

Linux 3.4 on ARMv7 alias Android 4.2

XNU on x86_64 alias OS X

XNU on ARMv7 alias iOS Besides showing pretty pictures, we will actually explain what they show and how to interpret commonalities and differences across the same kernel on different architectures. By comparing the page table state on the same architecture across different runs, we will identify static physical mappings created by drivers, which can be useful for DMA attacks (think FireWire or Thunderbolt forensics). Static virtual mappings are even more interesting and can be used for (K)ASLR bypasses. To make a final point, that this is not only nice to look at, we will show how we found a mitigated Android <= 4.0.x generic user-space ASLR bypass. For those interested in actually owning targets, we will show an Android 4.2.2 generic user-space ASLR bypass that also affects other latest Linux/ARM kernels.





Hacking, Surveilling, and Deceiving victims on Smart TV Smart TVs sold over 80,000,000 units around the world in 2012. This next generation "smart" platform is becoming more and more popular. On the other hand, we hardly see security research on Smart TVs. This presentation will cover vulnerabilities we've found on the platform. You can imagine that Smart TVs have almost the exact same attack vectors that PC and Smart Phones have. Also, Smart TVs have interesting new attack surface such as the remote controller. We'll talk about attack points for Smart TV platform and cover security bugs we discovered. This talk will mostly focus on what attackers can do on a hacked Smart TV. For example, expensive Smart TVs have many hardware devices like a Camera or Mic which, if remotely controlled, means bad guys can spy remotely without you knowing. Even more, it is possible to make Smart TVs monitor you 24/7 even though users turn off their TV, meaning #1984 could be done. In addition, we'll point out a difference of viewpoint on leaked information type among PC, Smart Phone and Smart TV. Lastly, we'll give demo of live remote surveillance cam, which is sent to attacker's server at this talk. This talk is an extended version of one, which I gave at CANSECWEST. It will demonstrate a spoofed news story on a hacked Smart TV and possibly TVshing (Smart TV edition of phishing.)





Presented by SeungJin 'Beist' Lee

Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications. The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide peristent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. Lastly, the talk will cover how remote NAND manipulation can brick devices beyond repair, from Smartphones to SCADA, and how this vulnerability cannot realistically be patched or fixed (Hint: your current tools probably don't work as well as you would like to believe).

Presented by Josh 'm0nk' Thomas

Home Invasion v2.0 - Attacking Network-Controlled Hardware A growing trend in electronics is to have them integrate with your home network in order to provide potentially useful features like automatic updates or to extend the usefulness of existing technologies such as door locks you can open and close from anywhere in the world. What this means for us as security professionals or even just as people living in a world of network-connected devices is that being compromised poses greater risk than before. Once upon a time, a compromise only meant your data was out of your control. Today, it can enable control over the physical world resulting in discomfort, covert audio/video surveillance, physical access or even personal harm. If your door lock or space heater are compromised, you're going to have a very bad day. This talk will discuss the potential risks posed by network-attached devices and even demonstrate new attacks against products on the market today.





Honey, I’m home!! - Hacking Z-Wave Home Automation Systems Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016. Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration. The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices. Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave , is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.

Hot Knives Through Butter: Bypassing Automated Analysis Systems Diamonds are girl’s best friend, prime numbers are mathematician’s best friend and automated analysis systems (AAS) are AV researcher’s best friend. Unfortunately, this fact is known by malware authors and hence techniques to evade automated analysis system are not only becoming an integral part of APT, but also many infamous malwares have resurrected and are using techniques to bypass the automated analysis system to stay under the radar. The infamous Khelios botnet was claimed to be dead in 2011 and got resurrected . To evade the automated analysis system one of the sample aka Trojan Nap found in 2013, was employing SleepEx() API with a 10 minutes time out. Since automated analysis systems are set to execute a sample within a given time frame ,which is in seconds, by employing an extended sleep call, it could prevent an AAS from capturing its behavior. The sample also made a call to the undocumented API NtDelayExecution() for performing an extended sleep calls. As per the report from Mandiant, infamous RAT Poison IVY has extensively been used in the targeted attacks and appeared to have been abandoned in 2008. Trojan UpClicker, reported in December 2012, a wrapper around Poison IVY, employs SetWindowsHookEX() API to hide its malicious activity. By sending 0EH as parameter to the function, the malicious code only gets activated when the left mouse button is clicked and released. Since in AAS there is no human interaction, the code remains dormant bypassing the AAS. PushDo, yet another infamous malware, checks the build number of windows OS. Once it has determined the build number of windows OS. It finds a pointer to PspCreateProcessNotify() API routine to deregister all the callbacks. Once the callbacks have been deregistered, the malware can create or delete processes, bypassing process monitoring module of AAS. Trojan Hastati was designed to wipe out all the hard drives of a computer in Korea. It used GetLocalTime() API to activate itself on March 20th 2013 at 2:00 P.M. If the sample is executed in an AAS before the 20th March 2013, it will not get executed and evades AAS. UpClicker, PushDo, Hastati, Nap are some of the resurrected advanced malware and/or APT which are using anti evasion techniques to evade detections from AAS. In first part of the presentation we provide an exhaustive list of techniques, API’s and the code segments from the APT and active malware, which are being used to bypass the AAS. We will also have live demonstration of some of the anti-analysis techniques, which have emerged in the recent past. In the next part of the presentation we provide an in-depth, technical analysis of the Automated Analysis System technologies available today focusing on computer security aspect. It will provide a comparison framework for different technologies that is consistent, measurable, and understandable by both IT administrators and security specialists. In addition we also explore each of the major commercially available automated analysis system flavors and evaluate their ability to stand against these evasions. We will present an architectural decomposition of automated analysis systems to highlight its advantages and limitations, and historical view on how fast Anti-AAS techniques have been evolved so rapidly recently. This will kick start the conversation on how new vectors that are likely to be used by sophisticated malware to actively target AAS in the future.





HOW CVSS is DOSsing YOUR PATCHING POLICY (and wasting your money) CVSS score is widely used as the standard-de-facto risk metric for vulnerabilities, to the point that the US Government itself encourages organizations in using it to prioritize vulnerability patching. We tackle this approach by testing the CVSS score in terms of its efficacy as a "risk score" and "prioritization metric." We test the CVSS against real attack data and as a result, we show that the overall picture is not satisfactory: the (lower-bound) over-investment by using CVSS to choose what vulnerabilities to patch can as high as 300% of an optimal one. We extend the analysis making sure to obtain statistically significant results. However, we present our results at a practical level, focusing on the question: "does it make sense for you to use CVSS to prioritize your vulnerabilities?"





How to Build a SpyPhone Learn how to build an Android SpyPhone service that can be injected into any application. The presentation will feature a live demonstration of how phones can be tracked and operated from a Web based command and control server and a demonstration of how to inject the SpyPhone service into any Android application. The presentation will also cover the APIs used to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected.





Presented by Kevin McNamee

How to Grow a TREE (Taint-enabled Reverse Engineering Environment) From CBASS (Cross-platform Binary Automated Symbolic-execution System) Binary analysis techniques from academic research have been introduced into the reverse engineering community as well as research labs that are equipped with lots of computing power. Some program analyses using these techniques have even begun to show up in hacker conferences. But significant limitations remain: No practical toolset delivers analyses of binary programs across multiple platforms (like x86, ARM, MIPS, PowerPC etc.);

No practical toolset scales to real-world large programs and automates all aspects of highly sophisticated tasks like vulnerability analysis and exploit generation;

No practical toolset runs on a typical engineer’s laptop or integrates seamlessly with any popular reverse engineering environment. Interested reverse engineers must switch back and forth between their familiar tool environment and some Dynamic Binary Instrumentation (DBI) environment (like PIN) or full system emulator (like QEMU). In this talk, we will present our solution to these limitations. We will explain the Cross-platform Binary Automated Symbolic-execution System (CBASS) that we developed and demonstrate one of its interactive applications: an IDA based Taint-enabled Reverse Engineering Environment (TREE). TREE can deliver program analysis techniques (taint analysis, dynamic slicing, symbolic execution and constraint solving) into the reverse engineer’s hands now. Binary analysis and its security applications have been extensively researched, mainly in the context of a single instruction set architecture (predominantly x86) and popular desktop operating systems (Linux or Windows). CBASS performs its binary analysis on a common Intermediate Representation (IR) rather than on the native Instruction Set Architecture (ISA) of any program. This thin layer allows our powerful analysis tools to work on cross-platform binary applications. While CBASS supports both automated and interactive security applications, TREE supports a subset of these capabilities but from with an IDA Pro plug-in. TREE provides useful interactive visualizations of the results of on-demand binary analysis. Symbolic execution and concolic execution (concrete-symbolic execution) are fundamental techniques used in binary analysis; but they are plagued by the exponential path explosion problem. Solving this problem requires vigorous path pruning algorithms and highly parallel computing infrastructure (like clouds). Neither of these is typically available to a reverse engineer. TREE solves this problem by helping the reverse engineer prioritize path execution through an interactive and intuitive visual representation of the results of on-demand analysis of what inputs and instruction sequences led to the crash site or other suspicious path, leverage path constraints and SMT solver to negate tainted branch condition for a new, unexplored path. The details of the taint analysis, dynamic slicing and path constraint solving mechanisms are transparent to reverse engineer. Utilizing the existing IDA Pro debugging infrastructure, TREE can automate trace generation from diversified target platforms, including kernel mode tracing for Windows. To our surprise, despite the fact that IDA Pro debugging API has been around for a long time, there has been no serious effort to automate trace collection for extensible binary analysis, particularly for kernel mode tracing. Our work has directly contributed to two bug fixes in the latest IDA Pro patches (IDA 6.4.130206). Our presentation will feature several case studies of using TREE to analyze real world vulnerabilities.





Hunting the Shadows: In Depth Analysis of Escalated APT Attacks APT attacks are a new emerging threat and have made headlines in recent years. However, we have yet to see full-scale assessment of targeted attack operations. Taiwan has been a long term target for these cyber-attacks due to its highly developed network infrastructure and sensitive political position. We had a unique chance to monitor, detect, investigate, and mitigate a large number of attacks on government and private sector companies. This presentation will introduce our results of a joint research between Xecure-Lab and Academia Sinica on targeted attack operations across the Taiwan Strait. We have developed a fully automated system, XecScan 2.0 (http://scan.xecure-lab.com) equipped with unique dynamic (sandbox) and static malicious software forensics technology to analyze nature and behavior of malicious binaries and document exploits. The system performs real-time APT classification and associates the analyzed content with existing knowledge base. In our experiments, the XecScan system has analyzed and successfully identified more than 12,000 APT emails, which include APT Malware and Document Exploits. With this presentation we will also analyze and group the samples from the recent Mandiant APT1(61398) Report and will compare the relationships between APT1 samples to the samples discovered in Taiwan and discuss the history behind APT1 Hacker activities. During this presentation we will release a free, publicly accessible portal to our collaborative APT classification platform and access to the XecScan 2.0 APIs.





I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free. This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user. The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked. During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks, and explain how we were able to clone a mobile device without physical access.

Implantable Medical Devices: Hacking Humans In 2006 approximately 350,000 pacemakers and 173,000 ICD's (Implantable Cardioverter Defibrillators) were implanted in the US alone. 2006 was an important year, as that's when the FDA began approving fully wireless based devices. Today there are well over 3 million pacemakers and over 1.7 million ICD's in use. This talk will focus on the security of wireless implantable medical devices. I will discuss how these devices operate and communicate and the security shortcomings of the current protocols. Our internal research software will be revealed that utilizes a common bedside transmitter to scan for, and interrogate individual medical implants. I will also discuss ideas manufacturers can implement to improve the security of these devices.

Presented by Barnaby Jack

Is that a government in your network or are you just happy to see me? Defense and military network operations center around the age-old game: establishing long-term footholds deep inside a network. In this talk, we will discuss specific techniques and tactics observed while providing defensive incident response services to organizations compromised by foreign intelligence and defense agencies. The discussion will also incorporate the release and open-sourcing of several private projects used to identify pass-the-hash/impersonation attacks, including: a set of network monitoring daemons known as breachbox, part of which was funded by DARPA's Cyber Fast Track program; and an open-source tool and blueprint to help trojanize your own network to monitor and detect adversarial activity.





Presented by Eric Fiterman

Java Every-Days: Exploiting Software Running on 3 Billion Devices Over the last three years, Oracle Java has become the exploit author's best friend, and why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program. We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component. Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.





Javascript Static Security Analysis made easy with JSPrime Today, more and more developers are switching to JavaScript as their first choice of language. The reason is simple JavaScript has now been started to be accepted as the mainstream programming for applications, be it on the web or on the mobile; be it on client-side, be it on the server side. JavaScript flexibility and its loose typing is friendly to developers to create rich applications at an unbelievable speed. Major advancements in the performance of JavaScript interpreters, in recent days, have almost eliminated the question of scalability and throughput from many organizations. So the point is JavaScript is now a really important and powerful language we have today and it's usage growing everyday. From client-side code in web applications it grew to server-side through Node.JS and it's now supported as proper language to write applications on major mobile operating system platforms like Windows 8 apps and the upcoming Firefox OS apps. But the problem is, many developers practice in-secure coding which leads to many clients side attacks, out of which DOM XSS is the most infamous. We tried to understand the root cause of this problem and figured out is that there are not enough practically usable tools that can solve real-world problems. Hence as our first attempt towards solving this problem, we want to talk about JSPrime: A javascript static analysis tool for the rest of us. It's a very light-weight and very easy to use point-and-click tool! The static analysis tool is based on the very popular Esprima ECMAScript parser by Aria Hidayat. I would like to highlight some of the interesting features of the tool below: JS Library Aware Source & Sinks

Most dynamic or static analyzers are developed to support native/pure JavaScript which actually is a problem for most developers since the introductions and wide-adoption for JavaScript frameworks/libraries like jQuery, YUI etc. Since these scanners are designed to support pure JavaScript, they fail at understanding the context of the development due to the usage of libraries and produce many false-positives and false-negatives. To solve this we have identified the dangerous user input sources and code execution sink functions for jQuery and YUI, for the initial release and we shall talk about how users can easily extend it for other frameworks.

Variable & Function Tracing

This feature is a part of our code flow analysis algorithm

Variable & Function Scope Aware analysis

This feature is a part of our code flow analysis algorithm

Known filter function aware

OOP & Protoype Compliant

Minimum False Positive alerts

Supports minified javascript

Blazing fast performance

Point and Click :-) (my personal favorite) Upcoming features: Automatic code de-obfuscation & decompression through Hybrid Analysis (Ra.2 improvisation; http://code.google.com/ra2-dom-xss-scanner)

ECMAScript family support (ActionScript 3, Node.JS, WinJS)





Just-In-Time Code Reuse: The more things change, the more they stay the same Fine-grained address space layout randomization (ASLR) has recently been proposed as a method of efficiently mitigating runtime attacks. In this presentation, we introduce the design and implementation of a framework based on a novel attack strategy, dubbed just-in-time code reuse, which both undermines the benefits of fine-grained ASLR and greatly enhances the ease of exploit development on today's platforms that combine standard ASLR and DEP (e.g. Windows 8). Specifically, we derail the assumptions embodied in fine-grained ASLR by exploiting the ability to repeatedly abuse a memory disclosure to map an application's memory layout on-the-fly, dynamically discover API functions and gadgets, and JIT-compile a target program using those gadgets-- all within a script environment at the time an exploit is launched. We demonstrate the power of our framework by using it in conjunction with a real-world exploit against Internet Explorer, show its effectiveness in Windows 8, and also provide extensive evaluations that demonstrate the practicality of just-in-time code reuse attacks. Our findings suggest that fine-grained ASLR may not be as promising as first thought.





Lawful Access Panel Protecting yourself, your network and your users when the FBI or NSA knocks: When you get a National Security Letter, no one can hear you scream. Being served with a search warrant for a criminal investigation can be scary enough, but national security investigations can be downright Kafkaesque. You probably won't be allowed to tell anyone about it. And they may ask for more than just user data, such as for backdoor access or to install special monitoring hardware or software deep inside your network. This panel will bring together a range of expertise on the perils of secret "lawful intercepts" in today's networks. We'll discuss the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.

Legal Aspects of Full Spectrum Computer Network (Active) Defense Full spectrum computer network (active) defense mean more than simply “hacking back.” We’ve seen a lot of this issue lately. Orin Kerr and Stewart Baker had a lengthy debate about it online. New companies with some high visibility players claim they are providing “active defense” services to their clients. But all-in-all, what does this really mean? And why is it that when you go to your attorneys, they say a flat out, “No.” This presentation examines the entire legal regime surrounding full spectrum computer network (active) defense. It delves into those areas that are easily legal and looks at the controversial issues surrounding others. As such we will discuss technology and sensors (ECPA and the service provider exception); information control and management (DRM); and, “active defense” focusing on – honeypot, beacons, deception (say hello to my little friend the Security and Exchange Commission); open source business intelligence gathering (CFAA, economic espionage; theft of trade secrets); trace back and retrieval of stolen data (CFAA). Past presentations have shown much of what is taken away is audience driven in response to their questions and the subsequent discussion. And, as always, I try to impress upon computer security professionals the importance of working closely with their legal counsel early and often, and of course “Clark’s Law” - explain the technical aspects of computer security to your attorneys at a third grade level so they can understand it and then turn around and explain it to a judge or jury at a first grade level.





Presented by Robert Clark

Legal Considerations for Cellular Research The security of mobile communications is becoming increasingly critical, prompting security researchers to focus their attention on vulnerabilities in cellular systems. Researchers need to fully understand the legal ramifications of interacting with specialized hardware, cellular communications, and the restrictions imposed by service providers. This briefing will provide a legal overview of what a researcher should keep in mind when investigating mobile communications, technologies, and networks. We will cover legal issues raised by end user license agreements, jailrooting or rooting devices, and intercepting communications.

Lessons from Surviving a 300Gbps Denial of Service Attack On Saturday, March 23, 2013, a distributed denial of service (DDoS) attack against Spamhaus that had been growing for weeks culminated with over 300 Gigabits per second of attack traffic targeting the anti-spam organization's network. At that point it became the largest such attack ever reported in history — at least 4x the size of the attacks that crippled US banks just a few months earlier. The attackers launched the full range DDoS methods at Spamhaus — simultaneously targeting Layer 3, Layer 4, and Layer 7. Spamhaus has given us permission to tell the full, behind-the-scenes story of what happened, show how the attacks were launched, outline the techniques the attackers used, and detail how Spamhaus.com was able to stay online throughout. While the Spamhaus story has a happy ending, the massive DDoS exposed key vulnerabilities throughout the Internet that we will need address if the network is to survive the next, inevitably larger, attack.

Presented by Matthew Prince

Let's get physical: Breaking home security systems and bypassing buildings controls 36 million home & office security systems reside in the U.S., and they are all vulnerable. This is not your grandpa’s talk on physical security; this talk is about bypassing home and office digital physical security systems, from simple door sensors to intercepting signals and even the keypad before it can alert the authorities. All the methods presented are for covert entry and leave no physical sign of entry or compromise. If you are interested in bettering your skills as a pen tester or just want to know how break into an office like a Hollywood spy this is the talk for you. Come join us to see live demos of what the security companies never want you to see.

Mactans: Injecting Malware into iOS Devices via Malicious Chargers Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction. In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications. To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.





Mainframes: The Past Will Come Back to Haunt You From governments to military, airlines to banks, the mainframe is alive and well and touches you in everything you do. The security community that's tasked with reviewing the security on mainframes, though, actually knows very little about these beasts. Be it a lack of access by the security community or the false notion that mainframes are dead, there is a distinct gap between the IT security world and the mainframe world. Mainframes in the IT security community are talked about in whispered hushed tones in the back alleys. Neither knowing if they're as secure as IBM (and mainframers) claim or if they're ripe with configuration problems ready to be exploited. This talk will remove some of the mystery surrounding the mainframe, breaking down that 'legacy wall.' Discussing how security is implemented on the mainframe (including where to find configuration files), how to access it, simple networking and configuration commands, file structure etc. will be presented at this session.





Presented by Philip Young

Maltego Tungsten as a collaborative attack platform Maltego has always been a strong favorite for pre-attack intelligence gathering - be that for social engineering, doxing or for infrastructure mapping. Indeed it's earned its rightful place in the Kali Linux top 10 tools. For as long as we can remember we at Paterva were annoyed that Maltego lacked the ability to share intelligence effectively. Up to now the only way to share graphs was to send the actual files around. This is all about to change - with Maltego Tungsten. The Tungsten release (at BlackHat) allows multiple users to share graphs in real time. This creates interesting opportunities and new workflows - suddenly we can have a team of analysts and/or pen testers working together in real time and on the same goal. Be it profiling (or 'doxing') a human target or attacking a network - with real time graph sharing we now have a platform where information can be safely (and anonymously) shared as it happens. The other lacking aspect of Maltego was real bite. In the past we purposely stayed away from all out attack - concentrating rather on info gathering. In this talk we'll also show how to integrate Maltego with industry standard attack tools. This will range from infrastructure attacks, web platform attack and remote Trojans to social engineering as well as denial of service. Combine human intelligence, machines (introduced in Radium release) and real time collaboration with these powerful transforms and wait... oh noes...we've created a monster!!





Million Browser Botnet Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild. With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks. Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.





Mobile rootkits: Exploiting and rootkitting ARM TrustZone Exploiting and rootkitting ARM-based devices gets more and more interesting. This talk will focus on the exploitation of TEEs (Trusted Execution Environments) running in ARM TrustZone to hide a TrustZone-based-rootkit (Presented at Black Hat EU 2013).

Presented by Thomas Roth

Multiplexed Wired Attack Surfaces Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.





OptiROP: hunting for ROP gadgets in style Return-Oriented-Programming (ROP) is the fundamental technique to bypass the widely-used DEP-based exploitation mitigation. Unfortunately, available tools that can help to find ROP gadgets mainly rely on syntactic searching. This method proves to be in inefficient, time-consuming and makes the process of developing ROP-based shellcode pretty frustrated for exploitation writers. This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. OptiROP supports input binary of all executable formats (PE/ELF/Mach-O) on x86 & x86_64 architectures. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver, parallel processing and some heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode. In case where no suitable gadget is found, OptiROP tries to pick and chain available gadgets to create a sequence of gadgets satisfying the input requirements. This significantly eases the hard job of shellcode writers, so they can focus their time on other tedious parts of the exploitation process. Our talk will entertain the audience with some live demo, so they can see how OptiROP generates gadgets in reality.





Presented by Nguyen Anh Quynh

Out of Control: Demonstrating SCADA device exploitation America’s next great oil and gas boom is here: the United States is on track to become the world’s top oil producer by 2020. New wells require new pipelines to distribute their bounty. These oil and gas pipelines crisscross the country carrying volatile fluids through densely populated areas. What runs these pipelines? How are they controlled? What happens when the process goes out of control?





The Outer Limits: Hacking the Samsung Smart TV There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling the transmission. "Smart" TVs are becoming more and more common. Samsung and other vendors such as Sony and LG have sold more than a hundred million Smart TVs in the last few years. During this talk, Aaron Grattafiori and Josh Yavor will discuss the Samsung SmartTV design, attack surfaces and overall insecurity of the platform. A short discussion of the current application stack, TV operating system and other details will be provided to help set the stage for details of significant flaws found within the Samsung SmartTV application architecture, APIs and current applications. A number of vulnerabilities will be explored and demonstrated which allow malicious developers or remotely hijacked applications (such as the web browser or social media applications) to take complete control of the TV, steal accounts stored within it and install a userland rootkit. Exploitation of these vulnerabilities also provides the ability for an attacker to use the front-facing video camera or built-in microphone for spying and surveillance as well as facilitate access to local network for continued exploitation. This talk will also discuss methods to bypass what (meager) security protections exist and put forth several worst case scenarios (TV worm anyone?). Concluding this talk, Aaron and Josh will discuss what has been fixed by Samsung and discuss what overall weaknesses should be avoided by future "Smart" platforms. Video demos of exploits and userland rootkits will be provided.

Owning the Routing Table - Part II The holy grail of routing attacks is owning the routing table of a router. In this work we present a powerful OSPF attack that exploit a newly discovered ambiguity of the OSPF protocol -- the most popular routing protocol inside autonomous systems (AS). The attack allows an attacker who gained control over just a single router in an AS to control the routing tables of all other routers in that AS. The attack may be utilized to induce black holes, network cuts or longer routes in order to facilitate DoS of the routing domain or to gain access to information flows which otherwise the attacker had no access to. The attack can also be used to easily DoS a victim router using a single packet. A multi-vendor effort is now under way to fix this vulnerability which currently inflict many of today's OSPF routers. This work is a sequel to the work "Owning the Routing Table" we presented at Black Hat USA 2011. This is a joint work with Eitan Menahem, Yuval Elovici and Ariel Waizel of Telekom Innovation Laboratories at Ben Gurion University.





Presented by Gabi Nakibly

Pass the Hash and Other Credential Theft and Reuse: Mitigating the risk of Lateral Movement and Privilege Escalation Pass the Hash (PtH) has become one of the most widespread attacks affecting our customers and many of our customers have made it their top priority to address these attacks. In response, Microsoft has assembled a workgroup to investigate effective and practical mitigations that could be used now as well as future platform modifications. This presentation will cover the problem of credential theft and re-use, focusing on Pass-the-Hash attacks as an example, and discuss Microsoft’s recommended mitigations. The presenters are members of the workgroup: Patrick Jungles of the Trustworthy Computing group and Mark Simos of the Cybersecurity Services team.





Pass-The-Hash 2: The Admin's Revenge Some vulnerabilities just can't be patched. Pass-The-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at Black Hat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.





Pixel Perfect Timing Attacks with HTML5 Maybe you’ve heard it before - HTML 5 and related technologies bring a whole slew of new features to web browsers, some of which can be a threat to security and privacy. But subtle interactions between the less explored corners of new browser features can have some unexpected and dangerous side effects. In this presentation, I’ll introduce a number of new techniques that use JavaScript-based timing attacks to extract sensitive data from your browser. In my talk I will demonstrate cross-browser vulnerabilities against Chrome, Internet Explorer and Firefox that can be used to access your browsing history and read data from websites you’re logged into. I’ll also take a look at the difficulties involved in fixing these types of vulnerabilities.





Presented by Paul Stone

Post Exploitation Operations with Cloud Synchronization Services Cloud backup solutions, such as Dropbox, provide a convenient way for users to synchronize files between user devices. These services are particularly attractive to users, who always want the most current version of critical files on every device. Many of these applications “install” into the user’s profile directory and the synchronization processes are placed in the user’s registry hive (HKCU). Users without administrative privileges can use these applications without so much as popping a UAC dialog. This freedom makes illicit installations of these applications all the more likely. Cloud backup providers are marketing directly to corporate executives offering services that will “increase employee productivity” or “provide virtual teaming opportunities.” Offers such as these make it more likely than ever that any given corporate environment has some cloud backup solutions installed. We released the DropSmack tool at Blackhat EU. This showed enterprise defenders the risks posed by cloud synchronization software and gave pen testers a new toy to play with (you can bet that pen testers weren’t the only ones who noticed). In response to feedback from the original presentation, DropSmack has been improved to deal with some of the unique operational challenges posed by synchronization environments. In particular, we added the ability to work with more synchronization services automatically. In this talk, we’ll demonstrate how DropSmack v2 works and explain how to deploy it in an operational environment. We’ll look at some of the countermeasures to these attacks, including the encryption of synchronized files by third party software. Additionally, we’ll investigate the potential of using so-called “next generation firewalls” to defeat DropSmack. You’ll also learn about the issues of credential storage in the context of cloud synchronization services. Several synchronization applications also use insecure authentication methods. We’ll highlight these applications so you know what works, what doesn’t, and what you should run (not walk) away from. You’ll learn about post-exploitation activities you can accomplish when your freshly compromised target is running a cloud synchronization product. Finally, we’ll demonstrate the steps you need to follow to steal credentials for the products that store them. Why would you want to steal stored credentials for a cloud synchronization service you ask? After all, any files that have been synchronized to the cloud must already on the machine you just compromised, right? Not necessarily. You’ll learn a variety of nasty things you can do with the cloud synchronization service portals that you may never have considered.,/ If you’re a network defender, you’ll leave this talk with a new appreciation of the risks posed by cloud synchronization services (and a nauseous feeling if you have them in your environment). If you are a penetration tester, you’ll leave with a new bag of tricks. Either way, a fun time is sure to be had by all.





Presented by Jacob Williams

Power Analysis Attacks for Cheapskates Power analysis attacks present a devious method of cracking cryptographic systems. But looking at papers published in this field show that often the equipment used is fairly expensive: the typical oscilloscope used often has at least a 1 GSPS sampling rate, and then various probes and amplifiers also add to this cost. What is a poor researcher to do without such tools? This presentation will give a detailed description of how to setup a power analysis lab for a few hundred dollars, one that provides sufficient performance to attack real devices. It's based on some open-source hardware & software I developed, and is small enough to fit in your pocket. This will be demonstrated live against a microcontroller implementing AES, with details provided so attendees can duplicate the demonstration. This includes an open-hardware design for the capture board, open-source Python tools for doing the capture, and open-source example attacks. Underlying theory behind side-channel attacks will be presented, giving attendees a complete picture of how such attacks work.





Presented by Colin O'Flynn

Predicting Susceptibility to Social Bots on Twitter Are some Twitter users more naturally predisposed to interacting with social bots and can social bot creators exploit this knowledge to increase the odds of getting a response? Social bots are growing more intelligent, moving beyond simple reposts of boilerplate ad content to attempt to engage with users and then exploit this trust to promote a product or agenda. While much research has focused on how to identify such bots in the process of spam detection, less research has looked at the other side of the question—detecting users likely to be fooled by bots. This talk provides a summary of research and developments in the social bots arms race before sharing results of our experiment examining user susceptibility. We find that a users’ Klout score, friends count, and followers count are most predictive of whether a user will interact with a bot, and that the Random Forest algorithm produces the best classifier, when used in conjunction with appropriate feature ranking algorithms. With this knowledge, social bot creators could significantly reduce the chance of targeting users who are unlikely to interact. Users displaying higher levels of extraversion were more likely to interact with our social bots. This may have implications for eLearning based awareness training as users higher in extraversion have been shown to perform better when they have great control of the learning environment. Overall, these results show promise for helping understand which users are most vulnerable to social bots.





Press ROOT to continue: Detecting OSX and Windows bootkits with RDFU UEFI has recently become a very public target for rootkits and malware. Last year at Black Hat 2012, Snare’s insightful talk highlighted the real and very significant potential for developing UEFI rootkits that are very difficult, if not impossible, to detect and/or eradicate. Since then, a couple of practical bootkits have appeared. To combat this new threat, we developed a Rootkit Detection Framework for UEFI (“RDFU”) that incorporates a unified set of tools that address this problem across a wide spectrum of UEFI implementations. We will demonstrate a sample bootkit for Apple OSX that was designed specifically for testing purposes. As a UEFI driver, it infects the OSX kernel utilizing a UEFI “rootkit” technique. The entire infection process executes in memory (by the UEFI driver itself). Therefore, the bootkit does not need to install any OSX kernel extension modules. The bootkit demonstrates the following functionality: Sniffing FileVault passwords (sniffing keys while booting)

Privilege escalation (to root)

Hiding PIDs, files, and directories with selected patterns Rootkit Detection Framework for UEFI was developed under DARPA CFT. Following this talk, we will publicly release the RDFU open source code along with whitepapers that outline a possible use case for this technology.





Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Embedded systems are everywhere, from TVs to aircraft, printers to weapons control systems. As a security researcher when you are faced with one of these “black boxes” to test, sometime in-situ, it is difficult to know where to start. However, if there is a USB port on the device there is useful information that can be gained. This talk is about using techniques to analyze USB stack interactions to provide information such as the OS running on the embedded device, the USB drivers installed and devices supported. The talk will also cover some of the more significant challenges faced by researchers attempting to exploit USB vulnerabilities using a Windows 8 USB bug recently discovered by the presenter (MS13-027) as an example.





Presented by Andy Davis

RFID Hacking: Live Free or RFID Hard Have you ever attended an RFID hacking presentation and walked away with more questions than answers? This talk will finally provide practical guidance on how RFID proximity badge systems work. We’ll cover what you’ll need to build out your own RFID physical penetration toolkit, and how to easily use an Arduino microcontroller to weaponize commercial RFID badge readers – turning them into custom, long range RFID hacking tools. This presentation will NOT weigh you down with theoretical details, discussions of radio frequencies and modulation schemes, or talk of inductive coupling. It WILL serve as a practical guide for penetration testers to understand the attack tools and techniques available to them for stealing and using RFID proximity badge information to gain unauthorized access to buildings and other secure areas. Schematics and Arduino code will be released, and 100 lucky audience members will receive a custom PCB they can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use (such as badge cloning). This solution will allow you to read cards from up to 3 feet away, a significant improvement over the few centimeter range of common RFID hacking tools. Some of the topics we will explore are: Overview of best RFID hacking tools available to get for your toolkit

Stealing RFID proximity badge info from unsuspecting passers-by

Replaying RFID badge info and creating fake cloned cards

Brute-forcing higher privileged badge numbers to gain data center access

Attacking badge readers and controllers directly

Planting PwnPlugs, Raspberry Pis, and similar devices as physical backdoors to maintain internal network access

Creating custom RFID hacking tools using the Arduino

Defending yourself from RFID hacking threats This DEMO-rich presentation will benefit both newcomers and seasoned professionals of the physical penetration testing field.





Presented by Fran Brown

Rooting SIM cards SIM cards are among the most widely-deployed computing platforms with over 7 billion cards in active use. Little is known about their security beyond manufacturer claims. Besides SIM cards’ main purpose of identifying subscribers, most of them provide programmable Java runtimes. Based on this flexibility, SIM cards are poised to become an easily extensible trust anchor for otherwise untrusted smartphones, embedded devices, and cars. The protection pretense of SIM cards is based on the understanding that they have never been exploited. This talk ends this myth of unbreakable SIM cards and illustrates that the cards -- like any other computing system -- are plagued by implementation and configuration bugs.





Presented by Karsten Nohl

The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux! These attackers had a plan, they acted upon their plan, and they were successful. In my first presentation, given at Black Hat EU in 2013, I covered a robust ICS honeynet that I developed, and who was really attacking them. In this talk, I cover many of the same concepts, but I go several steps further- profiling the attackers that exploited my ICS honeynet. This talk will profile, provide intelligence, and list actors that attacked my ICS honeypot environment. This talk will also feature a demo of the attackers in progress, exfiltrating perceived sensitive data. In addition, I will discuss in greater detail how I geo-located these individuals, and tracked their movements, operations, and attacks. Some of the findings are truly surprising and substantial, and my not be what you think they are. This talk will release brand new statistics and attack details seen nowhere else in the ICS community.





Presented by Kyle Wilhoit

Smashing The Font Scaler Engine in Windows Kernel The Font Scaler Engine is widely used to scale the outline font definition such as TrueType/OpenType font for a glyph to a specific point size and converts the outline into a bitmap at a particular resolution. The revolution of font in computer that is mainly used for stylist purposes had make many users ignored its security issues. In fact, the Font Scaler engine could cause many security impacts especially in Windows kernel mode. In this talk, the basic structure of the Font Scaler engine will be discussed. This includes the conversion of an outline into a bitmap, the mathematical description of each glyph in an outline font, a set of instruction in each glyph that instruct the Font Scaler Engine to modify the shape of the glyph, and the instruction interpreter etc. Next, we introduce our smart font fuzzing method for identifying the new vulnerabilities of the Font Scaler engine. The different of dumb fuzzing and vulnerable functions will be explained and we will prove that the dumb fuzzing technique is not a good option for Windows Font Fuzzing. Lastly, we focus on the attack vector that could be used to launch the attacks remotely and locally. A demonstration of the new TrueType font vulnerabilities and the attack vector on Windows 8 and Windows 7 will be shown.





SPY-JACKING THE BOOTERS It's become commonplace for security reporters and providers of security technologies to find themselves targets of hackers' wrath, especially when they put criminal activity under the spotlight. Earlier this year, Brian Krebs had done some work to expose a "booter" service. Like other public security figures, he found himself the target of repeated DDoS attacks. In Brian's case, this culminated in a "SWATting" attack -- a surprise visit by dozens of heavily armed police at his front door. Research on "booter" services reveals a relatively unsophisticated, but high-profit criminal community of DDoS-for-hire web sites that are capable of considerable impact. They operate under legal auspices, leveraging legitimate DDoS protection services. Anyone with an axe to grind and a small amount of money can hire one of these services to have virtually any person or web site knocked off the Internet. As an indicator of how mainstream these services have become, most of them accept payment via Paypal. This talk will delve into the recent proliferation of these malicious commercial DDoS services, and reveal what's been learned about their surreptitious functioning, exposing the proprietors behind these illicit services, and what is known about their targets and their thousands of paying customers. Emphasis will be placed on detailing the vulnerabilities present in most booter sites, and the lessons we can draw about how targets of these attacks can defend themselves.

SSL, gone in 30 seconds - a BREACH beyond CRIME In this hands-on talk, we will introduce new targeted techniques and research that allows an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate this new browser vector is real and practical by executing a PoC against a major enterprise product in under 30 seconds. We will describe the algorithm behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations you can implement today. We will also describe the posture of different SaaS vendors vis-à-vis this attack. Finally, to provide the community with ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.





Stepping P3wns: Adventures in full-spectrum embedded exploitation (and defense!) Our presentation focuses on two live demonstrations of exploitation and defense of a wide array of ubiquitous networked embedded devices like printers, phones and routers. The first demonstration will feature a proof-of-concept embedded worm capable of stealthy, autonomous polyspecies propagation. This PoC worm will feature at least one* 0-day vulnerability on Cisco IP phones as well as several embedded device vulnerabilities previously disclosed by the authors. We will demonstrate how an attacker can gain stealthy and persistent access to the victim network via multiple remote initial attack vectors against routers and printers. Once inside, we will show how the attacker can use other embedded devices as stepping-stones to compromise significant portions of the victim network without ever needing to compromise the general-purpose computers residing on the network. Our PoC worm is capable of network reconnaissance, manual full-mesh propagation between IP phones, network printers and common networking equipment. Finally, we will demonstrate fully autonomous reconnaissance and exploitation of all embedded devices on the demo network. The second demonstration showcases host-based embedded defense techniques, called Symbiotes, developed by the authors at Columbia University under support from DARPA’s Cyber Fast Track and CRASH programs, as well as IARPA’s STONESOUP and DHS’s S&T Research programs. The Symbiote, is an OS and vendor agnostic host-based defense designed specifically for proprietary embedded systems. We will demonstrate the automated injection of Software Symbiotes into each vulnerable embedded device presented during the first demonstration. We then repeat all attack scenarios presented in the first demo against Symbiote defended devices to demonstrate real-time detection, alerting and mitigation of all malicious embedded implants used by our PoC worm. Lastly, we demonstrate the scalability and integration of Symbiote detection and alerting mechanisms into existing enterprise endpoint protection systems like Symantec End Point. Over the past two years we have discovered vulnerabilities in and and developed exploits for several embedded system. 2011 had not only the version agnostic Cisco IOS rootkit (“Killing the Myth of Cisco IOS Diversity”, Black Hat USA), but also the HP RFU vulnerability (“Print Me if You Dare”, 28C3). In 2012 we presented the Cisco IP phone kernel vulnerability (“Hacking Cisco Phones”, 29C3) . While each exploit focused on one device, we posited polyspecies malware propagation in which a device of one type could be used to exploit a device of a completely different type. In this presentation, we demonstrate an HP printer being used to exploit two different Cisco IP phones (which includes a yet-to-be-disclosed privilege escalation exploit in the 8900/9900 series). We may throw in a fourth yet-to-be-named device just for good measure. We then take the same devices on the same network and install host-based defense to detect or prevent the same exploits.

Teridian SoC Exploitation: Exploration of harvard architecture smart grid systems The Teridian 8051 based chips are found in a variety of places in daily life, from the smart energy grid to smart cards and pin-pads. While the most prominent placement in the US is currently the metrology and power measurement side of a smart meters, the 8051 core is ubiquitous in embedded devices. They are additionally found in power distribution automation (the backend power shoveling inside your utility) and home automation (monitoring energy usage and changing configuration of appliances and similar in the home). The Teridian System-on-a-Chip platform wraps a complete system around a modified 8051 core, with additional features for chip security to block debug functionality and external access to memory. Additionally, the Harvard architecture design sets relatively rigid barriers between code and data (as opposed to x86/64), which presents an unintentional security barrier, somewhat similar to robust hardware DEP on x86/64 platforms. In this talk, we will quickly cover architecture and system overviews, then dive into exploitation scenarios with techniques to attack Harvard architecture systems and code security implementations. End state results include pathways to gain coveted binary images of firmware and resident code execution.

TLS 'secrets' SSL and TLS have become the de-facto standards for transport-layer encryption. In recent years, many vulnerabilities have been uncovered in both the standards, their implementation and the way people configure and use them. This talk is exploring in details a lesser-known and much less talked about part of the standard which breaks some of the security properties one would expect. A tool allowing for forensic recovery of plaintext (even when PFS ciphers are in use) will be released.





Presented by Florent 'NextGen$' Daigniere

Town Hall Meeting: CFAA Reform Strategy Aaron Swartz, a brilliant computer programmer and activist, committed suicide in January. At the time of his passing, Aaron was facing criminal charges carrying the possibility of decades in prison based on his use of the MIT campus network to download millions of journal articles from a database of academic scholarship. Aaron's death has prompted a vigorous public debate about the factors that contributed to his tragedy, including the many problems with the Computer Fraud and Abuse Act, including its vague language and harsh penalty scheme. The information security community has an important role to play in educating and persuading lawmakers to reform this dangerous law. In this to