Automated Binary Analysis with Pin and Python
Omar Ahmed and Tyler Bohan
Reverse engineering typically involves activities ranging from reading disassembly output to playing with debuggers. However, an often overlooked technique is making use of dynamic binary analysis frameworks. In this talk, we will be looking at Intel's solution, Pin, and walk through how just about anyone can make great use of it. We will discuss reasons why more people should use these tools, some novel uses (including finding bugs and solving CTF challenges automatically!), and even introduce our own Python bindings for Pin, which will make writing pintools a breeze. Automated binary analysis is an extremely useful technique, and we feel that the use of Python and Pin will make jumping in less intimidating by simplifying the process of writing Pin tools. We will also demonstrate the ease of use by showing some real world examples and tackling some commonly seen issues when dealing with binary analysis.
Tyler is currently a student at NYU-Poly and a member of the ISIS lab. He has done some research projects in the fields of program analysis and vulnerability analysis as well as more general binary analysis. He also enjoys reverse engineering and playing in CTF competitions in his free time.
Omar is a recent graduate of NYU-Poly and currently a security engineer at Etsy. He enjoys doing security things such as playing CTF and looking for bugs. He has four cats, none of which are good at computers.
The Joy Of Intelligent Proactive Security
Scott Behrens and Andy Hoernecke
Netflix is amongst the largest users of the public cloud, consuming roughly 30% of all the US’s downstream bandwidth at peak. Multiple concurrent code bases, continuous deployments, regional content, and an ever-changing threat landscape make vulnerability and asset management difficult. In order to battle this dynamic environment, we have taken an approach of automating, simplifying, and collecting actionable data with proactive security.
This presentation will assert that the agility of modern infrastructure requires a different approach to security. We look at common areas of a mature security program: identifying and addressing potential issues, monitoring for attacks and anomalies, understanding your environment, collecting and sharing information, all while constantly reevaluating your approach. We will also walk through a few real world cases where intelligent proactive security has simplified Netflix’s response time for identifying, responding to, and remediating security issues.
We will also provide demonstrations of a number of Netflix applications that are currently or soon-to-be open sourced that can help you simplify your security program regardless of whether you operate in the cloud or data center.
Attendees will leave this talk with real world strategies, techniques, and Netflix open source tools they can use in their own organizations.
Scott Behrens and Andy Hoernecke are both security evangelists at Netflix focusing on application security engineering as part of the Product and Application Security team. Scott loves security research and has previously spoken at DEF CON, Derbycon, Shakacon, Chicago Bsides, and a handful of other security conferences. Prior to Netflix, Andy built the application security program for a Fortune 100 retailer, and taught web application security to grad students at DePaul University.
Analysis of POS Malware
With the rash of POS malware reported at the end of 2013 and through 2014, this talk analyzes this new, or not so new, attack vector aimed at stealing credit card data from merchants. The analysis takes a look at how long it has really been an issue, the difficulty that merchants and other companies are having fighting it, as well as one of the most common attack vectors that is being used to breach businesses.
Brandon Benson, Senior Security Analyst, is responsible for providing security consulting services and PCI compliance assessments for organizations across the globe. He holds the CISSP, P2PE-QSA (Point to Point Encryption Qualified Security Assessor), and QSA (Qualified Security Assessor) security certifications and has been performing assessments and consulting with companies for the last four years. Benson assessed the world's first P2PE-validated solution in 2013. Previous to his current position, he assisted organizations, banks, and governments with encryption implementation. Benson received a Bachelor of Arts in Finance from the University of Utah.
NaCl: A New Crypto Library
Daniel J. Bernstein and Tanja Lange
NaCl (pronounced "salt") is a new easy-to-use high-speed software library for encryption, decryption, signatures, etc. NaCl’s goal is to provide all of the core operations needed to build higher-level cryptographic tools. Of course, other libraries already exist for these core operations, but NaCl improves security, improves usability, and improves speed. We’ll explain how the design and implementation of NaCl avoid various types of cryptographic disasters suffered by previous cryptographic libraries such as OpenSSL.
This talk also presents TweetNaCl, a self-contained public-domain C library which reimplements the NaCl library in just 100 tweets. See https://twitter.com/tweetnacl.
We’re researchers in applied cryptography working on making secure crypto more usable and on eliminating bad crypto. This includes us sometimes breaking bad crypto but most of the time our work is constructive. We’re the core NaCl development team, along with Peter Schwabe.
We’ve designed several cryptosystems, including Salsa20, Poly1305, Curve25519, and Ed25519. These cryptosystems are designed for security, robustness, performance, and ease of implementation without data-dependent branches and without data-dependent array indices. We use these functions in NaCl to make our lives easier and the software better.
We’ve done some other things in crypto as well.
httpscreenshot - A Tool for Both Teams
Steve Breen and Justin Kennedy
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
Justin has been a security hobbyist since the early 2000s. He's held positions on both blue and red teams in the information security industry since 2008. Justin currently leads an Offensive Security team and spends his down time participating in bug bounties.
Steve is a former software developer turned pentester who has a knack for making software do things it was never intended to do. Steve is a senior security consultant on the Offensive Security team and spends his down time on research projects and development. He also presented his research in vulnerabilities in MDM solutions at BH USA 2014.
Deception for the Cyber Defender: To Err is Human; to Deceive, Divine
Tom Cross, David Raymond, and Gregory Conti
Since the first conflict between men, deception has played an integral role. Today on the network battlefield attackers enjoy many advantages and frequently employ deception as a powerful tool to accomplish their objectives. In this talk we discuss how to turn the tables on the attacker and employ deception strategies that deceive both human attackers and the code they employ to best defend your assets. This talk isn’t about social engineering or honeypots, but instead carefully analyzes dozens of deception techniques and how they can be woven together into a deception strategy that increases your defensive posture. We do so by mapping traditional and well-developed military battlefield deception techniques and principles onto the cyber domain. We’ll intersperse historical examples from military deception operations as well as provide new concepts for deception on the geographic, physical (OSI Layer 1), logical (OSI Layers 2-7), persona, and supervisory planes that comprise the operational cyber environment. You’ll leave this talk inspired and armed to better defend your networks, systems, and people while forcing your attackers off balance.
Tom Cross is CTO at Drawbridge Networks. Previously he was the Director of StealthWatch Labs at Lancope and manager of XForce Research at IBM/ISS. He has spoken at numerous security conferences, including Black Hat, DEFCON, CyCon, HOPE and RSA.
David Raymond is an Associate Professor at West Point where he teaches cybersecurity and coaches the CTF Team. He is an Army officer with a unique mix of experience in armored maneuver warfare and Army automation.
Greg Conti is Director of the Army Cyber Institute at West Point. He has spoken at Black Hat, DEFCON, ShmooCon, and RSA.
Mascots, March Madness & #yogapants: Hacking Goes to College
Chris Cullison, Zack Allen, and Ian Amit
Professor Rubin gave his students an interesting assignment: conduct red-blue social media based penetration tests on American universities. Students were tasked with constructing an attack plan, a defense plan, and a "cover-your-tracks" plan. Hashtags, fake coffee shops, racy direct messages and yoga pants were just some of the strategies used to lead victims on social media to an emulated attack landing-page. Afterwards, students defended their university’s social media presence from other teams carrying out their plans. Lastly, they employed concealment techniques to remove attack evidence.
The teams switched attack & defense phases after a four-week period. They catalogued their actions with a standardized syslog for analysis, and we calculated the number of clicks each team generated based on the University IP range. The talk focuses on the results of this project, and it outlines some of our favorite write-ups, names, strategies and novel project constructions. An unexpected event also occurred – the students had a moral objection to some of the strategies attackers use on social media and refused to perform these attacks unless we gave them an alternative. We review the ethics of these exercises and present lessons learned based on our discussions with the class.
Chris Cullison, Zack Allen, and Ian Amit of ZeroFOX work together to help defend the social media aspect of an organization’s security posture. They work with Dr. Avi Rubin, advising and helping his graduate class test, verify and push the boundaries of social media-based attacks and defenses. This group has worked with industry, academia and government, spoken at conferences and been published in academic journals. With the help of the brilliant minds of students at Johns Hopkins University, they test the boundaries of security with a focus on this new attack vector.
White is the New Black: Why White Data Really Matters
We've already brought our malicious data collection skills to an art level, but in order to get good verdicts (most importantly - low FP rate) our benign (or White) data must enjoy the same level of confidence as the malicious (or Black) data. When dealing with Machine Learning algorithms, the certainty of the White data is taken for granted, but reality shows that it's a less-than-simple challenge. In this talk, we will focus on the collection of White data: Where do we get it from, and how do we collect it?
The talk is based on research we performed in the past year, during which we developed a methodology for the collection and creation of such repositories of clean data. We will share this methodology with the audience.
With both a BSc and an MSc in Computer Science, accompanied by a career performing R&D for the IDF and the industry, Irena is a security and intelligence researcher with a disturbing affection for "Hello Kitty". When she is not watching cartoons she is running the Threat Intelligence team at Check Point, performing innovative malware research and developing infrastructure for better detection and techniques for research.
Understanding a New Memory Corruption Defense: Use-after-Free (UaF) Mitigation and Bypass
Memory corruption has plagued computers for decades. These software bugs can often be transformed into working cyber-attacks. High-level protections, such as anti-virus, have done little to stop the tide. Recent low-level protections such as non-executable memory and module randomization have helped. Yet a new variant called return-oriented programming (ROP) has survived these protections. Medium-level protections, such as Microsoft's anti-ROP add-on called EMET, have helped some. But a particularly troublesome bug known as Use-after-Free (UaF) has been used in conjunction with other techniques to bypass EMET. Thus, another low-level mitigation is required. This talk will describe Heap Isolation and Delayed Free, two such new mitigations, aimed at preventing UaFs. We will demo the protection in action. We will also walk through a bypass for the new protection. We wrap up by discussing trends to watch for in the next couple of years as they relate to these and other similar software attacks.
Jared DeMott is a seasoned security researcher who has spoken at conferences such as DerbyCon, Blackhat, DefCon, ToorCon, etc. Notable research relates to helping stop an exploit technique (ROP), by placing as a finalist in Microsoft’s BlueHat prize contest, and by more recently showing how to bypass Microsoft’s EMET protection tool. Jared teaches his AppSec course, has co-authored a book on Fuzzing, has been on three winning Defcon CTF teams, has been an invited lecturer at prestigious institutions such as the United States Military Academy, previously worked for the National Security Agency, and holds a PhD from Michigan State University.
Cockroach Analysis: A Statistical Analysis of the Flash and Java Files that Infest the Internet
Java and Flash are and will continue to be popular attack vectors. To combat this, we’ll put these two file formats under the microscope and throw some data science at them. For each file format, we will take a quick look at its layout and then explore some of the file features. Then, using a malicious and clean file set, we will walk through the process we took to identify important features and show the results from several different machine learning algorithms when built from these feature sets. We’ll use several open source tools and libraries to perform the data exploration and analysis, including pandas and scikit-learn as well as the data hacking library we’ve already released. IPython notebooks containing the analysis will be released at the start of the talk.
David has been in the security field for over 10 years now. He enjoys static file analysis and tearing apart shellcode. He's starting to add various data analysis techniques to his toolbox, where before he relied only on hex editors, debuggers, and disassemblers. He dislikes wearing pants and has a strong antisock agenda.
The Windows Sandbox Paradox
More user applications are relying on sandboxes to limit the damage a Remote Code Execution vulnerability can inflict. It started with web browsers, such as Internet Explorer's Protected Mode, and now covers many different applications. Unfortunately, the Windows operating system isn't well matched to providing secure sandboxing. Through a combination of missing features, poor documentation and unexpected behaviour, writing a secure sandbox on Windows seems an impossible task. Even built-in technologies such as Windows 8 AppContainers have unusual behaviour which can even catch out Microsoft.
This presentation details some of the ways Windows actively hamstrings sandbox development. It also includes some interesting bugs in sandboxed applications such as Chrome, IE and Adobe Reader which directly result from these problems with the OS. Attendees should get a better understanding of some of the issues with Windows sandboxes so that they might be able to better audit and develop them in the future.
James is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.
Tap On, Tap Off: Onscreen Keyboards and Mobile Password Entry
Kristen K. Greene, Joshua Franklin, and John Kelsey
Password entry on mobile devices significantly impacts both usability and security, but there is a dearth of usable security research in this area, specifically for complex password entry. To address this research gap, we set out to assign strength metrics to passwords for which we already had usability data, in an effort to have a more meaningful comparison between usability and security. A primary accomplishment of this work is our method of optimizing the input of randomly generated passwords on mobile devices via password permutation. This is done by grouping character classes (i.e., uppercase, lowercase, digit, symbol) together to minimize the total number of required keystrokes and decrease cognitive load. We propose a measurement method for quantifying effects on entropy resulting from this password permutation. Additionally, we created and are releasing Python scripts, and make use of an existing publicly available NIST data visualization tool to facilitate comparison between usability and security metrics.
The authors work within the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). Kristen is a Cognitive Scientist in NIST's Information Access Division and holds an M.A. and Ph.D. in Cognitive Psychology from Rice University. Joshua is an Information Security Engineer within NIST's Computer Security Division. Joshua graduated from George Mason University with an M.S. in Information Security and Assurance. John Kelsey is an experienced cryptographer at NIST and has degrees in Computer Science and Economics from the University of Missouri Columbia.
SEWiFi: Building a Security Enhanced WiFi Dongle
Securing a computer's network connection over WiFi has been a problem for years. Whether it's your mom, grandfather, colleagues or yourself, not everyone understands how to properly set up and use VPNs, personal firewalls and a local IDS. Even if you do understand how to set up and use network security tools, it can be a mundane task to repeatedly set them up if you constantly change computers or reimage regularly. SEWiFi is an open source project which aims to seamlessly provide a full security stack for WiFi connections on all operating systems.
The SEWiFi device is meant to work exactly like an off-the-shelf commodity USB WiFi dongle, but in reality it is running a full ARM-based Linux OS behind the scenes. The SEWiFi project is currently prototyped on a WiFi-enabled USB ARM Gumstix board running a Debian operating system. Future iterations of the project will run on a fully open source ARM board or a custom made open source Gumstix expansion board. The project is currently in its early stages and provides a fully configured IDS and firewall.
During this talk I will go over the current state of the project and show how to build a SEWiFi USB dongle.
Ryan Holeman (@hackgnar) resides in Austin, Texas where he works as a security researcher for Ziften Technologies. He has a Masters of Science in Software Engineering. He has published papers through ICSM and ICPC and spoken at various security conferences including DEF CON and Black Hat. His spare time is mostly spent digging into various network protocols and shredding local skateparks.
Manually Searching Advisories and Blogs for Threat Data--"Who’s Got Time for That?"
Elvis Hovor and Shimon Modi
Threat intelligence is generating a lot of buzz, and many vendor/industry driven initiatives are focused on addressing how enterprises can leverage threat intelligence. Despite the appearance that cyber threat intelligence is structured and well formatted, most enterprises receive threat intelligence from external sources in unstructured text format, in the form of advisories, email bulletins, chat forums etc. Threat intelligence is most relevant when it is timely and actionable. The status quo of using human analysts to process threat data and determine its relevance is inefficient and does not scale.
We have developed a solution that increases automation of extracting threat data from unstructured sources and mapping them to the various STIX data constructs, in effect converting it into a structured form. This has several benefits:
- Allows human analysts to focus on analysis, and not spend time parsing text through a document
- Increases machine readability by converting incoming data into structured format
- Applies customized contextualization and prioritization filters to the extraction process
We have developed this solution on OpenNLP, a natural language processing toolkit. We will demonstrate how to process a batch of threat advisories and prioritize them for analysts to review based on predefined analyst preferences.
Shimon Modi has been in the information security industry for over 10 years. Shimon received his Ph.D. from Purdue University with a focus on biometrics. Prior to joining Accenture, he managed the biometrics research program at Purdue University and also has consulted on large scale identity management projects for various clients. He currently leads the threat intelligence research in the labs.
Elvis Hovor received an MS in Information Security from the Johns Hopkins University, MD. He has worked on various research projects in his three years with Accenture’s technology labs. He leads development work for threat intelligence.
Infrastructure Tracking with Passive Monitoring and Active Probing
Anthony Kasza and Dhia Mahjoub
Threat intelligence is crucial in our industry to proactively monitor for attacks, detect active breaches, and analyze incidents post-mortem. Intelligence is created by researching, tracking, and interpreting attacker movements with a focus on preemptively countering malicious campaigns as soon as they emerge. In this talk, we will describe tools and methodologies we use in-house to provide context on evil at Internet scale. We will also present concrete use cases on how to leverage threat intelligence, both open source and proprietary, to track internet threats and pivot around specific indicators to further the investigative effort. Our use case of choice will be the new Zeus GameOver variant that re-emerged last summer and which we've been tracking for several months. The various aspects of campaign tracking include command and control infrastructure, preferred hosting providers, domain registration practices, and compromised client behaviors.
Anthony Kasza is a Security Researcher at OpenDNS where he works on a team of specialized data scientists and security experts creating actionable defensive technologies. With a strong background in network architectures and communication protocols, Anthony researches online threats, analyzes malware, and hacks on Bro IDS.
Senior Security Researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. He focuses on building threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia has a background in Computer Networks and holds a PhD in Computer Science from Southern Methodist University, Dallas with a speciality in graph theory applied to Wireless Sensor Networks.
Betting BIOS Bugs Won't Bite Y'er Butt?
Xeno Kovah and Corey Kallenberg
2013 saw the disclosure of the most BIOS vulnerabilities ever. Mostly due to our research. Mostly due to the fact that where people don't look, problems fester. The problem is, defenders typically don't track BIOS bugs the way they track the latest Patch Tuesday reports. Which means your enterprise is almost certainly rife with BIOS bugs, and you don't even know it. This talk will be a quick run through the BIOS vulnerabilities & PoC malware that have been disclosed in the last couple of years, and what concrete steps you can take to start performing BIOS vulnerability checking, and integrity checking, to protect yourself or your company.
Xeno Kovah & Corey Kallenberg started LegbaCore in 2015 to wield Papa Legba's dark magics for the betterment of all mankind. LegbaCore specializes in vulnerability discovery, deep system security (OS/VMM/SMM/BIOS/PeripheralFirmware), defensive technology that doesn't just fall over in a slight breeze, and poisoning the snake oil supply.
Don’t Look Now! Malicious Image Spam
A picture is worth a thousand words. I've also found it contains malware and other interesting items if one looks past the wavy words, pills, sailboats and pornography. I have a corpus of more than 10,000 spam images provided daily by Knujon over a period of about 5 years. I've had students categorize the images, perform steganalysis, and extract malware. Images have their own unique methods to evade spam filters. This talk is about my corpus and the things we've found lurking in the wild.
Kathy Liszka is a Professor of Computer Science at The University of Akron. Her research area used to be parallel algorithms for the majority of her career until she got bored. Security is a fascinating and broad topic so she developed two courses with a heavy lab component for students to get an exposure to the field.
Where the Wild Things Are: Encryption, Police Access & the User
The government, frightened by companies’ move to enable encryption by default and/or make encryption easier to use, sparked discussion about the use of a "golden key" or implementation of backdoor access for law enforcement to decrypt an electronic device when the user refuses to do so. Announcements by Apple and Google that devices would expand the scope of data encrypted, so as to prevent the companies from handing over decrypted data to police officers armed with a valid warrant, stimulated this debate, but the government’s interest in weakening crypto is nothing new. It prompts the question: how should encryption, the user, and the law function?
This talk will briefly discuss the basics of encryption and the law and examine how "[e]ncryption is an altogether different beast." It will also incorporate recent research on how and why users implement encryption to discuss the role encryption plays in the probable cause analysis. Simply, does implementing encryption play any role in determining if there is a reasonable basis for believing that a crime may have been committed? Finally, the talk will discuss whether the government can legally and practically be able to decrypt data without forcing an individual to turn over a key.
Whitney Merrill (@wbm312) is an attorney and graduate student in computer science at the University of Illinois Urbana-Champaign specializing in information security, privacy, and Internet law. Her research focuses on the legal and usability issues surrounding encryption and information security. In 2014, Whitney co-founded and co-organized the Crypto & Privacy Village at DEF CON, and previously she interned at the Electronic Frontier Foundation.
There's Waldo! Tracking Users via Mobile Apps
Colby Moore and Patrick Wardle
Sure, you assume the NSA can track you, but due to insecure mobile apps, it may be possible for anyone else to track you too. Mobile apps often leverage user location data to provide a custom experience. Unfortunately, as our case studies show, this is often done insecurely, revealing users’ location and compromising privacy.
We will be presenting a case study detailing how we were able to track tens of thousands of users' actual locations in real time, determine patterns of life, and subsequently determine true identities. Using a targeted approach we show just how easy it might be to reveal the identity of and track your favorite athlete, politician, or movie star.
Come for the war stories, leave with best practices and lessons learned!
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Currently he focuses on automated vulnerability discovery and Mac malware. Patrick, a former employee of NSA and VRL, is an experienced vulnerability analyst, and has found exploitable 0days in major OSs and applications.
Colby Moore is a Security Research Engineer at Synack, working mainly on breaking emerging technologies. He is a former employee of VRL and has identified 0day vulnerabilities in embedded systems and major applications. Colby prefers to focus on that sweet spot where hardware and software meet, usually resulting in interesting... consequences.
No Budget Threat Intelligence: Tracking Malware Campaigns on the Cheap
In this talk, I'll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I'll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I'll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I'll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.
Andrew Morris is a security consultant with iSEC Partners. He specializes in network security, risk assessment, and making bad jokes. Andrew has consulted for Fortune 100 corporations, technology companies, financial institutions, hospitals, human rights groups, social media organizations, and government agencies. When he is not talking too loudly in the office, Andrew likes to find confusing gifs on the Internet and try to understand what his dreams mean.
Practical Machine Learning for Network Security
Machine learning is currently receiving a lot of attention in network security. There are many start-ups and existing companies that claim they use it in their solutions; yet, few details are shared on why or how it works. So, is machine learning a potential solution or all hype? The answer depends on the problem.
In this talk we will demonstrate how machine learning can be leveraged to solve a set of practical network security problems. However, we will also discuss its limitations and show how it can fail. The focus of the talk will be on applying both supervised and unsupervised learning to problems in network security. Case studies of real machine learning systems will be used to illustrate some of the issues faced by practitioners and provide practical techniques that can be used to mitigate many of them.
Terry Nelms is the Director of Research at Damballa. His current research interests include the statistical analysis of network traffic, the network behavior of malware, and applying machine learning to identify network threats. Before joining Damballa, he spent nine years in IBM ISS X-Force Research inventing, designing, and developing protection technologies. His research has produced new security products, patents, and publications in top academic conferences. He holds a B.S. and M.S. in Information Systems and is currently a Ph.D. candidate in Computer Science at the Georgia Institute of Technology.
Micronesia: Sub-kernel Kit for Host Introspection in Determining Insider Threat
Bootkits have long been used in an offensive manner by adversaries in order to maintain cold-state persistence. Micronesia is an extended bootkit that allows for self-surveillance upon a host system. The purpose of the kit is to monitor for insider-threat potential on a local machine. At present, resources invested in this problem space for anti-leak/insider-threat detection go primarily into exterior-host communications. They rely heavily upon heuristics and detection of anomalous traffic movement. A notable example can be seen in various government entities where sensitive documents in high-side networks are fingerprinted. These fingerprints are then matched against low-side traffic in the hope of taint marking against data leakage. A knowledgeable adversary, however, can easily render communications ineffective to being tagged. This talk proposes a bootkit solution to allow for discrete full-system monitoring and determination of insider-threat activity. The kit's name symbolizes a shift in analytical focus away from mass collection of many systems and more towards host self-determination, hence Micronesia--a collection of small islands.
Loc Nguyen (@nocsi_) is a security researcher at Exodus Intelligence. For the past decade, his work has covered areas such as vulnerability research, exploit development, language design, program analysis and digital forensics. In his spare time, Loc likes to read YouTube comments.
The Internet of TR-069 Things: One Exploit to Rule Them All
Lior Oppenheim and Shahar Tal
TR-069 is the de-facto standard remote management protocol that ISPs surreptitiously use to control consumer-premises equipment (these would be your home routers, set-top boxes, VoIP phones etc.), rumored to be a well-thought conspiracy devised by Internet Service Provider secret societies since the 17th century.
The findings we published earlier this year demystified the voodoo that is TR-069, demonstrated how mass pwnage can be achieved via server-side attacks, and proved the landscape is ripe for harvesting. We will continue where we left off to explore TR-069 client-side vulnerabilities; we analyze client implementations, pour some insight into mysterious results from our internet-wide scans, and follow to mass pwnage through remote code execution on millions of online devices. Again.
Lior is a vulnerability researcher in the Malware & Vulnerability Research group at Check Point Software Technologies. Lior was trained and served in an elite technological unit performing security research in the IDF. In his spare time, Lior loves tap dancing, reversing, playing his guitar and pwning home routers. Shahar leads the Vulnerability Research team, being Lior's manager, publication editor and inspiring role model.
Ask the EFF
Kurt Opsahl and Nate Cardozo
Get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation's premiere digital civil liberties group fighting for freedom and privacy in the computer age. This session will include updates on current EFF issues such as NSA surveillance and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology projects to protect privacy and speech online, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it's your chance to ask EFF questions about the law and technology issues that are important to you.
The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. Nate Cardozo and Kurt Opsahl are attorneys who work on EFF's Coders' Rights Project, which builds on EFF's longstanding work protecting security researchers through education, legal defense, amicus briefs, and involvement in the community with the goal of promoting innovation and safeguarding the rights of curious tinkerers and hackers.
For more about the presenters, see: https://www.eff.org/about/staff/kurt-opsahl and https://www.eff.org/about/staff/nate-cardozo
The Dark Art of Data Visualization
Data visualization is very much a dark art. It is very dependent upon the data you are using, what you want to get out of it, and how it is displayed. You change any one thing and you will get a completely different outcome. I have been doing data visualization during ShmooCon Labs for quite a few years now. During that time I have tried out many different approaches to visualizing the ShmooCon network. Some techniques and data sources worked well and others did not. I would like to share with you some of the techniques and data sources that I have found to work well. I also plan on doing a quick demo of some of the tools that I use.
David is a member of The Honeynet Project where he does research in data visualization, data distribution and data processing. He is also responsible for all of the shared research infrastructure that the project uses. As a day job David works for a non-profit federally funded research and development center, where he does research in network security. He has been running the data visualization effort in ShmooCon Labs for the past few years.
Userland Persistence on Mac OS X "It Just Works"
Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access.
The presentation will show how easy it is, given userland administrative access (read: root), to persist between reboots without plists, non-native binaries, scripting, kexts, or kernel patching, using the Backdoor Factory.
Joshua Pitts is a pentester and reverse engineer for Leviathan Security Group. Josh has been working in Infosec for some time, first trying to secure Win 3.1.1 and NT 4.0 enterprise machines while in the Marines in 1998, which was a hilarious experience. Josh currently develops open source projects which include 'The Backdoor Factory' (BDF) and BDFProxy.
Quantum Computing 01100101
We have all probably heard at one point or another that quantum computing would render current encryption standards as we know them obsolete. Intrigued by this assertion, I set about to understand why. This presentation will cover the very basics of classical versus quantum physics to include key concepts in the field, a "not too technical" introduction to quantum computing, and an explanation of quantum key cryptography as well as those trying to hack and secure it.
Tess is an INFOSEC noob who almost got her undergrad degree in physics. She began her college experience as a physics major but veered off into forensic science, lollygagged in law enforcement for a spell, and then made the transition into "national security". A chance client requirement waterboarded her with Chapter 8 of the NISPOM and she survived to come full circle, marrying her years of security experience with her original passion for science and technology.
Knock Knock: A Survey of iOS Authentication Methods
David Schuetz (Darth Null)
Almost all "interesting" mobile applications don't exist in a vacuum. They rely on external systems for much of their data, and as such, frequently need a method for identifying and authenticating the application's user to the server. How this happens varies widely.
As part of my day job, I frequently review mobile applications on iOS and so have seen many ways for applications to authenticate to the server -- some good, some great, some OMG awful. In this talk, I'll review some of the common (and not-so-common) techniques I've observed both on apps I've seen at work and just what's running on my own iStuff. I'll talk about what's good and what's bad, and most importantly, why. And finally, I'll try to suggest some general advice that you can follow when designing your own mobile apps, or when reviewing them for your own organization.
David (@DarthNull) is a Senior Consultant with Intrepidus Group (now part of NCC Group), where he performs web and iOS application security testing, iOS research, MDM reverse engineering, and other such fun. He's honored to have spoken at multiple security conferences on topics from rainbow tables to iOS and MDM to puzzle contests.
When not actively engaged in paying work, David loves solving crypto puzzles, working on side projects like KhanFu, and, when he remembers the app on his phone, looking for Geocaches. He can be found on Twitter as DarthNull, and is perpetually behind in his blogging at darthnull.org.
Eliminating Timing Side-channels. A Tutorial.
The traditional model of an attacker against a cryptographic primitive sees (and potentially controls) inputs and outputs of the computation. Side-channel attacks go beyond this model: the attacker now also sees some "leakage" of the internal state of the cryptographic computation. One class of leakage is timing: if the time taken by a computation depends on secret data, the attacker can measure time and obtain information about this secret data. This is not just a theoretical threat, as illustrated, for example, by a 2006 attack by Osvik, Shamir, and Tromer, who used a timing attack to recover the AES-256 key used in Linux hard-disk encryption in just 65 ms. A more recent example is the Lucky 13 attack against almost all implementations of AES-CBC in TLS libraries.
The timing side channel is different from other side channels (such as power consumption or electromagnetic radiation) because it can be exploited remotely and without any specialized hardware or manual interaction. It is also different because it is now well understood how to fully eliminate timing leakage. This talk is a tutorial on how to write constant-time software, i.e., software that does not leak any secret information through timing.
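As an added illustration of the distinction the tutorial draws (example code, not the speaker's): a byte-wise tag comparison that exits at the first mismatch next to a constant-time version. A work counter stands in for a stopwatch, so the secret-dependent behaviour is visible deterministically; the 16-byte "secret" tag and the guesses are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TAG_LEN 16

/* Work counter: loop iterations performed by the most recent comparison.
 * It stands in for a stopwatch so the leak is visible deterministically. */
static size_t last_steps;

/* Variable-time comparison: the loop stops at the first mismatch, so the
 * iteration count (and the elapsed time) reveals how many leading bytes of
 * the guess match the secret tag. */
static int compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    last_steps = 0;
    for (i = 0; i < n; i++) {
        last_steps++;
        if (a[i] != b[i])
            return 0;               /* secret-dependent early exit */
    }
    return 1;
}

/* Constant-time comparison: touches every byte, has no secret-dependent
 * branch, and folds all differences into one accumulator. */
static int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    size_t i;
    last_steps = 0;
    for (i = 0; i < n; i++) {
        last_steps++;
        diff |= (uint32_t)(a[i] ^ b[i]);
    }
    /* diff is 0..255, so (diff - 1) >> 31 is 1 exactly when diff == 0. */
    return (int)((diff - 1u) >> 31);
}

/* Constructed input: a fixed "secret" tag and a guess whose first `prefix`
 * bytes match it (prefix == TAG_LEN is a full match). Returns whether the
 * chosen comparison reported equality; last_steps holds its work count. */
static int tags_equal_for_prefix(size_t prefix, int constant_time)
{
    uint8_t secret[TAG_LEN], guess[TAG_LEN];
    size_t i;
    for (i = 0; i < TAG_LEN; i++) {
        secret[i] = (uint8_t)(0x5a + i);            /* constructed tag */
        guess[i] = (i < prefix) ? secret[i] : (uint8_t)~secret[i];
    }
    return constant_time ? compare_constant_time(secret, guess, TAG_LEN)
                         : compare_early_exit(secret, guess, TAG_LEN);
}

/* Work done by the chosen comparison for a guess matching `prefix` bytes. */
static size_t steps_for_prefix(size_t prefix, int constant_time)
{
    (void)tags_equal_for_prefix(prefix, constant_time);
    return last_steps;
}

int main(void)
{
    size_t p;
    for (p = 0; p <= TAG_LEN; p += 4)
        printf("prefix %2zu: early-exit %2zu steps, constant-time %2zu steps\n",
               p, steps_for_prefix(p, 0), steps_for_prefix(p, 1));
    return 0;
}
```

Both functions return the same verdicts; only the early-exit version does an amount of work that grows with the matching prefix, which is exactly what a remote attacker measures.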
Peter Schwabe is a researcher in applied cryptography working at Radboud University Nijmegen in the Netherlands. He is mainly working on secure and efficient software implementations of cryptography and occasionally cryptanalysis. Examples of what he's been working on include speed-record-setting timing-attack-protected software for AES-CTR and AES-GCM, the Ed25519 signature scheme, and recently the formal verification of a hand-optimized assembly implementation of Curve25519 Diffie-Hellman key exchange. He is in the core development team of NaCl, the only cryptographic library that systematically protects against timing attacks.
Five Not-Totally-Crazy Ways to Build for Usability
As security becomes an increasingly mainstream concern, we are challenged with making our products easier to use. Elissa Shevinsky, CTO of the secure photo sharing app Glimpse, will share several highly effective (including some unconventional) ways technologists can make their products more user-friendly.
Elissa Shevinsky (@ElissaBeth) is CTO of Glimpse Labs. She has been building software and startups for fifteen years. Her latest product, Glimpse, is an encrypted, ephemeral photo sharing app (like Snapchat, but more secure). With a mission of "easy to use privacy," Glimpse's early adopters include both hackers and sorority girls. Shevinsky is editing a book on Silicon Valley culture, which will be published by OR Books this spring. Shevinsky can be found all over the internet, and on Twitter as @ElissaBeth. Contrary to popular belief, she is neither a feminist nor a nice girl.
0wn the Con
The Shmoo Group
For ten years we've chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, an insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though--if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn't miss this. Or go ahead and do. It'll be online later anyway.
The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.
Simple Windows Application Whitelisting Evasion
Often deployed as the new way to prevent malware and unauthorized execution, application whitelisting has been billed as a way to contain and prevent advanced threats. "Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system." So goes the guidance of the Critical Security Controls. Is this guidance effective? Are there practical ways to circumvent whitelisting technology? If so, what are these techniques?
Adversaries adapt. Eventually, as we see in the biological world (weeds, mosquitoes), adversaries become resistant or inoculated against our defenses. We have developed a catalog of bypass techniques we would like to share. These techniques, while focused on the Windows operating systems, may have application to other areas.
Casey Smith (@subTee) is an Information Security Analyst in the Financial Industry. His daily responsibilities involve deploying and testing defensive systems in the enterprise. He has a passion for understanding and testing the limits of defensive systems.
How Random is Your RNG?
Meltem Sönmez Turan, John Kelsey, and Kerry McKay
Cryptographic primitives need random numbers to protect your data. Random numbers are used for generating secret keys, nonces, random paddings, initialization vectors, salts etc. Deterministic pseudorandom number generators are useful, but they still need truly random seeds generated by entropy sources in order to produce random numbers. Researchers have shown examples of deployed systems that did not have enough randomness in their entropy sources, and as a result, crypto keys were compromised. So how do you know how much entropy is in your entropy source?
Estimating entropy is a difficult (if not impossible) problem, and we’ve been working to create usable guidance that will give conservative estimates on the amount of entropy in an entropy source. We want to share some of the challenges and proposed methods. We will also talk about some new directions that we’re investigating, and present results of our estimation methods on simulated entropy sources.
The authors work within the Cryptographic Technology Group at the National Institute of Standards and Technology (NIST). Meltem is a cryptographer at NIST and holds a Ph.D. in Cryptography from Middle East Technical University. Kerry is a computer scientist at NIST and holds a D.Sc. in Computer Science from The George Washington University. John is an experienced cryptographer at NIST and has degrees in Computer Science and Economics from the University of Missouri Columbia.
NSA Playset: USB Tools
Dominic Spill, Michael Ossmann, and Jared Boone
USB implants were among the most talked about gadgets in the NSA ANT catalog after it leaked last year. Concealed in cables and connectors, these devices appear to be designed primarily to provide covert communication channels to malware operating on a host computer. Secondarily it seems that they could be used to implement USB attacks or to monitor connected USB devices.
We'll demonstrate tools we've built for the same capabilities. This will be the first public demonstration of USB man-in-the-middle with Daisho, our SuperSpeed USB platform for wired communication security research. Additionally we will show capabilities recently added to USBProxy, a software framework that can operate on hardware platforms such as BeagleBone Black. Just for fun, we'll also play with TURNIPSCHOOL, our own RF implant hidden in a USB cable.
Dominic Spill has been building Bluetooth packet sniffers since 2007; he now works on Ubertooth and USBProxy among other communications sniffing projects.
Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting new tools into the hands of innovative people.
Jared Boone designs open-source hardware focused on radio, music, art, and timekeeping. He dabbles in security and privacy topics when opportunities present.
The Mile High Club: Getting Root at 40,000 Feet
Have you ever been stuck on a plane with no internet, and wished that you could be doing something better, like hacking? Thanks to new airline technologies, now you can!
The current trend in the airline industry is to move in-flight entertainment to passengers' mobile devices, instead of relying on in-seat displays. This presentation will cover an in-depth analysis of a popular inflight entertainment system and assess the (scary... very scary) security implications for both the traveler and the airline. A few of the topics covered will be:
- Learn how to choose exactly what content is served up (Is it time for Rebecca Black to make a comeback yet?).
- See how hacking the entertainment system can actually get a plane grounded.
- Is your plane PCI compliant? Those credit card numbers used to pay for premium content have to go somewhere...
- Hack all the planes! Why hack one when you can have a self propagating global plane botnet?!
Wesley Wineberg lives in Vancouver, Canada, and is a Security Research Engineer at Synack. Prior to Synack, Wes spent six years working on SCADA and critical infrastructure security (yes it's as bad as everyone says it is!).
Wes enjoys black-box analysis of systems, including reverse engineering and pen testing. Having looked at the security of many embedded devices, Wes looks forward to the job security that the internet of things will provide to the security industry!
Rethinking Security's Role in CS Education
The role of security in computer science education needs to be reconsidered. There is little to no applied security content for the majority of undergraduate computer science students. Given that security is an afterthought in education, it should be no surprise that it ends up being an afterthought when those students join the working world. As a result, the same security mistakes are made over and over again.
Most security content in curricula today is meant for future security specialists. What content there is comes as a standalone class or lecture, and is not interwoven with the regular curriculum.
The integration of Environmental Engineering design concepts into general engineering curricula provides a model for how to fix this "afterthought" problem. Applied security content needs to be integrated throughout the undergraduate computer science curriculum. This can be achieved with minimal disruption to the existing courses, as long as the changes are subtle, but consistent.
Sarah is a partner at L0pht Holdings LLC, the spin-off from the L0pht that created the award-winning password cracking tool L0phtCrack. She holds a degree in mathematics from MIT, and a Master's in computer science from Boston University. After working with various three-letter agencies she wanted to do something unequivocally "good" and has been visiting high schools and elementary schools representing "hacker" on career day. She's trying to convince her local library to let her teach a lockpicking workshop.