2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Exploit Development', 'Cloud & Platform Security'] No attachments
Heap isolation is an effective mitigation that reduces the exploitability of certain types of vulnerabilities, especially Use-After-Free. In the Android/Linux kernel, a Use-After-Free vulnerability in a dedicated cache is difficult to exploit because none of the ideal victim objects can be allocated directly in the same cache, and from the Android11-5.4 kernel onward, CONFIG_SLAB_MERGE_DEFAULT is not set by default, which means dedicated caches are never merged into one to reduce memory fragmentation. Thus, to exploit a UAF vulnerability in a dedicated cache, a cross-cache attack technique has to be applied. However, since the well-known cross-cache attack techniques are time-consuming and less deterministic, many Use-After-Free vulnerabilities in dedicated caches attract little attention and are regarded as unexploitable bugs.

In this talk, I will introduce "Ret2page" - a new and gener
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Lessons Learned', 'Enterprise Security'] No attachments
In the past 5 years, we've demonstrated countless supply chain attacks in production CI/CD pipelines for virtually every company we've tested, with several dozen successful compromises of targets ranging from small businesses to Fortune 500 companies across almost every market and industry.

In this presentation, we'll explain why CI/CD pipelines are the most dangerous potential attack surface of your software supply chain. To do this, we'll discuss the sorts of technologies we frequently encounter, how they're used, and why they are the most highly privileged and valuable targets in your company's entire infrastructure. We'll then discuss specific examples (with demos!) of novel abuses of intended functionality in automated pipelines which allow us to turn the build pipelines from a simple developer utility into Remote Code Execution-as-a-Service.

Is code-signing leading your team into a 
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Exploit Development'] No attachments
Networking is a critical and complex task for browsers. It ranges from high-level JavaScript APIs all the way down to managing every socket connection. Services on remote servers can control every single byte sent to the browser during communication, which might lead to memory safety issues when the browser parses the inputs. But apart from these security issues due to data processing, are there other logic bugs from a higher-level view? Can this type of bug be exploited, and how?

In this presentation, we will show how we discovered several bugs in the Chrome network stack and exploited them to compromise the renderer process and escape the Chrome sandbox. We will discuss the design problems of resource fetching/caching and one of the transport layer protocols embedded in Chrome. We will illustrate how server-side responses can affect browser behavior, which results in security bugs. Finally, we will detail the exp
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Malware', 'Reverse Engineering'] No attachments
Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare a Microsoft-approved list of explicitly allowed signers to run as protected (PPL) services. Microsoft makes clear that these mitigations are best-effort attempts to mitigate against security product tampering by labeling ELAM and PPL "defense-in-depth security features." This talk aims to make clear why these mitigations are "best-effort" and ultimately indefensible.

This talk will cover a methodology for assessing ELAM drivers and demonstrate scenarios where overly-permissive rules open up adversary tradecraft opportunities, not through exploiting vulnerabilities but through the abuse of intended functionality. A single, overly-permissive ELAM driver enables an adversary not only to tamper with security products but also to supply malware with anti-tampering protections, ha
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Mobile', 'Hardware / Embedded'] No attachments
Despite the large number of phone vendors, most Android devices are based on a relatively small subset of system on a chip (SoC) vendors. Google decided to break this pattern with the Pixel 6 and the Tensor Chip. From a security perspective, this meant that rather than using code that had been tested and used for years, there was an entirely new stack of high-value device firmware we needed to get right the first time.

This talk will explore how Android secured the Tensor Chip from the ground up, focusing on the perspective of the Android Red Team. We will cover exploits for issues valued at over $2M in total based on our Vulnerability Rewards Program. ($1M alone for breaking into Titan M2!)

We will cover offensive testing, including custom tool development, for 3 security-critical areas within the Pixel 6 SoC:
- Titan M2 (the secure element for a Pixel device) with PoC: The first end to end code exec
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Defense', 'Hardware / Embedded'] No attachments
This session covers the TRC (tunable replica circuit), a fault-injection detection circuit that has been productized in Intel's Alderlake platform and integrated into CSME (converged security and manageability engine). This is Intel's first foray into active fault-injection attack detection in high-volume products such as CPUs and chipsets.

Unlike traditional analog voltage and clock monitors, the TRC detects timing failures that result from voltage, clock, temperature, and other glitch attacks such as electromagnetic radiation. Ultimately, since a timing failure is the primary goal of fault-injection attacks and has been shown to be the vehicle for causing unsigned code to run on other security engines, using the TRC to explicitly detect timing failures is Intel's current approach to fault-injection detection in client security engines. This session will introduce the TRC technology, how the TRC was integrated i
2022-05-25 03:31 blackhat
Published: 2022-05-24 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Mobile', 'Exploit Development'] No attachments
Log4Shell is an epic vulnerability in Log4j, a popular Java logging framework widely used by developers. The existence of this vulnerability went unnoticed for almost a decade! We recently discovered a similar attack surface in the logging components on Android devices: the logging services provided by Android vendors are such a long-neglected attack surface that they can cause serious security incidents, just like Log4j did. We named the attack surface Log4Android.

Almost all vendors integrate their customized logging services into release devices to help collect runtime logs, which helps vendors better understand what is happening on release devices, especially when handling exceptions or crashes. We've found that the logging services are not only useful tools for vendors to improve device stability, but also powerful helpers for attackers to attack Android devices. Quite a fe
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Defense', 'Exploit Development'] No attachments
One of the fastest growing subsystems in the Linux Kernel is, without any doubt, eBPF (extended Berkeley Packet Filter). Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF are getting closer to those of a kernel module, with additional benefits: system safety and stability.

When it comes to security, eBPF has been a hot topic in previous years, for good and less desirable reasons. Like any other kernel feature, eBPF has introduced its fair share of kernel bugs and vulnerabilities, questioning the maturity of a solution that introduces a rich feature set but considerably increases the kernel attack surface. On the other hand, eBPF is now powering an increasing number of endpoint protection solutions, showcasing original ideas to detect threats at runtime.

Unlike many pr
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Malware', 'Defense'] No attachments
Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework (ESF) as an event source to fuel behavioral-based detections.

In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form and as a pivot point to perform more advanced detections.

The Endpoint Security Framework provides many different fields that get overlooked in detection scenarios. We will show how we can use these clues to piece together a story about malicious activity that has taken place on a system. Finally, we will discuss examples where ESF has helped us identify that exploitation has taken place, including the detection of multiple 0-days.
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Enterprise Security', 'Application Security'] No attachments
Single Sign On (SSO) has become the dominant authentication scheme for logging in to several related, yet independent, software systems. At the core of this are the identity providers (IdP). Their role is to perform credential verification and to supply a signed token that service providers (SP) can consume for access control.

On the other hand, when an application requests resources on behalf of a user and they're granted, an authorization request is made to an authorization server (AS). The AS exchanges a code for a token, which is presented to a resource server (RS), and the requested resources are consumed by the requesting application.

OAuth2 handles authorization, whilst SAML handles authentication, and as such Identity and Access Management (IAM) solutions have become very popular in the enterprise environment to handle both use cases. What if IAM solutions are vulnerable to cri
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'Application Security'] No attachments
macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed, and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerability classes such as process injection.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update from October 2021, but completely fixing this vulnerability requi
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Malware', 'Policy'] No attachments
The Russian invasion of Ukraine has included a wealth of cyber operations that have tested our collective assumptions about the role that cyber plays in modern warfare. The concept of 'Cyber War' has been subject to all kinds of fantastic aberrations fueled by commentators unfamiliar with the realities and constraints of real-world cyber.

From the beginning of 2022, we have dealt with at least seven strains of wiper malware targeting Ukraine. The latest wiper was used to attack satellite modems with suspected spillover into critical infrastructure in Western Europe. Before this, nation-state wiper malware was relatively rare, and this period of abundance is teaching us a great deal about the effects attackers can('t) have during military operations and what we should realistically expect in an era of hybrid warfare with cyber components.
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Hardware / Embedded', 'Cloud & Platform Security'] No attachments
The SMM is a well-guarded fortress that holds a treasure – an unlimited god mode. We hopped over the walls, fooled the guards, and entered the holy grail of privileges.

An attacker running in System Management Mode (SMM) can bypass practically any security mechanism, steal sensitive information, install a bootkit, or even brick the entire platform.

We discovered a family of industry-wide TOCTOU vulnerabilities in various UEFI implementations affecting more than 8 major vendors, making billions of devices vulnerable to our attack. RingHopper leverages peripheral devices that exist on every platform to perform a confused deputy attack. With RingHopper we hop from ring 3 (user-space) into ring -2 (SMM), bypass all mitigations, and gain arbitrary code execution.

In our talk, we will deep-dive into this class of vulnerabilities, the exploitation method, and how it can be prevented. F
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Data Forensics & Incident Response', 'Lessons Learned'] No attachments
Ransomware gangs are increasingly engaging in rebranding to shield their malicious activity from scrutiny and minimize operational risk. However, to date the level of this rebranding activity hasn't been assessed or documented, meaning only the bad guys get the benefit of this institutional knowledge.

This presentation will dive into ransomware rebranding over the last 5+ years, discuss why threat actors rebrand, present new research on the frequency of rebranding, and show how organizations can use this data to inform their defenses.

Finally, we will debut a new openly available repository of linked ransomware brands so you can use attackers' institutional knowledge against them.
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Malware', 'Cyber-Physical Systems'] No attachments
Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against two million+ people and with components amplifying the impact, making recovery harder.

We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia's GRU.

Our talk covers the technical details: our reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 "speaks" just one: IEC-104.

We also
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Policy', 'Lessons Learned'] No attachments
You get a fact…and you get a fact…and you get a fact! It sounds like a meme until you realize that's how most people treat their conceptions of what happened after a major cyber incident investigation. If you asked ten people, even in the infosec community, right now what happened during the Colonial Pipeline hack, you'd get ten different answers that differ substantially on fundamental facts of Who, What, Where, When, Why, and How.

In December of 2021, Harvard's Belfer Center released a report based on a workshop involving over 100 international experts. Our project investigated how the aviation industry draws lessons learned from aviation incidents and how such a process could be applied to cyber incident investigations. Based on this, we have created the Major Cyber Incident Investigations Playbook. This new document, pending publication at Harvard and being released here at Black Hat, is a playbook to mak
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'Enterprise Security'] No attachments
External identities are a concept in Azure Active Directory which makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant, or are unmanaged accounts outside of Azure AD.

This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated. During the research for this talk, several flaws in the implementation were identified, which create novel ways to backdoor and hijack Azure AD accounts from a regular user. Ways were also identified to exploit these external identity links to elevate privileges and bypass Multi Factor Authentication and Conditional Access policies. All these attacks were pos
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Network Security'] No attachments
The recent hijack of a Twitter prefix by RTCOMM demonstrated the central role of RPKI in Internet routing security. RPKI filtering (ROV) by major networks limited the propagation of the hijacked prefix.

We demonstrate the first downgrade attacks against RPKI, which allow remote adversaries to disable RPKI validation, hence exposing networks to prefix hijacks. In our attacks, a malicious RPKI publication point stalls the relying party implementations, disabling RPKI validation on those networks.

We show that all the current RPKI relying party implementations are vulnerable to attacks by a malicious publication point. This translates to 20.4% of the IPv4 address space.

We provide recommendations for preventing our downgrade attacks. However, resolving the fundamental problem is not straightforward: if the relying parties prefer security over connectivity and insist on RPKI validation when ROAs cannot be retri
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Exploit Development'] No attachments
Unauthenticated remote code execution bugs are always the focus of offensive, defensive and vulnerability research. On the Windows platform, remote file systems are popular targets when looking for such bugs. For example, 5 years ago the WannaCry ransomware infected tens of thousands of computers all over the world by leveraging the leaked SMB exploit EternalBlue, and SMB is not the only Windows remote file system. For example, the Network File System (NFS) is a widely used file system on Linux/Unix servers; Microsoft also has its own NFS implementation, which is supported by Azure cloud, but so far we have not found any public presentation on it. Because of the high severity and impact of these critical bugs, the Windows Insider Preview bounty program pays $10,000 for an unauthenticated RCE bug.

In Aug 2021 we started a project to find unauthenticated RCE bugs in Windows remote file systems and found some unauth
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Mobile', 'Cryptography'] No attachments
ARM-based Android smartphones rely on TrustZone hardware support for a Trusted Execution Environment (TEE) to implement security-sensitive functions. The TEE runs a separate, isolated TrustZone Operating System (TZOS) in parallel to Android. The implementation of the cryptographic functions within the TZOS is left to the device vendors, who create proprietary, undocumented designs.

In this work, we expose the cryptographic design and implementation of Android's Hardware-Backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate 
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Human Factors', 'Defense'] No attachments
Cybersecurity practitioners in defensive roles are regularly confronted with high-risk behaviors from the populations they protect. In theory, the security response should be simple: inform the user of the risks and get them to stop. Phishing email? Don't click those links. Dangerous software on the internet? Don't download it. Unfortunately, all-or-nothing guidance like this rarely fits all members of a population and can lead to unintended consequences and increased harm. How can cybersecurity defenders help those who can't or won't stop engaging in risky behaviors?

For more than 30 years, healthcare practitioners have been exploring an alternative to all-or-nothing guidance (aka abstinence or use reduction) called harm reduction. Originally designed in response to the spread of HIV amongst intravenous drug users in the eighties, harm reduction focuses on decreasing the negative consequences of high risk beha
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Human Factors', 'Mobile'] No attachments
In recent years data leaks have escalated, and leaked passwords and usernames have become a common attack vector in phishing attacks. Until recently, phone numbers were commonly overlooked by attackers as well as red teams. This year has seen an increase in attacks circumventing text-based 2FA.

In this talk, the researchers will show how it's possible to gather data from publicly available sources and connect the phone numbers most likely used by two-factor authentication systems to other leaked email and login credentials.

We will simulate an attack armed with your cracked password, email address and phone number.

We will show techniques and methods used by real threat actors to bypass text-based 2FA using only publicly leaked data, in a real-time attack that indexes OSINT data combined with publicly available attack tools and frameworks.
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Hardware / Embedded', 'Exploit Development'] No attachments
The initial disclosure of Spectre in 2018 led to an unforeseen era of transient execution attacks. These attacks usually allow a lower-privileged attacker to leak arbitrary data from higher-privileged security domains by observing the side effects of transiently executed instructions. One especially powerful attack variant, Branch Target Injection (BTI), abuses misprediction and the resulting misspeculation on indirect branches to transiently execute attacker-controlled instructions. To put a stop to this, affected vendors initially relied on a complicated set of software defenses and began only in the last two years to roll out in-silicon defenses to the consumer market.
2022-05-25 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development'] No attachments
Over the past 12 months, Google's TAG (Threat Analysis Group) and Android Security teams have discovered and analyzed several in-the-wild 1day/0day exploits by surveillance vendors. We will present in-the-wild browser and kernel LPE exploits found in 2021 such as CVE-2021-28663 (Mali GPU), CVE-2020-16040/CVE-2021-38000 (Browser), CVE-2021-1048 (Linux kernel) and CVE-2021-0920 (Linux kernel). CVE-2021-0920 is an in-the-wild 0day Linux kernel garbage collection vulnerability; not publicly well known, it is much more sophisticated and arcane than the other aforementioned exploits. We will do a deep dive into the CVE-2021-0920 exploit and its attribution. Furthermore, we will present a novel and previously unseen in-the-wild kernel exploitation technique for fully bypassing a hardware-level mitigation.

Among the commercial exploit vendors who built the above in-the-wild exploits, one, the developer 
2022-05-24 05:54 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Hardware / Embedded'] No attachments
Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique and effectively preventing simple replay attacks. However, RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.

We introduce RollBack, a new replay-and-resynchronize attack against most of today's RKE systems. In particular, we sho
2022-05-24 05:54 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Cryptography', 'Network Security'] No attachments
In this talk, we show that the cryptographic agility in DNSSEC, although critical for making DNS secure with strong cryptography, also introduces a severe vulnerability. We find that under certain conditions, when new cryptographic material is listed in signed DNS responses, resolvers do not validate DNSSEC.

We use this to develop DNSSEC-downgrade attacks and show that in some situations these attacks can be launched even by off-path adversaries. We experimentally and ethically evaluate our attacks against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We validate the success of DNSSEC-downgrade attacks by poisoning the resolvers: we inject fake records, in signed domains, into the caches of validating resolvers. We find that major DNS providers as well as 70% of DNS resolvers used by web clients are vulnerable to our attacks.
2022-05-20 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['AI, ML, & Data Science', 'Malware'] No attachments
This session will present a hybrid machine learning architecture that simultaneously utilizes static and dynamic malware analysis methodologies. We employ the Windows kernel emulator published by Mandiant for dynamic analysis and process emulation reports with a 1D convolutional neural network. In contrast, static analysis is based on the state-of-the-art ensemble model publicly released by Endgame. The hybrid model surpasses the capabilities of modern AI classifiers. We use threat intelligence data consisting of in-the-wild telemetry from 100k samples and record a detection rate of 96.70% with a fixed False Positive rate of 0.1%. Additionally, we will show that contextual telemetry from a system, such as an executable's file path, can further increase detection rates. Finally, unaffiliated with any organization, we open-source our hybrid model with a convenient scikit-learn-like API for public use.
2022-05-20 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Application Security'] No attachments
The hash table, as the most fundamental data structure in computer science, is extensively applied in software architecture to store data in an associative manner. However, its architecture makes it prone to collision attacks. To deal with this problem, 25 years ago Microsoft designed its own dynamic hashing algorithm and applied it everywhere in IIS, the web server from Microsoft, to serve various data from the HTTP stack. As hash tables are everywhere, isn't the design from Microsoft worth scrutinizing?

We dive into IIS internals through months of reverse-engineering effort to examine both the hash table implementation and the use of hash table algorithms. Several types of attacks are proposed and uncovered in our research, including (1) a specially designed Zero-Hash Flooding Attack against Microsoft's self-implemented algorithm; (2) a Cache Poisoning Attack based on the inconsistency between hash keys; (3) An unusual A
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Privacy', 'Lessons Learned'] No attachments
Red teams are an important component of a holistic cyber security program because they test how well the program stands up to threats from real adversaries. In 2021, Meta created a privacy red team to help improve our privacy posture and preserve the privacy of our ~3 billion users and their data. Based on that experience, we present the case for why a privacy-focused red team is an important part of a holistic privacy program.

In this talk, you'll learn what a privacy red team is, how it's different from a security red team, the challenges we faced, and examples of real operations we performed. You'll walk away with a better understanding of how privacy red teaming can benefit your organization, and the role that offense can play in your privacy defense.
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Privacy', 'Malware'] No attachments
It's easy to forget the human cost of state-sponsored threats operating with impunity. While we often think of espionage, intellectual property theft, or financial gain as the objectives of these cyber operations, there's a far more insidious motivation that flies under the radar: APTs fabricating evidence in order to frame and incarcerate vulnerable opponents.

This talk focuses on the activities of ModifiedElephant, a threat actor operating for at least a decade with ties to the commercial surveillance industry. More importantly, we'll discuss how they've gone about incriminating activists who are locked up to this day despite forensic reports that show the evidence was planted. And if that's not concerning enough, we'll show how multiple regional threat actors were going after these same victims prior to their arrest. This cluster of activity represents a critically underreported dimension of how some governments 
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['AI, ML, & Data Science', 'Defense'] No attachments
Voice is an essential medium for humans to transfer information and build trust, and the trustworthiness of voice is of great importance to humans. With the development of deep learning technologies, attackers have started to use AI techniques to synthesize and even clone human voices. To combat the misuse of such techniques, researchers have proposed a series of AI-synthesized speech detection approaches and achieved very promising detection results in laboratory environments. Can these approaches really be as effective in the real world as they claim to be? This study provides an in-depth analysis of these works, identifies a set of potential problems, and designs a novel voice clone attack framework, SiF-DeepVC, based on these problems. This study first proposes the idea of "bypassing fake voice detection using speaker-irrelative features" and proves that detecting AI-synthesized speech is still highly challen
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Exploit Development'] No attachments
If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system is greatly restricted, and site isolation still enforces the web security guarantees. To allow such strong restrictions, various IPC services provide the required functionality to the renderer process, and these services can themselves become a target for sandbox escapes.

In this talk, we will take a look at Mojo, the IPC framework in Chrome. I will explain the protocol's inner workings using three logic bugs as examples. Finally, we're going to write a reliable exploit for a seemingly impossible race condition.
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['AI, ML, & Data Science', 'Privacy'] No attachments
Much real-world data comes in the form of graphs. Graph neural networks (GNNs), a new family of machine learning (ML) models, have been proposed to fully leverage graph data to build powerful applications. In particular, inductive GNNs, which can generalize to unseen data, have become mainstream in this direction. Those models have facilitated numerous practical solutions to real-world problems, such as node classification, community detection, link prediction/recommendation, binary similarity detection, malware detection, fraud detection, bot detection, etc.

To train a good model, a large amount of proprietary data as well as computational resources are needed, leading to valuable intellectual property. Previous research has shown that ML models are prone to adversarial attacks, which aim to steal the functionality of the target models. However, most of them focus on the models trained with non-structure
2022-05-19 03:31 blackhat
Published: 2022-05-16 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['AI, ML, & Data Science', 'Malware'] No attachments
In this session, we will present a composite machine learning architecture that incorporates both static and dynamic malware analysis methodologies. It surpasses the performance of the current state-of-the-art gradient boosted decision tree classifier commonly called Ember and originally released by Endgame. We will evaluate performance on threat intelligence data consisting of in-the-wild telemetry from 100k samples provided by an undisclosed security partner and record an increase in detection rate to 96.70% with the composite approach at a fixed false positive rate of 0.1%. This is possible since we employ a Windows kernel emulator published by Mandiant for dynamic analysis of binaries and process the emulation reports with a 1D convolutional neural network in a separate module. Additionally, we will show that contextual telemetry from a system, such as the path of an executed file, can decrease False Positiv
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Policy', 'Defense'] No attachments
We present a protocol that collectivises security bounties for deterministically verifiable zero-day exploits. It enables companies to show customers how secure their software is, in terms of dollars staked on their open-source software stack. It also helps ethical hackers retrieve their bounties without ambiguity. The subjectivity and manual labour of triage processes are eliminated for these exploits.

The protocol enables companies and users (stakeholders) to pool bounties on open-source security stacks in decentralised virtual machines (DVMs) containing read and/or write secrets. Stakeholders specify minimum responsible disclosure durations and a public key. Next, ethical hackers can submit an attack to such DVMs by storing it in a decentralised encrypted locker (DEL) and notifying the DVM of its presence. Once the stakeholders see this notification (along with the rest of the world), they can use their private key
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Human Factors'] No attachments
An unrecognised individual enters a busy workplace. They are not wearing any ID and they are asking people if they can use their laptops or plug in an unauthorised USB device. Even though people typically know this is a problem, staff often fail to challenge, resulting in an exploitable vulnerability. But our individual is wearing a brightly coloured t-shirt with the words "CHALLENGE ME" in large friendly letters on the chest, and they are overtly trying to engineer risky behaviours. It is all far too obvious - almost like they want to be caught doing something wrong…

That is exactly the point. They want to be caught, because each time they are challenged, our work indicates that their target becomes more secure. This is the "Malicious Floorwalker" exercise, an impactful behavioural intervention designed and delivered by the UK MOD Cyber Awareness Behaviours & Culture team.

Grounded in robust psychological theory int
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cryptography', 'Hardware / Embedded'] No attachments
ESP32 is one of the most widely used microcontrollers and is present in hundreds of millions of devices, such as IoT applications, mobile devices, hardware wallets, etc. In 2019, Limited Results published a fault injection attack at Black Hat Europe which resulted in breaking the security of the ESP32-V1 chip family. Espressif therefore patched this vulnerability and advised its customers to use ESP32-V3, which is a hardened silicon revision.

In this talk, we present an in-depth hardware security evaluation of ESP32-V3. The main goal of this evaluation is to extract the firmware encryption key in order to decrypt the encrypted flash content, which may contain secret data.

First, we use Fault Injection (FI), using our homemade electromagnetic fault injector, in an attempt to access the flash encryption keys stored in the read-protected eFuses. We show by experimental results that this new
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Network Security', 'Reverse Engineering'] No attachments
Protocol reverse engineering is the process of extracting the specification of a network protocol from the binary code that implements it. Extraction of a protocol specification is useful in several security-related contexts, such as finding implementation bugs, determining conformance to a standard, or discovering a botnet's command and control (C&C) protocol.

Manual reverse engineering of a protocol can be time-consuming. We present a tool that automatically reverse engineers a protocol directly from the binary. Namely, given a binary sample, the tool automatically extracts the protocol specification, including message formats and the protocol state machine! The tool leverages symbolic execution and automata learning algorithms.

This is the first tool that extracts a protocol's specification without relying on captures of the protocol's traffic, with no prior knowledge of message formats and wit
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Application Security'] No attachments
Finding concurrency bugs has presented a challenge for security and development teams. Race condition-based vulnerabilities are a growing category of bugs reported to vendors and have been observed in in-the-wild exploits. Coverage-guided fuzzing has been a boon to the security community, both offensive and defensive, but on its own it is often not sufficient to find deep concurrency issues reliably.

This research discusses a novel approach to fuzzing that enables deterministic discovery of race condition bugs, allowing researchers to unearth and root-cause these serious bugs while still having fun.
2022-05-19 03:31 blackhat
Published: 2022-05-17 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Hardware / Embedded'] No attachments
Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique and effectively preventing simple replay attacks. However, RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.

We introduce RollBack, a new replay-and-resynchronize attack against most of today's RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, replaying a few previously captured signals consecutively can trigger a rollback-like mechanism in the RKE sys
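The abstract above explains why a plain replay fails against a rolling code and why RollJam's jam-and-capture sequence still works until the owner presses the fob again without the jammer in place. The simulation below is an added illustration of exactly those three cases; it is not code from the talk and does not implement RollBack, whose mechanism is not on this page. The HMAC-derived code, the 4-byte code length and the 16-entry lookahead window are assumptions chosen for the demo, not any vendor's scheme.

```python
"""Constructed rolling-code RKE simulation: receiver with a lookahead window,
a plain replay, and the RollJam jam/capture/replay sequence.
Added illustration, not the talk's code; the HMAC derivation, 4-byte codes and
WINDOW=16 are assumptions for the demo, not any vendor's scheme."""
import hashlib
import hmac

WINDOW = 16  # assumed: receiver accepts counters in (last_accepted, last_accepted + WINDOW]


def make_code(key: bytes, counter: int) -> bytes:
    """One-time code for a counter value (assumed HMAC-SHA256 derivation, truncated)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        """Each press advances the counter, so every transmitted code is unique."""
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_accepted = 0

    def unlock(self, code: bytes) -> bool:
        """Accept a code only if its counter lies ahead of the last accepted one and
        within the lookahead window; accepting it consumes every earlier counter."""
        for c in range(self.last_accepted + 1, self.last_accepted + WINDOW + 1):
            if hmac.compare_digest(make_code(self.key, c), code):
                self.last_accepted = c
                return True
        return False


def plain_replay() -> tuple[bool, bool]:
    """Attacker records a press the receiver also hears, then replays it.
    Returns (legitimate press accepted, replay accepted)."""
    key = b"constructed-demo-key"
    fob, rx = KeyFob(key), Receiver(key)
    code = fob.press()
    return rx.unlock(code), rx.unlock(code)


def rolljam(owner_presses_in_between: bool) -> bool:
    """RollJam: jam and record two presses so the receiver hears neither, replay the
    first so the owner's car opens, and keep the second as an unused valid code.
    Returns whether that saved code still opens the car later."""
    key = b"constructed-demo-key"
    fob, rx = KeyFob(key), Receiver(key)
    first = fob.press()    # jammed: receiver never sees it, attacker records it
    second = fob.press()   # jammed again: receiver never sees it either
    rx.unlock(first)       # attacker replays the first code; owner sees the car open
    if owner_presses_in_between:
        # Without the jammer in place the owner's next press moves the receiver's
        # counter past the saved code, which is the limitation the abstract notes.
        rx.unlock(fob.press())
    return rx.unlock(second)


if __name__ == "__main__":
    print("plain replay (legit, replay):", plain_replay())
    print("RollJam, jammer kept in place:", rolljam(False))
    print("RollJam, owner used fob meanwhile:", rolljam(True))
```

Run it directly to see the three outcomes; the receiver's window is what makes the saved RollJam code usable at all, and the same window is what invalidates it once a later counter has been accepted.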
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Privacy', 'Reverse Engineering'] No attachments
On September 20, 2021, we started a study on spying and tracking in popular applications from the Apple and Google markets. We have created a platform for static and dynamic analysis that decrypts all network activity and tracks access to device resources and unique identifiers. Because of its proprietary nature and difficulty, we started with iOS and built an alternative to the adb tool based on reverse engineering of Apple services. After running a few tests we noticed that almost every app, even simple ones like calculators, sends a bunch of tracking data to URLs like "appsflyer.com", etc.

This presentation covers our analysis of 10,000 applications from the App Store and Play Market, including messengers and applications calling themselves "privacy first".
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Policy', 'Human Factors'] No attachments
This talk will present results of a study on the reliance of critical proprietary and open source software on Chinese software vulnerability disclosures. The increasingly difficult environment for Chinese security researchers became acute with the passage of a law banning disclosure to non-governmental sources in September 2021. As yet, however, the impact of these restrictions has not been systematically evaluated in public.

This talk will present results of a quantitative analysis on the changing proportion of Chinese-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages. The analysis considers changes over time in response to the evolving Chinese legal environment, significant divergence from data on the allocations of bug bounty rewards, and noteworthy trends in the
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Community & Career', 'Reverse Engineering'] No attachments
In an ideal world, members of a community work together towards a common goal or greater good. Unfortunately, we do not (yet) live in such a world.

In this talk, we discuss what appears to be a systemic issue impacting our cyber-security community: the theft and unauthorized use of algorithms by corporate entities, entities that may themselves be part of the community.

First, we'll present a variety of search techniques that can automatically point to unauthorized code in commercial products. Then we'll show how reverse-engineering and binary comparison techniques can confirm such findings.

Next, we will apply these approaches in a real-world case study. Specifically, we'll focus on a popular tool from a non-profit organization that was re
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Application Security'] No attachments
If there's one prediction you can make with certainty, it's that security in the Web3/blockchain space will get a whole lot worse before it gets better. We have the perfect cocktail of inexperience mixed with emerging technology, playing out in full public view with large sums at stake and the permanence of immutable transactions. The result is predictable. An environment free from constraints can seem like an innovation paradise, but when the stakes are so high, you have to get everything right the first time because there may not be a next time. We tend to forget that what we see from this space are experiments playing out in production, and the time between exploitation and losing millions of dollars worth of value can be measured in seconds. So, how did we get here? Is it all doom and gloom? What can be done?

This talk is a grounded look at the factors contributing to the security failures we've witnessed, free 
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'Exploit Development'] No attachments
Cloud service providers often provide popular and beloved open-source solutions as multi-tenant managed services. This is a significant power of the cloud: to offer anything as a scalable, managed service. However, these projects were not built with multi-tenancy in mind, and therefore their adoption relies on multiple modifications and adjustments by the cloud vendor.

Our team explored PostgreSQL-as-a-Service offered by multiple cloud providers and found a series of vulnerabilities related to its implementation as a multi-tenant service, including severe isolation issues. The impact of these vulnerabilities can be wide-reaching, as they may become the starting point for a cross-account access attack; as we recently demonstrated in the "ExtraReplica" vulnerability, a Postgres vulnerability leads to cross-account access of customer d
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Enterprise Security', 'Exploit Development'] No attachments
XMPP is a popular instant messaging protocol based on XML that is used in messengers, online games and other applications.

This talk will introduce a new way of attacking XMPP client software: XMPP stanza smuggling. More specifically, it will show how seemingly subtle quirks in XML parsing can be exploited to "smuggle" attacker-controlled XMPP control messages to the victim client, and how the design of the XMPP protocol makes it especially susceptible to such issues. It will be demonstrated how such issues led to zero-click remote code execution in the Zoom client.

While Zoom is used as an example throughout the talk and to demonstrate the maximum impact achievable, the XMPP bugs presented are not specific to Zoom.
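The abstract names the bug class, a parsing disagreement that lets text inside one stanza be read by the client as a separate control stanza, but not the specific quirks. The script below is a constructed illustration of that class, added here; it is not the Zoom bugs (which are not on this page) and not any real client's or library's code. An XMPP stream is one long XML document whose top-level children are the stanzas, so a splitter that scans the raw text for `<message`/`<iq` instead of tracking element depth will see a boundary inside a CDATA body that a real XML parser correctly treats as character data. The JIDs, the stream content and the `constructed:settings` namespace are made up.

```python
"""Constructed XMPP stanza-boundary parser differential.
Added illustration of the bug class; not the talk's bugs or any real client's code.
JIDs, stream contents and the 'constructed:settings' namespace are made up."""
import re
import xml.parsers.expat

STREAM_OPEN = ('<stream:stream xmlns="jabber:client" '
               'xmlns:stream="http://etherx.jabber.org/streams">')
STREAM_CLOSE = "</stream:stream>"

# Constructed stream: one chat message whose CDATA body *contains* text that looks
# like the end of the message followed by an <iq type="set"> control stanza.
ATTACKER_STREAM = (
    STREAM_OPEN
    + '<message from="mallory@example.org" to="victim@example.org" type="chat">'
    + '<body><![CDATA[hello</message><iq type="set" id="x1" from="example.org">'
    + '<query xmlns="constructed:settings"><setting/></query></iq>]]></body>'
    + "</message>"
    + STREAM_CLOSE
)

STANZA_RE = re.compile(r"<(message|iq|presence)\b[^>]*>")


def naive_stanzas(stream: str) -> list:
    """Constructed naive splitter: finds stanza start tags by scanning the raw text.
    It knows nothing about CDATA, so markup quoted inside a body is taken as a stanza."""
    return [m.group(1) for m in STANZA_RE.finditer(stream)]


def parse_stanzas(stream: str) -> list:
    """Depth-tracking parser: a stanza is exactly a depth-2 element under <stream:stream>.
    Returns one dict per stanza with its name, attributes and concatenated text content;
    CDATA arrives as character data and can never open or close an element."""
    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    stanzas = []
    text = []

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth == 2:
            stanzas.append({"name": name, "attrs": dict(attrs), "text": ""})
            text.clear()

    def end(name):
        nonlocal depth
        if depth == 2:
            stanzas[-1]["text"] = "".join(text)
        depth -= 1

    def chars(data):
        if depth >= 2:
            text.append(data)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(stream, True)
    return stanzas


if __name__ == "__main__":
    print("naive splitter sees:", naive_stanzas(ATTACKER_STREAM))
    for s in parse_stanzas(ATTACKER_STREAM):
        print("XML parser sees:", s["name"], s["attrs"].get("from"), "text=", s["text"])
```

The naive splitter reports a second `iq` stanza apparently sent by the server, while the XML parser reports a single `message` from mallory whose body merely contains that markup as text. Any component that routes or trusts stanzas based on the first view, while the peer that produced the bytes used the second, is the kind of disagreement the abstract calls stanza smuggling.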
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development'] No attachments
Rooting modern Android devices using kernel bugs from an unprivileged process, without any hardcoded offsets/addresses and with almost a 100% success rate, is exceptionally rare. After reporting the in-the-wild CVE-2020-0069 in Mediatek's Command Queue device driver, we conducted a security review of ImgTec's PowerVR GPU device driver, during which we discovered and reported several such rare vulnerabilities (e.g. GPU CVE-2021-39815). In total, we discovered 35+ exploitable bugs.

This talk will primarily focus on GPU hacking. There have been many vulnerability reports about other GPUs like Mali and Adreno in the last few years, but Google only received a single report about ImgTec's PowerVR GPU. It appears that the security risks of ImgTec's PowerVR GPUs have been underexplored so far, even though ImgTec may have the largest GPU market share in the Androi
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Defense', 'Application Security'] No attachments
Memory safety vulnerabilities in third party C libraries are a major source of zero-day attacks in today's applications. Several years ago, our team began exploring a new approach to mitigating these attacks in Firefox, which relies on third party libraries for everything from media rendering to spell checking.

To accomplish this, we began migrating Firefox to an architecture where third party C libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

We will explore a variety of hard questions we encountered when bringing this approach to Firefox: How do we ensure sandboxing is efficient enough that we don't have to significantly change or re-architect existing code? How can we retrofit sandboxing without changing libraries? How do we ensure that our application (Firefox), which was written to trust libraries, ca
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Exploit Development', 'Cloud & Platform Security'] No attachments
Kerberos is the primary authentication protocol for on-premises Windows enterprise networks. As it's so crucial for enterprise security, a lot of research has focused on exploiting it for remote access and lateral movement, such as the well-known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine, especially for privilege escalation.

This presentation is a deep dive into the inner workings of Kerberos as it applies to local authentication and some of the unusual behaviors to be found within. We'll describe the security issues we've discovered, including authentication bypasses, sandbox escapes and arbitrary code execution in privileged processes.

We'll be releasing tooling to inspect and manipulate the state of the Kerberos authentication protocol on the local system so that you can perfo
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Reverse Engineering', 'Cloud & Platform Security'] No attachments
In 2020, Hyper-V introduced a new feature, GPU-Paravirtualization, which is based on GPU virtualization technology. This technology is integrated into WDDM (Windows Display Driver Model), and all WDDMv2.5 or later drivers have native support for GPU virtualization. However, new features mean new attack surfaces.

In this talk, I will disclose four vulnerabilities in the Hyper-V DirectX component that I found and that have since been fixed. Two of these vulnerabilities could allow an attacker to run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

To understand these vulnerabilities, I will first introduce the basic architecture of the Hyper-V DirectX component, and explain how to configure the virtual machine parameters so that this virtual device can be used inside a virtual machine. By referri
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Lessons Learned', 'Application Security'] No attachments
Bug bounties, once heralded as a security best practice, are growing stale without ever having brought the revolutionary security benefits and great ways to earn a living to the masses that proponents like me dreamed of. What have we been getting wrong, and what can we do to save security and our souls?

Before Google invigorated the bug bounty practice in 2010 by paying nearly triple the going rate that Mozilla set in the mid-1990s, bug bounty programs had received little fanfare during their previous 20 years of existence. Then, in 2013, when these programs were still not considered mainstream for most organizations, Microsoft launched its programs with the largest bounty amounts in the industry by any software vendor at the time. Then, in 2016, came Hack The Pentagon, and suddenly everyone was either running a bug bounty program or wanted to run one.

Where are we now and what have we lear
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Reverse Engineering', 'Cloud & Platform Security'] No attachments
Vulnerabilities in System Management Mode (SMM) and, more generally, UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 9 months, the Binarly efiXplorer team disclosed 42 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below the OS.

The complexity of modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases these layers may introduce inconsistencies in mitigation technologies and create room
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Malware', 'Cloud & Platform Security'] No attachments
From 2017 to 2021, Microsoft disclosed a total of 28 in-the-wild Windows LPE 0-days, most of which are Windows kernel LPE vulnerabilities. These vulnerabilities are often used by top-level APTs and can cause great harm. For security vendors, it is very challenging to capture an in-the-wild Windows kernel LPE 0-day.

At the beginning of 2020, we made a decision to capture an in-the-wild Windows kernel LPE 0-day. In order to achieve it, we studied a large number of historical cases. We then developed an effective Windows LPE vulnerability detection method.

This talk will focus on our story of how we hunted in-the-wild Windows LPEs during 2020 and 2021: why we think this is possible, how we studied historical cases, how we used that experience to develop a detection method, and how we continuously improved the method to make it more accurate and effective. By using this method, we successfully captur
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Community & Career', 'Lessons Learned'] No attachments
For the past eight years, the National Security Agency (NSA) has hosted the Codebreaker Challenge. This competition, written and run by NSA's technical experts, includes a new theme and challenge each year. The challenges are custom-designed by NSA to mimic a real-world problem NSA faces in its mission, and include up to 10 rounds of increasing difficulty, including code analysis and reverse engineering. Starting with only 5 schools in 2013, the program has grown exponentially. In 2021, more than 5,500 participants from 600+ schools across the United States competed for bragging rights. Only 42 people (less than 1%) successfully completed all 10 rounds of the challenge this past year.

For the very first time, the NSA will publicly share insights and lessons from running the Codebreaker Challenge. We will present details about the design of the 2021 challenge that focused on protecting the Defense In
2022-05-19 03:31 blackhat
Published: 2022-05-17 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Cryptography', 'Network Security'] No attachments
Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer deemed secure. Significant operational and research efforts are dedicated to pushing the deployment of new algorithms in DNSSEC forward. Recent research shows that DNSSEC is gradually achieving algorithm agility: most DNSSEC-supporting resolvers can validate a number of different algorithms, and domains are increasingly signed with cryptographically strong ciphers.

In this work, we show for the first time that the cryptographic agility in DNSSEC, although critical for making DNS secure with strong cryptography, also introduces a severe vulnerability.

We find that under certain conditions, when new algorithms are listed in DNSSEC-signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new, stronger ciphers expose the re
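The abstract's observation that resolvers "do not validate DNSSEC" when they meet algorithms they do not handle rests on a rule in the standards themselves: a validator that supports none of the algorithms (or digest types) in an authenticated DS RRset has no supported path into the child zone and must treat the child as insecure, i.e. unsigned, rather than bogus (RFC 4035 section 5.2, RFC 6840 sections 5.2 and 5.11). The script below is an added illustration of that rule with real DS digest and key-tag computation; it is not the talk's code and does not reproduce the specific conditions the talk found, which are not on this page. The DNSKEY public-key bytes are constructed placeholders, not real keys, only the SHA-256 DS digest type is implemented, and RRSIG verification is deliberately out of scope: the function stops at deciding the entry point.

```python
"""Constructed illustration of the DNSSEC algorithm-agility entry-point rule:
a validator with no supported DS algorithm treats the child as insecure (unsigned).
Added example, not the talk's code or attack. Public-key bytes are constructed
placeholders; only DS digest type 2 (SHA-256) is handled; RRSIG checks are out of scope."""
import hashlib
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers and DS digest type
RSASHA256, ECDSAP256SHA256, ED25519, ED448 = 8, 13, 15, 16
DS_SHA256 = 2


@dataclass(frozen=True)
class Dnskey:
    flags: int        # 257 = KSK (zone key with SEP bit)
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 s.2.1: flags(2) | protocol(1, always 3) | algorithm(1) | public key
        return self.flags.to_bytes(2, "big") + b"\x03" + bytes([self.algorithm]) + self.public_key


@dataclass(frozen=True)
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for(name: str, key: Dnskey) -> Ds:
    """DS record the parent would publish for this DNSKEY (RFC 4034 s.5.1.4, SHA-256)."""
    digest = hashlib.sha256(owner_wire(name) + key.rdata()).digest()
    return Ds(key_tag(key.rdata()), key.algorithm, DS_SHA256, digest)


def entry_point(name: str, ds_rrset: list, dnskey_rrset: list, supported_algorithms: set):
    """Decide how a validator enters the child zone.
    'insecure': no DS uses a supported algorithm and digest type, so validation is skipped;
    'bogus': a supported DS exists but no DNSKEY in the child matches it;
    'validate': the returned DNSKEYs matched a DS and must now be used to check RRSIGs."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms and ds.digest_type == DS_SHA256]
    if not usable:
        return "insecure", []
    matched = []
    for ds in usable:
        for key in dnskey_rrset:
            if (key.algorithm == ds.algorithm
                    and key_tag(key.rdata()) == ds.key_tag
                    and hashlib.sha256(owner_wire(name) + key.rdata()).digest() == ds.digest):
                matched.append(key)
    return ("validate" if matched else "bogus"), matched


def demo() -> dict:
    """One zone with an Ed25519 KSK and an Ed448 KSK, as seen by three validators."""
    name = "example."
    k15 = Dnskey(257, ED25519, bytes(range(32)))  # constructed placeholder key bytes
    k16 = Dnskey(257, ED448, bytes(range(57)))    # constructed placeholder key bytes
    keys = [k15, k16]
    ds_both = [ds_for(name, k15), ds_for(name, k16)]
    tampered = Ds(ds_both[0].key_tag, ED25519, DS_SHA256, bytes(32))  # digest does not match
    return {
        # knows Ed25519: must validate via k15 even though Ed448 is unknown (RFC 6840 s.5.11)
        "modern": entry_point(name, ds_both, keys, {RSASHA256, ECDSAP256SHA256, ED25519})[0],
        # knows neither new algorithm: child treated as unsigned, no validation at all
        "legacy": entry_point(name, ds_both, keys, {RSASHA256, ECDSAP256SHA256})[0],
        # supported algorithm but no DNSKEY matches the DS digest: bogus, answer is rejected
        "tampered_ds": entry_point(name, [tampered], keys, {ED25519})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `legacy` case is the one the abstract is concerned with: the zone is signed, the DS is present and authenticated, and the resolver nevertheless hands back unvalidated data because it recognises none of the listed algorithms. Whether that outcome is reachable in practice under the conditions the talk describes is not shown here.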
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Network Security'] No attachments
Ultra-wideband (UWB) is a rapidly growing radio technology that, according to the UWB Alliance, is forecast to drive sales volumes exceeding one billion devices annually by 2025. Among its current applications, off-the-shelf Real Time Locating Systems (RTLS) employ UWB to provide localization solutions for a wide set of use cases (e.g., medical patient location tracking, safety geofencing, asset monitoring, contact tracing, etc.).

The security of UWB wireless communications has recently been strengthened by the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4z amendment. However, critical phases of the RTLS process are handled by obscure network protocols that are not regulated by standards, leaving the responsibility for their design and implementation to the vendors.

In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a s
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 30-Minute
Tags: ['Lessons Learned', 'Data Forensics & Incident Response'] No attachments
"Ask 10 infosec professionals to define threat hunting and you'll get 11 different answers." Threat hunting is one of those interesting components of cybersecurity where everyone knows they should be doing it, but not everyone can fully articulate what threat hunting is.

In our roles as threat hunters, we're lucky enough to witness and evaluate the hunt programs of Fortune 100 companies, state and national governments, and partners and MSPs. This experience has shown us that one person's definition of threat hunting does not necessarily equal another's.

If you do an Internet search for "how to build a threat hunting program" there are plenty of results, and some include great insights into what makes a threat hunting program effective. However, while resources do exist, they're often tied to a specific vendor or a particular product and the best way to hunt using it. T
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Policy', 'Defense'] No attachments
Compliance with industry standards as well as various government regulations requires a robust servicing and patching strategy. Beyond compliance, you must understand the risk to your resources from poor servicing. To help with this effort, standards exist to help assess risk. However, vendors can manipulate these standards, which can lead to errors when enterprises attempt to accurately gauge risk. Over time, vendors have reduced the clarity of language in their advisories to the point where plain language about a bug no longer exists, leaving network defenders to speculate what the real risk from a product may be.

There are occasions when vendors release patches that are nothing more than placebos: patches that make no code changes at all and leave administrators with a false sense of security. Similarly, vendors release incomplete patches that do not properly mitigate the vulnerability. Not only does this leave so
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Hardware / Embedded'] No attachments
Over the last few years, Wi-Fi has replaced Ethernet as the main network protocol on laptops. Software implementations of the Wi-Fi protocol naturally became targets for attackers, and vulnerabilities found in Wi-Fi drivers were exploited to gain control of the operating system, remotely and without any user interaction. However, not much research has been published on Wi-Fi chips and the firmware they run.

Nowadays, Intel's Wi-Fi chips implement complex features in their firmware: Wake-on-WLAN, Tunneled Direct Link Setup (TDLS), and more. We investigated, through reverse engineering, some internals of Intel Wi-Fi chips and exploited the way they load their firmware to gain arbitrary code execution. We also studied how the chip can securely store parts of its code in system memory, through a mechanism we call "Paging Memory", and found how any read-anywhere vulnerability can be used to also gain code execution.
2022-05-19 03:31 blackhat
Published: 2022-05-23 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags: ['Data Forensics & Incident Response', 'Community & Career'] No attachments
When a job offer looks too good to be true… it probably is. As the COVID-19 pandemic has led workers to rethink their careers and long-term goals, threat actors have exploited it as an opportunity to fulfill strategic objectives. Over the past two years, PwC's Global Threat Intelligence team has tracked nation-state threat actors as they socially engineered employees at high-profile companies over email, social media and beyond, enticing them with promising job opportunities, only to infect them with malware and disappear.

In this talk, we unmask how ongoing operations by advanced persistent threats based in different countries (North Korea and Iran) are using recruitment themes to compromise victims. We draw the profiles of three different threat actors that conduct such operations: the North Korea-based Lazarus Group and Black Alicanto, and an emerging Iran-based intrusion set which w