Current node: blackhat
Timeline
2021-07-24 04:07:35 Black Hat
Published: 2021-07-23  Talk time: 2021-08-05 9:00am  Duration: 60-Minute
Tags: ['Keynote']  No attachments
Jen Easterly, the new Director for the Cybersecurity and Infrastructure Security Agency (CISA), lays out her vision for how hackers, the government, and the private sector can work together to confront cyber threats and solve tomorrow's cyber puzzles before they become threats. She'll provide insight into the scope and scale of threats to the nation's cyber infrastructure and what it means for the unified effort to secure the nation from these threats. Key themes include urgent threats and those on the horizon, transparency and information sharing, partners and collaboration, and ensuring the workforce of today and tomorrow is equipped with the right skillset and knowledge to protect against future threats.
2021-07-24 04:07:35 Black Hat
Published: 2021-07-22  Talk time: 2021-08-05 3:20pm  Duration: 40-Minute
Tags: ['Network Security', 'Applied Security']  No attachments
After a short intermission, the Black Hat NOC team is back with what's sure to be a year like no other. With the world going virtual, and Black Hat being no exception, come find out how we've spent the last two years changing, adapting, and preparing for an event that's both in person, and broadcast to the world. We'll share what we're using to stabilize and secure one of the most notorious networks in the world, what worked, what didn't, and all the shenanigans in between. As with all things in Vegas, the stakes are high, the outcomes are unknown, and we're going to learn a lesson one way or another.
2021-07-24 04:07:35 Black Hat
Published: 2021-07-23  Talk time: 2021-08-05 4:20pm  Duration: 40-Minute
Tags: ['Keynote']  No attachments
Alejandro Mayorkas was sworn in as Secretary of the Department of Homeland Security by President Biden on February 2, 2021.

Mayorkas is the first Latino and immigrant confirmed to serve as Secretary of Homeland Security. He has led a distinguished 30-year career as a law enforcement official and a nationally recognized lawyer in the private sector. Mayorkas served as the Deputy Secretary of the U.S. Department of Homeland Security from 2013 to 2016, and as the Director of U.S. Citizenship and Immigration Services from 2009 to 2013. During his tenure at DHS, he led the development and implementation of DACA, negotiated cybersecurity and homeland security agreements with foreign governments, led the Department's response to Ebola and Zika, helped build and administer the Blue Campaign to combat human trafficking, and developed an emergency relief program for orphaned youth following the tragic January 2010 earthquake in Haiti.
2021-07-23 07:37:36 Black Hat
Published: 2021-07-06  Talk time: 2021-08-04 9:00am  Duration: 60-Minute
Tags: ['Keynote']  No attachments
Defending against supply chain compromises in the Before Times was tough enough. But last year was … special, and safely managing the integrity of the software supply chain has become harder than ever.

Some of these problems are not new and have been growing in complexity year by year, from the explosion of third-party dependencies; to the sheer scale and depth of the modern software stack; to the vicious cycle of needing ever more diverse sets of privileged programs to manage infrastructure that, in turn, introduce new entry points into networks.

2020 added rocket fuel to that fire. Overnight, virtually everyone in office environments, including everyone in software development, suddenly became a remote worker. Keeping personal and corporate devices separate—a hard enough problem under normal circumstances—is, at least for now, essentially a lost cause for most businesses. And corporate environments designed for few (
2021-07-23 07:37:36 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 10:20am  Duration: 40-Minute
Tags: ['Reverse Engineering']  No attachments
The release of M1 Macs marked a turning point for the open-source operating system community on Apple hardware. Now, the whole hardware stack would be proprietary, with little hope of reusing drivers written for standard PC hardware. At the same time, it offered an unprecedented insight into the design of the Apple SoC product line. With this motivation, we set out to reverse engineer these parts and the systems they power.

The talk will cover interesting quirks of Apple's ARM architecture variant, such as memory access issues (and how to recognize them) and the novel AMX vector instruction set. We'll describe design patterns commonly employed by these SoCs, as well as give a short introduction to USB 4, which made its debut on them.
2021-07-23 07:37:35 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 3:20pm  Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development']  No attachments
The exploration of baseband security has come a long way in the past decade. Published research has exposed privacy issues in 3GPP protocols from GSM to LTE and traditional memory safety vulnerabilities in implementations of various chipset vendors. Yet, in some ways, we have only scratched the surface.

For one, almost all published memory corruption bugs have been classic TLV parsing vulnerabilities in Layer 3 GSM. For another, previous remote exploitation demonstrations looked at basebands as just more code doing typical input parsing, without considering the maze of hardware elements that surround them, and stayed inside the baseband sandbox.

We have set out to challenge the status quo with our research into the newest iterations of Huawei's Kirin SoCs. After Pwn2Own 2017, Huawei stopped supporting unlocked bootloaders, introduced new firmware encryption for SoC components, and invested heavily in improv
2021-07-17 08:15:44 Black Hat
Published: 2021-06-16  Talk time: 2021-08-04 3:20pm  Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development']  No attachments
The traditional Safari exploit is to gain code execution in the renderer first, then escape the sandbox with userland bugs or directly attack the kernel. However, since Safari has been under scrutiny for a long time, it is not easy to find vulnerabilities in it. Furthermore, the sandbox protection mechanism is becoming more and more challenging, so escaping the sandbox is even harder.

Instead of struggling with the state-of-the-art mitigations in WebKit, we used a brutally simple logic bug to bypass the renderer sandbox and get arbitrary JavaScript execution in another WebView without initial code execution. It was introduced by iOS 3. By using an Inter-App XSS, we can launch the Calculator from MobileSafari with literally zero memory corruption. It can even read the phone number and Apple ID directly. But the exploit chain doesn't end here.
2021-07-16 11:21:09 Black Hat
Published: 2021-07-15  Talk time: 2021-08-04 4:20pm  Duration: 40-Minute
Tags: ['Keynote']  No attachments
At the end of day one, join Black Hat Founder Jeff Moss and Review Board members Stephanie Domas, Alex Ionescu, Kymberlee Price, and Chris Rohlf for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of the conference and how these trends will impact future InfoSec strategies.
2021-07-15 05:21:00 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['Cyber-Physical Systems']  No attachments
IoT devices are widely deployed. Some hotels are now allowing their guests to control their room from their smartphone or other devices.

While traveling in a foreign country, a few nights were booked in a capsule hotel that was using various modern technologies. Capsule hotels are hotels composed of extremely small rooms that are stacked side by side.

In this hotel, an iPod touch given at check-in allowed each customer to control their bedroom. It was possible to control the light, change the position of the adjustable bed and control the ventilation fan.

In this presentation, we will share the methodology used to bypass the present security protections and we will show in detail how six different vulnerabilities were combined together and exploited in order
2021-07-15 05:20:58 Black Hat
Published: 2021-06-16  Talk time: 2021-08-04 11:20am  Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'Exploit Development']  No attachments
The prevalence of memory corruption bugs in the past decades has resulted in numerous defenses, such as stack canaries, control flow integrity (CFI), and memory-safe languages. These defenses can prevent entire classes of vulnerabilities and help increase the security posture of a program.

In this talk, we show that memory corruption defenses can be bypassed using speculative execution attacks. We study the cases of stack protectors, CFI, and bounds checks in Go, demonstrating under which conditions they can be bypassed by a form of speculative control flow hijack, relying on speculative or architectural overwrites of control flow data. Information is leaked by redirecting the speculative control flow of the victim to a gadget accessing secret data and acting as a side-channel send. We also demonstrate, for the first time, that this can be achieved by stitching together multiple gadgets, i
2021-07-13 05:20:52 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 10:20am  Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Network Security']  No attachments
A hidden infrastructure that transports critical care items within all modern hospitals lies in plain sight - the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network for physical packets (named "carriers"). Modern PTS systems are IP-connected and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring -- which enables the on-prem PTS system to be monitored and controlled through the Cloud.

Despite the prevalence of these systems, and the reliance of hospitals on their availability to de
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['Community']  No attachments
Achieving a diverse, inclusive team which is a dream to work in was not a short journey. It took time and was well worth the effort. While the industry numbers paint a gloomy picture for gender equality and representation, we successfully built a thriving diverse team of hackers with equal representation.

There were no misogynists, sexists, or toxic culture of any kind on our core team. Yet initially, it consisted entirely of men and no women. There was an unconscious bias that kept us in this state. We will share our journey to reveal and measure this bias and to ultimately increase female representation from 0 to 50%.

According to the Global Gender Gap Report 2020 (by the World Economic Forum), it will take on average more than 100 years for women to reach gender equality. This is unacceptable and we can and must make it ha
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-04 1:30pm  Duration: 40-Minute
Tags: ['CorpSec', 'Cloud & Platform Security']  No attachments
We present a novel class of DNS vulnerabilities that affect multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets. The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider's side, causes major information leakage from internal corporate networks.

In this research, we detail a specific vulnerability that is common across many major DNS service providers that leads to information leakage in connecte
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 1:30pm  Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Hardware / Embedded']  No attachments
OPC Unified Architecture (OPC-UA) is emerging as one of the most important architectures for industrial communication and Industry 4.0 transformation. It is platform-independent, trusted for connecting industrial environments with IT and the cloud, and it is being rapidly adopted.

Yet with great trust comes great responsibility. The potential of the OPC-UA protocol as an enabler for cyberattacks is tremendous. Thus, we decided to thoroughly evaluate the protocol itself, without focusing on specific products. We reviewed the architecture's attack surface - including specifications, components, connection types, and communication stack implementations.

During our analysis of the communication stacks, we noticed an interesting tree of software supply chain branches. At the end of these branches were products using stack implementations made by a line of vendors, each modifying and e
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['CorpSec', 'Defense']  No attachments
Compromised credentials have been APT groups' favorite tool for accessing, propagating through and maintaining access to their victims' networks. Consequently, aware defenders mitigate this risk by adding additional factors (MFA), so that no secret is a single point of failure (SPOF). However, the systems' most lucrative secrets, their "Golden Secrets", are still a SPOF and are abused in practice by attackers.

Golden secrets are at the heart of most current authentication systems. These secrets, such as the KRBTGT key for Kerberos or the private key for SAML, are used to cryptographically secure the issuance of access tokens and protect their integrity. Consequently, they are also the attackers' most lucrative targets. When a golden secret is captured, it allows attackers to issue golden access tokens in an offline manner and take full control over the system.

Recently, SUNBURST attackers were reported to use stolen private keys to create
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 10:20am  Duration: 40-Minute
Tags: ['Exploit Development', 'Reverse Engineering']  No attachments
If you have ever done Windows debugging or crash dump analysis, you must be familiar with PDB files. These files store debugging information (or 'symbols') about a program, and are parsed by debuggers such as WinDbg and Visual Studio. Researching the parser for those files, implemented by DbgHelp.dll, I discovered several memory corruption vulnerabilities.

One attack surface for triggering these vulnerabilities is serving malformed PDBs through a remote symbol server to a debugger. I reported the issue to Microsoft MSRC, and they decided it doesn't meet the bar for security servicing because the attack surface is too complex. This led me to discover another attack surface, allowing me to use the exact same parsing bug for escalating privileges locally (fixed as CVE-2021-24090). I created a full exploit demonstrating a low-IL process gainin
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-04 3:20pm  Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'AppSec']  No attachments
Multiple AWS services were found to be vulnerable to a new cross-account vulnerability class. An attacker could manipulate various services in AWS and cause them to perform actions on other clients' resources due to unsafe identity policies used by AWS services to access clients' resources. The vulnerabilities have been proven on three major AWS services (AWS Config, CloudTrail, and Serverless Application Repository) and have allowed a potential attacker to write and read certain objects from private S3 buckets.

In this presentation, we will review the discovered vulnerabilities and explain their root cause. We will show how an attacker can perform actions on any account in AWS using these services via the discovered cross-account vulnerability. We believe this is a new class of vulnerabilities that may affect many other services in AWS because the tenant sco
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 1:30pm  Duration: 40-Minute
Tags: ['Reverse Engineering', 'Exploit Development']  No attachments
For decades, the Windows kernel pool remained the same, using simple structures that were easy to read, parse and search for. But recently this all changed, with a new and complex design that breaks assumptions and exploits, and of course, tools and debugger extensions.

This new design modernizes the kernel pool and makes it significantly more efficient. Additionally, it has significant security implications - both good and bad. Major code changes break a lot of existing code and might make future pool-related exploits more difficult, or in some cases nearly impossible to write.

But could this open up a whole new attack surface as well?
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 10:20am  Duration: 40-Minute
Tags: ['CorpSec', 'Data Forensics & Incident Response']  No attachments
At Two Sigma, we had sunk over $1 million in licensing for a popular third-party SIEM product and were paying an additional $200,000 in annual maintenance. We were limited on what data sources we could leverage as our license was restricted to a low daily ingestion rate. As our company began to explore cloud transformation broadly, we in Security began investigating competitive options for our event collection and analysis platform. We wanted to know if we could roll our own cloud-native SIEM more efficiently while providing greater access to our data, and be as effective as the vendor's solution.

To figure that out, we asked:
1. Does the vendor SIEM product cover enough of our threat landscape to make it worth the cost?
2. If not, has our organization made strategic investments in alternate platforms which could be leveraged instead?
3. If yes, does our team have the skills requ
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['Defense', 'Data Forensics & Incident Response']  No attachments
Excel 4.0 (XL4) macros are a popular attack vector for threat actors, as security vendors struggle to play catch-up and detect malicious macros properly. These macros provide attackers with a simple and reliable method to gain a foothold in a target network. They represent an abuse of a legitimate feature of Excel and do not rely on any vulnerability or exploit. For many organizations, blacklisting Excel 4 macros isn't a viable solution, and any signature to flag these samples must be precise enough not to trigger on files that leverage this feature legitimately.

As XL4 macros represent somewhat 'uncharted territory', malware authors make discoveries daily, pushing the boundaries of this technique and identifying ways to evade detection and obfuscate their code. While Microsoft recently introduced novel mechanisms to monitor the execution of these macros, obfuscation based on environmental c
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 3:20pm  Duration: 40-Minute
Tags: ['Community', 'Human Factors']  No attachments
When I left the service and the NSA, I was offered a job that seemed WAY too good to be true. Turns out it was. This talk will discuss how I came to work on the UAE's Project Raven, what signs I missed because I was being naive, and how other transitioning intelligence personnel can avoid making the same mistake.

Project Raven is discussed in episode 47 of Darknet Diaries, and has been reported on extensively by Chris Bing at Reuters and by Nicole Perlroth in her book "This Is How They Tell Me the World Ends".
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-04 10:20am  Duration: 40-Minute
Tags: ['Reverse Engineering', 'Cloud & Platform Security']  No attachments
Fuzzers are tremendously important in the realm of vulnerability research, as they automate the process of bug discovery by rapidly feeding a target with numerous inputs. Several factors make up an efficient fuzzer. One of them is structure-awareness - leveraging knowledge of the input format to generate test cases. Another important property is coverage-guidance - the ability to mutate inputs based on previously visited execution paths. Sophisticated fuzzers have been developed and used to find critical vulnerabilities in all types of software.

Targeting Hyper-V with existing fuzzers is highly challenging. Hyper-V does not trivially support Intel PT, and therefore when run on top of kAFL, the latter loses one of its strongest features - coverage-guidance. Other complexities arise from sending fuzzing inputs to Hyper-V virtualization
2021-07-01 11:22:50 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 3:20pm  Duration: 40-Minute
Tags: ['Human Factors', 'Data Forensics & Incident Response']  No attachments
When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation.

Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as "Charming Kitten". This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims' most private chats, emails, and even photos.

In our talk, we will reveal how an ITG18 operator set up their machine and various personas, hence 9 lives, to run adversarial ope
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 10:20am  Duration: 40-Minute
Tags: ['AI, ML, & Data Science', 'Policy']  No attachments
Last year, OpenAI developed GPT-3—currently the largest and most powerful natural language model in the world. The select groups that were granted first access quickly demonstrated that it can write realistic text from almost any genre—including articles that humans couldn't distinguish from real news stories. In the wrong hands, this tool can tear at the fabric of society and bring disinformation operations to an entirely new scale.

Based on six months of privileged access to GPT-3, our research tries to answer just how useful GPT-3 can be for information operators looking to spread lies and deceit. Can GPT-3 be used to amplify disinformation narratives? Can it come up with explosive news stories on its own? Can it create text that might fuel the next QAnon? Can it really change people's stances on world affairs? We will show how we got GPT-3 to do
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['Reverse Engineering', 'Cloud & Platform Security']  No attachments
ARM is taking over the computer industry. In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. Most notable is Apple, which has supported the transition from x86 to ARM with a binary translator, Rosetta 2, which has recently gotten the attention of many researchers and reverse engineers. However, you might be surprised to know that Intel has its own binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 2:30pm  Duration: 30-Minute
Tags: ['Policy', 'AppSec']  No attachments
As more attention is paid to security and the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will actually be "false positives," where the underlying component vulnerability isn't actually exploitable. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk.

The German and US governments have ended up partnering to coordinate industry-led initiatives to help automate the production, consumption, and scale of advisories, with particular attention to non-traditional software areas like ICS and healthcare. The Common Security Advisory Framework (CSAF) is an OASIS project that seeks to help automate the creation, management, and use of machine-readable vulnerability-related advisories. Thi
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 11:20am  Duration: 40-Minute
Tags: ['Policy', 'AI, ML, & Data Science']  No attachments
Adversarial machine learning research is booming. ML researchers are increasingly targeting commercial ML systems such as those used by Facebook, Tesla, Microsoft, IBM, or Google to demonstrate vulnerabilities. But what legal risks are researchers running? Does the law map onto the expectations that vendors might have about how their systems should be used?

In this talk, we analyze the legal risks of testing the security of commercially deployed ML systems. Studying or testing the security of any operational system potentially runs afoul of the Computer Fraud and Abuse Act (CFAA), the primary United States federal statute that creates liability for hacking. Previously, our team analyzed common adversarial attacks under United States law, summarizing the ways in which variability in legal regimes created uncertainty for researchers and for companies that might be interested in understanding the legal rul
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 1:30pm  Duration: 40-Minute
Tags: ['Data Forensics & Incident Response', 'Cloud & Platform Security']  No attachments
This past year has proved the point that advanced nation-state-backed threat actors are increasingly investing their time and money to develop novel ways to access the cloud. These actors are especially interested in Microsoft 365, where more and more organizations are collaborating and storing some of their most confidential data. Especially for threat groups with intelligence collection requirements, Microsoft 365 can be their holy grail.

In this talk, we will break down a number of novel techniques that we've observed used in the past year by APT groups to persistently access Microsoft 365 and extract data. This talk will detail the technical underpinnings that are key to understanding and recognizing these techniques. We will also cover new extensions or facets of these techniques that have not yet been observed or discussed but are natural extensions of the techniques th
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 2:30pm  Duration: 30-Minute
Tags: ['Data Forensics & Incident Response', 'Malware']  No attachments
The ubiquity of Linux servers across the internet and within cloud instances necessitates that defensive research maintains pace with the introduction of new features to the platform. Unfortunately, these research efforts have not adequately kept pace with advances in Linux kernel development, leaving blind spots for attackers to remain undetected.

In this presentation, we document our effort to close a significant blind spot - the Linux kernel's tracing infrastructure. This infrastructure is installed and enabled by default on essentially all Linux distributions and is heavily utilized across a significant number of cloud-centric organizations, such as Facebook, Netflix, Google, GitLab, and Adobe.

The provided tracing features have legitimate uses for system monitoring, but also allow
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 3:20pm  Duration: 40-Minute
Tags: ['Malware', 'Network Security']  No attachments
How can we identify active CnC servers? Answering this question is critical for containing and combating botnets. Finding CnC servers is not trivial because CnC servers can change locations expressly to avoid detection, use proprietary communication protocols, and often use end-to-end encryption. Most prior efforts first "learn" a malware communication protocol, and then scan the Internet in search of live CnC servers. Although useful, this approach will not work with sophisticated malware that may use encryption or a communication protocol that is hard to reverse engineer.

In this session, we propose CnCHunter, a systematic tool that discovers live CnC servers efficiently. The novelty of our approach is that it uses real "activated" malware to search for live CnC servers, with CnCHunter acting as a Man-In-The-Middle. As a result, our approach overcomes t
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 2:30pm  Duration: 30-Minute
Tags: ['Human Factors', 'Community']  No attachments
Stalkerware is a type of spyware that is often used to surveil intimate partners or ex-partners. While it has been around for many years, its use has seen an uptick in recent years, with some studies suggesting a particular increase during the COVID-19 pandemic.

Technically, stalkerware is not particularly interesting: it is (primarily mobile) spyware and technically on par with commercial malware. But stalkerware is part of a broader ecosystem of technology-enabled abuse and coercive control, and therefore technical means play only a small part in addressing it.

In this presentation, we will explain what stalkerware is, how it works and under what pretense it is often marketed and sold. More importantly, we will explain that stalkerware is part of the much wider problem of technology-enabled abuse and coercive control, such as intimate partner violence (IPV), domestic abuse, harassment, stalking, sexu
2021-07-01 11:22:49 Black Hat
Published: 2021-06-16  Talk time: 2021-08-05 2:30pm  Duration: 30-Minute
Tags: ['AppSec']  No attachments
The File System Access API deployed to browsers this year is the current version of a W3C draft to give websites, with user approval, the ability to read, write, and edit files and folders the user selects on their devices, an outgrowth of an earlier proposal called Native File System. It has been released and deployed in many Chromium-based browsers. Despite a number of security features implemented in the API, this presentation will show several ways in which a hostile website may gain arbitrary code execution and slip malicious code past operating system and security product scans, or even detailed, manual inspection.
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-05 1:30pm Duration: 40-Minute
Tags:['CorpSec', 'Applied Security'] No attachments
Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive realms. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence.

We will present the relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common certificate template misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority's private key in order to forge new user/machine "golden" certificates.

By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders ali
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 10:20am Duration: 40-Minute
Tags:['Cyber-Physical Systems', 'Network Security'] No attachments
A hidden infrastructure that transports critical care items within all modern hospitals lies in plain sight: the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network for physical packets (named "carriers"). Modern PTS systems are IP-connected and offer advanced features such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring, which enables the on-prem PTS system to be monitored and controlled through the Cloud.

Despite the prevalence of these systems, and the reliance of hospitals on their availability to de
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 3:20pm Duration: 40-Minute
Tags:['Defense', 'Cloud & Platform Security'] No attachments
While serverless is all the rage, creating secure infrastructure that integrates serverless technology with existing Data Center (DC) services remains a challenge. Square's DC uses a microservice architecture. Services communicate over an envoy service mesh with short-lived mTLS certificates using SPIFFE identity for zero-trust based authentication. To achieve higher flexibility and scalability we have been migrating to the cloud, a gradual process that is still in progress.

Why bother? Workloads have different characteristics: while a payment system might be required to be available all the time and have predictable traffic, other applications might have unpredictable bursts of use but otherwise receive no traffic. This flexibility draws developers to Lambda. Applications can scale up immediately, but also scale down when demand is low. However,
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 1:30pm Duration: 40-Minute
Tags:['Cloud & Platform Security', 'Hardware / Embedded'] No attachments
Windows Hello is the most popular password-less solution that includes authentication by either PIN code or biometric authentication. As a password-less technology, Windows Hello provides people with a more convenient authentication experience compared with the traditional password technique. In addition, it promises better security, but is that the truth? Would it make the lives of attackers harder or easier?

In this talk, we'll introduce our research on attacking the face recognition mechanism of Windows Hello and show how an attacker can bypass Windows Hello using an external crafted USB device.

Every biometric authentication process includes biometrics collection, preprocessing, liveness detection, and feature matching. Windows Hello is no different, and some processes apply to it 
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 1:30pm Duration: 40-Minute
Tags:['Cyber-Physical Systems', 'Hardware / Embedded'] No attachments
"BadAlloc" is our code name for a class of integer-overflow related security issues found in popular memory allocators' core functions such as malloc and calloc. BadAlloc vulnerabilities affect 17 different widely used real time operating systems (e.g., VxWorks, FreeRTOS, eCos), standard C libraries (e.g., newlib, uClibc, Linux klibc), IoT device SDKs (e.g., Google Cloud IoT SDK, Texas Instruments SimpleLink SDK) and other self-memory-management applications (e.g., Redis). Some of these vulnerabilities go as far back as the early 90's, and all of them collectively impact millions of devices worldwide, mainly IoT and embedded devices, as this was our focus.

In this talk, we'll present some of the most interesting findings and discuss how we found them. We'll do a quick root-cause analysis for each of the selected cases and show, in high dep
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 11:20am Duration: 40-Minute
Tags:['Cryptography', 'Exploit Development'] No attachments
Elliptic-curve cryptography is now a common choice by practitioners implementing cryptographic primitives that require a group of large prime order. However, for some elliptic curves, the prime-order group is a subgroup of a larger composite-order group. Two such examples are Curve25519 and the pairing-friendly curve BLS12-381.

Protocols that are implemented with these curves are susceptible to small subgroup attacks, where a point from the composite-order group is used instead of one from the prime-order group. Such attacks were previously demonstrated in the wild for Curve25519, e.g. the CryptoNote double spend vulnerability.

In this talk, we focus on small subgroup attacks in implementations that are based on threshold cryptography: proactive secret sharing, distributed key generation, and threshold signa
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 11:20am Duration: 40-Minute
Tags:['Network Security'] No attachments
While IP Geolocation, tying an IP address to a physical location, is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With "IPvSeeYou," we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.

We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. B
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 3:20pm Duration: 40-Minute
Tags:['Applied Security', 'Cryptography'] No attachments
Databases often store sensitive data such as personally identifiable information. For this reason, databases often provide a data-at-rest encryption feature. Large databases may also attempt to compress data to save storage space. However, combining encryption and compression can be dangerous and potentially leak the underlying plaintext. This class of vulnerabilities is known as a compression side-channel.

Compression side-channel attacks were most notably demonstrated in the CRIME (2012) and BREACH (2013) attacks to break SSL. In practice, compression side-channel attacks have so far been limited to a web security context. In this presentation, we demonstrate the first compression side-channel attacks on a real-world database. We show how an attacker is able to extract encrypted content that was inserted by another user.
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 2:30pm Duration: 40-Minute
Tags:['Malware', 'Reverse Engineering'] No attachments
Apple's new M1 systems offer a myriad of benefits ...for both macOS users and, unfortunately, malware authors as well.

In this talk we detail the first malicious programs compiled to natively target Apple Silicon (M1/arm64), focusing on methods of analysis.

We'll start with a few foundation topics, such as methods of identifying native M1 code (which will aid us when hunting for M1 malware), as well as introductory arm64 reversing concepts.

With an uncovered corpus of malware compiled to natively run on M1 (and in some cases notarized by Apple!), we'll spend the remainder of the talk demonstrating effective analysis techniques, including many specific to the analysis of arm64 code on macOS.

Armed
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 11:20am Duration: 40-Minute
Tags:['Hardware / Embedded', 'Cloud & Platform Security'] No attachments
The UEFI ecosystem is very complicated in terms of supply chain security, since multiple parties are involved in the firmware code development, such as Intel/AMD with their reference code, or AMI, Phoenix and Insyde with their core frameworks for system firmware development. The hardware platform vendor contributes less than 10% of the UEFI system firmware code base shipped to customers. The reality is that vulnerabilities can be discovered not just in the platform vendor codebase, but inside the reference code, where the impact can be worse because it is reflected across the whole ecosystem. The patch cycles differ across vendors, and these vulnerabilities can stay unpatched on endpoints for 6-9 months. Moreover, they can be patched differently by different vendors, making fix verification difficult and expensive.

This research resulted from an internal security review for some of the NVIDIA har
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 3:20pm Duration: 40-Minute
Tags:['Human Factors', 'Defense'] No attachments
How do you know that you are actually talking to the person you think you are talking to? Deepfake and related synthetic media technologies represent the greatest revolution in social engineering capabilities over the past century.

In recent years, scammers have used synthetic audio in vishing attacks to impersonate executives and convince employees to wire funds to unauthorized accounts. In March 2021, the FBI warned the security community to expect a significant increase in synthetic media enabled scams over the next 18 months. The security community is at a highly dynamic moment in history in which the world is transitioning away from being able to trust what we experience with our own eyes and ears.

This presentation proposes the Synthetic Media Social Engineering framework to describe these attacks and offers some easy to implement, human-centric countermeasures. The Synthetic Med
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 2:30pm Duration: 30-Minute
Tags:['AI, ML, & Data Science', 'Malware'] No attachments
While ML models for malware detection have become an industry standard for heuristically detecting malware, signature-based detection still proliferates thanks to ease of updates, transparency of detection logic, and operability in compute-constrained environments. In this work, we propose an interpretable machine learning model that can generate signatures tuned to optimize detection and minimize false positives on a given corpus of malware and benign samples. On a corpus of malicious and benign ELF executables targeting i386 and amd64, we observe detection rates in the 80% range with a false positive rate of 0% on the benign corpus using a few hundred YARA rules.

The approach is filetype-agnostic and can be applied anywhere YARA rules can be used, whether it be simple static analysis of binaries, Cuckoo reports, network monitoring, or memory scan
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 2:30pm Duration: 30-Minute
Tags:['Policy', 'Community'] No attachments
Who needs a backdoor when front door access is required? From Tesla to the U.S. tech giants, there has been a growing focus on whether private sector companies are obliged to turn over data to a foreign government in exchange for market access. This can range from source code reviews to unfettered access upon request, and increasingly may pose a risk to intellectual property and personal data as digital authoritarian frameworks proliferate.

This comes at a time when significant supply chain disruptions have prompted many in the private sector to reassess their global footprint, with cybersecurity a top priority and motivator when exploring greener pastures elsewhere. Integrating government data access policies must become core to these considerations as corporations reshore and transform their global footprint.

But how do these policies compare from one country to the next? Has the GDPR inspired more pro
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 2:30pm Duration: 30-Minute
Tags:['Data Forensics & Incident Response', 'Human Factors'] No attachments
Privilege, two-track investigations, OFAC, insurance coverage, and preserving evidence... Lawyers think about this stuff from the jump in a security incident, and you should be aware of it too. Often, attorneys are brought into a security incident after key decisions get made, and sometimes those decisions accept unknown legal risk.

This session will focus on the lawyer's role in a security incident and how lawyers work together with information security professionals, walking through real-world client examples.
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 1:30pm Duration: 40-Minute
Tags:['Community', 'Policy'] No attachments
In 2019, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) held the first cybersecurity competition for the Federal workforce. Dubbed the President's Cup Cybersecurity Competition, its purpose is "to identify, challenge, and reward the United States Government's best cybersecurity practitioners and teams across offensive and defensive cybersecurity disciplines". With just a few months between the creation of the concept and its execution, time was short to prepare a competition that would meet this tall order.

This talk gives the behind-the-scenes story of the first two President's Cup competitions from two members of the team that built it. In year one, the multi-round event came together in record time and included over 1,000 participants from 25+ top-level departments and agencies within the United States government. In year two, the team improved the competition while a
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 10:20am Duration: 40-Minute
Tags:['Cryptography'] No attachments
What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This talk will explore crypto bugs in four BLS signature libraries (ethereum/py ecc, supranational/blst, herumi/bls, sigp/milagro bls) that revolve around 0. Furthermore, we developed "splitting zero" attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4.

The Eth2 bug bounty program generously awarded $35,000 in total for the reported bugs.
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-05 10:20am Duration: 40-Minute
Tags:['Human Factors'] No attachments
With recent advances in next-generation language models such as OpenAI's GPT-3, AI generated text has reached a level of sophistication that matches or even exceeds human generated output. The proliferation of Artificial Intelligence as a Service (AIaaS) products places these capabilities in the hands of a global market, bypassing the need to independently train models or rely on open-source pre-trained models. By greatly reducing the barriers to entry, AIaaS gives consumers access to state-of-the-art AI capabilities at a fraction of the cost through user-friendly APIs.

In our research, we present a novel approach that uses AIaaS to improve the delivery of Red Team operations, in particular the conduct of phishing campaigns. We developed a targeted phishing pipeline that uses OpenAI and Personality Analysis AIaaS products to generate persuasive phishing emails. Our pipeline automatically personalizes the content based o
2021-07-01 11:22:49 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 10:20am Duration: 40-Minute
Tags:['Policy', 'Human Factors'] No attachments
Virtually any meaningful interaction occurring across the Internet requires the establishment of a user profile, which in turn requires entry of Personally Identifiable Information (PII) as a way for service providers to verify and support/track user activity. Such PII often includes a person's name, age, address, email, phone number, or demographic information, which is often associated with the IP address of the device used to access online services, all of which contribute to tailored responses from the vendor. Most users understand and accept that these distant parties will use the information to optimize their interactions; however, substantially unrelated uses and abuses of users' personal information are common.

Our talk explores the levels and depths of how online entities, and their affiliates, use and abuse our personal information. Our conclusions are based on a 12-month study tracking email, phone, S
2021-06-29 03:50:58 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-05 10:00am Duration: 40-Minute
Tags:['Cloud & Platform Security', 'Exploit Development'] No attachments
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework, which restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.

In this talk, we will share multiple techniques that allowed us to bypass this prompt and, as a malicious application, get access to protected resources without any additional privileges or the user's consent. Together, we submitted over 40 vulnerabilities to Apple alone over the past year, which allowed us to bypass some parts or the entirety of TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted app
2021-06-22 06:39:04 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 2:30pm Duration: 30-Minute
Tags:['Applied Security', 'Exploit Development'] No attachments
Ten years ago, an escalation of privilege bug in the Windows Print Spooler was used in Stuxnet, the notorious worm that destroyed Iran's nuclear enrichment centrifuges and infected more than 45000 networks. In the past ten years, the spooler has still had an endless stream of vulnerabilities disclosed, some of which are not known to the world; however, they are hidden bombs that could lead to disasters. Therefore, we have focused on the spooler over the past months, and the effort has been fruitful.

The beginning of the research was PrintDemon, from which we drew inspiration. After digging deeper into this bug, we found a way to bypass Microsoft's patch. And just after Microsoft released the new version, we immediately found a new way to exploit it again. After the story of PrintDemon, we realized that the spooler is still a good attack surface, although security researchers have hunted for bugs in the spooler for more than ten ye
2021-06-15 05:32:07 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-05 1:30pm Duration: 40-Minute
Tags:['Community', 'CorpSec'] No attachments
Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before, and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven't yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can.

The combination of distributed community-driven development, public-facing deobfuscated source code, inconsistent use of security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises aro
2021-06-10 06:37:53 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 10:20am Duration: 40-Minute
Tags:['Cryptography', 'AppSec'] No attachments
TLS is widely used to add confidentiality, authenticity, and integrity to application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP. However, TLS does not bind a TCP connection to the intended application layer protocol. This allows a man-in-the-middle attacker to redirect TLS traffic to a different TLS service endpoint on another IP address and/or port. For example, if subdomains share a wildcard certificate, an attacker can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one service may compromise the security of the other at the application layer.

We investigate cross-protocol attacks on TLS in general and conduct a systematic case study on web servers, redirecting HTTPS requests from a victim's web browser to SMTP, IMAP, POP3, and FTP servers. We show that in reali
2021-05-28 02:43:52 Black Hat Conference
Published: 2021-06-16 Talk time: 2021-08-04 1:30pm Duration: 40-Minute
Tags:['Data Forensics & Incident Response'] No attachments
There's been a spike in major incidents and widespread DFIR disasters involving both service providers (such as MSPs and cloud providers) and software providers (such as SolarWinds, Microsoft, and Accellion). Responders have little visibility and often find out about vulnerabilities, exploits, and backdoors far too late.

In this fast-paced talk, we'll dissect real "next-gen" DFIR cases and how to adapt your response processes to meet today's global threats. This will include a walkthrough of a SolarWinds case, including threat intelligence and threat hunting, which were the keys to an effective response. We'll analyze a recent Exchange exploitation case where multiple cybercriminal gangs hacked into the server, both before and after the vulnerability was made public. We'll discuss the FBI's court-approved removal operation and the implications of pre-emptive acc