
A little story about BlackHat Europe 2014



Last week, one of the iconic annual events in the world of practical information security wrapped up: BlackHat Europe 2014. How it went, what stuck in memory, and a couple of photos are below the cut.


If BlackHat USA is traditionally held in Las Vegas, then for the European conference it is hard to imagine a better place than the cozy capital of moral freedom and unshakable cultural values. This year was no exception, and BlackHat Europe was held in the glorious city of Amsterdam, within the walls of the Amsterdam RAI conference center.


The conference is divided into two parts: the first two days are given over to trainings, and the other two to the most interesting part, the talks.
This time we had nothing to do with the trainings, so the discussion will focus mainly on memorable moments from the two days of talks.


The first day was opened with a keynote by a living legend of modern cryptography and infosec in general, Adi Shamir (mind you, he is still the "S" in the familiar RSA abbreviation).
Usually, keynotes are built around general analytics of the processes occurring in a particular area, world trends, and fashions.
But Professor Shamir, after a brief excursion into the history of high-profile breaks of various cryptosystems and his personal achievements (and these two stories largely overlap), and after recalling the recent leak of NSA toolkit descriptions and one of his latest works, moved straight on to an intriguing concept for a two-way communication channel.


Given:


It is necessary to establish a two-way channel with this software in order to send it control commands and receive data back from this information fortress.


The recipe offered was in the best traditions of spy movies and paranoid nightmares. An ordinary networked multifunction device (one of those that prints, scans and is managed over the network) was chosen as the communicating element. To deliver information into the building, a scan was started, and from a distance of a kilometer and a bit the room where the multifunction printer stood was illuminated with a powerful laser, encoding information bits as flashes and the pauses between them.
Clever software could then easily decode the striped image that results from scanning a room lit by such a laser stroboscope. The return channel was implemented with the same scanner: by starting and stopping the scanning process and registering the radiation from its lamp with the camera of a quadcopter hovering in front of the building.
As a result, the talk was saturated with all sorts of technological tricks and thoroughly permeated with the hacker spirit, which set a very cheerful mood for the speakers who followed.
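To make the channel concrete, here is an added illustration (not from the talk or the original post) that constructs a striped scan like the one described and decodes it back into bits. The rows-per-symbol count, pixel levels and simple on/off keying are assumptions; the real work used its own encoding.

```python
import random

ROWS_PER_BIT = 8   # scan lines swept while the laser holds one symbol (constructed value)
ROW_WIDTH = 16     # pixels per scan line in the constructed image


def simulate_scan(bits, seed=1):
    """Constructed scanned image: bright rows where the laser lit the room, dark rows for pauses."""
    rng = random.Random(seed)
    image = []
    for bit in bits:
        base = 220 if bit else 30
        for _ in range(ROWS_PER_BIT):
            image.append([max(0, min(255, base + rng.randint(-25, 25)))
                          for _ in range(ROW_WIDTH)])
    return image


def decode_stripes(image, rows_per_bit=ROWS_PER_BIT, min_contrast=60):
    """Turn the striped scan back into bits: average each scan line, threshold at the
    midpoint between the darkest and brightest lines, then majority-vote each symbol block."""
    means = [sum(row) / len(row) for row in image]
    if not means or max(means) - min(means) < min_contrast:
        return []    # no visible stripes: nothing modulated the light reaching the scanner
    threshold = (min(means) + max(means)) / 2
    bits = []
    for start in range(0, len(means) - rows_per_bit + 1, rows_per_bit):
        block = means[start:start + rows_per_bit]
        lit = sum(1 for m in block if m > threshold)
        bits.append(1 if 2 * lit > len(block) else 0)
    return bits


def text_to_bits(text):
    return [int(b) for c in text.encode("ascii") for b in format(c, "08b")]


def bits_to_text(bits):
    chunks = [bits[i:i + 8] for i in range(0, len(bits) - len(bits) % 8, 8)]
    return bytes(int("".join(map(str, c)), 2) for c in chunks).decode("ascii", "replace")


def roundtrip(text):
    """Encode text as flashes, 'scan' it, and decode the stripes back to text."""
    return bits_to_text(decode_stripes(simulate_scan(text_to_bits(text))))
```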

Jose Selvi then talked about an HSTS bypass technique under MitM conditions: by spoofing the responses from the NTP server and winding the time on the client's host forward until the period for which the browser is required to use a secure connection has expired. In principle, the vector lay on the surface, and there is little new in NTP spoofing, but the author presented a demo of a working NTP spoofer (and it is always nice to see a working combat tool). Among other things, he provided some information about how NTP clients behave in different operating systems; Windows, as it turned out, has the implementation best protected against this type of attack.
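Why moving the clock forward defeats a dynamic HSTS policy, and why a preloaded entry does not care, is easy to see in a small model of the browser's HSTS cache. This is an added example, not the speaker's tool or code from the original post; the host names, times and the simplified preload handling are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class HstsEntry:
    expires_at: float         # absolute time when the dynamic policy lapses
    include_subdomains: bool

class HstsStore:
    """Minimal model of a browser's HSTS state (constructed for illustration)."""

    def __init__(self, preloaded=()):
        self.dynamic = {}                # host -> HstsEntry learned from response headers
        self.preloaded = set(preloaded)  # hosts shipped with the browser; no max-age, never lapse

    def observe_header(self, host, header_value, now):
        """Process a Strict-Transport-Security header received over HTTPS at time `now`."""
        match = re.search(r"max-age\s*=\s*(\d+)", header_value, re.IGNORECASE)
        if not match:
            return
        max_age = int(match.group(1))
        if max_age == 0:                 # max-age=0 tells the client to forget the host
            self.dynamic.pop(host, None)
            return
        self.dynamic[host] = HstsEntry(
            expires_at=now + max_age,
            include_subdomains="includesubdomains" in header_value.lower(),
        )

    def must_use_https(self, host, now):
        """Policy lookup as the browser does it, using its *current* clock reading."""
        if host in self.preloaded:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.dynamic.get(".".join(labels[i:]))
            if entry is None or now >= entry.expires_at:
                continue                 # a lapsed entry behaves as if it was never there
            if i == 0 or entry.include_subdomains:
                return True
        return False

def after_clock_shift(shift_seconds):
    """Learn a one-year policy at t0, then query it 60 s later with the clock moved forward."""
    store = HstsStore(preloaded={"preloaded.example"})
    t0 = 1_400_000_000.0                 # constructed reference time
    store.observe_header("bank.example", "max-age=31536000; includeSubDomains", t0)
    now = t0 + 60 + shift_seconds
    return store.must_use_https("bank.example", now), store.must_use_https("preloaded.example", now)
```

With the clock shifted two years ahead, the dynamic entry is treated as expired and the host falls back to plain HTTP, while the preloaded host stays enforced.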


Next came a talk by Alberto Garcia Illera and Javier Vazquez Vidal, daring guys from Spain. Alberto had previously been seen speaking about the weaknesses of transport systems at Zeronights 0x02. This time he and his colleague took on a smart electricity meter and demonstrated vulnerabilities in the embedded platform it is built on, as well as architectural weaknesses of the networks that join such devices together, through which attackers could potentially compromise the entire energy metering system and, of course, avoid paying their bills. The talk dazzled with technical details about the rich inner world of a smart meter and contained all the components of a classic hack story: reverse engineering an unknown piece of hardware, bypassing the factory protection mechanisms, dumping the firmware, then reversing and modifying it. All of this was accompanied by a live demo right from the stage.

The second half of the day was marked by the coolest talk, from Balint Seeber, about SDR in general and specific cases of using Software Defined Radio for good and for fun. From games with RDS, ADS-B, paging systems and the radio call buttons on restaurant tables, to such crazy things as establishing communication with, and programming, a spacecraft that had been dangling lifelessly in orbit for 15 years. Balint is a visualization specialist, an SDR fan and an evangelist at Ettus, one of those enthusiasts who pulled off this miracle with the help of a radio telescope dish.



A new USRP model, the E310, the most portable SDR platform from Ettus, was also presented in action. With its help, a fully functional local GSM network running OpenBTS and Asterisk was deployed for the duration of the talk, which made it possible to ask questions by calling or sending an SMS directly to the speaker's short number.



To heighten the amusement of the audience, a sample was played in a loop at 915 MHz during the talk whose waterfall spectrogram formed various graphic images.

The next talk came from our compatriots Alexei Osipov and Olga Kochetova, who told how one can entertain oneself with an ATM if its functionality is extended with a Raspberry Pi. They covered in detail the methods for studying how the internal components of a modern ATM work, the interaction between those components, and the attack vectors against them.



We closed the first day with Alexander Bolshev (@dark_k3y) and a talk on a number of vulnerabilities in FDT/DTM components discovered during our research, and on the research itself, which included developing a number of special software and hardware tools for analyzing industrial protocols and hunting for vulnerabilities.



The second day of talks was memorable for a story from the man-(self-)XSS himself, Ashar Javed.



Ashar talked about his methodology for finding cross-site scripting (XSS) in WYSIWYG editors, how, by following it, he "managed to find vulnerabilities in almost all popular visual text editors", and about the specifics of the subsequent communication with vendors.

The talk by Gregory Pickett about Software Defined Networks was extremely informative, and his toolkit for working with OpenFlow will, I am sure, find its use.



And finally, Oren Hafif lit things up with an attempt to define a new class of web vulnerability: Reflected File Download.



An unremarkable handful of weaknesses with elements of social engineering, none of which can be exploited on its own. But under certain circumstances, chained together, they can lead to RCE on the client side.

In conclusion, it hardly needs saying that BlackHat Europe turned out to be rich in content; there is even an opinion that this year the local event surpassed its older American brother in terms of talks. And, of course, BH is not only talks but also live communication, lots of new interesting contacts, fresh outside perspectives, a huge amount of useful experience and a source of new ideas.

Full list of reports with descriptions and materials

UPD: Ashar Javed's work was reasonably criticized for manipulating the facts and for wishful thinking, in particular for its use of self-XSS vectors, which reduces the practical value of such findings to zero.

Source: https://habr.com/ru/post/241391/

