
Topics for Black Hat Europe 2010 / Barcelona


Good afternoon, %username%. Black Hat Europe 2010 opens in Barcelona today, and it would be very interesting to find out what has been prepared for us this time. This translation contains the talk titles and a brief description of each.
In places the translation may be a little rough, but, as the saying goes, you are welcome to what we have. Remarks on the translation are welcome.

Author(s):
Andre Adelsbach (Telindus)
Title:
Misusing Wireless ISPs for Anonymous Communication (Abusing wireless providers to create anonymous communication)
Description:
Most wireless communication techniques are inherently broadcasts at the physical layer, so the signal can in fact be received by any party in the coverage area. Cryptographic protocols are commonly used to provide secure point-to-point connections over such wireless infrastructures: both ends of the connection (for example, the user and the provider) establish a session key that is then used to build a private and authentic channel through encryption and message authentication codes. To date, the design and analysis of such protocols has assumed that both parties behave correctly with respect to the crypto-protocol because they want to keep their communication confidential from outsiders.

However, if the provider has large capacity and resources in terms of bandwidth, users may not be interested in protecting their connections from outsiders at all, but may instead try to expand their own capacity and resources through insider attacks on the communication protocol. As far as the author of the talk is aware, such new threats from a trusted party have so far been neglected.
This talk will present several types of insider attacks that break secure communication initiated by the resource provider. A prime example is satellite Internet providers: users are tightly bound to a service provider, while on the other hand the provider can transmit signals over vast areas. That is why the talk will mainly illustrate attacks on satellite Internet providers, although WiMAX will also be touched upon.
The strongest attack to be presented allows the end user to broadcast data in clear text through their provider, even though all data sent from satellite to user must be encrypted.
At the end, the author intends to discuss how the presented results can be used to establish communication channels with perfect recipient anonymity.

Author(s):
Iftach Ian Amit (Security & Innovation)
Title:
Cyber [Crime | War] charting dangerous water (Cyber [crime | war]: charting dangerous waters)
Description:
Cyber warfare has been a rather controversial topic for the last couple of years; some say the term itself is simply wrong. Cybercrime, on the other hand, has been a major source of concern, as the lack of jurisdiction and law enforcement has made it one of the best sources of income for organized crime. In this talk the author will explore the differences between cybercrime and cyber war, noting the main actors along the way (mainly on the state side) and linking past attacks on opponents with cybercrime syndicates. The author will also consider the relationship between cyber war and conventional war, and the cyber methods used in modern campaigns.

Author(s):
Patroklos Argyroudis (Census, Inc)
Title:
Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation (Exploiting the FreeBSD kernel stack and heap)
Description:
FreeBSD is widely recognized as one of the most reliable and efficient operating systems, among both free and proprietary software. Although exploitation of kernel vulnerabilities has been studied on Windows and Linux, FreeBSD and the BSD systems in general have received much less attention. This presentation will first show how a FreeBSD kernel stack overflow is exploited, documenting the development of a privilege escalation exploit for CVE-2008-3531. The second part of the presentation is a detailed security analysis of the FreeBSD kernel memory manager, the Universal Memory Allocator (UMA), including how a UMA overflow can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE).

Author(s):
James Arlen (Push The Stack Consulting)
Title:
SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot (SCADA and ICS for security experts: how to avoid becoming a cyber-idiot)
Description:
The author wants to tell us that the traditional security industry has for some reason decided that it, like a knight on a white horse, must save everyone from the horror of insecure pipelines, chemical plants and other cookie factories. Suddenly every consultant is an expert, and every product loudly advertises its ability to solve the SCADA security problem. But mostly, because they do not know what they are talking about, they make us all look like idiots. So the author invites everyone to sit down calmly and talk about SCADA and ICS, and thereby solve together the problems that have built up. The author argues that it is time to stop being cyber-idiots and start making a positive contribution to a common solution.

Author(s):
Christiaan Beek (TenICT BV)
Title:
Virtual Forensics (Virtual investigations)
Description:
This talk is about the problems we face when conducting an investigation in virtualized environments. The author raises questions such as "What are the differences in investigation techniques and tools between virtualized and standard systems", "Which files matter most when investigating Citrix and VMware systems" and "What about VMDK files and future research into them".

Author(s):
Marco Bonetti (Cutaway srl)
Title:
Surviving your phone: protecting mobile communications with Tor (Protecting mobile communications with Tor)
Description:
The author reminds us that Tor is a software product that helps protect against network traffic analysis, a form of surveillance that threatens personal freedom and the confidentiality of relationships. Tor provides this protection by routing network traffic across a distributed network of servers run by volunteers around the world, making it impossible to learn your real geographic location.

Unfortunately, the new features of HTML5 and browser-integrated geolocation technologies make it ever harder for users to maintain their privacy.

This presentation will describe all of the above problems and the ways they can be triggered even for Tor users. It will also describe how to solve these privacy issues for mobile users.

Author(s):
Stephan Chenette (Websense Security Labs)
Title:
Fireshark - A tool to Link the Malicious Web (Fireshark: a tool to link the malicious web)
Description:
Thousands of legitimate sites help spread malicious content to millions of visitors. Trying to combine all such studies to find patterns between the sites is quite a challenge, and sometimes unsolvable with the available free tools.

The author will present a research project called Fireshark, which is able to visit a huge number of sites while executing, storing and analyzing the content of each of them. From the results of this analysis it will be possible to draw conclusions about a site's security.

Author(s):
Mariano Nuñez Di Croce (ONAPSIS)
Title:
SAP backdoors: A ghost at the heart of your business (SAP backdoors: ghosts at the heart of your business)
Description:
In any company the ERP (Enterprise Resource Planning) system is the heart of the business. These systems are designed to organize processes such as procurement, billing, personnel management, resource management and financial planning; among them SAP stands out most clearly, with more than 90,000 customers in more than 120 countries.

The information stored in such systems is of the highest importance to the company, and its unauthorized manipulation can lead to economic losses and loss of reputation.

The presentation is about backdoors in SAP: the author will discuss the various methods attackers can use to create and install a backdoor in an SAP system, allowing them to remain unnoticed and install other malicious components that ultimately lead to financial fraud. After that, the author will present some countermeasures against such attacks, as well as a new free Onapsis tool that lets security managers automatically detect unauthorized changes in SAP systems.

Author(s):
Andrzej Dereszowski (3M)
Title:
Verifying eMRTD Security Controls (Verifying the security controls of electronic travel documents)
Description:
With the transition to electronic travel documents in Europe, there is an urgent need to verify that the authentication technology has been implemented correctly. Based on this, the author will examine the security controls of an electronic document (eMRTD, electronic Machine Readable Travel Document; translator's note), propose what is, in his opinion, the most correct implementation of the identification mechanism, and also show the dangers of an incorrect implementation and all the problems that follow from it.

Author(s):
Raoul D'Costa (SIGNAL 11)
Title:
Targeted attacks: from being a victim to counter attacking (Targeted attacks: moving from victim to attacker)
Description:
This presentation is an analysis of the targeted attacks currently taking place against many organizations. As it turns out, freely available remote access tools (RATs) are often used to maintain control over the victim after a successful penetration. The presentation does not focus on specific attack methods but instead on the RATs themselves.

The presentation will describe the methods used to determine which Trojan was used (its architecture, capabilities and methods of hiding its presence on the system). At the end, the search for vulnerabilities in the attacker's tool will be shown, so that the attacker may become a victim himself.

Author(s):
Thai Duong & Juliano Rizzo (VNSECURITY)
Title:
Practical Crypto Attacks Against Web Applications (Practical crypto attacks on web applications)
Description:
In 2009 the authors already demonstrated an attack on MD5 and, through it, on sites such as Flickr, Vimeo and Scribd. In this presentation the authors want to present the latest results of their research into another equally powerful crypto attack.

The authors will show that many widely used modern web development frameworks use encryption incorrectly and therefore allow attackers to read and modify confidential data. Examples include the padding oracle attack, eBay Latin America, Apache MyFaces, Sun Mojarra, Ruby on Rails and so on. The authors state that all of these are 0-day (zero-day) vulnerabilities.

Author(s):
Eric Filiol (ESIEA)
Title:
Encryption Cryptanalysis (How to quickly detect the use of weak stream ciphers: an application to the cryptanalysis of the Office suite)
Description:
Despite the ever-increasing use of block ciphers, stream ciphers are still widespread in areas such as satellite communications, civil telecommunications and software. But, the author says, the use of stream ciphers is unsafe because of incorrect handling of encryption keys. The presentation will explain how to identify such errors and recover plaintexts in a relatively short time.

As an example, the author will demonstrate the cryptanalysis of the encryption used in Office up to the 2003 version (RC4), focusing mainly on Word and Excel. In a few seconds it will be possible to recover more than 90% of the original text.

Author(s):
FX (REcurity Labs)
Title:
Defending the Poor (Defending the poor)
Description:
This talk is about a simple but effective approach to securing Rich Internet Application (RIA) content. We will discuss some of the internal mechanisms of Adobe Flash that enable attacks on the technology as a whole. Some of these aspects will make you smile, others will make you wince. Along with these mechanisms, ideas for protection will be shown, not only in theory but also in practice, as implemented code, together with the results of applying it in the real world.

Author(s):
Thanassis Giannetsos (REcurity Labs)
Title:
Weaponizing Wireless Networks: An… (Arming wireless networks: attacking sensor networks)
Description:
The widespread adoption of autonomous sensor devices has spawned a broad class of new applications. At the same time, the unattended nature and limited resources of sensor nodes have created just as many vulnerabilities that an attacker could use to gain access to the network. Although much has been done to protect such networks, much less has been done to create tools that demonstrate the vulnerabilities of sensor networks.
In this talk, we present such a tool, which allows not only passive reconnaissance in these networks but also testing the network's resilience by attacking it in various ways. As far as the author is aware, this tool is the first of its kind. The results show that the tool is quite flexible, adapting easily to different sensor networks and protocol stacks. The author hopes that his work will help identify weaknesses in new network protocols and thereby raise their level of security.

Author(s):
Joe Grand (Grand Idea Studio)
Title:
Hardware is the New Software (Hardware is the new software)
Description:
Society thrives on the steady growth of technology; electronics is already in everything we touch. Hardware products are now relied upon for security-related applications and have to be trusted, although they often do not protect against even the simplest classes of attacks that have been known for decades.
The DIY hobbyist scene, easy access to equipment and instant access to information on the Internet mean that hardware can no longer be discounted when considering computer security. In the talk, the author will present the hardware hacking process and demonstrate several attacks on electronic devices.

Author(s):
Vincenzo Iozzo (Zynamics GmbH)
Title:
0-knowledge fuzzing (Fuzzing without prior preparation)
Description:
Fuzzing is currently a fairly common technique used by both attackers and developers. It usually requires knowledge of the protocol or input format, as well as a general understanding of how that input is processed inside the application.
In the past, fuzzing could produce impressive results with little effort; now finding bugs requires digging into the code, including user code, because the common, widespread vulnerabilities have already been found and fixed by developers.
The talk will discuss the effective use of fuzzing without knowing the format of the user input. In particular, it will be shown that techniques such as code coverage, data tainting and memory fuzzing allow you to build a smart fuzzer without any special tools.

// Translator's note
Fuzzing is a program testing technique in which random data is passed to the program instead of the expected input. If the program hangs or crashes, this is treated as a defect that may lead to the discovery of a vulnerability. The big advantage of fuzzing is its simplicity and the possibility of automated analysis.
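As an added illustration of the translator's note, not taken from the original post or from the talk, the following C program wraps a small mutation-based fuzzer around a deliberately buggy parser for a toy record format. The format, the parser and its bug, the guarded read rd() that records an out-of-bounds access instead of letting the process crash, and the xorshift PRNG are all constructed for this example; in a real fuzzing run the same defect would surface as a crash or a sanitizer report rather than a counted return value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy input format, constructed for this example:
 *   byte 0      : number of fields n
 *   then n times: a length byte followed by that many payload bytes
 * The parser returns the sum of all payload bytes. */

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_OOB = 2 } parse_status;

/* Guarded read. In a real fuzzing run an out-of-bounds access shows up as a
 * crash or a sanitizer report; here the guard records it instead so the
 * harness can count faults deterministically. */
static int rd(const uint8_t *buf, size_t size, size_t pos, bool *oob) {
    if (pos >= size) { *oob = true; return 0; }
    return buf[pos];
}

/* Deliberately buggy parser: it checks that the length byte is in bounds but
 * never that the whole payload fits, so a large length reads past the end. */
static parse_status parse_records(const uint8_t *buf, size_t size, unsigned *sum_out) {
    bool oob = false, truncated = false;
    size_t pos = 0;
    unsigned sum = 0;
    if (size < 1) return PARSE_TRUNCATED;
    int n = rd(buf, size, pos++, &oob);
    for (int i = 0; i < n && !oob; i++) {
        if (pos >= size) { truncated = true; break; }   /* the only per-field check */
        int len = rd(buf, size, pos++, &oob);
        for (int j = 0; j < len; j++) {
            sum += (unsigned)rd(buf, size, pos++, &oob);  /* may run past the buffer */
        }
    }
    *sum_out = sum;
    if (oob) return PARSE_OOB;
    return truncated ? PARSE_TRUNCATED : PARSE_OK;
}

/* xorshift32: a tiny deterministic PRNG so every run is reproducible. */
static uint32_t xs_next(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Constructed valid seed input: two fields, "a" and "b". */
static const uint8_t SEED_INPUT[] = { 2, 1, 'a', 1, 'b' };

/* Mutation fuzzer: start from the valid seed, overwrite one random byte per
 * iteration, feed the result to the parser and count inputs that trigger an
 * out-of-bounds read. Returns the number of faulting inputs found. */
int fuzz_parser(uint32_t rng_seed, int iterations) {
    uint8_t buf[sizeof SEED_INPUT];
    uint32_t s = rng_seed ? rng_seed : 1;   /* xorshift must not start at 0 */
    int faults = 0;
    for (int it = 0; it < iterations; it++) {
        memcpy(buf, SEED_INPUT, sizeof buf);
        size_t idx = xs_next(&s) % sizeof buf;
        buf[idx] = (uint8_t)xs_next(&s);
        unsigned sum;
        if (parse_records(buf, sizeof buf, &sum) == PARSE_OOB) faults++;
    }
    return faults;
}

/* The unmodified seed parses cleanly to 'a' + 'b' = 195. */
unsigned seed_sum(void) {
    unsigned sum = 0;
    parse_records(SEED_INPUT, sizeof SEED_INPUT, &sum);
    return sum;
}

int main(void) {
    printf("valid seed sum: %u\n", seed_sum());
    printf("faulting inputs in 1000 mutations: %d\n", fuzz_parser(12345, 1000));
    return 0;
}
```

Only two of the five seed bytes are length fields, so roughly two fifths of the single-byte mutations make the parser read past its buffer; the point of the example is that the harness needs no knowledge of which bytes those are, it simply mutates and watches for faults, which is the "0-knowledge" idea the talk is about. The fix for the parser is the check the comment points at: verify that pos + len <= size before reading the payload.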

Author(s):
Haifei Li & Guillaume Lovet (Fortinet Inc)
Title:
Adobe Reader's Custom Memory Management: a Heap of Trouble (Adobe Reader's memory management: a heap of trouble)
Description:
PDF vulnerabilities are always impressive. Some antivirus companies, in their forecasts for 2010, predict a growing number of PDF vulnerabilities driven by demand from cybercrime. But how serious is it really compared with the predictions, and what share of this is FUD (Fear, Uncertainty, Doubt)? After all, many PDF vulnerabilities are related to the file structure (format) and therefore lead to heap corruption. And everyone knows that heap corruption rarely counts as a serious vulnerability for which exploits get written: the MS Windows heap is hard to predict, and it is also protected by mechanisms such as safe-unlinking.
The most popular PDF reader, Adobe Reader, has a specific architecture that may make us reconsider the statements above. To improve performance, it implements its own heap management on top of the system's. But sometimes performance becomes the enemy of security, and vulnerabilities in this heap manager are much easier to exploit. Coupled with the recent Flash DEP bypass (JIT spraying), which will be briefly shown in the presentation, the heap becomes easy prey.
As a result, the talk will review this heap management system and highlight its key weaknesses in order to shed light on the PDF vulnerability question.

// Translator's note
FUD: Fear, Uncertainty, Doubt.
The name of an unfair competition technique that consists of spreading claims intended to make a consumer (or potential consumer) of a competitor's product doubt their choice and the absence of undesirable consequences. The assumption is that a consumer who has come to doubt a competitor's product is unlikely to buy it, following the well-known principle "when in doubt, abstain", which makes it easier to push the competitor out of the market or at least reduce its market share.
Safe-unlinking is a heap protection technique: before a free block is removed from the doubly linked list, the pointers to the previous and next blocks are checked for validity.
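To make the translator's note on safe-unlinking concrete, here is an added C example that is not from the original post, from the talk or from any real allocator. It models a free list as a doubly linked list of chunks (the chunk_t layout and all function names are constructed for the illustration) and contrasts an unchecked unlink with one that performs the validity check the note describes, showing on simulated corrupted links that the check refuses to write anywhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal doubly linked free list in the style of classic heap allocators.
 * The layout and all functions are constructed for this illustration and
 * are not taken from any real allocator. */
typedef struct chunk {
    struct chunk *fd;   /* forward link to the next free chunk */
    struct chunk *bk;   /* backward link to the previous free chunk */
} chunk_t;

/* Unchecked unlink, as older allocators did it: the two pointer writes trust
 * fd and bk completely. If an overflow has overwritten them, the writes land
 * wherever the corrupted pointers say. */
static void unlink_unchecked(chunk_t *c) {
    c->bk->fd = c->fd;
    c->fd->bk = c->bk;
}

/* Safe unlinking: before writing through fd and bk, verify that both
 * neighbours still point back to this chunk. Inconsistent links mean the
 * list was corrupted, so the unlink is refused and nothing is written.
 * Returns true if the chunk was unlinked, false if the check failed. */
static bool unlink_safe(chunk_t *c) {
    if (c->fd->bk != c || c->bk->fd != c) {
        return false;
    }
    c->bk->fd = c->fd;
    c->fd->bk = c->bk;
    return true;
}

/* Build a circular, sentinel-headed list: head <-> a <-> b <-> head. */
static void init_list(chunk_t *head, chunk_t *a, chunk_t *b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Number of chunks on the list, excluding the sentinel. */
static int list_length(const chunk_t *head) {
    int n = 0;
    for (const chunk_t *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Case 1: intact list. The safe unlink succeeds and leaves head <-> b. */
int demo_intact_list(void) {
    chunk_t head, a, b;
    init_list(&head, &a, &b);
    if (!unlink_safe(&a)) return 0;
    return list_length(&head) == 1 && head.fd == &b && b.bk == &head;
}

/* Case 2: corrupted links, simulating an overflow that has overwritten a's
 * fd/bk with the address of some other object. The safe unlink notices that
 * target does not point back to a, refuses, and leaves both the list and the
 * target untouched. */
int demo_corrupted_links(void) {
    chunk_t head, a, b;
    chunk_t target = { NULL, NULL };   /* stands in for an unrelated object */
    init_list(&head, &a, &b);
    a.fd = &target;                    /* the "overflowed" pointers */
    a.bk = &target;

    bool rejected = !unlink_safe(&a);
    bool target_untouched = (target.fd == NULL && target.bk == NULL);
    bool list_untouched = (head.fd == &a && b.bk == &a);
    return rejected && target_untouched && list_untouched;
}

/* The same corruption run through the unchecked version: both writes land in
 * target, which is exactly what safe unlinking exists to prevent. */
int demo_unchecked_writes_target(void) {
    chunk_t head, a, b;
    chunk_t target = { NULL, NULL };
    init_list(&head, &a, &b);
    a.fd = &target;
    a.bk = &target;
    unlink_unchecked(&a);
    return target.fd == &target && target.bk == &target;
}

int main(void) {
    printf("intact list unlinked: %d\n", demo_intact_list());
    printf("corrupted links rejected by safe unlink: %d\n", demo_corrupted_links());
    printf("unchecked unlink wrote into target: %d\n", demo_unchecked_writes_target());
    return 0;
}
```

The check costs two pointer comparisons per unlink, which is why it became standard in system heaps; the talk's point is that an application-level allocator layered on top of the system heap, as in Adobe Reader, does not inherit that protection unless it implements the same check itself.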

Author(s):
David Lindsay & Eduardo Vela Nava (Cigital)
Title:
Universal XSS via IE8s XSS Filters (Universal XSS via IE8's XSS filters)
Description:
As we all know, IE8 has built-in XSS detection and prevention filters. The authors will show in detail how the filters detect attacks and discuss their main strengths and weaknesses. They will also show several ways in which the filters themselves can be turned against a page, allowing XSS on sites that had no vulnerability at all, and will demonstrate how this makes most sites vulnerable to XSS in IE8.

Author(s):
Moxie Marlinspike (Institute For Disruptive Studies)
Title:
Changing Threats To Privacy: From TIA to Google (Changing threats to privacy: from TIA to Google)
Description:
We won the crypto wars, anonymous underground networks still exist, and decentralized networks have become a reality. This networking strategy was conceived in anticipation of a bleak future, but somehow these efforts have not protected us from the privacy threats we all actually face.
Instead, with centralized state databases of all our correspondence and movements, modern threats to privacy take on an ever more ominous tone. The author proposes to talk about new trends in this area and will present some interesting solutions.

Author(s):
Steve Ocepek & Wendel G. Henrique (Trustwave)
Title:
Oracle, Interrupted: Stealing Sessions and Credentials (Oracle: stealing sessions and credentials)
Description:
In a world of free, widely used encryption libraries, many pentesters still find quite interesting things on the wire. Database traffic in the clear is good enough, and if the data also includes PAN, Track and CVV values, it makes you stop and wonder why all this is not encrypted by default. Still, we need someone to query the database. Or maybe not…
The authors turn their attention to one of the most popular relational databases, Oracle. Using a combination of downgrade attacks and exploits designed to intercept sessions, they will present a unique approach to hijacking database accounts. With a new tool, thicknet, released at Black Hat, the team will demonstrate how deadly injection-based attacks can be.

Author(s):
Christian Papathanasiou (Trustwave Spiderlabs)
Title:
Abusing JBoss (Abusing JBoss)
Description:
JBoss Application Server is an open source implementation of the Java EE set of services. Its ease of use and high flexibility make JBoss an ideal choice both for users starting out with J2EE and for experienced developers looking for a customizable middleware platform.
The prevalence of JBoss in enterprises makes it a tasty morsel for both blackhats (crackers?) and pentesters. JBoss is usually run as the SYSTEM user, which automatically means super-privileges once an exploitable vulnerability is found.
The tool the author developed compromises unprotected JBoss installations: it uploads a Metasploit payload and executes it in the context of JBoss. On Windows platforms, using the Metasploit framework, a full-fledged VNC shell can be obtained.
Depending on the platform in use and the level of privileges obtained, the tool can deploy a backdoor together with techniques for hiding from antivirus.
Given Java's cross-platform nature, the author is confident that the same can be done with JBoss on Linux and Mac OS X.

Author(s):
Enno Rey & Daniel Mende (ERNW)
Title:
Hacking Cisco Enterprise WLANs (Hacking Cisco wireless networks)
Description:
The world of "enterprise wireless solutions" is full of ambiguities and "non-standard" elements and technologies. Cisco's solutions, from the Structured Wireless-Aware Network (SWAN) to Cisco Wireless Unified Networking (CUWN), are just some of them. In the talk, the authors will describe the internal architecture of these solutions, analyze their vulnerable parts and discuss theoretical and practical attacks, along with a couple of demos. A new tool for automated attacks will also be presented.

Author(s):
Manish Saindane (Attack & Defense Labs)
Title:
Attacking JAVA Serialized Communication (Attacking Java serialized communication)
Description:
Many applications written in Java use object serialization to transfer objects over the network as a byte stream or to store them on the file system. The existing tools for pentesting serialized objects offer limited capabilities for intercepting and modifying requests and responses. The author will present a new technique for working with such serialized communication that makes modifying it no harder than testing a regular web application. The author has developed a plugin for Burp Suite.

Author(s):
Peter Silberman & Ero Carrera (MANDIANT & SABER Security)
Title:
State Of Malware: Family Ties
Description:
Over the past couple of years, malware has tended to cluster into large "families", which is fundamentally different from what came before. Families of hundreds or even thousands of malware samples are not uncommon. Such groups clearly show the evolution of malware over time, whether as simple fixes and small improvements or as a fundamental change of all functionality on top of existing code. Studying the relationships within and between families provides information on the pace of development and of technical improvement. Studying the growth rate of families identifies their main functions and therefore allows a certain classification to be built.

Author(s):
Paul Stone (Context Information Security)
Title:
Next Generation Clickjacking (Next-generation clickjacking)
Description:
Clickjacking is a technique for tricking a user into performing unintended actions on a website by laying out a web page so that the victim clicks on a hidden link, usually hidden inside an IFRAME. Compared with other attacks such as XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery), however, clickjacking is regarded as an attack of limited capability. In the talk the author wants to prove this statement wrong, and that today's clickjacking methods can be extended into new, more powerful attacks.
In all, the talk will cover the basics of clickjacking, ways of improving existing methods, and new ways of deceiving the user; for example, the author will show several cross-browser attack techniques.

Author(s):
Christopher Tarnovsky (Flylogic Engineering)
Title:
Hacking the Smartcard Chip (Hacking a smartcard chip)
Description:
Description not given :(

Author(s):
Roelof Temmingh (Paterva)
Title:
Unveiling Maltego 3.0 (Maltego 3.0 in its true light)
Description:
Starting in March 2009, the Paterva team spent the year quietly working on Maltego 3.0 without any releases. For the first time since BH 2009, Paterva will show what they have done: they will present the new version of Maltego to the world, completely rebuilt from scratch. You'll see Hollywood-style graphics and animations, endless extension options, and new analytic views that will make you cry.

Author(s):
Julien Tinnes & Chris Evans (Google, Inc.)
Title:
Security in depth for Linux software
Description:
In many projects the slightest coding error can become an exploitable vulnerability giving an attacker almost or completely unrestricted access to the system. Using vsftpd and Google Chrome for Linux as examples, the authors first show how to make code more resilient to known vulnerabilities, and second how to mitigate the consequences of an attack by dropping privileges.
Linux offers an amazing number of ways to manage privileges, but each has its own nuances. The talk will discuss the technical aspects of the various methods and explain how to combine them to raise the security bar of the system.
Although mandatory access control systems are readily available, and three of them are even included in the Linux kernel, dropping privileges leads to discretionary control, which in turn relies on rather ancient mechanisms (which, moreover, may never have been intended for security). The authors will show how a decent level of privilege reduction can be achieved with standard mechanisms, consider their main drawbacks, and show how improper use can be turned against you by an attacker.
After that, the authors will explain and demonstrate projects that let developers move the execution of their code into a "sandbox", and, as mentioned earlier, will show all of it using vsftpd and Google Chrome for Linux as examples.
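As an added example of the "ancient mechanisms" the abstract refers to, not code from the original post, from the talk or from vsftpd or Chrome, the following C program drops privileges with the classic setgroups()/setgid()/setuid() calls in the order that actually works and then verifies that root cannot be regained. The function names drop_privileges and verify_dropped are constructed for the illustration; the ordering pitfall it guards against (calling setuid() before clearing groups, or leaving a saved uid of 0 behind) is one of the improper-use cases the abstract mentions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid using only the classic POSIX/Linux mechanisms.
 * Order matters: supplementary groups first (only root may clear them), then
 * the primary group, then the user. Calling setuid() first would leave the
 * process unable to change its groups afterwards, so a "dropped" process
 * could keep root-level group membership. Returns 0 on success, -1 on error. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        return -1;                      /* could not clear supplementary groups */
    }
    if (setgid(gid) != 0) return -1;    /* real, effective and saved gid */
    if (setuid(uid) != 0) return -1;    /* real, effective and saved uid */
    return 0;
}

/* Verify that the drop is real and irreversible: all ids must match, and for
 * a non-root target an attempt to become root again must fail with EPERM
 * (which it would not if a saved uid of 0 had been left behind).
 * Returns 1 when verified, 0 otherwise. */
int verify_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0) {
        if (setuid(0) == 0) return 0;   /* regaining root must not succeed */
        if (errno != EPERM) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed usage: a daemon started as root would pass the ids of its
     * unprivileged service account here; run as a normal user this simply
     * re-applies the current ids and still exercises the verification. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("dropped to uid=%u gid=%u, verified=%d\n",
           (unsigned)uid, (unsigned)gid, verify_dropped(uid, gid));
    return 0;
}
```

The verification step is the part most daemons skip: setuid() alone does not tell you whether the saved set-user-id was also changed, and a process that can still call setuid(0) successfully has not really dropped anything, which is exactly the kind of silent misuse the talk warns about.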

Author(s):
Mario Vuksan, Tomislav Pericin & Brian Karney (ReversingLabs & AccessData Corporation)
Title:
Hiding in the Familiar: Steganography and Vulnerabilities in Popular Archives Formats (Hiding in the familiar: steganography and vulnerabilities in popular archive formats)
Description:
Archives can be used to hide data steganographically, but they are also interesting because of their presence on every computer, PC or Apple. They are widespread and trusted, but can something that has been in use for 10 or even 20 years somehow be turned against us?
Through an in-depth analysis of the formats, the authors concluded that the specifications of these very formats are, for some reason, interpreted differently. Can you trust the programs that handle archives? Can you trust your antivirus at all? The authors will try to answer these questions and present 15 new vulnerabilities in formats such as ZIP, 7ZIP, RAR, CAB and GZIP.
The talk will also feature ArchiveInsider, a new tool that detects and extracts hidden data, thereby confirming the vulnerability of the formats. The authors will also demonstrate steganography, tampering and even "self-destruction" of data.

Author(s):
Kyle Yang (FORTINET INC)
Title:
Protocol, Mechanism and Encryption of Pushdo / Cutwail / Webwail Botnet (Architecture of the Pushdo / Cutwail / Webwail botnets)
Description:
After several months of effort, the author(s) of the Pushdo / Cutwail / Webwail botnet finally released a new advanced Pushdo installer (codename "revolution"), in which not only the protocol and encryption were changed but a "Services" mechanism was added as well. In addition, a new spam engine was still in the experimental phase. In this talk the author (of the talk this time, not of the botnet) will present the protocol and encryption mentioned above, the "Services for cyber-criminals", and dissect the protocol and encryption of the debug version of the new spam engine.

Source: https://habr.com/ru/post/89928/

