Smart TV Insecurity
Author: Donato Ferrante, Luigi Auriemma
In the beginning, TVs were just supposed to be TVs. They were used to make people's lives happier. Nowadays, TVs are fully featured PCs with a proper OS, camera, microphone, web browser, and applications. They still make people happy. Especially the malicious ones. This talk will detail the current status of Smart TVs, exploring their attack surface, detailing possible areas of interest, and demonstrating some issues the speakers found while assessing the security of Smart TVs from different vendors.
Prior to founding ReVuln Ltd., Donato was a Security Researcher for Research In Motion (Blackberry), where his daily job was performing security research and vulnerability assessments of RIM-authored code, products and services, including infrastructure, devices, and the QNX operating system. Before moving to RIM, Donato analyzed and reversed several rootkits, malware, mobile malware and exploits for Sophos Antivirus. He presented one of his research projects on Java malware and Java Virtual Machine exploits (inREVERSE) during the CARO workshop in Prague. Donato has found several vulnerabilities in well-known commercial products and open source software; his first publicly disclosed security advisory was released in 2003.
Luigi has been in the security field for more than a decade. As an Independent Security Researcher (aluigi.org), he is a world-recognized expert in this field and has discovered more than 2000 vulnerabilities in widely used software. The following are some key points of Luigi's work: the highest number of security vulnerabilities disclosed in SCADA/HMI software (General Electric, Siemens, ABB, Rockwell, Invensys, Schneider, InduSoft, CoDeSys and many others); the most widely known server-side Microsoft vulnerabilities found by him (ms12-020, ms11-035); research on Smart TV vulnerabilities; and security vulnerabilities affecting the most widespread multiplayer game engines, libraries, middleware and games.
Mobile Network Attack Evolution
Author: Karsten Nohl
Mobile networks should protect users on several fronts: Calls need to be encrypted, customer data protected, and SIM cards shielded from malware.
Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: they target symptoms instead of solving the core issue.
This talk discusses mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution.
Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.
Impressioning Attacks: Opening Locks with Blank Keys
Author: Deviant Ollam, Babak Javadi, Keith Howell
Impressioning is the art of fabricating a working key for a lock using only a hand file, a blank key, and keen observation. Without taking any mechanisms apart, and while only accessing a locked door from its secured side, it is possible to manipulate a lock in such a way that it will “leak” information, allowing for a full decoding of the pins within. This attack sometimes takes longer than conventional lockpicking, but it is very effective and if successful it will result in total compromise of the lock not just one time… but for all time. This presentation will demonstrate the art of impressioning, and attendees will be able to try these attacks themselves afterward in our hands-on area.
While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student, in words alone, how to disassemble the doorknob on the classroom door. After years of immersion in electronics and computer hardware hacking, he found his passion in the puzzling and mysterious world of high security locks and safes. After serving as a driving force within the locksport community for almost a decade and helping found the US division of The Open Organisation of Lockpickers, he has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance. He currently serves as the President of the US group of The Open Organisation of Lockpickers (TOOOL) and is the founder of The CORE Group, a security research and consulting firm.
Trained as an Electronics Engineer by the British Army, Keith Howell became interested in computers and began his learning path with a TRS-80; he has owned most Intel-based processors since then. After joining UUNET Technologies in 1995, he started to get interested in the security of networks and computers, and in 1998 he joined the UUNET InfoSec team.
Following the ‘dot-bomb’ period in 2001, Keith returned to his electronics background and began doing physical security including Access Control, Alarm Systems and Locksmithing. Keith is a CISSP as well as an ALOA CRL (Certified Registered Locksmith). Currently, Keith is a Security Consultant in the Washington, DC area where he is contracted to Assurance Data Inc in Alexandria, VA.
Give Me Your Data!
Author: Dave Chronister
We hear news stories every day about malicious hackers compromising the sensitive data of corporations, governments and individuals. But that is only half of the story. The genesis of this presentation stems from the idea that, even today, data is still not stored securely. Professional hacker Dave Chronister conducted a research project to find out whether he could gain access to sensitive data. The catch? He would not hack any systems; all data had to be collected legally. From purchasing devices on Facebook and bidding for hard drives on eBay, to monitoring public file sharing sites and anonymously accessible servers, Chronister will unveil methods to retrieve information and show his findings - which are very surprising.
Dave Chronister – C|EH, CISSP, MCSE, C|HFI – is the founder and Managing Technology Partner of the ethical hacking firm Parameter Security. Growing up in the wild world of 1980’s BBSes and the early Internet, Chronister obtained a unique firsthand look at the mind, motives, and methodologies of hackers. Chronister has provided ethical hacking services, auditing, forensics, and training to clients worldwide. Chronister’s expertise has been featured in many media outlets including CNN, CNBC, CNN Headline News, ABC World News Tonight, Bloomberg TV, CBS, FOX Business News, Computer World, Popular Science, Information Security Magazine, St. Louis Post Dispatch, and St. Louis Business Journal, to name a few.
ID and IP Theft with Side-Channel Attacks
Author: David Oswald
Side-channel analysis (SCA) is a powerful tool to extract (cryptographic) secrets by observing physical properties (power consumption, EM emanations) of a target device. After an intro to SCA and related methods, the speaker will demonstrate the practical relevance of SCA with two case studies: first, how SCA can be used to circumvent the IP protection (bitstream encryption) of FPGAs; second, how, in a similar way, the AES keys of one-time password tokens can be extracted, allowing an attacker to steal digital identities.
David Oswald received his PhD in IT-Security in 2013 and is currently working at the Chair for Embedded Security, Ruhr-University Bochum. His main field of research is the practical security analysis of embedded systems, e.g., commercially employed RFID smartcards. The focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering.
Security Modelling of Access and Dataflow Control Using DP Models Theory
Author: Denis Kolegov
The talk will cover security modelling of logical access and data flow control in contemporary computer systems. The speaker will consider the approach to security modelling on the basis of DP models theory, its advantages and capabilities, along with its application characteristics when developing security mechanisms. The talk will address main components, concepts and techniques of DP models. The speaker will present new modelling approaches, targeted at software implementation of access control mechanisms.
Denis Kolegov is a Candidate of Science and associate professor of the Information Protection and Cryptography Chair of Tomsk State University (TSU), and a Senior Pentesting Engineer at F5 Networks. He graduated from TSU, the Department of Applied Mathematics and Cybernetics, where he specialized in computer security.
CUA as a SAP Attack Vector
Author: Dmitry Gutsko
The talk will cover the main vectors of attacks against SAP, particularly with CUA (Central User Administration) as a target. The speaker will review CUA vulnerabilities caused by architectural features, misconfigurations and unchanged default settings. Three attack scenarios will be discussed: obtaining control over one of the child CUA systems, getting hold of the communication link, and a situation with no control possibilities at all. The speaker will also advise on how to safely configure CUA systems in SAP landscapes.
Dmitry Gutsko is an information security expert in the field of SAP. He graduated from MEPhI (2006) specializing in information security. He is currently the head of the SAP Applications Security Analysis Team at Positive Technologies. Dmitry has published many vulnerabilities and research papers on various SAP security topics.
Catching Shellcodes under ARM
Author: Svetlana Gayvoronskaya and Ivan Petrov
Over the last years the ARM platform has become very popular, and the software of ARM devices may contain memory vulnerabilities, which can be exploited via shellcodes. Although there are many tools for shellcode detection, most of them target the x86 platform. This research is an attempt to fill this gap. The speakers will analyze the applicability of the existing identification methods to ARM and consider possible heuristics for the detection of shellcodes written for this platform.
Svetlana Gayvoronskaya is a former member of the CTF team Bushwhackers. Her interest in shellcodes resulted in presentations at DEFCON, BlackHat, NOPCon and three times at RusCrypto. Her passion for hands-on experience with “big systems” led to a four-month project with Microsoft Research on automated detection of malicious tenants in cloud infrastructures. Currently Svetlana is working on her thesis on shellcode detection.
Ivan Petrov is a student and member of Bushwhackers. He researches the possibilities of ARM devices and writes Metasploit modules. He has already published in a university collection of articles on the topic and has spoken at RusCrypto.
Threats to Control Systems of Contemporary Electric Substations
Author: Maxim Nikandrov
The talk analyzes real-life cyber security incidents and risks in control systems of contemporary electric substations. The special focus is on IEC 61850 vulnerabilities and practical methods of fixing them.
The speaker will describe a full-scale testing ground created in Cheboksary, imitating a real contemporary high-voltage electric substation. The results of testing the resilience of its control systems and relay protection, and techniques of protection against cyber threats, will be shared.
The presentation is based on the collaboration of R&D Center @ FGS UES, Kaspersky Lab, and ChEAZ.
Maxim Nikandrov is an expert in power control systems, Candidate of Science. He is the Head of Control Systems Department at JSK ChEAZ (Cheboksary).
(No)SQL Timing Attacks for Data Retrieval
Author: Ivan Novikov
The author will focus on various search algorithms in SQL and NoSQL databases (binary search, hashes, etc.). The goal of the research was to explore these algorithms in order to perform timing attacks for data retrieval purposes.
Such attacks can be used mainly in the field of web applications. For example, key-value storage is often used for storing user sessions. In this case the conceptual attack is obtaining another user's session based on the creation time of new sessions.
Ivan Novikov is CEO and lead security expert of Wallarm. Ivan has been engaged in research in the field of web application security since 2004 and has published numerous research papers in the field. He has received rewards from various bug hunting programs, such as Google, Facebook, Twitter, Nokia and Yandex. Currently, he is actively engaged in the development of a self-learning web application firewall system.
Compromise Indicator Magic
Author: Fyodor Yarochkin, Vladimir Kropotov and Vitaliy Chetvertakov
In this presentation Vladimir, Fyodor and Vitaliy will cover the concept of compromise indicators and the use of compromise indicators in the pro-active incident response and forensic investigation process. The team has developed a framework and a platform that allows integration of various IOC formats into a dynamic defense framework. The framework allows integration of various third-party-encoded indicators (such as CybOX, OpenIOC, etc.) and provides facilities to map individual IOC characteristics to known/existing Indicators of Compromise. The input can be provided in the form of an IP address, a hash, a URL, a process or executable name, an executable behavior characteristic and so on. The output indicators of compromise can be produced in the form of snort rule(s), Yara rule(s), or a hunt description for the GRR Rapid Response Framework. The authors will demonstrate an applied process of identifying, mining and refining IOCs as well as running "IOC sweeps" on available data sources. Several tools will be demonstrated (including the passive DNS and passive HTTP frameworks developed by the authors) in these examples, as well as possibilities of integration with third-party tools, such as Splunk, Moloch and so on.
The authors will also discuss the implementation of IOC sharing policies and the facilitation of such sharing, and will walk attendees through a series of simulated case studies including breach simulations, detection of customized rootkits, and use of the framework to detect, refine, redeploy and sweep for potential indicators of compromise.
All the provided tools are to be released open-source.
Fyodor Yarochkin is a security analyst at P1 Security, Academia Sinica.
Vladimir Kropotov is an information security analyst and independent researcher.
Vitaliy Chetvertakov is a security analyst and independent researcher.
Visual Analytics on Guard of Information Security
Author: Igor Kotenko, Yevgheniya Novikova
Methods of visual analytics significantly simplify a security administrator’s work, since these methods involve intelligent data processing algorithms and take into account the peculiarities of human visual perception of data.
The talk will cover the existing methods of data visual analysis designed for solving various tasks in order to provide protection against computer attacks. The efficacy of applying visual analysis is exemplified by the tools developed by the research authors, specifically the utilities for traffic analysis, attack modelling, security assessment, and detecting financial infringements in mobile payment systems.
Igor Kotenko is a Professor, Doctor of Technical Sciences, and Head of the SPIIRAS Laboratory of Information Security Issues.
He participated in various projects on developing new computer security technologies and managed projects of the European FP7 and FP6 framework programs and also projects commissioned by HP, Intel, F-Secure, etc. These projects resulted in the development of innovative methods for detecting network intrusions, modeling network attacks, network security assessment, security protocols development, security policies verification, etc.
Yevgheniya Novikova is a Candidate of Sciences and Senior Staff Scientist of the SPIIRAS Laboratory of Information Security Issues. She focuses her research on developing new models and methods of data visual analysis for intelligent information security management of computer systems. She takes special interest in public-key cryptography.
Reverse Engineering Automation
Author: Anton Dorfman
While reverse engineering, a researcher has to perform many routine tasks in order to find out what a program does and how. These include locating the code which implements a certain function, analyzing data dependencies at certain points of a program, identifying control dependencies, etc. For complicated software systems, using a debugger and disassembler is not enough. Apart from the Code Flow Graph (CFG) and decompiling, there are relatively new approaches, such as taint analysis, symbolic execution and dynamic binary instrumentation. However, there are also many technologies for raising the abstraction level of program representation and automating routine jobs. The talk will address the advantages of such technologies, examples of their application and open-source utilities for their implementation.
Anton Dorfman is a researcher, reverser and assembly language fan. He dislikes routine jobs and is really interested in automating any reverse engineering task.
Anton graduated from the Samara State Technical University with honors in 1999. He has lectured in his alma mater since 2001 and published more than 50 papers on information security. In 2007 he successfully defended his thesis on analyzing and modelling malware behavior.
He has been an organizer and playing coach of student CTF teams since 2009. Anton was the third in the contest Best Reverser at PHDays 2012, presented a 4-hour workshop on mastering shellcode at PHDays III and shared some ideas on data format reversing at Zero Nights 2013.
My Journey Into 0-Day Binary Vulnerability Discovery in 2014
Author: Alisa Esage (Shevchenko)
While the IT security research hotspot migrates constantly towards new technologies, the demand for binary exploitation today is higher than ever before, as proven by this year’s pwn2own contest stakes and outcomes. The question that bothers many is thus whether it is still possible to discover new — and exploitable — vulnerabilities in widely deployed and extensively audited applications, given today's reality of an overwhelming tool base, research, computational power, and intelligence competition. The author says yes, and this is the report of her own journey along this way.
The presentation will detail the author’s own approach to the discovery of 0-day binary vulnerabilities, mostly based on fuzzing. Specific concepts and techniques which worked (or failed) will be demonstrated. Finally, the root cause analysis of a few 0-day vulnerabilities will be presented, along with a few ideas for bypassing exploitation mitigations.
Alisa “Esage” Shevchenko is a self-taught offensive security researcher. She has been running her own company Esage Lab since 2009; co-founded Neuron, a hackspace in Moscow. She used to be occupied with reverse engineering, malware analysis, antivirus bypassing, penetration testing, cyber forensics, black-box software and hardware security auditing. Her current research interest is discovery and exploitation of 0-day binary vulnerabilities. Alisa spoke at such conferences as RusCrypto 2009, RECon 2011, InfoSecurity 2012, and ZeroNights 2012; published her works in such magazines as InfoSecurity Russia, (IN)Secure, Hakin9, VirusBulletin, and No Bunkum.
How to Intercept a Conversation Held on the Other Side of the Planet
Author: Sergey Puzankov
Lately, phone call recordings can be found on the Internet and even be heard on TV. It is obvious that such recordings were obtained without the knowledge of the subscribers. Many of us have received weird text messages and, after that, long bills for mobile services. The author of the research is Sergey Puzankov, an expert at Positive Technologies specializing in mobile network security. He will consider the range of possibilities of an intruder who has accessed the holy of holies of telecom companies—SS7. The author will speak about attacks aimed at disclosure of a subscriber’s sensitive data including his or her location, changing enabled services, call forwarding, and unauthorized intrusion into a voice communication channel. Information about the signaling messages which can help to perform these attacks is publicly accessible. The research also covers types of proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.
Sergey Puzankov graduated from Penza State University with a degree in Automated Data Processing Systems. He is interested in mobile network security. As an expert at Positive Technologies, he designed MaxPatrol 8 modules for security standards compliance for several types of GSM and UMTS mobile communication equipment.
PHP Object Injection Vulnerability in WordPress: an Analysis
Author: Tom Van Goethem
With approximately 19% of the web running on WordPress, it comes as no surprise that the security of this content management system has an enormous impact on a large number of users. Despite being open source, and reviewed by security researchers, WordPress is—just as any other software—prone to errors and vulnerabilities.
In this talk, the author will discuss how the unexpected behavior of MySQL led to the discovery of a PHP Object Injection vulnerability in the WordPress core. The author will also demonstrate how this vulnerability can be exploited in order to run arbitrary code on WordPress installations that enable a popular plugin.
Tom Van Goethem is a PhD student at KU Leuven (Belgium).
Side Channel Analysis: Practice and a Bit of Theory
Author: Ilya Kizhvatov
The proposed talk is about side channel analysis of secure devices. This topic is not often addressed at hacker conferences. The speaker will introduce the conference community to side channels, present an overview, and explain the state of the art in this area, giving practical examples. After the talk, a listener should be able to understand whether a particular device is exposed to the threat of a side channel attack and how to protect it, and may become motivated to play around with side channel analysis just for fun.
Ilya Kizhvatov is a senior security analyst at Riscure (Delft, Netherlands). He has 6 years of experience (half academic, half industrial) in embedded security, with a focus on side channel and fault attacks on cryptographic implementations, and 2 years of embedded software engineering experience. He has spoken at scientific and industrial conferences and seminars.
OS X Drivers Reverse Engineering
Author: Egor Fedoseev
This is a technical report on the peculiar features of OS X driver analysis that covers the main complexities and ways to simplify the analysis. The report will be of interest to virus analysts and OS X security researchers.
Egor Fedoseev has never worked in the information security industry. He works in the Ural Federal University and leads the student group Hackerdom. He has been engaged in reverse engineering since 2004.
In the Middle of Printers: (In)security of Pull Printing Solutions
Author: Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions, allowing the encryption to be broken, any print jobs to be collected from the server, and printing at others' expense.
Jakub Kaluzny has more than 7 years' experience in web programming focused on security - PHP, pgSQL, MySQL, bash scripting - and 3 years' experience in the software security lifecycle and penetration testing. He was included in the Google Security Hall of Fame in 2013. He was a speaker at the OWASP Poland Local Chapter in 2011 ("Advanced data mining", focusing on security aspects of data crawlers). In 2008 he presented his report "Ciphers and encrypted file systems" at the Open-source security conference, Warsaw. Jakub Kaluzny was Main Programmer and Security Officer at Homepay.pl in 2010 - 2012 (developing a financial intermediary platform, security hardening). Now he is an IT security specialist at SecuRing (penetration tests, vulnerability assessment and threat modelling of web applications and network environments). He is expected to receive a bachelor’s degree in Engineering in Applied Computer Science at AGH University of Science and Technology, Cracow.
Cracking Pseudorandom Sequences Generators in Java Applications
Author: Mikhail Egorov and Sergey Soldatov
Modern applications widely use random sequences for security-related tasks: encryption keys, authentication challenges, session identifiers, CAPTCHAs and passwords. The resistance of such applications to cracking strongly depends on the quality of the random sequence generators.
The talk will explain vulnerabilities found in Java applications that use pseudorandom generators and how to attack them successfully. The speaker will demonstrate a tool that effectively recovers the internal state of the generator (a.k.a. the seed) as well as previous and subsequent generator output values.
The research also covers mechanisms for session IDs generation for different Java application servers and web servers both open source and proprietary.
Mikhail Egorov graduated from Moscow State Technical University named after Bauman in 2009 and obtained a Master’s degree in information security. He is an independent security researcher and experienced Java/Python programmer. His area of expertise includes vulnerabilities research, fuzzing, reverse engineering, web application and network security. He worked as an information security consultant and software developer in different companies, holds OSCP and CISSP certifications.
Sergey Soldatov is a Bauman Moscow State Technical University graduate and an independent security practitioner with more than 10 years of network security experience. He has extensive programming experience and has been involved in large ISP-related development projects. He has spoken at a number of conferences including HITB and ZeroNights, and holds CISA and CISSP certifications.
Intercepter-NG: The New-Generation Sniffer
Author: Alexander Dmitrenko, Ares
The report is devoted to a unique toolkit named Intercepter-NG, developed in Russia. Today it is the most advanced sniffer, with a lot of functions.
Ironically enough, it is more popular in other countries than in Russia, and the report is intended to change that. The speaker will not only review the utility’s main peculiar features, but will give full details of two attacks with Intercepter-NG: the MySQL LOAD DATA LOCAL injection recently presented at Chaos Constructions, and DNS over ICMP, a little-known but powerful attack.
Head of the Training Department at PentestIT, author of articles on habrahabr.ru and in the “Hacker” magazine.
PentestIT expert, the developer of Intercepter-NG.