all 16 comments

[–]zyxzevn[S] 2 insightful - 1 fun (0 children)

Go NULL Yourself

Input sanitization issues will always exist, although it's surprising how we're still seeing amateur mistakes being made in everyday applications and systems used by millions. After making some observations about automatic license plate recognition (ALPR) data requested via the Freedom of Information Act (FOIA), while having reminiscent conversations about old hacker tales, the evil bit turned on, leading to some interesting ideas. We'll go over this adventure of poking at systems using totally valid user-controlled data that causes unexpected behavior in the real world. It's always a strange thing when you can "exploit" unexpected attack surface due to poor specification, especially in government systems.

Note: I find this interesting, because almost all government systems are open to hacking. People that report security problems can even be punished.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

All the 4G modules could be hacked

Nowadays more and more 4G modules are built into IoT devices around the world, such as vending machines, car entertainment systems, laptops, advertising screens, urban cameras, etc. But no one has conducted comprehensive security research on the 4G modules. We carried out this initiative and tested all the major-brand 4G modules on the market (more than 15 different types). The results show all of them have similar vulnerabilities, including remote access with weak passwords, command injection via AT commands/listening services, OTA upgrade spoofing, command injection by SMS, and web vulnerabilities. Through these vulnerabilities we were able to get to the shell of these devices. In addition to using Wi-Fi to exploit these vulnerabilities, we created a new way to attack through a fake base station system, triggered by accessing the intranet of the cellular network, and successfully ran remote command execution without any prerequisites. In this talk, we will first give an overview of the hardware structure of these modules. Then we will present the specific methods we use in vulnerability probing. In the final section we will demonstrate how to use these vulnerabilities to attack car entertainment systems of various brands and get remote control of cars.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Infiltrating Corporate Intranet Like NSA

Computer security is now a public policy issue. Election security, blockchain, "going dark," the vulnerabilities equities debate, IoT safety, data privacy, algorithmic security and fairness, critical infrastructure: these are all important public policy issues with a strong Internet security component. But while an understanding of the technology involved is fundamental to crafting good policy, there is little involvement of technologists in policy discussions. This is not sustainable. We need public-interest technologists: people from our fields helping craft policy, and working to provide security to agencies and groups working in the broader public interest. We need these people in government, at NGOs, teaching at universities, as part of the press, and inside private companies. This is increasingly critical to both public safety and overall social welfare. This talk both describes the current state of public-interest technology, and offers a way forward for us individually and collectively for our field. The defining policy question of the Internet age is this: How much of our lives should be governed by technology, and under what terms? We need to be involved in that debate.

SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They're exposed to the Internet, trusted to reliably guard the only way into the intranet. However, we found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a "magic" backdoor was found to allow changing any user's password with no credentials required! To show how bad things can go, we will demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients!

In such complicated closed-source systems, gaining a root shell from outside the box certainly ain't easy. It takes advanced web and binary exploitation techniques to struggle for a way to a root shell, which involves abusing defects in web architectures, hard-core Apache jemalloc exploitation and more. We will cover every detail of all the dirty tricks, crazy bug chains, and the built-in backdoor. After gaining a root shell into the box, we then elaborate on post-exploitation and how we hack back the clients. In addition, we will share the attack vectors against SSL VPNs to kick-start research on similar targets. On the other hand, from our previous experience, we derive general hardening actions that mitigate not only all the above attacks, but any other potential 0days.

In summary, we disclose practical attacks capable of compromising millions of targets, including tech giants and many industry leaders. These techniques and methodologies are published in the hope that they can inspire more security researchers to think out of the box; enterprises can apply immediate mitigation, and realize that SSL VPN is not merely a Virtual Private Network, but also a "Vulnerable Point of your Network".

Orange Tsai: Cheng-Da Tsai, also known as Orange Tsai, is the principal security researcher of DEVCORE and a member of the CHROOT security group from Taiwan. He has spoken at conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB, Hack.lu and CODEBLUE. He participates in numerous Capture-the-Flags (CTF), and is also the team captain of HITCON, which won 2nd place in DEF CON 22/25. Currently, he is focusing on application security and 0day research. Orange enjoys finding vulnerabilities and participating in Bug Bounty Programs. He is enthusiastic about Remote Code Execution (RCE), and has uncovered RCEs in several vendors, such as Facebook, Uber, Apple, GitHub, Amazon, Yahoo, Netflix and Imgur.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Are you being followed by cars?

Surveillance Detection Scout: Your Lookout on Autopilot

Surveillance detection routes are a daily occurrence for clandestine operatives and agents all over the world. These mentally taxing counter-surveillance measures often mean the difference between life and death. Surveillance Detection Scout hopes to ease that burden. Scout currently supports Tesla Models S, 3 and X, running license plate recognition on 3 camera feeds to alert you in real time if you're being followed. When you park, Scout remains vigilant, implementing familiar face detection as well. By combining timestamped vehicle location data & video, computer vision and an intuitive web interface, it becomes apparent that Scout has just as many offensive as defensive applications. Over time, SDS captures and reports on observed patterns of life, allowing you to quickly gain an overview of your surroundings (or your target) with minimal effort. Whether you're conducting or evading surveillance, Scout has got your 6.

Note: These models can be followed by NSA/CIA via the transmitters in these cars.

Preparation of a false flag?

Panel - Hacking Congress: The Enemy Of My Enemy Is My Friend

A SIMULATED crisis is unfolding on a national scale, based loosely on the NotPetya attack of 2017. Triggered by a yet-unknown adversary, what started as an isolated technical issue has quickly escalated into a society-wide event affecting millions of citizens, several industries, and spanning government jurisdictions. Who is in charge, how do they cooperate with others, and how do they make decisions? The Wilson Center, Hewlett Foundation and I Am The Cavalry are teaming up to bring public policymakers together with security researchers and others to discover how our nation might respond to a wide-scale "cyber crisis". Work in tandem with sitting Members of Congress to understand what levers of power Congress wields and how Members can address policy gaps in the future.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Behind the Scenes Industry of Social Media Manipulation

This talk is the grand finale of a four-year long investigation that started with analyzing an IoT botnet, to discovering the structured industry that exists behind social media manipulation (SMM). SMM is the deliberate act of paying for popularity with followers or activity on social media.

Adopting a bottom-up approach, the thorough methodology undertaken to study the botnet will be presented: from building honeypots, infecting them with malware and conducting a man-in-the-middle attack on the honeypots' traffic to access the decrypted HTTPS content between the C&Cs and social networks. Then, the various investigative paths taken to analyze this large data set, leading to the discovery of industry actors involved in the supply chain of social media manipulation, will be presented. These investigative paths include traffic analysis, various OSINT approaches to reveal and understand actors, reverse-engineering the software that automates the use and creation of fake accounts, forum investigations, and qualitative profiling. All actors involved in the industry will be mapped, from malware authors, to reseller panels, to customers of fake popularity.

The potential profitability of the industry will then be discussed, as well as the revenue division in the chain, demonstrating that the ones making the highest revenue per fake follower sold are not the malware authors, but rather those at the end of the chain.

Note: Might be interesting to use Honeypots to keep SaidIt clear of bots (and maybe clickfarms).

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Breaking Google Home: Exploit It with SQLite

Over the past years, our team has used several new approaches to identify multiple critical vulnerabilities in SQLite and Curl, two of the most widely used basic software libraries. These two sets of vulnerabilities, which we named "Magellan" and "Dias" respectively, affect many devices and software. We exploited these vulnerabilities to break into some of the most popular Internet of Things devices, such as Google Home with Chrome. We also exploited them on one of the most widely used Web servers (Apache+PHP) and one of the most commonly used developer tools (Git).

In this presentation, we will share how we tried to crack the Google Home from both hardware and software aspects, got and analyzed the newest firmware, solved the problem, and introduced new methods to discover vulnerabilities in SQLite and Curl through fuzzing and manual auditing. Through these methods, we found "Magellan", a set of three heap buffer overflow and heap data disclosure vulnerabilities in SQLite (CVE-2018-20346, CVE-2018-20505, CVE-2018-20506). We also found "Dias", two remote memory leak and stack buffer overflow vulnerabilities in Curl (CVE-2018-16890 and CVE-2019-3822). Considering the fact that these vulnerabilities affect many systems and software, we have issued a vulnerability alert to notify the vulnerable vendors to fix them.

We will disclose the details of "Magellan" and "Dias" for the first time and highlight some of our new vulnerability exploitation techniques. In the first part, we will introduce the results of our analysis of the hardware, how to get the newest firmware by simulating an update request, and the attack surface of Google Home. We will show how to use Magellan to complete the remote exploit of Google Home, and we will also give a brief talk about how to use Dias to complete the remote attack on Apache+PHP and Git. Finally, we will summarize our research and provide some security development advice to the basic software library developers.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

State of DNS Rebinding Attack & Prevention Techniques

Do you want to know how you can exploit DNS rebinding 10x faster, bypass prevention mechanisms, interactively browse the victim's internal network, and automate the whole process during your next red team exercise?

This talk will teach you how and give you an easy-to-use tool to do it.

First, we will cover in detail the subtleties that make DNS rebinding attacks more effective in practice, including techniques and operational conditions that make it faster and more reliable. We'll also explain how to bypass commonly recommended security controls, dispelling attack and defense misconceptions that have been disseminated in blogs and social media posts. This talk will include a number of demos using Singularity, our open source DNS rebinding attack framework that includes all the parts you need to get started pwning today, including:

- Remote code execution and exfiltration payloads for common dev tools and software
- Practical scanning and automation techniques to maximize the chance of controlling targeted services

We'll also show an interesting post-exploitation technique that allows you to browse a victim browser's network environment via the attacker's browser without the use of HTTP proxies.

You'll leave this talk with the knowledge and tools to immediately start finding and exploiting DNS rebinding bugs.
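The abstract above refers to "commonly recommended security controls" against DNS rebinding without naming them. The two usual ones are a Host-header allowlist on the internal service and a resolver that refuses public names resolving to private addresses. The snippet below is an added illustration of both checks and is not code from the talk or from the Singularity project; the hostnames and addresses in it are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only names this internal service answers for.
ALLOWED_HOSTS = {"admin.internal.example", "localhost"}


def host_header_ok(host_header):
    """Host-header allowlist check.

    After a rebinding, the victim's browser reaches the service over a
    connection to its real IP, but the Host header still carries the
    attacker's hostname, so comparing it against our own names blocks
    the request. Handles an optional :port and bracketed IPv6 literals.
    """
    if not host_header:
        return False
    try:
        name = urlsplit("//" + host_header.strip()).hostname
    except ValueError:  # malformed literal such as "[::1"
        return False
    return name is not None and name.lower() in ALLOWED_HOSTS


def is_non_public_address(addr):
    """True when a DNS answer points at loopback, private, link-local or
    otherwise non-global space; a public hostname has no reason to
    resolve there. IPv4-mapped IPv6 answers are unwrapped first."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable answers are treated as suspicious
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def filter_dns_answers(hostname, answers):
    """Resolver-side filtering: keep every answer for our own internal
    names, but drop non-public answers for any other (external) name."""
    if hostname.lower() in ALLOWED_HOSTS:
        return list(answers)
    return [a for a in answers if not is_non_public_address(a)]


if __name__ == "__main__":
    # Constructed requests and DNS answers.
    for hdr in ["admin.internal.example:8443", "rebind.attacker.example"]:
        print(hdr, "->", "allowed" if host_header_ok(hdr) else "rejected")
    print(filter_dns_answers("rebind.attacker.example",
                             ["93.184.216.34", "127.0.0.1", "::ffff:10.0.0.1"]))
```

Neither check is a complete defense on its own (the talk claims bypasses for both), which is why they are usually combined with authentication on internal interfaces.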

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Hacking WebAssembly Games with Binary Instrumentation

WebAssembly is the newest way to play video games in your web browser. Both Unity3d and Unreal Engine now support WebAssembly, meaning the amount of WebAssembly games available is growing rapidly. Unfortunately the WebAssembly specification is missing some features game hackers might otherwise rely on. In this talk I will demonstrate adapting a number of game hacking techniques to WebAssembly while dealing with the limitations of the specification.

For if you really need to beat that game ;-)

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Your Car is My Car

For many of us, our cars are one of the largest purchases we will ever make. In an always-connected world it is natural that we would want the convenience of being able to remotely monitor our vehicles: to do everything from remind ourselves exactly where we parked, verify we locked our vehicle, or even remote start it so it will be warmed up (or cooled down) when we get in. There are a variety of vendors offering aftermarket alarm systems that provide these conveniences and offer peace of mind. But how much can we trust that the vendors of these systems are protecting access to our cars in the digital domain? In this talk, Jmaxxz will tell the story of what he found when he looked into one such system.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Meticulously Modern Mobile Manipulations

Mobile app hacking peaked in 2015 with tools like keychain-dumper & ssl-kill-switch released but requiring jailbroken/rooted devices. Back then, wresting the power to understand & modify apps on our devices from dystopian looking mega corps was our cause. As jailbreaks became infrequent, the hackers’ arsenal was left behind. While this is progress against dark uses of hacking, done to protect our freedom fighters, how can hackers still hold power to account? Can we still find flaws in apps/devices & live up to the protections the technology promises?

Enter runtime binary instrumentation with Frida. It’s possible to analyze apps in their final state when executed on real hardware running the latest iOS/Android with no jailbreaks. This fills a gap between source analysis & debuggers. But, simply enumerating app classes requires studying multiple blogs & a deep read of the docs. We created Objection to simplify this & hide the boilerplate so hackers could focus on unravelling apps. But, many people still rely on simple hacks & automation & rarely use new advanced techniques such as reflectively inspecting live heap objects, canary execution tracing, runtime memory edits and filesystem exploration.

We’ll show hackers, malware researchers & security engineers how to use these advanced mobile hacking techniques.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

Relaying Credentials Has Never Been Easier

Active Directory has always been a popular target for attackers, with a constant rise in attack tools attempting to compromise and abuse the main secrets storage of the organization. One of the weakest spots in Active Directory environments lies in the design of one of the oldest authentication protocols – NTLM, which is a constant source of newly discovered vulnerabilities. From CVE-2015-0005, to the recent LDAPS Relay vulnerability, it is clear why this protocol is one of the attackers’ favorites.

Although there are offered mitigations such as server signing, protecting the entire domain from NTLM relay is virtually impossible. As if it weren't bad enough already, we will present several new ways to abuse this infamous authentication protocol, including a new critical zero-day vulnerability we have discovered which enables performing NTLM Relay and taking over any machine in the domain, even with the strictest security configuration, while bypassing all of today's offered mitigations. Furthermore, we will present why the risks of this protocol are not limited to the boundaries of the on-premises environment and show another vulnerability which allows bypassing various AD FS restrictions in order to take over cloud resources as well.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

EDR Is Coming: Hide Yo Sh!t

There's a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you're evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real. Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze, unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on, the good ol' days are back again! Plunder away!

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

I'm In Your Cloud: Pwning Your Azure Environment

After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. In this talk I'll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover, and insecure Single Sign-On configurations. Up next are cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as a limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.

Note: Interesting due to the Pentagon "moving data" to Amazon's servers. Will it be open for hacking or planned modifications?

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

MI CASA SU CASA: My 192.168.1.1 is Your 192.168.1.1

Your browser thinks my 192.168.1.1 is the same as your 192.168.1.1. Using a novel combination of redirects, Karma, JavaScript and caching we demonstrate that it’s viable to attack internal management interfaces without ever connecting to your network. Using the MICASA-SUCASA tool it’s possible to automate the exploitation of hundreds of interfaces at once. This presentation will introduce the attack vector and demonstration, but also the public release of the MICASA-SUCASA tool.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

HAKC THE POLICE

PULL OVER!

No, it is a cardigan, but thanks for noticing! After getting a nasty speeding ticket, OG SecKC HA/KC/ER hevnsnt decided enough was enough, and set out to fully understand police speed measurement devices, and develop homebrew countermeasures that are legal in some states (and some that are not). Come learn how police RF (X, K, KA) and Laser speed detection systems work and how to implement your own homebrew jamming countermeasures on the cheap, essentially making your vehicle invisible to law enforcement. HOP IN and BUCKLE UP, this talk is going to FUEL your hardware hacking desires! You better be able to think fast to keep up with this talk and prepare to get home in record time.

[–]zyxzevn[S] 1 insightful - 1 fun (0 children)

GSM: We Can Hear Everyone Now

The presentation demonstrates that the A5/1 and A5/3 ciphers used to protect cellular calls are vulnerable to compromise, leading to full decryption of GSM communications, using freely available open source solutions along with the tools we developed for this task.

The flaw being exploited lies in the heart of the design of GSM. In all implementations the standard requires GSM messages to first be error control encoded using a convolutional code and then encrypted. In the vast majority of implementations used today, encryption is performed using the A5/1 or A5/3 cipher. The convolutional code adds redundancy to the transmitted message, which can act like a fingerprint to identify the key used to encrypt the GSM message.

To exploit the vulnerability an attacker simply needs to capture a transmission and identify the GSM channel used. The standard defines the convolutional code and therefore how the redundancy may be interpreted to recover the encryption key.

This presentation considers passively capturing GSM traffic using A5/3 encryption and demonstrates a novel solution to cracking the key used without interacting with the mobile or network.