The week before last we were at Black Hat USA 2012 and DEF CON 20 and besides the Qualys talks at BH (Web Application Firewall, Malware Analysis, Websockets) and DEF CON (Dwarf Programming) there were a number of great talks at BH and DEF CON that the team enjoyed. The following list shows their individual favorites:
- @DEF CON: Hacking [Redacted] Routers - FX and Gregg, Recurity Labs
FX and Gregg dive into the security of (smaller...) Huawei routers and are transported back 15 years in time, as they easily find buffer overflow vulnerabilities, abundant use of “sprintf”, in-house-written implementations of SSH and memory allocation, etc. This, paired with the fact that the researchers failed to find a single security advisory published by Huawei, left the audience with serious doubts about the security of Huawei routers. Huawei has already started to respond to the allegations, and it will be interesting to see if the same problems are present in enterprise-class Huawei routers. Presentation
= Favorited by Wolfgang Kandek
- @BlackHat: Targeted Intrusion Remediation: Lessons From The Front Lines - Jim Aldridge
Jim Aldridge provided an outstanding overview of targeted intrusions including the lifecycle of a targeted attack, remediation planning for targeted attacks, incident response and strategic planning for targeted intrusions. In addition to the overview of the targeted attack lifecycle, several specific recommendations were provided. Two of my favorite suggestions were to enhance logging/monitoring, and IR team preparation (table top exercises). Presentation and Paper
= Favorited by Andrew Wild
- @DEF CON: Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2 - Moxie Marlinspike, David Hulton
Enterprises reliant on Active Directory with investments in large-scale 802.11 wireless deployments typically leverage 802.1X, PEAP and MS-CHAPv2 as part of their supplicant authentication process. Creating its basic framework is relatively wizard-driven, and the properties to implement are made easier for Microsoft-centric organizations. However, the common reliance on MS-CHAPv2 as the inner-identity method now means that user credential extrapolation is even more practical, due to the increased predictability inherent in MS-CHAPv2’s characteristics. David Hulton reduced the attack time using dedicated, expensive hardware (FPGAs, etc.), which by itself would make brute-forcing the passwords costly; but by enhancing CloudCracker to leverage that hardware, together with the free chapcrack tool, it is now a cheap SaaS solution available to anyone with a simple 802.1X authentication handshake capture. More info from Moxie Marlinspike on this talk.
= Favorited by Kimi Ushida
- @DEF CON: Black Ops - Dan Kaminsky
Computers and The Internet have problems, and Dan has some solutions he wants us all to try out. He wants us to eliminate timing attacks, create better random numbers, and enable our developers to create safe code on the first try. He also thinks we can route around internet censorship, and he demonstrates a technique to perform simple port scans at unprecedented speeds. All of this and more in a compelling, unified, and entertaining package. Presentation and more info from Dan Kaminsky.
= Favorited by Lucas Sweany
- @BlackHat: Find Me in Your Database: An Examination of Index Security - David Litchfield
David Litchfield discusses ways to attack Oracle Databases via specially crafted indexes, triggers and tables. In some cases, these attacks take advantage of the fact that the bulk of database management itself is built in PL/SQL, which can still be susceptible to SQL injection attacks.
= Favorited by Matt Wirges
Chema Alonso shows us an excellent demonstration of a MITM attack performed in a very simple manner. While the presentation does not have anything super-technical or novel, it is captivating. Chema created an open proxy that is the MITM implementor, and it looks like people will trust the proxy. All kinds of traffic, good/bad, legit/criminal, was seen by this experiment. The bottom line: do not trust open proxies. He also had a unique, fun way of presenting. Presentation and Paper
= Favorited by Vaagn Toukharian
- @BlackHat: Ghost Is in the Air(traffic) - Andrei Costin
Andrei Costin discusses ADS-B (in)security from the practical angle, presenting the feasibility of attacks as well as techniques that potential attackers could use to play with generated/injected air traffic, thus potentially opening new attack surfaces onto Air Traffic Control systems. Presentation and Paper
= Favorited by Sergey Shekyan
- @BlackHat: Automated Package Clone Detection - Silvio Cesare, plus PRNG: Pwning Random Number Generators - George Argyros and Aggelos Kiayias
These talks from university-level researchers showed real-world applications:
- Silvio demonstrates how to design an automatic classification engine and lower its false positive rate, applied to detect code clones: copies of an external library's code in a project instead of a clean link to that library. The result of his work is the discovery of several (previously) unknown Debian Linux vulnerabilities, and several Fedora Linux vulnerabilities as well.
- George Argyros and Aggelos Kiayias focus on PHP randomness vulnerabilities. Through the usage of different attacks, going from time synchronization (at millisecond level) with the victim's server up to solving linear equations (state recovery attack), they demonstrate practical exploitation of the password reset mechanisms of popular PHP applications - More Info
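As an added illustration of the "time synchronization" end of that attack (example code written for this recap, not code from the talk or from Argyros and Kiayias): if an application seeds an MT19937-style generator such as mt_rand() with a timestamp-derived value and then derives a password-reset token from its output, an attacker whose own clock is within a few hundred microseconds of the victim's can brute-force the seed and predict the next token. The victim behaviour below is constructed for the example (the seed is epoch microseconds truncated to 32 bits, and the first raw output is emitted as the token); the generator is reference MT19937, whereas PHP's mt_rand differed in its twist step until PHP 7.1 and returns the output shifted right by one bit, so a real target needs that variant.

```python
# Added example for this recap, not code from the talk or its authors.
# Assumptions (constructed): the victim seeds once with a timestamp-derived
# 32-bit value and emits the first raw output as a password-reset token.
# The generator is reference MT19937 (init_genrand / genrand_int32); PHP's
# mt_rand before 7.1 deviated in the twist step and returns output >> 1.

class MT19937:
    """Reference MT19937: init_genrand seeding and genrand_int32 output."""
    N, M = 624, 397
    MATRIX_A, UPPER, LOWER = 0x9908B0DF, 0x80000000, 0x7FFFFFFF

    def __init__(self, seed: int) -> None:
        mt = [0] * self.N
        mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = mt[i - 1]
            mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.mt = mt
        self.index = self.N  # forces a twist before the first output

    def _twist(self) -> None:
        mt, n, m = self.mt, self.N, self.M
        for i in range(n):
            y = (mt[i] & self.UPPER) | (mt[(i + 1) % n] & self.LOWER)
            mt[i] = mt[(i + m) % n] ^ (y >> 1) ^ (self.MATRIX_A if y & 1 else 0)
        self.index = 0

    def rand32(self) -> int:
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        # tempering
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def outputs(seed: int, n: int) -> list:
    """First n raw 32-bit outputs for a seed (useful to check the generator)."""
    g = MT19937(seed)
    return [g.rand32() for _ in range(n)]


def issue_reset_token(seed: int) -> str:
    """Victim side (constructed): seed the PRNG, emit the first output as the token."""
    return "%08x" % MT19937(seed).rand32()


def recover_seed(token: str, seed_guess: int, window: int):
    """Attacker side: try every seed within +/- window of the timing estimate."""
    for delta in range(-window, window + 1):
        cand = (seed_guess + delta) & 0xFFFFFFFF
        if issue_reset_token(cand) == token:
            return cand
    return None


def predict_next_token(seed: int) -> str:
    """Once the seed is known, the victim's next token is fully determined."""
    g = MT19937(seed)
    g.rand32()  # the token the attacker already observed
    return "%08x" % g.rand32()


def demo() -> tuple:
    """Returns (recovered seed, whether the predicted next token matches)."""
    victim_seed = 0x1F6D5C3A  # constructed: microseconds of some instant, 32-bit
    token = issue_reset_token(victim_seed)
    # The attacker's clock estimate is off by 137 microseconds.
    found = recover_seed(token, victim_seed + 137, window=300)
    if found is None:
        return (None, False)
    return (found, predict_next_token(found) == predict_next_token(victim_seed))


if __name__ == "__main__":
    print(demo())
```

The search window here is deliberately small so the script runs in about a second in pure Python; the talk's point is that with a millisecond-level sync the window stays small enough that even a 32-bit seed space collapses to a few thousand candidates. The linear-equation state-recovery attack the blurb also mentions needs 624 consecutive outputs and is not shown here.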
- @BlackHat: Don't Stand So Close To Me: An Analysis of the NFC Attack Surface - Charlie Miller
Charlie Miller, famous for his first public remote exploit for iPhone, demonstrated his research on Near Field Communication (NFC) technology. The talk discussed some of the protocols for NFC, and Charlie shared some results he obtained from fuzzing these protocols. Many of the latest phones from Google and Samsung are shipped with NFC built in, and Charlie demonstrated how he could basically own a phone just by touching or getting close to it - Presentation and Paper
= Favorited by Bharat Jogi
- @BlackHat: Adventures in Bouncerland - Nicholas Percoco and Sean Schulte
Nicholas and Sean talk about how they managed to fool Google's Bouncer system by submitting a completely legitimate app called "SMS Blocker" to the Google Play market and then slowly modifying the app to include malicious behavior and functionality that had nothing to do with "blocking SMS". It was interesting to learn how the app was updated over 10 times to access data, photographs and the call list, as well as to turn the phone into a zombie to launch DDoS attacks, and Bouncer was unable to detect any of the malicious activity going on. Paper
= Favorited by Prutha Parikh