SecDocs Feed for category Papers

[Paper] Stealth Attacks - Detection and Investigation

Sat, 04 Feb 2012 17:44:29 +0100

Authors: Ryan Jones Thomas Mackenzie
Tags: exploiting
Event: Black Hat Abu Dhabi 2011
Abstract: Meticulous attackers can subvert audit controls to the point where a compromise is almost undetectable. We look at the tools and techniques which can be used by attackers to minimise evidence left behind and propose a novel strategy for managing this issue. Fully identifying the method and impact of a data compromise is heavily reliant on the forensic information available to investigators. Commonly this is dependent on having logs for the compromised period. However, in the cases where an attacker has taken steps to reduce their footprint on the system, investigations can be more challenging. We explore the various evidential sources which are commonly used to identify the extent and method of a web application compromise. We then discuss an attack which, due to its nature, is more complicated to identify and understand. The presentation will draw together the techniques used in investigating a data compromise and create an attack which is designed to completely compromise the web server while leaving the least amount of evidence on the system. Incident readiness specialists can often recommend that verbose logging is put in place. Logging such as full http request and response logging fits the bill for the investigator but by their nature these logs have serious drawbacks for the day to day management of the server; large storage requirements, incidental storage of sensitive data and performance issues are common problems. We suggest a new approach, restricting access or logging anomalies at the framework level. By blending the information gained at the framework level with automated application profiling techniques we can create heavily targeted logs bespoke to the specific application. This can be implemented for all applications regardless of whether source code is available. This method gives us the best chance of keeping logging to an absolute minimum whilst ensuring that techniques used to minimise forensic evidence left by an attack are unsuccessful.

[Paper] New Ways I'm Going to Hack Your Web App

Sat, 04 Feb 2012 17:09:16 +0100

Authors: Jesse Ou Rich Lundeen
Tags: web application cookie vulnerability XSS
Event: Black Hat Abu Dhabi 2011
Abstract: Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most the time writing code that works isn't even the hard part, it's keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90's RFCs and 2010's HTML5 compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let's never talk about that again. Ever. Take Facebook, Office 365, MSN, and Wordpress. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we'll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks.

[Paper] Exploiting Memory Corruption Vulnerabilities in the Java Runtime

Fri, 03 Feb 2012 06:37:36 +0100

Authors: Joshua Drake
Tags: memory heap overflow exploiting Java
Event: Black Hat Abu Dhabi 2011
Abstract: The Oracle (previously Sun) Java Runtime Environment (JRE) is widely viewed by security researchers as one of the weakest links in the proverbial chain. That said, the exploitation of memory corruption vulnerabilities within the JRE is not always straight-forward. This talk will focus on a collection of techniques to overcome potential issues that one may face while developing exploits against memory corruption vulnerabilities within the JRE. The talk concludes with a demonstration of the techniques as used on a selection of contrived and real-world vulnerabilities.

[Paper] Check Your Zombie Devices! : Analysis of the DDoS Cyber Terrorism Against the Country and Future Attacks on Various Devices

Fri, 03 Feb 2012 06:37:36 +0100

Tags: malware DoS
Event: Black Hat Abu Dhabi 2011
Abstract: A Distributed Denial-of-Service(DDoS), one of the simplest and most powerful cyber attacks is a big problem nowadays. It has existed since the past, but now attackers can give greater damage to their target due to the development of more effective attack techniques and the propagation of high-speed internet and so on. Especially DDoS attack is now getting a huge problem because the unspecified individuals(called zombie PCs) are used in loading malicious codes while attacking a single site or system. DDoS attack is directly related to targeted companies, institutions and even governments, security companies and users as well. Plus, there is a possibility of running malicious code onto many other types of electronic devices such as smart phones, game consoles, home appliances and even cars. Therefore a new type of DDos attack might be seen in various places. In this presentation, we will figure out the large-scale DDoS attacks occurred in Korea(July 2009, March 2011) with detailed analysis and reverse tracking and how defenders(Korean institutions and security companies) coped with the attack. WE WILL NOT MENTION WHO THE ATTACKER IS. Also we will show the new type of DDoS attacks (by PC, smart phone, game console and so on) through demonstration. In this demonstration, we will handle the mechanism of DDos attacks including the type of attack, damage and preparation stage as well. Finally, we will suggest a solution of this problem. *IMPORTANT* This presentation tries not to include boring stuff. It will be fun with easy explanation and interesting demonstration.

[Paper] Fun with Google Custom Searches: Intelligence, Secrets and Leaks

Wed, 01 Feb 2012 06:31:40 +0100

Authors: Jamal Bandukwala
Tags: intelligence Google
Event: Black Hat Abu Dhabi 2011
Abstract: Traditional Google searches can generate millions of results many of which are not relevant to what a user is looking for and when a user searches for items with various advanced operators they are still limited to searching one site at a time. This means that an individual can have to peruse through several different pages of sometimes questionable quality looking for relevant and usable information. My custom searches allow a user to peruse multiple relevant sources at the same time. I have put together three different custom searches/ engines; each of these searches goes through different types of online sources/ content and consequently provides different types of information/ intelligence. My presentation goes over each of these custom searches and provides examples of the type of information one can obtain from them and also examines how they can be used both in an offensive manner (ie. attacks) and defensively as well. One can find everything from credit card numbers to passport information and even do things like interrupt travel plans and take over identities. Additionally you can also find significant information on various individuals even if they do not have their own presence online; this can allow an attacker to craft a much more convincing attack to get the information they need. It would appear that the custom search engine owner/ creator and the individual using the searches are both only limited by the content in the search engine and their imagination. The possibilities on what you can find with the appropriate search are endless.

[Paper] Cryptanalysis vs. Reality

Wed, 01 Feb 2012 00:46:59 +0100

Authors: Jean-Philippe Aumasson
Tags: cryptography
Event: Black Hat Abu Dhabi 2011
Abstract: It is commonplace to argue that academic cryptanalysis---whose "attacks" literally take billions of years to complete---has no relevance whatsoever to actual security, for real-world failures of crypto are most often due to: Side-channel leakage (padding oracle attacks, etc.) Attacks on the implementation (key extraction through fault attacks, etc.) Complete bypass (after theft of keys à la DigiNotar, etc.) Nevertheless, a number of new cryptanalytic attacks have appeared these last years with various degrees of sophistication and of objectives, from complex key-recovery attacks to efficient-yet-cryptical "distinguishingers". To better understand the risk (or absence thereof), this talk will go through technical subtleties of state-of-the-art cryptanalysis research, which we'll illustrate with concrete field examples. The topics discussed include related-key attacks, cube attacks, the real security of AES, the case of pay-TV encryption, or the risk of using SHA-1, SHA-2, or the future SHA-3. Finally, we will present a recent attempt to bridge theory and practice, with an introduction to leakage-resilient cryptography.