SecDocs Feed for category Slides

[Slides] Stealth Attacks - Detection and Investigation

Sat, 04 Feb 2012 17:45:17 +0100

Authors: Ryan Jones Thomas Mackenzie
Tags: exploiting
Event: Black Hat Abu Dhabi 2011
Abstract: Meticulous attackers can subvert audit controls to the point where a compromise is almost undetectable. We look at the tools and techniques which can be used by attackers to minimise evidence left behind and propose a novel strategy for managing this issue. Fully identifying the method and impact of a data compromise is heavily reliant on the forensic information available to investigators. Commonly this is dependent on having logs for the compromised period. However, in the cases where an attacker has taken steps to reduce their footprint on the system, investigations can be more challenging. We explore the various evidential sources which are commonly used to identify the extent and method of a web application compromise. We then discuss an attack which, due to its nature, is more complicated to identify and understand. The presentation will draw together the techniques used in investigating a data compromise and create an attack which is designed to completely compromise the web server while leaving the least amount of evidence on the system. Incident readiness specialists can often recommend that verbose logging is put in place. Logging such as full http request and response logging fits the bill for the investigator but by their nature these logs have serious drawbacks for the day to day management of the server; large storage requirements, incidental storage of sensitive data and performance issues are common problems. We suggest a new approach, restricting access or logging anomalies at the framework level. By blending the information gained at the framework level with automated application profiling techniques we can create heavily targeted logs bespoke to the specific application. This can be implemented for all applications regardless of whether source code is available. This method gives us the best chance of keeping logging to an absolute minimum whilst ensuring that techniques used to minimise forensic evidence left by an attack are unsuccessful.

[Slides] New Ways I'm Going to Hack Your Web App

Sat, 04 Feb 2012 17:09:54 +0100

Authors: Jesse Ou Rich Lundeen
Tags: web application cookie vulnerability XSS
Event: Black Hat Abu Dhabi 2011
Abstract: Writing secure code is hard. Even when people do it basically right there are sometimes edge cases that can be exploited. Most the time writing code that works isn't even the hard part, it's keeping up with the changing attack techniques while still keeping an eye on all the old issues that can come back to bite you, straddling the ancient world of the 90's RFCs and 2010's HTML5 compatible browsers. A lot like how Indiana Jones bridges the ancient and the modern... Except for Indiana Jones 4. Let's never talk about that again. Ever. Take Facebook, Office 365, MSN, and Wordpress. These are applications that had decent mitigations to standard threats, but they all had edge cases. Using a mix of old and new ingredients, we'll provide a sampler plate of clickjacking protection bypasses, CSRF mitigation bypasses, "non-exploitable" XSS attacks that are suddenly exploitable and XML attacks where you can actually get a shell; and we'll talk about how to defend against these attacks.

[Slides] Exploiting Memory Corruption Vulnerabilities in the Java Runtime

Fri, 03 Feb 2012 06:37:36 +0100

Authors: Joshua Drake
Tags: memory heap overflow exploiting Java
Event: Black Hat Abu Dhabi 2011
Abstract: The Oracle (previously Sun) Java Runtime Environment (JRE) is widely viewed by security researchers as one of the weakest links in the proverbial chain. That said, the exploitation of memory corruption vulnerabilities within the JRE is not always straight-forward. This talk will focus on a collection of techniques to overcome potential issues that one may face while developing exploits against memory corruption vulnerabilities within the JRE. The talk concludes with a demonstration of the techniques as used on a selection of contrived and real-world vulnerabilities.

[Slides] Check Your Zombie Devices! : Analysis of the DDoS Cyber Terrorism Against the Country and Future Attacks on Various Devices

Fri, 03 Feb 2012 06:37:36 +0100

Tags: malware DoS
Event: Black Hat Abu Dhabi 2011
Abstract: A Distributed Denial-of-Service(DDoS), one of the simplest and most powerful cyber attacks is a big problem nowadays. It has existed since the past, but now attackers can give greater damage to their target due to the development of more effective attack techniques and the propagation of high-speed internet and so on. Especially DDoS attack is now getting a huge problem because the unspecified individuals(called zombie PCs) are used in loading malicious codes while attacking a single site or system. DDoS attack is directly related to targeted companies, institutions and even governments, security companies and users as well. Plus, there is a possibility of running malicious code onto many other types of electronic devices such as smart phones, game consoles, home appliances and even cars. Therefore a new type of DDos attack might be seen in various places. In this presentation, we will figure out the large-scale DDoS attacks occurred in Korea(July 2009, March 2011) with detailed analysis and reverse tracking and how defenders(Korean institutions and security companies) coped with the attack. WE WILL NOT MENTION WHO THE ATTACKER IS. Also we will show the new type of DDoS attacks (by PC, smart phone, game console and so on) through demonstration. In this demonstration, we will handle the mechanism of DDos attacks including the type of attack, damage and preparation stage as well. Finally, we will suggest a solution of this problem. *IMPORTANT* This presentation tries not to include boring stuff. It will be fun with easy explanation and interesting demonstration.

[Slides] Taming Worms, RATs, Dragons and More!

Thu, 02 Feb 2012 06:41:02 +0100

Authors: Christiaan Beek
Tags: malware intelligence malware analysis
Event: Black Hat Abu Dhabi 2011
Abstract: Over years the use of malware has dramatically changed. Ranging from programmers exploring the malicious possibilities of their programming code, copycats trying to combine code snippets, to organized crime and governments using custom made malware for their purposes. Where financial gratification is the main drive for cybercrime, it seems that the hunger for secrets and intellectual property is taking over. Some examples of cases are: Operation Aurora, Night-Dragon and recently Shady-RAT. These are examples of investigations that started with the detection of unknown customized malware, hiding on corporate networks and ended in large investigations regarding Data Loss. So how is it possible that this malware was undetected? How can you detect hidden malware on your network using open-source tools, what patterns to look for? What countermeasures can you take? How to build a layered malware defense to keep unknown malware out of your network. In my talk I will give some demo's how you can use Wireshark to investigate networkdata for traces of malware, how to filter for suspicious connections.

[Slides] Evolution of iOS Data Protection and iPhone Forensics: from iPhoneOS to iOS 5

Thu, 02 Feb 2012 06:41:02 +0100

Authors: Andrey Belenko Dmitry Sklyarov
Tags: forensic iPhone
Event: Black Hat Abu Dhabi 2011
Abstract: iOS 5 is the latest and most advanced mobile OS from Apple. Besides tweaking UI and UX, Apple has made some changes to Data Protection mechanisms that were introduced in iOS 4. Those changes provide better security for users, but they also impose additional hurdles for mobile phone forensic process. This talk will provide detailed discussion of iOS Data Protection, focusing on both technical description of defenses and on circumventing certain protections to provide forensic access to the data stored on the iOS devices. iOS versions from iOS 3 (iPhoneOS 3) to iOS 5 will be covered.

[Slides] Android : From Reversing to Decompilation

Thu, 02 Feb 2012 06:41:02 +0100

Authors: Anthony Desnos Geoffroy Gueguen
Tags: reverse engineering phone Android
Event: Black Hat Abu Dhabi 2011
Abstract: This talk deals with Android's bytecode analysis. The Android system is now widespread, and lots of applications are developed each days. These applications are mostly written in Java, though it is now possible to do some calls to binaries or shared libraries. To be executed on the DVM (Dalvik Virtual Machine) the Java source code (.java files) is translated into Java bytecode (.class files) and then a tool named `dx' is used to convert them into the DVM (or Dex) format (these are the .dex files). Such a conversion is needed as the DVM is a register-based machine whereas the JVM is a stack-based one, and as such they have different opcodes. Due to the nature of the bytecode, its reversing is somewhat easier than machine code. Indeed, unlike machine code, (Dalvik) bytecode contains semantics information (e.g types of objects) that allows us to do a better analysis. We can get useful details on variables, fields, methods... We can create signatures for a method, or we can use the android permissions to see where a specific one is used in an application. The analysis part allows us to extract the control flow graph (which is composed of basic blocks, and which cannot be modified dynamically due to the virtual machine) which is used to reverse the different possibles executions of an application. Furthermore, we have implemented new algorithms to calculate the similarity distance between two applications, a useful information to know if your application has been stolen from the android market. It's also possible to use similarity to do `diffing' of Android applications is useful to see patches of bugs or insertion of evil code, this is why we have developed a combination of techniques to quickly see the differences between two applications. Moreover it's interesting to have the ability to manipulate in a simple way all these new formats (APK, DEX, Dalvik bytecode, Android's binary xml) to automate testing directly in a program or in a specific interpreter. Though some closed-source decompilers exist for Java as well as for Android applications, their effectiveness is somewhat limited (unreadable, don't compile...). There are other ways to retrieve the Java source code of an application from the bytecode, for instance some people use a software which transform Dex bytecode into Java bytecode and then combined this with a regular Java decompiler. But the resulting code looks more like an obfuscated version which does not compile than real source code. That's why we have developed a new decompiler which uses only Dalvik bytecode to create an original Java source code. We present a new open-source tool (Androguard) written in Python (and some parts of C language) which help the reversing of Android applications, as well as a technique we use to build a decompiler.

[Slides] Fun with Google Custom Searches: Intelligence, Secrets and Leaks

Wed, 01 Feb 2012 06:31:40 +0100

Authors: Jamal Bandukwala
Tags: intelligence Google
Event: Black Hat Abu Dhabi 2011
Abstract: Traditional Google searches can generate millions of results many of which are not relevant to what a user is looking for and when a user searches for items with various advanced operators they are still limited to searching one site at a time. This means that an individual can have to peruse through several different pages of sometimes questionable quality looking for relevant and usable information. My custom searches allow a user to peruse multiple relevant sources at the same time. I have put together three different custom searches/ engines; each of these searches goes through different types of online sources/ content and consequently provides different types of information/ intelligence. My presentation goes over each of these custom searches and provides examples of the type of information one can obtain from them and also examines how they can be used both in an offensive manner (ie. attacks) and defensively as well. One can find everything from credit card numbers to passport information and even do things like interrupt travel plans and take over identities. Additionally you can also find significant information on various individuals even if they do not have their own presence online; this can allow an attacker to craft a much more convincing attack to get the information they need. It would appear that the custom search engine owner/ creator and the individual using the searches are both only limited by the content in the search engine and their imagination. The possibilities on what you can find with the appropriate search are endless.

[Slides] Cryptanalysis vs. Reality

Wed, 01 Feb 2012 00:47:41 +0100

Authors: Jean-Philippe Aumasson
Tags: cryptography
Event: Black Hat Abu Dhabi 2011
Abstract: It is commonplace to argue that academic cryptanalysis---whose "attacks" literally take billions of years to complete---has no relevance whatsoever to actual security, for real-world failures of crypto are most often due to: Side-channel leakage (padding oracle attacks, etc.) Attacks on the implementation (key extraction through fault attacks, etc.) Complete bypass (after theft of keys à la DigiNotar, etc.) Nevertheless, a number of new cryptanalytic attacks have appeared these last years with various degrees of sophistication and of objectives, from complex key-recovery attacks to efficient-yet-cryptical "distinguishingers". To better understand the risk (or absence thereof), this talk will go through technical subtleties of state-of-the-art cryptanalysis research, which we'll illustrate with concrete field examples. The topics discussed include related-key attacks, cube attacks, the real security of AES, the case of pay-TV encryption, or the risk of using SHA-1, SHA-2, or the future SHA-3. Finally, we will present a recent attempt to bridge theory and practice, with an introduction to leakage-resilient cryptography.

[Slides] Iron Chef Black Hat: John Henry Challenge

Tue, 31 Jan 2012 06:49:50 +0100

Authors: Brian Chess Jacob West Pravir Chandra
Tags: hacking
Event: Black Hat EU 2008

[Slides] DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife

Tue, 31 Jan 2012 06:49:50 +0100

Authors: David Weston Tiller Beauchamp
Tags: reverse engineering
Event: Black Hat EU 2008

[Slides] Attacking Anti-Virus

Mon, 30 Jan 2012 06:41:05 +0100

Authors: Feng Xue
Tags: antivirus
Event: Black Hat EU 2008

[Slides] Security Failures in Secure Devices

Mon, 30 Jan 2012 06:41:05 +0100

Authors: Christopher Tarnovsky
Tags: security
Event: Black Hat EU 2008

[Slides] Investigating Individuals and Organizations Using Open Source Intelligence

Mon, 30 Jan 2012 06:41:05 +0100

Authors: Chris Böhme Roelof Temmingh
Tags: intelligence
Event: Black Hat EU 2008

[Slides] Exposing Vulnerabilities in Media Software

Mon, 30 Jan 2012 06:41:05 +0100

Authors: David Thiel
Tags: vulnerability
Event: Black Hat EU 2008

[Slides] Hacking Second Life

Sun, 29 Jan 2012 11:32:53 +0100

Authors: Michael Thumann
Tags: Second Life
Event: Black Hat EU 2008

[Slides] Mobile Phone Spying Tools

Sun, 29 Jan 2012 06:51:48 +0100

Authors: Jarno Niemelä
Tags: phone
Event: Black Hat EU 2008

[Slides] The Fundamentals of Physical Security

Sun, 29 Jan 2012 06:51:48 +0100

Authors: Deviant Ollam
Tags: physical security lockpicking
Event: Black Hat EU 2008

[Slides] Client-side Security

Sun, 29 Jan 2012 06:51:48 +0100

Authors: Petko d. Petkov
Tags: client side
Event: Black Hat EU 2008

[Slides] Antiphishing Security Strategy

Sun, 29 Jan 2012 06:51:48 +0100

Authors: Angelo Rosiello
Tags: phishing
Event: Black Hat EU 2008

[Slides] 0-Day Patch -Exposing Vendors (In)Security Performance

Sat, 28 Jan 2012 06:52:56 +0100

Authors: Bernard Tellenbach Stefan Frei
Tags: vulnerability
Event: Black Hat EU 2008

[Slides] Intercepting Mobile Phone/GSM Traffic

Sat, 28 Jan 2012 06:52:56 +0100

Authors: David Hulton
Tags: GSM
Event: Black Hat EU 2008

[Slides] Biologger - A Biometric Keylogger

Sat, 28 Jan 2012 06:52:56 +0100

Authors: Matthew Lewis
Tags: biometric
Event: Black Hat EU 2008

[Slides] URI Use and Abuse

Fri, 27 Jan 2012 22:43:36 +0100

Authors: Billy Rios Nathan McFeters Rob Carter
Tags: URI
Event: Black Hat EU 2008

[Slides] CrackStation

Fri, 27 Jan 2012 06:49:56 +0100

Authors: Nick Breese
Tags: cracking
Event: Black Hat EU 2008

[Slides] Side Channel Analysis on Embedded Systems. Impact and Countermeasures

Fri, 27 Jan 2012 06:49:56 +0100

Authors: Job de Haas
Tags: covert channel
Event: Black Hat EU 2008

[Slides] New Viral Threats of PDF Language

Fri, 27 Jan 2012 06:49:56 +0100

Authors: Eric Filiol
Tags: malware PDF
Event: Black Hat EU 2008

[Slides] Malware on the Net - Behind the Scenes

Thu, 26 Jan 2012 22:49:50 +0100

Authors: Iftach Ian Amit
Tags: malware
Event: Black Hat EU 2008

[Slides] LDAP Injection & Blind LDAP Injection

Thu, 26 Jan 2012 22:42:29 +0100

Authors: Chema Alonso José Parada
Tags: authentication
Event: Black Hat EU 2008

[Slides] Exploiting Live Virtual Machine Migration

Wed, 25 Jan 2012 06:50:11 +0100

Authors: Jon Oberheide
Tags: virtualization virtual machine
Event: Black Hat DC 2008

[Slides] (un)Smashing the Stack: Overflows, Countermeasures, and the Real World

Wed, 25 Jan 2012 06:50:11 +0100

Authors: Shawn Moyer
Tags: buffer overflow exploiting
Event: Black Hat DC 2008

[Slides] Scanning Applications 2.0 - Next Generation Scan, Attacks and Tools

Wed, 25 Jan 2012 06:50:10 +0100

Authors: Sheeraj Shah
Tags: web application vulnerability assessment
Event: Black Hat DC 2008

[Slides] Security Failures in Secure Devices

Tue, 24 Jan 2012 22:17:09 +0100

Authors: Christopher Tarnovsky
Tags: security
Event: Black Hat DC 2008

[Slides] Preparing for the Cross Site Request Forgery Defense

Tue, 24 Jan 2012 21:23:18 +0100

Authors: Chuck Willis
Tags: CSRF
Event: Black Hat DC 2008

[Slides] DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife

Tue, 24 Jan 2012 21:21:04 +0100

Authors: David Weston Tiller Beauchamp
Tags: reverse engineering
Event: Black Hat DC 2008

[Slides] Classification and Detection of Application Backdoors

Tue, 24 Jan 2012 21:12:31 +0100

Authors: Chris Wysopal
Tags: backdoor
Event: Black Hat DC 2008

[Slides] Disclosing Secret Algorithms from Hardware

Mon, 23 Jan 2012 06:45:56 +0100

Authors: Karsten Nohl
Tags: reverse engineering hardware hacking
Event: Black Hat Asia 2008

[Slides] A Hypervisor IPS based on Hardware Assisted Virtualization Technology

Mon, 23 Jan 2012 06:45:55 +0100

Authors: Junichi Murakami
Tags: virtualization IDS
Event: Black Hat Asia 2008

[Slides] Satan is on My Friends List: SNS Survey

Sun, 22 Jan 2012 06:48:41 +0100

Authors: Nathan Hamiel Shawn Moyer
Tags: social engineering
Event: Black Hat Asia 2008

[Slides] Exploiting Symbian OS in mobile devices

Sun, 22 Jan 2012 06:48:41 +0100

Authors: Collin Mulliner
Tags: phone
Event: Black Hat Asia 2008

[Slides] Owning the Fanboys: Hacking Mac OSX

Sun, 22 Jan 2012 06:48:40 +0100

Authors: Charlie Miller
Tags: Mac OS X
Event: Black Hat Asia 2008

[Slides] Threat Gallery of Japanese Landscape

Sat, 21 Jan 2012 06:58:43 +0100

Authors: Hiroshi Kawaguchi
Tags: security
Event: Black Hat Asia 2008

[Slides] The Internet is Broken: Beyond Document.Cookie - Extreme Client Side Exploitation

Sat, 21 Jan 2012 06:58:43 +0100

Authors: Nathan McFeters
Tags: cookie client side
Event: Black Hat Asia 2008

[Slides] Cyberspace and the Changing Nature of Warfare

Sat, 21 Jan 2012 06:58:42 +0100

Authors: Kenneth Geers
Tags: warfare
Event: Black Hat Asia 2008

[Slides] FragFS: An Advanced NTFS Data Hiding Technique

Fri, 20 Jan 2012 06:32:30 +0100

Authors: Irby Thompson Mathew Monroe
Tags: cryptography
Event: Black Hat Federal 2006

[Slides] Understanding Targeted Attacks with Office Documents

Fri, 20 Jan 2012 06:32:30 +0100

Authors: Bruce Dang
Tags: Office
Event: Black Hat Asia 2008

[Slides] Get Rich or Die Trying - "Making Money on The Web, The Black Hat Way"

Fri, 20 Jan 2012 06:32:30 +0100

Authors: Arian Evans
Tags: hacking
Event: Black Hat Asia 2008

[Slides] Playing Server Hide and Seek on the Tor Anonymity Network

Fri, 20 Jan 2012 06:32:29 +0100

Authors: Lasse Øverlier Paul Syverson
Tags: Tor privacy
Event: Black Hat Federal 2006

[Slides] Attacking with Character Encoding for Profit and Fun

Thu, 19 Jan 2012 21:37:58 +0100

Authors: Yosuke Hasegawa
Tags: vulnerability
Event: Black Hat Asia 2008

[Slides] Combatting Symbian Malware

Thu, 19 Jan 2012 06:49:24 +0100

Authors: Jarno Niemelä
Tags: malware phone
Event: Black Hat Federal 2006