Agenda
"Threat and Risk Analysis With (PASTA) Process of Attack Simulation and Threat Analysis", Marco Morana
Threat and risk analysis are critical factors for the assessment of cyber risks affecting critical infrastructure, applications and software and for the identification of measures and controls to protect critical assets such as data and transactions. But despite threats abound very little effort has been devoted so far to the specific analysis of cyber threats by extracting information from threat intelligence leading to the identification of attack vectors and simulation of these against targeted assets to determine the impacts and the risks. For example, we all know that passwords today are the keys of the kingdom, however, do companies know which threats and threat actors target them and the impact of their compromise? Do companies know the attack vectors used by the threat agents? How companies catch up with emerging threats to change their risk profile? How the analysis of threats and attacks can be dynamic enough to evolve into new attack vectors and tools used by threat actors? Which type of threat analysis and tools help us to walk the issues on how password compromises have taken place and are taking place? For threats against authentication for example, how we construe a threat analysis that is inclusive of the threat intelligence and identification of the actors, assets, services, attack vectors, surfaces, trust boundaries that match up against today's most common countermeasures to protect passwords (salting, multi-facto, etc.) ? The author believe that these goals can be achieved by following a methodology known as (PASTA) Process for Attack Simulation and Threat Analysis and a new threat modelling tool.The goal of this presentation is to walkthrough the steps of the threat analysis of threats against authentication to depict how passwords have been broken, captured, and intercepted across multiple different platforms and attack surfaces. Through the supported evidence of this threat analysis it is also shown how it is possible to characterise the risk factors of likelihood and impacts and to manage the risk of possible password compromises.
"The missing piece of Defence-in-Depth: Applying the 'Grand Strategy of the Roman Empire' to today's cyberwars ", Emmanouil Serrelis
Ever since the Late Roman army in the 3rd and 4th centuries AD, "Defence-in-Depth" strategies have been based on building different layers of defence aiming to neutralise attacks on the defender's area. However, even today, the original idea of "Defence-in-depth" is frequently neglected by implementing a multilayered - although static - defence area to handle all sorts of attacks. This presentation aims to identify, discuss and propose actions to develop and organise the missing piece of "Defence-in-depth" strategy for Information Security area - i.e. the "war changing factor" - that could turn an InfoSec "battle" in favour of the defender.
"Protecting the corporate information. The insider threat : risks and countermeasures", Gerasimos Moschonas
Will be anounced soon..
"Rooting your internals: custom shellcode, BeEF and Inter-Protocol Exploitation", Michele Orru
Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you? The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session. This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker. Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall. During the talk, we will see a demonstration on how to compromise an IMAP server in the victim's internal network through her browser hooked in BeEF. This will include disabling browsers PortBanning, identifying the victim's internal network IP, identify the live hosts in the subnet, port scan them and finally send our custom shellcode after the service has been identified.
"Firefox Exploitation", Patroklos Argyroudis & Chariton Karamitas
The Mozilla Firefox web browser has a new memory allocator named `jemalloc' enabled by default on all supported platforms (Windows, OS X, Linux and Android). Therefore, the traditional platform-specific heap exploitation techniques (like `unlinking' and `frontlinking') are no longer applicable when attacking new Firefox heap corruption vulnerabilities. In this talk we will develop novel exploitation approaches and primitives that can be used to attack Mozilla Firefox via its new heap manager. We will build on our previously published work on this area and include practical hands-on demonstrations of researching Firefox vulnerabilities and developing exploits for them. Moreover, we will release an updated and enhanced version of our jemalloc debugging utility (`unmask_jemalloc').
"Spy-Pi: Do you trust your laptop docking stations?", Andy Davis
Laptop docking stations are widely used in organisations, often in hot-desking environments. They provide a neat connectivity solution for workers who are semi-mobile and therefore use laptops rather than desktop PCs. However, laptop docks are an attractive target for an attacker. They have access to the network, to all the ports on a laptop, often some that aren't and they are permanently connected to a power supply. But most importantly, they are considered to be trusted, "dumb" devices ñ the perception is that they just connect all the ports on your laptop to the ports in the dock. The IT department is typically more concerned about someone stealing your laptop, so they'll ask you to physically secure your laptop, but not necessarily to secure the dock. I recently investigated how attackers can exploit the privileged position that laptop docking stations have within an environment and how to construct a remotely controllable, covert hardware implant, based on the Raspberry Pi miniature computer. More importantly I went on to investigate some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.
"Hacking Appliances: Ironic exploits in security products", Ben Williams
It is tempting to think of security appliances as somehow fortified; i.e. specially secured and hardened, or that these devices have undergone comprehensive security testing as part of a Secure Development Lifecycle. My research shows that this is mostly not the case, and rather basic and easily identified vulnerabilites were discovered in almost all security appliances I have tested. This presentation discusses common vulnerabilities I have found across various security appliances in the past 12 months. I will show some interesting attack vectors where external attackers can exploit vulnerabilities in appliances to gain control over gateways, firewalls, email and web-filters, VPN solutions and access the internal network.
"Automated analysis and Deobfuscation of Android Apps & Malware", Jurriaan Bremer
During this presentation we will walk through various obfuscation techniques used by both legitimate and malicious applications in order to hide potentially malicious activities, as well as to make reverse engineering (much) harder. We will then learn about various scripts involving both static and dynamic analysis (based on a framework which I will publish after this talk) that aid in the analysis of these applications by automatically deobfuscating, stripping, and rebuilding the applications to something that resembles the original form. After the deobfuscation steps, existing tools will be able to make more sense out of the application and will therefore show a much more complete analysis, making the life of reverse engineers easier (as well as more efficient.) After all the theory, we will see a demonstration of analyzing a certain well-known, legitimate, application before and after the magic deobfuscation in order to evaluate the effectiveness of the proposed scripts and techniques.
"Attacking NFC Mobile Wallets: Where Trust Breaks Down", Max Sobell
This talk covers the attack surface of NFC Mobile Wallets (including Google Wallet) and known attacks to date. It details the ISO/IEC 7816-4 protocol with relationship to the communication between the Secure Element (SE), and Android and BlackBerry Near Field Communication (NFC) APIs. Whether the SE is an embedded component of the mobile device or contained on ISO/IEC 7810 universal integrated circuit card, protecting its data is paramount. This talk will discuss how the security features should be implemented to protect against access on rooted devices or through direct communication. It will also discuss the SE role with cellular communications and NFC interactions (both for EMV payments and ISO/IEC 14443 card emulation). Finally, it examines communication with the SE, trust relationships between the SE and mobile device, Trusted Service Manager (TSM), issuing bank, and mobile network operator. Audience members will gain an overall picture of mobile wallet security, as well as low-level details of communication between elements of the security scheme.
"Security Research and Development Framework", Amr Thabet
This is a free open source Development Framework created to support writing security tools and malware analysis tools. And to convert the security researches and ideas from the theoretical approach to the practical implementation. This development framework created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and inspire the innovative minds to write their researches on this field and implement them using SRDF.
"The Icarus story", George Nicolaou & Glafkos Chralambous
Presenting and publishing the initial release of the Icarus Exploitation Toolkit. The Icarus engine, designed for general exploitation on multiple platforms and operating systems, is an effort of generalizing and improving the efficiency of software exploitation by refining the processes and methodologies used nowadays into a centralized and automated (where possible) system. The attending audience will get a firsthand experience of the design and workings of our initial release, as well as the project link for downloading and contributing.
"An audio chaotic stego communication system", Antonios S. Andreatos
This paper presents a Steganography Telecom System for data cryptography, based on a Chua’s Circuit Chaotic Noise Generator. The ciphertext is randomly distributed on a cover audio signal in a stochastic mode. To achieve this innovative feature, we use a pseudo-random number generator. The whole system presents advanced security features and it is simulated in Matlab. Simulation results which demonstrate the proof of concept will be presented.
"Hacking SIP Services Like a Boss!", Fatih Ozavci
He developed a basic Metasploit Framework REX Library for SIP testing, because Penetration Testing of SIP Services are not easy with widely used sip tools. Also He developed 5 general testing modules for Penetration Testing SIP Services. In this presentation, he will explain Steps of Pen-Testing SIP Services and he will demonstrate this Steps Using Newly Developed Metasploit Modules. This presentation will present many handy tips and tools usage for Testing of Next Generation Networks and VoIP Infrastructure.
"The Sandbox difference or how an integration feature impacts on the sandbox", Yury Chemerkin
My research highlights the security opportunity and problems raised by BlackBerry features relied on highest possible way of integration and aggregation with data, service and application to simplify management. BlackBerry application environment is enough for business or personal use and filled with almost all of useful applications developed by RIM or DataViz. Such way integration shapes developer's outlook as well as malware writer's outlook leads to methods to bypass security solutions, especially when consumer has a BIS-device or BES-device but with flexible IT Policy. Moreover, additional 3rd party security solutions often ruin security at whole. The new BlackBerry devices are QNX-based and have the most known technologies. However, they have a poor application environment and a little native features were known on non-QNX BlackBerry device. This research examines and highlights a range of issues referred to the incorrect approach to the security techniques development. It draws security management level of inefficiency outside isolated environment as well as old-attack techniques possibility of application for new BlackBerry device known as Playbook.