Premise: In the not too distant future, we'll live in a world where computers are...

77
www.TASK.to © Toronto Area Security Klatch 2018


Page 1:

Premise: In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals.

Page 2:

• Calian is tonight’s sponsor! Thank you!

• Three CPE for ISC2, attendance verification for ISACA

• SecTor final speakers announced. TASK2018 and TASKExpo2018

• CanHack Student CyberSecurity Competition – Haseeb Khawaj

• Jobs and other events?

Page 3:

Def Con 26 Highlights

• Def Con 26 Speakers!

• https://www.defcon.org/html/defcon-26/dc-26-speakers.html

• Def Con 26 Archive is Live

• https://defcon.org/html/links/dc-archives/dc-26-archive.html

Page 4:

Black Hat 2018 Highlights

• Black Hat 2018 Speakers!

• https://www.blackhat.com/us-18/speakers/

• Black Hat 2018 Presentations / Archives

• http://www.blackhat.com/us-18/briefings.html

Page 5:

BSidesLV 2018 Highlights

• Website!

• https://www.bsideslv.org/

• Archive will eventually appear at:

• https://www.bsideslv.org/archive/

• Videos from 2018 are online at:

• https://www.youtube.com/channel/UCpNGmljppAJbTIA5Msms1Pw/videos

Page 6:

• Brian Bourne

• Christoph Hebeisen

• Dillon Aykac

• Geoffrey Vaughan

• Joshua Arsenio

• Kristina Balaam

• Milos Stojadinovic

• Paul O’Grady

Page 7:

Brian Bourne

Been to Defcon 17 times, BlackHat some number like 15. I’m old.

Page 8:

Applied Self-Driving Car Security

Charlie Miller and Chris Valasek

Page 9:

• Premise

• In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attack of these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self driving cars work, how they might be attacked, and how they can ultimately be secured.

• Currently working at Cruise Automation (GM), formerly Uber

• Made famous by the Jeep Hack

Page 10:

Page 11:

Page 12:

• So what’s new?

• They are spending a lot more time on the defensive side

• Discussion of how autonomous works today

• Discussion of protections, physical and technical

Page 13:

Legal Liability for IoT Cybersecurity Vulnerabilities

Link to prez: https://i.blackhat.com/us-18/Thu-August-9/us-18-Palansky-Legal-Liability-For-IoT-Vulnerabilities.pdf

Ijay Palansky

Page 14:

• Pathways

• Data breach

• IoT ransomware

• DDoS attacks

• Privacy-related

• Potential for cyber-physical

Page 15:

Page 16:

Page 17:

Page 18:

Page 19:

Page 20:

• Adhere to standards as a start (need some standards first)

• Don’t over promise security

• Act responsibly and invest in security

• Allocate risk (contracts upstream/downstream/warnings/instructions)

• Risk assessment and hazard analysis

• Word control

• Warnings for all anticipated uses

• Manuals

• Marketing

• Insurance

Page 21:

Christoph Hebeisen

BH/DC repeat attender, “But-how-does-it-work” Reverse Engineer, Recovering Ex Physicist

Senior Manager, App Security Intelligence - Lookout

Page 22:

DEFCON: You'd better secure your BLE devices or we'll kick your butts!

https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Cauquil

Damien "virtualabs" Cauquil

Page 23:

• Bluetooth Low Energy Swiss Army Knife

• https://github.com/virtualabs/btlejack

• Can handle new and existing connections

• Uses cheap hardware (MICRO:BIT ~ $15)

Page 24:

• Three advertising channels

• 40 channels total

• 37 channel hopping sequence

• Connection setup on one of three advertising channels

• CONNECT_REQ contains all information necessary to follow connection

Page 25:

• Identify ACCESS ADDRESS unique to every connection

• Observe interval between packets on one channel (37 * hop interval)

• Observe interval between packets on two different channels to determine hop increment

Challenges:

• Sequence can contain repeating channels (to exclude some channels)

• Protocol allows on-the-fly changes of the sequence

Page 26:

• Supervisory timeout after a certain number of missed keepalive packets

• Jamming can trigger a one-sided timeout

• Attacker can take over connection

(Sequence diagram: Central, Peripheral, Attacker; jamming leads to a supervisory timeout on one side)

Page 27:

• BLE connections can be intercepted and even hijacked over-the-air even if we do not capture the CONNECT_REQ PDU

• Encryption could make the attacks more complex

• Payload data authentication can prevent hijacking

Page 28:

Dillon Aykac

Software Developer at Autocase

My first time at DEF CON

Using Docker since 2015

nixhatter

Page 29:

An Attacker Looks at Docker: Approaching Multi-Container Applications

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Wesley%20McGrew/

Wesley McGrew

Page 30:

What is Docker?

• Docker is a tool designed to make it easier to create, deploy, and run applications by using containers

• Containers – a standardized unit of software

• Essentially a config file for virtual machines

• Lightweight, easy to share, easy to deploy

Page 31:

Why Should You Use Docker?

Page 32:

Looking at Docker from the Red

• Exploiting multi-container vs monolithic systems

• Monolithic - Specific knowledge of the platform is required

• Multi-container – Leverage system/network-level post-exploitation and sniffing tools

• Docker inherently trusts the internal network by default

• This gives an attacker many opportunities to pivot once they’re in

• Docker has no fingerprint when looking at it from the outside

Page 33:

Example


Source: Wesley McGrew

Page 34:

Takeaways

• Existing networking skills can be used

• Containers should not be trusted

• Having a basic understanding of new technologies can go a long way

• The trendy/new thing is not that new

• Docker is actually pretty cool

Page 35:

Geoff Vaughan @mrvaughan

A Canadian Goes to DEFCON

Page 36:

• Connect with people I only see a couple times a year (even those that live 10 minutes away from me)

• See my boss and colleagues that I only see once a year.

• Hack something?

Page 37:

• Reminded that what we do matters

• You never know how you can impact people years later

• Renewed my resolve to help others, and put in that extra time into the many side projects we accumulate

Page 38:

Event: Hack-n-moose.ca

Hack-n-Moose

Page 39:

• You brought Timbits or Ketchup chips with you to share at the party

• You can perform a full rendition of ‘Log Driver's Waltz’ or ‘Barrett’s Privateers’ from memory

• Any Tattoo depicting a Canadian flag, Maple leaf, beaver, or Canadian landscape

• You know someone from Canada not at Defcon who the person at the door also knows - “Do you know Doug... from Canada?”

• You arrived dressed as a Canadian

• We can just tell by your accent

• Proof you’ve been screeched in

• Your laptop or BlackBerry has a French Canadian keyboard

• Enough Kinder Eggs to share

• You can come with a Canadian flag sewn on your backpack but we may still require additional evidence

• Your home town is famous for _____ and you brought some.

• 1 large bottle of Maple Syrup from duty free

• You are wearing a Canadian security conference T-Shirt or Hoodie

• Enough chocolate bars not available in the US to share with the party

Page 40:

Page 41:

• You brought a two-four of a Canadian beer to share

• 1kg Canadian Steel or Aluminium

• 1kg bag of Canadian cheese curds (US border regulation)

• 1L of Chic Choc, Newfie Screech or Canadian Liquor

• You arrive dressed as a Mountie, Bonhomme Carnaval, or a Beaver

• You arrive with a famous Canadian

• You portage your own canoe to the party

• You brought a cod to kiss and are prepared to perform screeching in ceremonies

• You brought goalie equipment

• You arrived with enough mini sticks for a game of shinny

• You brought a guitar and are willing to perform a set of Tragically Hip or Rush songs, if you'd rather sing Carly Rae that's ok too.

Page 42:

Page 43:

Workshop

Reverse Engineering OpenSCAD

Page 44:

• https://www.openscad.org/cheatsheet/

Page 45:

https://www.securityinnovation.com/company/news-and-events/press-releases/security-innovation-steven-danneman-digital-side-door-attack-surfaces-def-con26

Your Bank's Digital Side Door

Steven Danneman

Page 46:

• OFX - Open Financial Exchange protocol that allows 3rd parties (Quicken, Quickbooks, mint.com, etc) to connect to your banking data and issue transactions.

• Requires you to give your banking password to these third parties

• Third party must store it in plaintext so that they can use it to make the OFX connection

• Limited support for 2FA; in some cases PVQs or two-step verification is available.

• Wrote a tool to assess all exposed OFX servers and found over 30 different implementations

• Lots of disclosures in process.

Page 47:

Workshop with Joe Grand

https://www.crowdsupply.com/grand-idea-studio/opticspy

Optical Spy Receiver - Detecting Covert Optical Side Channels

Page 48:

• 4 hour workshop to build the device

• Mine wasn’t finished by the end of it so it was a homework project

• Lots of SMD components

• Purpose was to build an optical receiver that can read serial data transmitted through LEDs

• Some devices were found to tie their status lights to transmission data and be read with this (accidental covert channels)

• Routers

• MFA hardware tokens

• Cryptocurrency wallets.

• Anything with an LED (or UV/IR light)

Page 49:

Live Demos

Page 50:

Joshua Arsenio

Director, Advisory at Security Compass

Third DC

Page 51:

Who Controls the Controllers? Hacking Crestron IoT Automation Systems

By Ricky Lawshae (@HeadlessZeke)

https://github.com/headlesszeke/defcon26-materials

Joshua Arsenio

Page 52:

• Crestron AVoIP devices used in enterprise, education, hospitality.

• Orgs with large IPv4 address spaces == devices are directly connected (see Shodan)

• Network connected devices with a camera and microphone attached most commonly used in closed rooms with an expectation of privacy.

• Mostly Windows CE, some Android.

Page 53:

• Feature-rich CTP (Crestron Terminal Port) running on TCP/41795

• No authentication by default, easy mode to admin.

• Many engineering/developer tools included, including a handy backdoor account (rengsuperuser)

• Did I mention endless command injection vulnerabilities?

• Great PoCs

Page 54:

• Security features available but disabled by default.

• Crestron has secure deployment guides available.

• Talk missed the mark by not acknowledging that these devices are deployed by resellers. Complex problem to fix.

• Resellers/installers want to deploy quickly and prioritize functionality

• Generally install and run, servicing only outages. Gap in patch management capabilities.

• Headless_Zeke is an entertaining speaker, worthwhile to watch the video!

• Jackson Thuraisamy at Security Compass had been working with Crestron PSIRT for months, working through same vulns. Multiple shout outs. Come talk to me!

• Security Compass Blog: goo.gl/rYK1H9

Page 55:

Kristina Balaam @chmodxx_ | Lookout

Page 56:

Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library

Black Hat 2018 Recording

Maddie Stone, Google

Page 57:

“WeddingCake” - Android Anti-Analysis Native Library

- Named wedding cake for the many layers of anti-analysis techniques used to obfuscate important functionality within a malicious application

- Present in 5000+ distinct APK samples

Some characteristics:

- Android Native Libraries named differently in each sample: lib.{3,8}\.so

- Randomly named Java classes that interface with the library

- Two Java-declared native methods with the same declarations

Page 58:

- JNI = Java Native Interface

- Allows developers to declare Java native methods in C/C++

- Run-time check goal: “Detect if the application is being dynamically analyzed, debugged or emulated. The developers would rather limit the number of potential targets than risk being detected”.

- 45+ run-time checks; if any one(!!!) fails, the app is terminated

@maddiestone

Page 59:

Milos Stojadinovic

Page 60:

So I Became a Domain Controller

deck – https://bit.ly/2LyIkHy

older preso – https://bit.ly/2Nt5zVi

Vincent Le Toux & Benjamin Delpy

Page 61:

• PingCastle

• AD domain discovery

• Queries data from forest configuration naming context

• Builds a map that shows forest and domain trust

• Implements a number of checks to determine an AD ‘risk level’

• Stale objects (inactive users and accounts)

• Old auth protocols (SMBv1)

• ACL verification (can any authenticated user modify logon scripts?)

• Useful for automated & rudimentary analysis of AD security posture

• “finger in the wind”
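To make the "stale objects" check and the "finger in the wind" risk level on this slide concrete, the block below is an added example; it is not PingCastle's code or its scoring model. It applies two of the named checks to constructed records: enabled accounts with no recent logon (lastLogonTimestamp handled as the Windows FILETIME that AD actually stores) and SMBv1 still enabled on a domain controller, then rolls the findings into a coarse rating. The thresholds and the rating rule are assumptions.

```python
"""Rudimentary Active Directory posture checks in the spirit of the PingCastle slide.

Added example, not PingCastle's code and not its scoring model: it applies two
of the checks the slide names, stale objects (enabled accounts with no recent
logon) and SMBv1 still enabled on a domain controller, to constructed records
and rolls the findings into a coarse "finger in the wind" risk level.
lastLogonTimestamp is treated as a Windows FILETIME (100 ns ticks since
1601-01-01 UTC), which is how AD stores it. Thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000      # FILETIME resolution is 100 ns


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to FILETIME with integer arithmetic (no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime; sub-microsecond ticks are truncated."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def stale_accounts(users, now, max_inactive_days=180):
    """Enabled accounts that never logged on or whose last logon is older than the cutoff."""
    cutoff = now - timedelta(days=max_inactive_days)
    stale = []
    for u in users:
        if not u["enabled"]:
            continue                             # disabled objects are a separate hygiene finding
        ft = u.get("lastLogonTimestamp", 0)      # 0 means "never logged on" in AD
        if ft == 0 or from_filetime(ft) < cutoff:
            stale.append(u["sAMAccountName"])
    return stale


def smbv1_enabled_dcs(dcs):
    """Domain controllers still accepting the SMBv1 dialect."""
    return [d["name"] for d in dcs if d["smb1_enabled"]]


def risk_level(stale, smb1_dcs, total_users):
    """Coarse rating (assumption): any SMBv1 DC is high; more than 10% stale accounts is medium."""
    if smb1_dcs:
        return "high"
    if total_users and len(stale) / total_users > 0.10:
        return "medium"
    return "low"


# Constructed sample data for a point in time shortly after the conference.
NOW = datetime(2018, 8, 20, 12, 0, tzinfo=timezone.utc)
USERS = [
    {"sAMAccountName": "alice", "enabled": True, "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "enabled": True, "lastLogonTimestamp": to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "svc_legacy", "enabled": True, "lastLogonTimestamp": 0},
    {"sAMAccountName": "carol", "enabled": False, "lastLogonTimestamp": to_filetime(NOW - timedelta(days=500))},
]
DCS = [{"name": "DC01", "smb1_enabled": True}, {"name": "DC02", "smb1_enabled": False}]


def assess(users=USERS, dcs=DCS, now=NOW):
    """Run both checks and return the findings with the overall rating."""
    stale = stale_accounts(users, now)
    smb1 = smbv1_enabled_dcs(dcs)
    return {"stale": stale, "smb1_dcs": smb1, "risk": risk_level(stale, smb1, len(users))}


if __name__ == "__main__":
    print(assess())
```

One caveat when running a check like this against a real directory: lastLogonTimestamp is the replicated attribute and is only refreshed when the stored value is more than about two weeks old, so it is suitable for a 180-day staleness cutoff but not for anything finer-grained; the per-DC lastLogon attribute is exact but is not replicated.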

Page 62:

• DCShadow

• Manipulate AD configuration and domain naming contexts while (largely) avoiding logging

• Useful in post-exploitation

• TLDR:

• Attacker registers malicious DC within the Configuration naming context

• Malicious ‘DC’ can push replication changes to legitimate DCs

• Remove previous modifications to demote malicious DC

• Replication causes AD objects to be created / manipulated / deleted, but no logging is generated outside of replication metadata

• But the replication metadata can be modified

• Allows for intimate manipulation of AD objects and associated attributes

– This manipulation can be done in ways that violate AD specifications, as attributes can be (almost) arbitrarily specified

Page 63:

Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology

Whitepaper – https://bit.ly/2PicfpP

deck – https://bit.ly/2LCx5xP

Matt Graeber & Lee Christensen

Page 64:

• A formal methodology for detection subversion (disrupt the following):

• Attack technique identification

• Data source identification

• Data collection

• Event transport

• Event enrichment & analysis

• Malignant / benign classification

• Alerting /response

• Analysis process

• Tool familiarization & scoping

• Data source resilience auditing

• Footprint / attack surface analysis

• Data collection implementation analysis

• Configuration analysis

Page 65:

Paul O’Grady

- Recent Former Consultant

- 2nd BlackHat

- DEFCON attendee off and on for the past 13 years

Page 66:

Detecting Blue Team Research Through Targeted Ads

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/0x200b/DEFCON-26-0x200b-Detecting-Blue-Team-Research-Through-Targeted-Ads-Updated.pdf

0x200b

Page 67:

Red Team Operators invest time and energy in C2, Payloads and Campaigns

• Fog of War / limited situational awareness

• Inferences based on activity with Red Team infrastructure

• The earlier you learn of an investigation, the sooner you can abandon an approach and move towards different Tactics, Techniques and Procedures

• Protect your baby

Page 68:

Increase visibility into Blue Team interactions and investigations with Google Ads

• Register AdWord for unique malware characteristics

• Hash

• Author Handle

• Etc

Page 69:

Practical Applications / Benefits

• Detect burned campaigns earlier

• Identify Blue Team capabilities through layers of complexity

• Directly targeting the Blue Team / watering hole attack

• Relatively low cost

Page 70:

Considerations / Caveats

• There has to be something to find

• OPSEC

• Delay (~ 3 hours)

• AdWord selection

Page 71:

Subverting Sysmon - Application of a Formalized Security Product Evasion Methodology

https://i.blackhat.com/us-18/Wed-August-8/us-18-Graeber-Subverting-Sysmon-Application-Of-A-Formalized-Security-Product-Evasion-Methodology-wp.pdf

Matt Graeber and Lee Christensen

Page 72:

A look at the larger detection ecosystem within an environment and how the components work together and can be disrupted, both at the point of detection as well as through event aggregation and presentation to a human operator.

• E.g. if EDR agent alerts on a lateral movement technique, but it never reaches a human operator, the greater detection goal of the organization is not successful.

• A holistic approach

Page 73:

Too dense to thoroughly unpack and do justice in this format.

• Description and walkthrough of a methodology for subverting security products.

• Warrants thoroughly reading the whitepaper and walking through the process independently

• Valuable to Blue Team to identify gaps in adversarial resilience

• Valuable to Red Team for obvious reasons

• Sysmon case study - applicable to any product / solution

Page 74:

Adversary Detection Methodology (both Micro and Macro)

1. Attack Technique Identification

2. Data Source Identification

3. Data Collection

4. Event Transport

5. Event Enrichment and Analysis

6. Malignant/Benign Classification

7. Alerting/Response

Page 75:

Detection Subversion Methodology

• Bypass, evade or tamper with any steps in the Detection Methodology
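The seven-step detection methodology (listed on pages 64 and 74) and the holistic point on page 72 (an EDR alert that never reaches a human is a failed detection) can be exercised directly. The block below is an added example, not code from Graeber and Christensen's paper or from Sysmon: it models the steps as a chain of Python callables and pushes a single synthetic event through them, reporting the stage at which the event is lost. Two weak stages are shown, an over-broad Sysmon-style Image exclusion in the collection configuration and an event channel that is never forwarded, which is the kind of gap the "configuration analysis" and "event transport" items on the slide are meant to find. Stage names follow the slide; the configuration shape, the test event and the paths in it are constructed.

```python
"""Audit a detection pipeline end to end, one stage at a time.

Added example, not code from Graeber and Christensen's paper or from Sysmon:
it models the seven-step adversary detection methodology on the slides as a
chain of Python callables and shows how one weak stage (an over-broad
Sysmon-style Image exclusion in the collection configuration, or an event
channel that is never forwarded) keeps an alert from ever reaching a human
operator, the failure the slide illustrates with the EDR example. Stage names
follow the slide; the configuration shape and the sample event are constructed.
"""
from typing import Callable, Optional

Stage = Callable[[dict], Optional[dict]]   # returns the event (possibly enriched) or None if lost

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Step 1, Attack technique identification, is the analyst's choice of what to
# test for; here it is "Office application spawning a script host", expressed
# as the synthetic event below rather than as a runtime stage.
TEST_EVENT = {
    "source": "sysmon:ProcessCreate",
    "channel": SYSMON_CHANNEL,
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
}


def data_source(event):
    """Step 2, Data source identification: only process-creation telemetry is in scope."""
    return event if event.get("source") == "sysmon:ProcessCreate" else None


def make_collector(excluded_images):
    """Step 3, Data collection: a Sysmon-style exclusion list on Image (lower-cased paths)."""
    def collect(event):
        return None if event["Image"].lower() in excluded_images else event
    return collect


def make_transport(forwarded_channels):
    """Step 4, Event transport: only subscribed channels are forwarded to the SIEM."""
    def transport(event):
        return event if event["channel"] in forwarded_channels else None
    return transport


def enrich(event):
    """Step 5, Event enrichment and analysis: tag children of Office applications."""
    office = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    return {**event, "office_child": parent in office}


def classify(event):
    """Step 6, Malignant/benign classification: Office spawning a script host is malignant."""
    script_hosts = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    verdict = "malignant" if event["office_child"] and image in script_hosts else "benign"
    return {**event, "verdict": verdict}


def alert(event):
    """Step 7, Alerting/response: only malignant verdicts reach the operator."""
    return event if event["verdict"] == "malignant" else None


def build_pipeline(excluded_images, forwarded_channels):
    """Assemble steps 2..7 with the given collection and transport configuration."""
    return [
        ("Data source identification", data_source),
        ("Data collection", make_collector(excluded_images)),
        ("Event transport", make_transport(forwarded_channels)),
        ("Event enrichment and analysis", enrich),
        ("Malignant/benign classification", classify),
        ("Alerting/response", alert),
    ]


def audit(pipeline, event):
    """Push one synthetic event through the chain; return the stage that lost it, or None."""
    for name, stage in pipeline:
        event = stage(event)
        if event is None:
            return name
    return None


if __name__ == "__main__":
    cases = {
        "sound": build_pipeline({"c:\\windows\\system32\\svchost.exe"}, {SYSMON_CHANNEL, "Security"}),
        "broad exclusion": build_pipeline(
            {"c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"}, {SYSMON_CHANNEL}),
        "not forwarded": build_pipeline(set(), {"Security"}),
    }
    for label, pipeline in cases.items():
        print(f"{label}: lost at {audit(pipeline, TEST_EVENT)}")
```

The value of running the audit per stage rather than as a single pass/fail is that the answer names the weak component: a `None` result means the technique would reach an operator, while "Data collection" or "Event transport" points at a configuration or forwarding gap that no amount of tuning in the classification stage can compensate for.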

Page 76:

▪ Latest Technical Research. New attacks. New Defences.

▪ Hands-on learning opportunities. Internet of Things. Lockpicking. CSA Summit. Pre-Conference Training. Career Development Panel and Fair.

▪ Opportunities for Networking during the event and at the reception.

▪ Purist Approach – no amount of money can buy a speaking slot in our technical track.

▪ Privacy, Policy, Compliance

▪ Experts from around the world. We fly them in from all over!

▪ Save 10% off registration with code TASK2018

October 1-3, 2018 - Metro Toronto Convention Centre

www.sector.ca

Page 77: