There is a challenge on the badge 😉 PRIZES!
HISTORIC BADGES! There are a limited number of badges from previous ToorCons. If you'd like some for your collection, stop by Registration.
See you at the party tonight!
Although traditional system and security controls may exist, humans are still a part of building and fielding applications running in a modern IT shop. The likelihood of significant flaws in the applications, or configurations of the systems, opens the risk of a security breach or compromise that may signal an alert in a log file, or on an automated intrusion detection system. This presentation looks at TCP/UDP network traffic and protocols to identify what information can be of great value when either detecting a threat or responding to an alert.
With millions of phishing Emails caught by spam filters and users properly trained by well-defined cybersecurity programs, it’s getting harder and harder to properly phish users. Spear phishers must come up with new and improved methods for increa...
The goal of this presentation is to make IT and Security professionals aware of newly identified techniques used to get high click rates during phishing campaigns. The talk will introduce new research conducted using typosquatting, doppelganger domains, and IDN homograph attacks. Current research and demonstrations will show how the attacks work against current and patched applications.
This presentation will cover the following topics:
- Phishing campaigns & how they work
- Research conducted using typosquatting, doppelganger, and IDN homographic attacks
- The true cost of failing to protect against malicious phishing attacks
- Countermeasures to defend against these new techniques
- Why security awareness training won’t help protect against doppelganger and IDN attacks
- How to bypass patched web browsers to spoof Emails/domains
- How to setup a highly successful phishing campaign in the cloud for $17
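As an added example for the countermeasures topic (this is not the speaker's research code), the following Python checker flags the three lure-domain classes named in the talk: IDN homographs (a Cyrillic letter standing in for a Latin one, including in punycode `xn--` form), doppelganger domains (a dropped dot, `mailexample.com` for `mail.example.com`) and typosquats (one edit away). The owned-domain list and the confusables table are assumptions for this example; a production checker would load the full Unicode confusables data.

```python
import unicodedata

# Domains the organization actually owns. Constructed for this example.
LEGIT_DOMAINS = ("example.com", "mail.example.com")

# Non-Latin letters that render like Latin ones (a tiny excerpt of the Unicode
# confusables data; a production checker would load the full table).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u03bf": "o",  # Greek small omicron
    "\u0251": "a",  # Latin small alpha
}


def to_unicode(domain):
    """Turn punycode (xn--) labels back into the Unicode the address bar renders."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not decodable: compare as given


def skeleton(domain):
    """Visual skeleton: lowercase, strip accents, replace confusables. Two domains
    with the same skeleton look alike to a human even if their code points differ."""
    out = []
    for ch in unicodedata.normalize("NFKD", to_unicode(domain).lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def mixed_scripts(label):
    """True if one label mixes letters of more than one script (e.g. Cyrillic + Latin)."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate):
    """Reasons a candidate domain looks like a lure for LEGIT_DOMAINS ([] if clean)."""
    uni = to_unicode(candidate).lower()
    if uni in LEGIT_DOMAINS:
        return []
    skel = skeleton(candidate)
    reasons = []
    if any(ord(c) > 127 for c in uni):
        if skel in LEGIT_DOMAINS:
            reasons.append("idn-homograph: renders like " + skel)
        if any(mixed_scripts(label) for label in uni.split(".")):
            reasons.append("idn-mixed-script")
    for legit in LEGIT_DOMAINS:
        if skel == legit.replace(".", "", 1):
            reasons.append("doppelganger: dot dropped from " + legit)
        elif levenshtein(skel, legit) == 1:
            reasons.append("typosquat: one edit from " + legit)
    return reasons


if __name__ == "__main__":
    # "\u0435xample.com" is example.com with a Cyrillic ie in place of the Latin e.
    for d in ("example.com", "\u0435xample.com", "mailexample.com", "examle.com"):
        print(d, "->", classify(d) or "ok")
```

Feed it the sender domains from mail logs or newly registered domains from a certificate transparency feed; the skeleton comparison is what catches the homograph class, which awareness training cannot, because the two strings are pixel-identical to the reader.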
DevSecOps is becoming the rule not the exception. Right? Applying the "rule" backwards can prove this wrong.
The IT industry is all fired up with talk of DevOps and DevSecOps. What if someone took those same tools and techniques and applied them backward, not to improve security for their own apps and organizations, but to find bugs in OTHER organizations' systems and code? If only developers had some way to do these checks themselves... This talk is about using static and dynamic analysis tools normally used by developers to chase bug bounties in automated ways.
Experienced InfoSec professionals are familiar with leveraging digital forensics in their incident response efforts. There are other opportunities to let the data tell the story, provide insight on risks your organization faces, with how to mitigat...
When leveraging digital forensics, there are opportunities to let the data tell the story beyond our incident response efforts. Let the story provide insight on the risks your organization faces, provide insight on how to mitigate them, and provide the evidence to take the actions needed. What sorts of organizations and what sorts of use cases are there, and in what real-world examples have organizations been able to leverage digital forensics to identify and manage their risks?
The number of companies moving to a microservices model appears to be increasing at an exponential rate, causing a similarly accelerating rate of adoption for Kubernetes and other container orchestration systems. Machine learning work has contributed to this as well, especially with this year's introduction of native Kubernetes support in Spark. It is time for the information security specialists to learn how to attack Kubernetes clusters, as well as learn how to defend them. In this talk, we will demonstrate attacks on Kubernetes clusters, discuss defenses, then demonstrate how those defenses break the attacks. All demonstrations will be recorded, to avoid interference from the Demo gods. Talk attendees will be able to download the same cluster on which the demos are performed, as well as the configuration files used to break the attacks. Come begin your training in Kubernetes attack and defense!
IoT botnets are deployed heavily to perform nefarious activities by circumventing the integrity of the IoT device to launch sophisticated targeted or broad-based attacks. IoT botnets have enhanced the cybercrime operations to a great extent, there...
IoT botnets are deployed heavily to perform nefarious activities by circumventing the integrity of the IoT device to launch sophisticated targeted or broad-based attacks. IoT botnets have enhanced cybercrime operations to a great extent, thereby making it easier for attackers to carry out unauthorized activities on the Internet. This paper presents an empirical analysis of six botnet families to draw a comparative analysis of the widely known IoT botnets. The study not only provides deep insights into the working behavior of IoT botnets but also highlights the preventive measures to be taken to defend against them. The talk encompasses the following:
· We conducted an analytical study of more than six IoT botnet families to better understand the various techniques deployed to abuse and exploit the IoT devices. This includes analysis of protocols, network communication, anti-detection strategies, bricking devices, data exfiltration and others. The mapping of characteristic analysis provides a broad picture on the state of IoT botnets.
· Our empirical study demonstrates how the IoT botnets have been configured and deployed in ...
Modern malware uses a wide variety of code obfuscation techniques to hide its true intentions and to avoid detection. In this talk, we’ll explore the latest in native code obfuscation techniques as well as a few techniques commonly used with inte...
- This talk will discuss modern code obfuscation techniques, which affect anyone involved with the analysis of malware
- We will explore a variety of prevalent techniques in both native code and interpreted languages
- Detailed technical analysis will be provided for each technique, along with effective strategies for defeating that particular technique
- Real world malware along with malware used by nation-states will be used for demonstrative purposes
- String obfuscation, dynamic import table construction, use of shellcode, packing, use of virtual machines (i.e. bytecode) and other anti-analysis techniques will be discussed
- The goal is to shed light on these techniques and contribute to the body of knowledge, making detection, analysis and mitigation easier for security researchers
Security and the Internet of Things (IoT) are commonly discussed, though rarely in a positive light. In 2018, the state of security in embedded devices appears to be a continuation of this trend, according to research performed by Independent Secu...
This talk presents real world application of solvers for checking code, as well as some discussion about tools that can be used and the history of symbolic execution.
Symbolic execution is a useful approach for a variety of problems from solving puzzles to discovering vulnerabilities. It is show and tell time.
Ransomware and cryptojacking have been recognized as the top malware threats in 2018. Financially motivated cybercriminals are attracted to both since both remain viable means of generating illicit income. In this talk, we delve deep into the late...
Modern malware presents multi-faceted threats that leverage a variety of attack vectors. Leading the malware threatscape in 2018 are ransomware and cryptojacking attacks, and the more evolved variants are now implementing targeted attacks against organizations (e.g. SamSam). Modern ransomware includes a hybrid cryptosystem that uses a combination of symmetric and asymmetric cryptography. In recent practice, ransomware is going beyond mere data encryption and comes bundled with other threats. We present real-world cases of ransomware where we observed these cryptoviral extortions drop trojan horses (e.g. RAA dropping Pony) and cryptominers (e.g. BlackRuby). Our research shows that these secondary infections remain active on the host even after the ransom is paid. During this talk, we will also discuss how elliptic curve cryptography (ECIES) is deployed in modern ransomware (e.g. Petya and PetrWrap) and the tactical advantages it provides (over RSA) to ransomware operators. We will show how many ransomware variants purge shadow copies (via vssadmin), encrypt network backups (using WNetAddConnection2), and use the latest anti-virus circumvention techniques such as “process doppelga...
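The shadow-copy purge mentioned above is one of the few ransomware behaviours that is cheap to detect before encryption finishes, because it runs as a distinct child process. The following Python detector is an added example, not the speakers' code: it runs over constructed process-creation records (the pipe-delimited `timestamp|host|image|command line` shape is an assumption for this example; Sysmon event 1 or EDR telemetry would be the real source) and matches `vssadmin delete shadows` regardless of case, full path, quoting, extra whitespace, flag order, or being wrapped in `cmd.exe /c`, while leaving the legitimate `vssadmin list shadows` alone.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "timestamp host image command_line")

# vssadmin delete shadows in any case, optionally with a path or .exe suffix, optional
# closing quote, and whatever flags follow (/all /quiet, /for=C: /oldest, ...).
VSS_DELETE = re.compile(
    r'(?<![\w.-])vssadmin(?:\.exe)?["\']?\s+delete\s+shadows(?![\w-])', re.IGNORECASE)

# Constructed sample telemetry for this example: timestamp|host|image|command line.
SAMPLE_LOG = r"""2018-10-12T14:03:11Z|WS-017|C:\Windows\System32\vssadmin.exe|"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
2018-10-12T14:03:12Z|WS-017|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & exit
2018-10-12T14:05:40Z|SRV-BK02|C:\Windows\System32\vssadmin.exe|vssadmin list shadows /for=D:
2018-10-12T14:07:02Z|SRV-FS01|C:\Windows\System32\vssadmin.exe|VSSADMIN.EXE     DELETE    SHADOWS /for=C: /oldest /quiet
2018-10-12T14:07:05Z|SRV-FS01|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\Public\README_DECRYPT.txt"""


def parse_record(line):
    """Split one record; returns None for lines that do not have the four fields."""
    parts = line.rstrip("\r\n").split("|", 3)
    return parts if len(parts) == 4 else None


def detect_shadow_purge(lines):
    """Return an Alert for every process launch that deletes volume shadow copies."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ts, host, image, cmd = rec
        cmd = " ".join(cmd.split())  # collapse the whitespace padding attackers add
        if VSS_DELETE.search(cmd):
            alerts.append(Alert(ts, host, image, cmd))
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_purge(SAMPLE_LOG.splitlines()):
        print("%s %-8s shadow copies deleted: %s" % (a.timestamp, a.host, a.command_line))
```

Two hits on the same host within seconds (the direct launch and the `cmd.exe /c` re-launch) are the pattern to alert on; a single `list shadows` from a backup server is routine administration and is correctly ignored.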
With a surge in the production of internet of things (IoT) devices, embedded development tools are becoming commonplace and the software they run on is often trusted to run in escalated modes. However, some of the embedded development tools on the...
In this talk we will describe the methodology used in order to assess the security of one of the most commonly used embedded debuggers in the world. Additionally, we will describe our findings which resulted in 5 CVEs and included remote code execution flaws and an unauthenticated backdoor. We will also discuss the impact of these vulnerabilities and steps one can take to improve the security of their embedded development supply chain.
Ethereum is currently the reference smart contract platform due to the possibility of creating decentralized applications (Dapps) using smart contracts. When you create a smart contract on the blockchain, it's not mandatory to provide the Solidit...
Ethereum is the reference smart contract platform due to the possibility of creating decentralized applications (Dapps) by writing smart contracts. The Solidity source code of those smart contracts is not always available and can contain flaws (reentrancy, integer overflow/underflow, bad randomness, backdoors, ...). Some smart contracts handle thousands of ETH and can't be modified once pushed to the blockchain. More than 90% of them don’t provide the associated Solidity source code, which is also why being able to reverse and analyze Ethereum smart contracts (with only the EVM bytecode) makes even more sense.
This hands-on is intended to give attendees the basic skills (theoretical and practical) to analyze Ethereum smart contracts. After this hands-on, they will be able to reverse, debug and start their analysis of real-life smart contracts without having the Solidity source code.
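The first step of bytecode-only analysis is a disassembler plus recovery of the public function selectors from the dispatcher. The following Python is an added example, not the workshop's material: a linear-sweep EVM disassembler over a subset of the opcode table, and a pattern matcher for the `PUSH4 <selector> EQ PUSHn <dest> JUMPI` dispatcher that solc emits. The bytecode it runs on is a hand-assembled fragment constructed for this example (not a deployed contract); the two selectors in it are the well-known `transfer(address,uint256)` and `balanceOf(address)` values.

```python
from collections import namedtuple

Insn = namedtuple("Insn", "offset name operand size")

# Subset of the EVM instruction set; enough for dispatcher analysis.
OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x02: "MUL", 0x03: "SUB", 0x04: "DIV",
    0x10: "LT", 0x11: "GT", 0x14: "EQ", 0x15: "ISZERO", 0x16: "AND", 0x1c: "SHR",
    0x34: "CALLVALUE", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD", 0x55: "SSTORE",
    0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST",
    0xf3: "RETURN", 0xfd: "REVERT", 0xfe: "INVALID", 0xff: "SELFDESTRUCT",
}
for n in range(1, 33):
    OPCODES[0x5f + n] = "PUSH%d" % n   # 0x60..0x7f
for n in range(1, 17):
    OPCODES[0x7f + n] = "DUP%d" % n    # 0x80..0x8f
    OPCODES[0x8f + n] = "SWAP%d" % n   # 0x90..0x9f


def disassemble(code):
    """Linear sweep. PUSHn is the only variable-length instruction; a PUSH cut off by
    the end of code is zero-padded on the right, exactly as the EVM treats it."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        name, operand, size = OPCODES.get(op, "UNKNOWN_0x%02x" % op), None, 1
        if 0x60 <= op <= 0x7f:
            n = op - 0x5f
            operand = int.from_bytes(code[pc + 1:pc + 1 + n].ljust(n, b"\x00"), "big")
            size = 1 + n
        insns.append(Insn(pc, name, operand, size))
        pc += size
    return insns


def format_insn(i):
    return "%04x: %s%s" % (i.offset, i.name, "" if i.operand is None else " 0x%x" % i.operand)


def jumpdests(insns):
    return {i.offset for i in insns if i.name == "JUMPDEST"}


def find_selectors(insns):
    """Recover (selector, jump target) pairs from the solc dispatcher shape
    PUSH4 <selector> [DUPn] EQ PUSHn <dest> JUMPI (DUP1 may also precede the PUSH4)."""
    found = []
    for k, i in enumerate(insns):
        if i.name != "PUSH4":
            continue
        j = k + 1
        while j < len(insns) and insns[j].name.startswith("DUP"):
            j += 1
        if (j + 2 < len(insns) and insns[j].name == "EQ"
                and insns[j + 1].name.startswith("PUSH") and insns[j + 2].name == "JUMPI"):
            found.append(("%08x" % i.operand, insns[j + 1].operand))
    return found


# Constructed dispatcher fragment for this example: two public functions plus a
# reverting fallback. Not a real deployed contract.
SAMPLE = bytes.fromhex(
    "6080604052"                  # PUSH1 0x80 PUSH1 0x40 MSTORE      free-memory pointer
    "6004361061003057"            # PUSH1 4 CALLDATASIZE LT PUSH2 0x30 JUMPI  short calldata
    "60003560e01c"                # PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR       selector
    "8063a9059cbb1461003657"      # DUP1 PUSH4 transfer(address,uint256) EQ PUSH2 0x36 JUMPI
    "806370a082311461003a57"      # DUP1 PUSH4 balanceOf(address) EQ PUSH2 0x3a JUMPI
    "600080fd"                    # PUSH1 0 DUP1 REVERT                       unknown selector
    "fefefe" "5b00"               # pad; 0x30: JUMPDEST STOP (fallback)
    "fefefefe" "5b00"             # pad; 0x36: JUMPDEST STOP (transfer stub)
    "fefe" "5b00"                 # pad; 0x3a: JUMPDEST STOP (balanceOf stub)
)

if __name__ == "__main__":
    insns = disassemble(SAMPLE)
    for i in insns:
        print(format_insn(i))
    dests = jumpdests(insns)
    for sel, dest in find_selectors(insns):
        print("selector 0x%s -> 0x%04x %s" % (sel, dest, "ok" if dest in dests else "BAD TARGET"))
```

Checking each recovered target against the JUMPDEST set matters because the EVM aborts a jump to a non-JUMPDEST offset: a dispatcher entry whose target is not one is either dead code or an analysis mistake, and either way it tells you the disassembly is out of sync with the control flow.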
Mental health issues within the hacker/infosec community are a growing concern, not only as a result of some high-profile losses but also from ever-demanding careers and stressors in our personal lives. There is a developing epidemic of infosec burnout that needs to be acknowledged and addressed.
The Hacker Mental Health Project is a community-based effort with the goal of promoting mental health awareness, communication and resources. Because we want to see you at next year’s con.
Automated Teller Machines (ATM) attacks are more sophisticated than ever before. Criminals have upped their game, compromising and manipulating ATM networks, software and other connected infrastructure. Between having a third-party manage these m...
In this session, I will discuss unknown ATM flaws our pentesting team has uncovered while performing testing, the various ways criminals are attacking ATMs, the many security problems that we have identified with ATM systems, and what can be done to prevent these attacks.
I will review three case studies of ATMs. One where the ATM security was extremely poor; one where the security was very good but the ATM still fell victim to an attack because we discovered a zero-day in the management software; and one where the security was just right, but its specific deployment had some major flaws that ultimately led to an ATM compromise. In this last case, the attackers side-loaded an application, and were able to run a criminal ring that led to $7M USD in losses.
ICS attacks are increasingly in the spotlight, yet significant misconceptions exist as to how these attacks are executed. Most research, presentations, and news items focus on the final element of what are prolonged, multi-step attacks: the final ...
2017 was a highlight year for Industrial Control System (ICS) security: the first electric grid-targeting malware was identified (CRASHOVERRIDE); and the first Safety Instrumented System (SIS) tailored infection event was revealed (TRISIS). While these events appear dissimilar in terms of targeting and technology, closer analysis identifies multiple points of similarity. By examining these events in detail, defenders can gain knowledge on how future ICS-focused attacks will develop, and orient defense appropriately.
CRASHOVERRIDE and TRISIS targeted different environments (electric distribution and SIS) in geographically disparate areas (Ukraine and Saudi Arabia). But for these high-level differences, the two attacks featured a number of elements in common: the capability to reverse-engineer relevant ICS software to develop an attack package; the ability to penetrate and navigate from IT to ICS networks to deliver an attack; and flexibility in building modular frameworks for malware delivery. Additionally, both groups leveraged ‘living off the land’ intrusion techniques to penetrate and move laterally through the ICS network before switching to more bespoke malware. These ele...
WebAssembly (WASM) is a new binary format currently developed by all major browsers including Firefox, Chrome, WebKit /Safari and Microsoft Edge. In this talk, I will introduce WebAssembly concepts, detailed security measures implemented into WebA...
WebAssembly (WASM) is a new binary format currently developed and supported by all major browsers including Firefox, Chrome, WebKit/Safari and Microsoft Edge through the W3C. This new format has been designed to be “Efficient and fast“, “Debuggable“ and “Safe”, which is why it is often called the "game changer for the web". More than one year after the “official” release, it is not only used “for the web” by web browsers but also in some (huge) other projects like blockchain smart contract platforms (EOS and Ethereum).
I will first introduce WebAssembly concepts and who currently uses it in the wild. Secondly, I will show the different WebAssembly VMs available and explain the security measures implemented in them. Finally, I will show you, through real-life WASM modules, how to do static analysis, using techniques such as reversing, control flow and call flow analysis, to understand their behavior more deeply. Along the talk, I will use multiple open source tools, but mainly the one that I have developed and that is already available on GitHub (https://github.com/quoscient/octopus).
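Static analysis of a WASM module starts with the binary container itself: the section table, the imports (the only way a module can touch anything outside its linear memory, so they are the analyst's first question) and the exports. The following Python parser is an added example and not part of the Octopus tool; it decodes the WebAssembly 1.0 header, LEB128 section sizes, the type, import, function and export sections, and resolves every function index to its signature. The module it parses is hand-assembled for this example (constructed, not taken from the wild) and every length is checked against the buffer, since a module you are analysing may have been built to break the parser.

```python
WASM_MAGIC, WASM_VERSION = b"\x00asm", b"\x01\x00\x00\x00"
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table", 5: "memory",
                 6: "global", 7: "export", 8: "start", 9: "element", 10: "code", 11: "data"}
KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}
VALTYPES = {0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64"}


def leb128_u32(buf, pos):
    """Unsigned LEB128, capped at 5 bytes so a hostile module cannot spin the parser."""
    result = shift = 0
    for _ in range(5):
        if pos >= len(buf):
            raise ValueError("truncated LEB128")
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7f) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("LEB128 too long for u32")


def read_name(buf, pos):
    n, pos = leb128_u32(buf, pos)
    if pos + n > len(buf):
        raise ValueError("truncated name")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def skip_limits(buf, pos):
    flag, pos = buf[pos], pos + 1
    _, pos = leb128_u32(buf, pos)                        # min
    return leb128_u32(buf, pos)[1] if flag & 1 else pos  # optional max


def parse_sections(data):
    """Split a module into (id, name, payload); every size is checked against the buffer."""
    if data[:4] != WASM_MAGIC or data[4:8] != WASM_VERSION:
        raise ValueError("not a WebAssembly 1.0 module")
    pos, sections = 8, []
    while pos < len(data):
        sid, (size, pos) = data[pos], leb128_u32(data, pos + 1)
        if pos + size > len(data):
            raise ValueError("section %d overruns the module" % sid)
        sections.append((sid, SECTION_NAMES.get(sid, "unknown"), data[pos:pos + size]))
        pos += size
    return sections


def parse_types(payload):
    count, pos = leb128_u32(payload, 0)
    types = []
    for _ in range(count):
        if payload[pos] != 0x60:
            raise ValueError("expected functype")
        np_, pos = leb128_u32(payload, pos + 1)
        params, pos = tuple(VALTYPES[b] for b in payload[pos:pos + np_]), pos + np_
        nr, pos = leb128_u32(payload, pos)
        results, pos = tuple(VALTYPES[b] for b in payload[pos:pos + nr]), pos + nr
        types.append((params, results))
    return types


def parse_imports(payload):
    count, pos = leb128_u32(payload, 0)
    imports = []
    for _ in range(count):
        module, pos = read_name(payload, pos)
        field, pos = read_name(payload, pos)
        kind, pos, desc = payload[pos], pos + 1, None
        if kind == 0:                      # func: type index
            desc, pos = leb128_u32(payload, pos)
        elif kind == 1:                    # table: elemtype byte + limits
            pos = skip_limits(payload, pos + 1)
        elif kind == 2:                    # memory: limits
            pos = skip_limits(payload, pos)
        elif kind == 3:                    # global: valtype + mutability
            pos += 2
        else:
            raise ValueError("bad import kind %d" % kind)
        imports.append((module, field, KINDS[kind], desc))
    return imports


def parse_exports(payload):
    count, pos = leb128_u32(payload, 0)
    exports = []
    for _ in range(count):
        name, pos = read_name(payload, pos)
        kind = payload[pos]
        idx, pos = leb128_u32(payload, pos + 1)
        exports.append((name, KINDS.get(kind, "unknown"), idx))
    return exports


def parse_module(data):
    """Section map, host imports, exports, and the type of every function index."""
    sections = parse_sections(data)
    by_name = {name: payload for _, name, payload in sections}
    types = parse_types(by_name.get("type", b"\x00"))
    imports = parse_imports(by_name.get("import", b"\x00"))
    funcs = [types[t] for _, _, k, t in imports if k == "func"]  # imports come first
    count, pos = leb128_u32(by_name.get("function", b"\x00"), 0)
    for _ in range(count):
        t, pos = leb128_u32(by_name["function"], pos)
        funcs.append(types[t])
    return {"sections": [n for _, n, _ in sections], "types": types, "imports": imports,
            "exports": parse_exports(by_name.get("export", b"\x00")), "functions": funcs}


# Constructed minimal module (hand-assembled for this example): imports env.log(i32)
# and exports add(i32, i32) -> i32, whose body calls the import once.
SAMPLE_WASM = bytes.fromhex(
    "0061736d01000000"                # magic "\0asm", version 1
    "010b0260027f7f017f60017f00"      # type: (i32,i32)->i32 and (i32)->()
    "020b0103656e76036c6f670001"      # import "env" "log" as func of type 1
    "03020100"                        # function: one defined body, type 0
    "070701036164640001"              # export "add" -> func index 1
    "0a0d010b00200020016a200010000b"  # code: local.get 0/1, i32.add, local.get 0, call 0, end
)

if __name__ == "__main__":
    print(parse_module(SAMPLE_WASM))
```

The import list is the module's attack surface in the other direction as well: whatever the embedding VM exposes under `env` (or a smart-contract platform's host API) is what a malicious module can call, so a review of an unknown module starts by enumerating those names before reading a single instruction.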
Having a scalable suite of continuously run security tests seems out of reach for all but the most mature security programs. Yet, many companies already have integration tests that snake their way deeply into their web application, covering nearly...
Having a dedicated suite of continuously run security tests seems out of reach for all but the most mature security programs. Scanners only scratch the surface of your application. Many companies already have integration tests that snake their way deeply into their web application, covering nearly every workflow. In this talk, we will use a minimal amount of work to transform these integration tests into a suite of security tests.
Using Selenium and ZAP we will repurpose integration tests into security tests to search for common web application flaws such as XSS and SQLi with more context than a scanner. These security tests will traverse the web application the same way a real user would. We will then extend these tests to find subtle security bugs in authorization and business logic.
This session is ideal for testers and developers interested in making security testing part of their continuous integration pipeline.
The First Qualifying Round for the 25th Annual Hacker Jeopardy
As many of you heard, Hacker Jeopardy -- the longstanding (in)famous competition at DefCon -- is now going National for the 25th Anniversary.
There are to be 9 qualifying rounds at conferences across the country, and ToorCon 20 is the first step in this mighty journey! This is your chance to show off your big geek brain, and possibly make it to finals in Vegas at DefCon 27, next August. Grab a few friends (or even a smart stranger or two), and set up your team now!
THE NUMBER OF TEAMS WILL BE LIMITED, so get your application in now. Include in text team name, exactly 3 players (handles and real names [we protect]) with cell and e-mail so we can contact you, and why you should play. Please email: email@example.com.
20 years ago Win95 was dominant, security meant AV and firewalls, cDc released BO2k, the Melissa virus was kind of a big deal, The Matrix was in theaters, Mitnick went to prison, and we feared Y2K. Today Android is #1, AI and ML are solving all ou...
This talk covers finding a buffer overflow vulnerability in some old Windows 3.x-based Internet software and constructing a payload to exploit it. The segmented memory model of 16-bit x86 code complicates exploitation and provides accidental defen...
What if I told you that Windows 3.x provided Data Execution Prevention and a crude form of Address Space Layout Randomization? The segmented memory model that made 16-bit x86 code difficult to program also complicates building an exploit. Blending nostalgia and plain curiosity into exploiting "weird" systems, I demonstrate what may be the first public writeup (try Googling for one) of a buffer overflow targeting a Windows 3.x application, complete with ROP chain and shellcode. Everyone loves a good exploit and demo or just shuffling program groups--so stop by for a look back into the four-megabyte era equipped with a copy of Visual Studio 1.52c and modern techniques.
Developers frequently commit secrets to source code, and sometimes push secrets to package managers. These secrets often leak out into the public either through accidental source code disclosure, or intentional source code disclosure. TruffleHog i...
In the interest of full disclosure, I did give this talk at Bsides SF 2018
# Finding secrets in source code with TruffleHog
Prior to me releasing truffleHog, there were a lot of folks pushing secrets management solutions, but not many tools available for cleaning up code that wasn't conforming to proper secrets management. I'll give an overview of how I struggled at my job to find committed secrets, and how I saw other companies struggling with the same issues.
I'll also show how much code is left in the past. Version control keeps history of old commits, which often contain secrets not in the current version of the source code.
## The tech
I'll talk about what technologies I use to power truffleHog: entropy detection and grep-based rules. I'll explain the advantages and disadvantages of both. I'll also explain how a large percentage of the secrets identified were found in old commits, not in the current branch of code. I'll show off a few examples of successful runs of the code, and I'll explain how I'd use the tool in different scenarios. I...
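To make the two detection strategies and the history point concrete, here is an added Python example (not truffleHog's own code): Shannon entropy over runs of base64 and hex characters, a pair of grep-style rules, and a history scanner that tags each finding with the commit it lives in. The thresholds (4.5 bits for base64 runs, 3.0 for hex, 20-character minimum) and the two-commit "history" are assumptions for this example; the secret values in the sample are the well-known AWS documentation placeholders and a made-up hex token, not live credentials.

```python
import math
import re

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
HEX_ALPHABET = set("0123456789abcdefABCDEF")
MIN_RUN = 20             # shorter strings carry too little entropy to judge
BASE64_THRESHOLD = 4.5   # bits per character; thresholds chosen for this example
HEX_THRESHOLD = 3.0

# Grep-style rules for secrets with a fixed shape. Entropy alone cannot catch an AWS
# access key id: a 20-character string tops out at log2(20) = 4.32 bits, under the
# base64 threshold, but its AKIA prefix is trivially greppable.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def runs(line, alphabet):
    """Maximal substrings of `line` drawn only from `alphabet`, at least MIN_RUN long."""
    cur = []
    for ch in line + "\n":  # sentinel flushes the final run
        if ch in alphabet:
            cur.append(ch)
            continue
        if len(cur) >= MIN_RUN:
            yield "".join(cur)
        cur = []


def scan_text(text):
    """Findings as (line_no, rule, string) over one blob of source."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append((no, rule, m.group(0)))
                seen.add(m.group(0))
        for s in runs(line, HEX_ALPHABET):
            if s not in seen and shannon_entropy(s) > HEX_THRESHOLD:
                findings.append((no, "high-entropy-hex", s))
                seen.add(s)
        for s in runs(line, BASE64_ALPHABET):
            if s not in seen and shannon_entropy(s) > BASE64_THRESHOLD:
                findings.append((no, "high-entropy-base64", s))
                seen.add(s)
    return findings


def scan_history(commits):
    """`commits` is an iterable of (commit_id, file_text), oldest first, as you would get by
    walking `git log` and reading each blob; every finding carries its commit."""
    return [(cid,) + f for cid, text in commits for f in scan_text(text)]


# Constructed two-commit history for this example. The first commit hard-codes the
# credentials; HEAD reads them from the environment, so scanning HEAD alone finds nothing.
OLD_COMMIT = """# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
loader = DefaultConfigurationLoaderFactory()
API_TOKEN = "3f9a7c1e4b2d8e6f0a1b2c3d4e5f6a7b"
"""
HEAD = """# settings.py
import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
loader = DefaultConfigurationLoaderFactory()
API_TOKEN = os.environ["API_TOKEN"]
"""
FAKE_HISTORY = [("a1b2c3d", OLD_COMMIT), ("HEAD", HEAD)]

if __name__ == "__main__":
    for commit, line_no, rule, value in scan_history(FAKE_HISTORY):
        print("%s:%d %s %s" % (commit, line_no, rule, value))
```

The long camel-case identifier in the sample is there on purpose: it is a 33-character base64-alphabet run but scores just under 4 bits, which is why the threshold sits at 4.5 rather than lower, and why the hex alphabet needs its own, lower bar.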
"Unikernels" are specialized, single-address-space machine images that run entirely in ring 0 as a guest VM atop a hypervisor. They typically bundle application code and a framework platform on top of a thin hypercall-based IO/IPC layer used to pe...
Operating systems are insecure. Why do we even need them anyway? Why not just run our web apps in kernel space and let the cloud schedule CPU and I/O? What could go wrong?

In an effort to mitigate security and performance issues caused by application and OS functionality bloat, some are attempting to combine the concept of library operating systems with modern virtualization technologies to create purpose-built lightweight virtual machines that strip out "unnecessary" functionality. These "unikernels" are specialized, single-address-space machine images that have been coupled with a kernel and thin OS stub layer to create a single binary blob.

Proponents of unikernels claim that their smaller total codebases and lack of excess services make them more efficient and secure than applications running on top of full operating systems, either as a container or a virtual machine. We surveyed several major unikernels, and found that this was decidedly not the case; unikernels, which in many ways resemble embedded systems, often have a similarly negligible level of security. Standard memory hardening practices such as ASLR, W^X, stack canaries, heap integrity checks...
This talk walks through mechanisms used by container solutions to create an "isolated" computation environment and the weaknesses of each mechanism. It also covers a basic testing methodology that can be used when assessing a new container environ...
Containerization is often used as a replacement for virtual machines to isolate customer data and customer code due to its ease of deployment and marginal performance impact. As security consultants, we have conducted numerous security reviews of a variety of container configurations, where real companies have been using Docker to securely run untrusted customer code.
While Docker is easy to get up and running, it is not always clear that certain high level settings have low level security implications. When configured poorly, a container running malicious code can view network traffic from the host or other co-located containers, access firewalled servers, affect the performance of other containers, or even run code on the host.
In this presentation, we’ll give insight into how Docker utilizes Linux kernel security features, such as capabilities and namespaces, in order to attempt to provide container isolation. We’ll illustrate common security pitfalls in container configurations and how to exploit them.
We’ll conclude with a demo of a new container auditing tool that finds common container configuration issues and presents exploits for these issues, if applicable. Th...
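The "high level settings with low level security implications" are all visible in `docker inspect` output, so a first-pass audit needs nothing beyond reading that JSON. The following Python is an added example, not the presenters' auditing tool: it scores one container record for the pitfalls the abstract names (host network or PID namespace, added capabilities, host paths such as the Docker socket bind-mounted in, seccomp/AppArmor switched off, no resource limits, root with no user namespace) and shows the same workload in a weak and a hardened configuration. Both records are constructed for this example and follow the `HostConfig`/`Config` key names `docker inspect` uses; the severity labels are this example's choices.

```python
import json
import sys

DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "SYS_RAWIO"}
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/proc", "/sys", "/etc",
                        "/dev", "/boot", "/root")


def sensitive_bind(bind):
    """True if a `host:container[:opts]` bind hands the container a path that maps to host control."""
    src = bind.split(":")[0]
    return src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit(container):
    """Findings (code, severity, detail) for one record from `docker inspect <id>`."""
    hc, cfg, f = container.get("HostConfig", {}), container.get("Config", {}), []
    if hc.get("Privileged"):
        f.append(("privileged", "critical", "all capabilities and host devices: trivial host takeover"))
    net = hc.get("NetworkMode") or ""
    if net == "host":
        f.append(("net-host", "high", "host network namespace: sniff host traffic, reach firewalled services"))
    elif net.startswith("container:"):
        f.append(("net-shared", "medium", "shares another container's network namespace: " + net))
    if hc.get("PidMode") == "host":
        f.append(("pid-host", "high", "host PID namespace: host processes visible and signalable"))
    added = {c.upper().replace("CAP_", "") for c in hc.get("CapAdd") or []}
    caps = sorted(DANGEROUS_CAPS if "ALL" in added else added & DANGEROUS_CAPS)
    if caps:
        f.append(("cap-add", "high", "dangerous capabilities added: " + ", ".join(caps)))
    binds = [b for b in hc.get("Binds") or [] if sensitive_bind(b)]
    if binds:
        f.append(("sensitive-bind", "critical", "host paths mounted: " + ", ".join(binds)))
    opts = [o for o in hc.get("SecurityOpt") or [] if o.endswith("unconfined")]
    if opts:
        f.append(("lsm-unconfined", "high", "seccomp/AppArmor profile disabled: " + ", ".join(opts)))
    if not (hc.get("Memory") and hc.get("NanoCpus") and hc.get("PidsLimit")):
        f.append(("no-limits", "medium", "no memory, CPU or pids limit: can starve or fork-bomb co-tenants"))
    if not cfg.get("User") and not hc.get("UsernsMode"):
        f.append(("root-user", "medium", "root in the container is uid 0 on the host without user namespaces"))
    return f


# Constructed records for this example: the same untrusted-code runner, configured two ways.
WEAK = {
    "Name": "/customer-runner",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False, "NetworkMode": "host", "PidMode": "",
        "CapAdd": ["SYS_ADMIN", "NET_ADMIN"], "CapDrop": [],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/jobs:/jobs:ro"],
        "SecurityOpt": ["seccomp=unconfined"],
        "Memory": 0, "NanoCpus": 0, "PidsLimit": 0, "ReadonlyRootfs": False,
    },
}
HARDENED = {
    "Name": "/customer-runner",
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "NetworkMode": "jobs-net", "PidMode": "",
        "CapAdd": [], "CapDrop": ["ALL"],
        "Binds": ["/srv/jobs:/jobs:ro"],
        "SecurityOpt": ["no-new-privileges"],
        "Memory": 536870912, "NanoCpus": 1000000000, "PidsLimit": 256, "ReadonlyRootfs": True,
    },
}

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python audit.py   (falls back to the samples)
    records = json.load(sys.stdin) if not sys.stdin.isatty() else [WEAK, HARDENED]
    for c in records:
        print(c.get("Name", "?"))
        for code, severity, detail in audit(c) or [("ok", "-", "no findings")]:
            print("  [%s] %s: %s" % (severity, code, detail))
```

The docker.sock bind is the one to remember: a container that can talk to the daemon can start a privileged sibling with the host filesystem mounted, so it is equivalent to `--privileged` even when every other setting looks conservative.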
This talk covers the fundamental problem of handling secrets (e.g., passwords, API tokens, private keys) in open source code repositories and shared access to distributed systems. If adopted, these techniques can not only help minimize the “defau...
Passwords, API tokens, and private keys are the primary access control mechanisms used in a wide range of client/server software systems, be they simple web applications, hardware appliances, or cloud based services. The Mirai and Carna botnets show what happens when default passwords are used in consumer devices. News reports of huge data breaches resulting from API tokens found in Git repositories using tools like Gitrob and TruffleHog happen repeatedly. Groups of individuals in political parties and campaigns sharing sensitive documents need easy to use mechanisms for securing login access that go beyond simple passwords, and their site reliability engineers need easier means of standing up and maintaining secure systems for them and recovering quickly when control of secrets is lost. Open source tools, techniques, and training materials will be discussed and demonstrated that are intended to raise the bar in solving these issues.
When purchasing a new domain name you would expect that you are the only one who can obtain a valid SSL certificate for it, however that is not always the case. When the domain had a prior owner(s), even several years prior, they may still possess...
Staying in a hotel can bring numerous privacy concerns. Shared WiFI, housekeeping with access to your room, weak physical security, and now security checks if you opt-out of maid service. Ever come back to your room and get the feeling your stuff ...
IoT devices often present unique and unexpected challenges for hackers to overcome.
In this talk, we provide an in-depth walk-through of how we broke custom solutions and built exploits to remotely control the targeted device as a root user. The...
A well-tuned security awareness program will fill up your team’s inbox with malware, phishing, and incident reports needing your immediate attention. With additional security tasks and multiple hats, you need to quickly analyze the malicious conte...
The ransomware protection in Windows 10 is useless
The WannaCry cyber-attack all over the world in May, 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries.
As a measure against ransomware, Microsoft introduced the function "Ransomware protection" in "Windows 10 Fall Creators Update". How does this function work? Is it really effective?
In this talk, I will explain the operating principles of "Controlled folder access" in "Ransomware protection" through a demonstration video. Then I will show the requirements for evading this function and describe how it can be evaded very easily. Finally, I will ask whether we may have to reconsider the definition of a vulnerability.
OpenWRT is stable on many cheap platforms. It does so many things. The power provided by modern embedded devices can sometimes give commercial hardware a run for its money, especially in the SoHo environment.
This talk discusses using a moderately priced home router to provide most of the features you might want in a network: enterprise WiFi, VPN (outbound AND inbound), network segmentation, redundancy, multi-WAN, dynamic routing. Do a lot with a little.
Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting s...
Introducing the speaker
Briefly discuss the presentation’s agenda
Discuss some of the problems that plague bug bounties, from both the researcher and program owner perspectives: duplicates, noisy submissions, costs, lack of standards, new tools being released frequently, and most tools not being easy to automate as they seem to be their own platform
Briefly discuss some of the technologies we will be using to build our bug hunting machine – Docker, Kubernetes, Argo
The Bug Bounty Machine
Introducing the architecture and talk about some of the components of the Bug Bounty machine – architecture walkthrough, asynchronous queuing system, microservices modular framework, ability to deploy across multiple cloud providers – (GCP, AWS)
Live Demo of how it works – walkthrough of a sample bug bounty workflow that can be implemented in the Bug Bounty machine i.e. how can the machine find a bug bounty submission before the researchers can. Also, as a researcher, how can you attack multiple programs on a scheduled basis
What we have learned while trying to build something like this – the geog...
Ethereum smart contracts have bugs: a lot of them. So many, in fact, that attackers have flocked to exploit them, but occasionally they lose money themselves. Malicious contracts that look vulnerable but are exploitative are a rising trend, and th...
Ethereum honeypot contracts combine the oldest of cons with the newest of tech. As it turns out, it’s still easy to con someone who thinks they’re a conman. These malicious contracts share one trait in common: they almost always try to look like they were designed by a beginner. As such, they are a great place to learn about some of the pitfalls that can befall a new entrant to the space, and serve as an interesting (and often entertaining) case study into the wild-west world of smart contract security. By exploring a few of the more interesting cases of not-so-vulnerable contracts, the audience can gain a deeper understanding of how smart contract security works in practice, and maybe how to beat a few scammers at their own game.
A good schematic should flow like a well written manuscript or a piece of music. Learn how to orchestrate your ideas onto the page like an electrical composer. Be careful with this knowledge, as you will begin to see poorly drawn schematics everyw...
Nothing impacts your security program as much as who you hire into it. Using Coinbase as an example, we'll talk through how we enabled a massive push to the left with our security hiring.
UEFI is borked. This is nothing new. But the tools are making it easier to mess with.
Increased feature sets combined with easy-to-use platform development kits are making UEFI hacking easier. That, combined with the UEFI code that stays resident after boot being part of the Vault 7 drop, means we are in more trouble than before. It's gotten easier. Take a look at some of the kit to see for yourself!
This talk will introduce https://InfoconDB.org - a site that aims to catalog and cross-reference all hacker conferences, similar to what IMDB does for TV/movies. We'll look at what the site catalogs and expose some interesting discoveries. For ins...
Exploding light bulbs? Yup. How safe is IOT? Can your speakers make you go blind temporarily and vomit? Yup. This talk focuses only on things that can harm or kill you.
Medical devices and IoT devices that can harm, kill, or assault you are the primary focus of this talk and the primary focus of the Critical Con conference (criticalcon.com).