
2018-12-03 ~ 2018-12-06

Presentations (with video): 46 (42)

Black Hat provides attendees with the very latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry come together for a total of four days: two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings.


Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses the security architecture of Microsoft Edge and how to escape its sandbox by abusing design flaws in its components and features.
  • Microsoft Edge's security architecture is stronger than that of its predecessor, Internet Explorer.
  • Because content runs in sandboxed processes, compromising the whole browser requires attacking the inter-process communication mechanisms and the interactions between processes and components.
  • Abusing design flaws in components and features yields bug chains that escape the sandbox.
  • These logic bugs stem from design decisions made early on, not from isolated coding mistakes.
  • Finding such logic bugs requires a deeper understanding of the target software.
  • The presentation credits Alex Ionescu and James Forshaw for their prior work in this area.
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses trusted execution environments (TEEs) and the potential of Rust as a replacement for C in certain applications.
  • TEEs are useful but are not a silver bullet for security.
  • Rust is a potential replacement for C in some applications because it can be compiled for bare-metal targets without depending on a libc.
  • Memory safety and other language features make Rust well suited to this kind of code.
  • Secure storage inside a TEE is built on processor features and their configuration.
  • Arm's TEE (TrustZone) splits the system into a Normal World and a Secure World; the Secure World's hardware, memory, and code are not accessible from the Normal World.
  • Peripherals can still be accessed from the Normal World.
Conference:  BlackHat EU 2018
2018-12-06

Secure Boot is widely deployed in modern embedded systems and is an essential part of their security model. Even when no (easy to exploit) logical vulnerabilities remain, attackers are surprisingly often still able to compromise it using Fault Injection, a so-called glitch attack. Many of these vulnerabilities are difficult to spot in the source code and can only be found by manually inspecting the disassembled binary code instruction by instruction. While the idea of using simulation to identify these vulnerabilities is not new, this talk presents a fault simulator created using existing open-source components and without requiring a detailed model of the underlying hardware. The challenges of simulating real-world targets will be discussed, as well as how to overcome most of them. An attacker in possession of the binary of his target can use such a simulator to find the ideal glitch location, while developers of these systems can use such a tool to verify the effectiveness of their countermeasures against specific types of fault attacks. We used our simulator to identify locations in the binaries of several real-world targets where, due to a successful glitch, the security could be compromised. For example, a successful glitch would result in bypassing the authentication of the next boot stage or in arbitrary code execution in the context of the boot process. This would then reveal the cryptographic keys used to protect the system or give access to additional information required to develop a more scalable attack not requiring fault injection.
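To make the glitch-location search concrete, here is an added toy fault simulator written for this page; it is not the presenters' tool and models no real CPU, hardware or target binary. It runs an invented 4-byte hash comparison from a boot stage on a minimal made-up ISA, then re-runs it once per executed instruction with that single instruction skipped (the fault model assumed here is an instruction skip, the usual effect of a clock or voltage glitch) and reports the trace positions where the skip turns a rejected image into a booted one. A hardened variant adds a loop-counter check and a redundant, inverted final comparison; the simulator shows that this removes the branch-skip bypasses but not the skips inside the comparison loop, which is the kind of countermeasure verification the abstract describes. The ISA, register names, programs and hash bytes are all constructed.

```python
"""Toy instruction-skip fault simulator for a secure-boot hash check.

Constructed example: the ISA, the programs and the hash bytes are invented
for this page; nothing here models a real CPU or the presenters' tool.
Fault model (assumed): one instruction in the dynamic trace is fetched but
its effect is lost, the common result of a clock/voltage glitch.
"""

HASH_LEN = 4
MEM = {
    "exp": [0xDE, 0xAD, 0xBE, 0xEF],  # trusted hash held in ROM
    "img": [0xDE, 0xAD, 0x00, 0xEF],  # hash of the attacker's image: byte 2 differs
}

# Comparison loop shared by both programs: acc |= img[i] ^ exp[i] for every byte.
_LOOP = [
    ("MOV", "r0", 0),             # 0  i = 0
    ("MOV", "r1", 0),             # 1  acc = 0
    ("LDB", "r2", "img", "r0"),   # 2  r2 = img[i]
    ("LDB", "r3", "exp", "r0"),   # 3  r3 = exp[i]
    ("XOR", "r2", "r2", "r3"),    # 4  r2 ^= r3
    ("OR", "r1", "r1", "r2"),     # 5  acc |= r2
    ("ADD", "r0", "r0", 1),       # 6  i += 1
    ("CMPI", "r0", HASH_LEN),     # 7
    ("BNE", 2),                   # 8  loop while i != HASH_LEN
]

VULNERABLE = _LOOP + [
    ("CMPI", "r1", 0),  # 9
    ("BNE", 12),        # 10 acc != 0 -> FAIL
    ("BOOT",),          # 11
    ("FAIL",),          # 12
]

HARDENED = _LOOP + [
    ("CMPI", "r0", HASH_LEN),  # 9  loop-counter check: every byte was compared
    ("BNE", 15),               # 10
    ("CMPI", "r1", 0),         # 11
    ("BNE", 15),               # 12 acc != 0 -> FAIL
    ("CMPI", "r1", 0),         # 13 redundant check with the opposite branch sense
    ("BEQ", 16),               # 14 only an explicit acc == 0 reaches BOOT
    ("FAIL",),                 # 15 fall-through default is FAIL
    ("BOOT",),                 # 16
]


def run(prog, mem, skip_step=None, max_steps=500):
    """Execute prog, skipping the skip_step-th executed instruction (1-based).

    Returns (outcome, executed_count); outcome is "boot", "fail",
    "crash" (out-of-bounds load) or "hang" (step budget exhausted).
    """
    regs = {"r0": 0, "r1": 0, "r2": 0, "r3": 0}
    zf = False  # zero flag written by CMPI, read by BNE/BEQ
    pc = step = 0
    while step < max_steps:
        ins = prog[pc]
        op = ins[0]
        if op == "BOOT":
            return "boot", step
        if op == "FAIL":
            return "fail", step
        step += 1
        if step == skip_step:  # the glitched instruction: pc advances, no effect
            pc += 1
            continue
        try:
            if op == "MOV":
                regs[ins[1]] = ins[2]
            elif op == "LDB":
                regs[ins[1]] = mem[ins[2]][regs[ins[3]]]
            elif op == "XOR":
                regs[ins[1]] = regs[ins[2]] ^ regs[ins[3]]
            elif op == "OR":
                regs[ins[1]] = regs[ins[2]] | regs[ins[3]]
            elif op == "ADD":
                regs[ins[1]] = regs[ins[2]] + ins[3]
            elif op == "CMPI":
                zf = regs[ins[1]] == ins[2]
            elif op == "BNE" and not zf:
                pc = ins[1]
                continue
            elif op == "BEQ" and zf:
                pc = ins[1]
                continue
        except IndexError:
            return "crash", step
        pc += 1
    return "hang", step


def find_glitches(prog, mem):
    """Trace positions (1-based) where one instruction skip boots the bad image."""
    outcome, trace_len = run(prog, mem)
    if outcome != "fail":
        raise ValueError("fault-free run must reject the image, got %s" % outcome)
    return [s for s in range(1, trace_len + 1)
            if run(prog, mem, skip_step=s)[0] == "boot"]


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        hits = find_glitches(prog, MEM)
        print("%-10s %d exploitable skip positions: %s" % (name, len(hits), hits))
```

In the vulnerable program the exploitable positions are the loop-back branch in the iterations before the mismatching byte (an early exit with acc still zero), the XOR or OR of the mismatching byte, and the final compare or branch. The hardened program is left with only the two in-loop positions, which is what a developer would then address with a second, independently computed comparison.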
Conference:  BlackHat EU 2018
2018-12-06

Two popular machine-to-machine (M2M) protocols, MQTT and CoAP, are slowly forming the backbone of many IoT infrastructures, including critical industry environments. They are used to provide data connectivity for practically any kind of "machine". We found out that these protocols are affected by security and privacy issues that impact several market verticals, applications, products, and brands.

This talk provides a security analysis of MQTT and CoAP at the design, implementation, and deployment level. We found issues in the design specifications, vulnerable product implementations, and hundreds of thousands of unsecured, open-to-the-world deployments. These issues show the risk that endpoints could be open to denial-of-service attacks and, in some cases, full control by an adversary. Despite the fixes in the design specifications, it is hard for developers to keep up with a changing standard when a technology becomes pervasive. Also, the market for this technology is very wide because the barrier to entry is fairly low. This has led to a multitude of fragmented implementations.

We analyzed the source code of the most common MQTT implementations and discovered common flaws, mostly originating from misinterpretation of the standard. In particular, we found issues in how multibyte strings, UTF-8 characters, and regular expressions are parsed. Combined with standard features that force servers to retain messages and clients to request acknowledgement of the delivery of every message, such bugs can lead to persistent denial of service. Our findings have been acknowledged by the MQTT Technical Committee, which released a note to help identify the risks.

Alongside this, we analyzed hundreds of millions of MQTT and CoAP messages obtained from hundreds of thousands of servers. Despite previous efforts to raise awareness, we still found exposed data related to various industry sectors and sensitive information, including credentials and network infrastructure details. Moreover, we found that MQTT is being used beyond messaging, to transport binary data, most likely for OTA update purposes, which certainly raises a red flag.

Using MQTT and CoAP as a concrete example of modern M2M technology, we will provide recommendations at various levels (standardization bodies, vendors, developers, and users) in the hope of seeing a significant reduction in the number of insecure deployments in the future, and a more responsible position from standardization bodies.
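The parsing points the abstract names (length-prefixed multibyte strings, UTF-8 validation, and wildcard topic filters that some implementations turn into regular expressions) are where a misread of the specification becomes a crash or a hang. The following added example, written for this page and not taken from the talk or from any broker, shows a strict reading of those parts of MQTT 3.1.1: the Remaining Length decoder is capped at four bytes, every string length is checked against the bytes actually received before slicing, the UTF-8 rules the spec imposes (no overlongs, no surrogates, no U+0000) are enforced, and topic filters are validated and matched level by level instead of being compiled into a regex. The PUBLISH parser also surfaces the RETAIN flag the abstract mentions. All packet bytes are constructed in the checks.

```python
"""Strict parser for the MQTT 3.1.1 pieces the abstract singles out.

Constructed example written for this page; it is not code from the talk or
from any broker. Section numbers refer to the MQTT 3.1.1 specification.
"""


class MalformedPacket(ValueError):
    """Raised so a bad length or encoding never reaches server state."""


def decode_remaining_length(data, offset=0):
    """Variable Byte Integer (2.2.3): at most four bytes (max 268,435,455).
    Looping until the continuation bit clears, with no cap, is the classic bug."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(data):
            raise MalformedPacket("truncated Remaining Length")
        byte = data[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise MalformedPacket("Remaining Length uses more than four bytes")


def decode_utf8_string(data, offset=0):
    """UTF-8 Encoded String (1.5.3): 2-byte big-endian length, then the bytes.
    The length is attacker-controlled and is checked before slicing; strict
    decoding rejects overlong forms and surrogates, U+0000 is rejected here."""
    if offset + 2 > len(data):
        raise MalformedPacket("truncated string length prefix")
    length = int.from_bytes(data[offset:offset + 2], "big")
    start, end = offset + 2, offset + 2 + length
    if end > len(data):
        raise MalformedPacket("string length %d exceeds packet" % length)
    try:
        text = data[start:end].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedPacket("ill-formed UTF-8: %s" % exc.reason)
    if "\x00" in text:
        raise MalformedPacket("U+0000 is not allowed in an MQTT string")
    return text, end


def validate_topic_filter(topic_filter):
    """Wildcards (4.7.1): '#' only as the whole last level, '+' only as a whole level."""
    if not topic_filter:
        raise MalformedPacket("empty topic filter")
    levels = topic_filter.split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            raise MalformedPacket("'#' must be the last level on its own: %r" % topic_filter)
        if "+" in level and level != "+":
            raise MalformedPacket("'+' must occupy a whole level: %r" % topic_filter)
    return levels


def validate_topic_name(topic):
    """Topic names (4.7.1, 4.7.3) are non-empty and carry no wildcards."""
    if not topic or "#" in topic or "+" in topic:
        raise MalformedPacket("invalid topic name: %r" % topic)
    return topic.split("/")


def topic_matches(topic_filter, topic):
    """Level-by-level match; no regex is ever built from an attacker-supplied filter."""
    flevels, tlevels = validate_topic_filter(topic_filter), validate_topic_name(topic)
    if topic.startswith("$") and flevels[0] in ("#", "+"):
        return False  # 4.7.2: wildcards never match a '$'-prefixed first level
    for i, flevel in enumerate(flevels):
        if flevel == "#":
            return True  # '#' also matches the parent itself: "sport/#" ~ "sport"
        if i >= len(tlevels) or (flevel != "+" and flevel != tlevels[i]):
            return False
    return len(flevels) == len(tlevels)


def parse_publish(packet):
    """Parse a PUBLISH packet (3.3) into its fields, validating every length."""
    if not packet or packet[0] >> 4 != 3:
        raise MalformedPacket("not a PUBLISH packet")
    qos, retain = (packet[0] >> 1) & 0x03, bool(packet[0] & 0x01)
    if qos == 3:
        raise MalformedPacket("QoS 3 is reserved")
    remaining, offset = decode_remaining_length(packet, 1)
    if offset + remaining != len(packet):
        raise MalformedPacket("Remaining Length does not match the bytes received")
    topic, offset = decode_utf8_string(packet, offset)
    validate_topic_name(topic)
    packet_id = None
    if qos:  # QoS 1/2 carry a Packet Identifier before the payload
        if offset + 2 > len(packet):
            raise MalformedPacket("missing Packet Identifier")
        packet_id, offset = int.from_bytes(packet[offset:offset + 2], "big"), offset + 2
    return {"topic": topic, "qos": qos, "retain": retain,
            "packet_id": packet_id, "payload": bytes(packet[offset:])}


def is_rejected(func, *args):
    """True if func(*args) raises MalformedPacket; lets callers assert on rejection."""
    try:
        func(*args)
    except MalformedPacket:
        return True
    return False
```

A broker that trusts the two-byte string length and slices (or memcpy's) that many bytes, or that keeps consuming Remaining Length bytes while the continuation bit is set, reads past the packet; combined with retained messages, one such packet can keep crashing every subscriber that reconnects, which is the persistent denial of service the abstract describes.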
Conference:  BlackHat EU 2018
2018-12-06

In this talk, we present a practical side-channel attack that identifies the social web service account of a visitor to an attacker's website. As user pages and profiles in social web services generally include the user's name and activities, the anonymity of a website visitor can easily be destroyed by identifying the social account.

Our attack leverages the widely adopted user-blocking mechanism, abusing its inherent property that certain pages return different content depending on whether a user is blocked by another user. Our key insight is that an account prepared by an attacker can hold an attacker-controllable binary state of blocking/non-blocking with respect to an arbitrary user on the same service. This state can be retrieved as one bit of data through a conventional cross-site timing attack when the user visits the attacker's website. We generalize this property as "visibility control," which we consider to be the fundamental assumption of our attack. Building on this primitive, an attacker with a set of controlled accounts can gain flexible control over the data leaked through the side channel. Using this mechanism, it is possible to design a robust, large-scale user identification attack on social web services.

We performed an extensive empirical study and found that at least 12 services are vulnerable: Facebook, Instagram, Tumblr, Google+, Twitter, eBay, PornHub, Medium, Xbox Live, Ashley Madison, Roblox, and Xvideos. The attack achieves 100% accuracy and finishes within a sufficiently short time in a practical setting.

We have shared details of this attack and countermeasures with service providers and browser vendors. Since then, Twitter and eBay have prevented the attack by changing their implementations. In addition, the "SameSite" cookie attribute has been added to some major browsers such as Microsoft Edge, Internet Explorer, and Mozilla Firefox.
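The construction that turns one bit per controlled account into a large-scale identification, as an added example that is not part of the abstract or the authors' code: the attacker registers one account per bit of the victim's user id and has account i block exactly the users whose id has bit i set, so ceil(log2 N) accounts identify N users; each bit is then read through the timing side channel and a median over repeated loads absorbs jitter. The social service, the attacker's accounts, the timing oracle and its noise model are all constructed stand-ins here (in the real attack the oracle is a cross-site timing measurement made by JavaScript on the attacker's page, which this offline simulation replaces with a noisy function), and the threshold is calibrated the way an attacker would, against states it already knows.

```python
"""Simulation of 'visibility control' user identification.

Constructed example written for this page, not the presenters' code. The
service, the attacker accounts, the timing oracle and its noise are invented;
the real one-bit oracle is a cross-site timing measurement in the browser.
"""
import math
import random
import statistics

ATTACKER_VIEWER = -1  # constructed id for a user account the attacker controls


class BlockingService:
    """Stand-in for a social site whose block feature changes what a viewer sees."""

    def __init__(self):
        self.blocks = {}  # account -> set of blocked viewer ids

    def block(self, account, viewer):
        self.blocks.setdefault(account, set()).add(viewer)

    def page_visible(self, account, viewer):
        return viewer not in self.blocks.get(account, set())


def timing_oracle(service, account, viewer, rng):
    """Constructed timing stand-in: a blocked viewer gets a short error page
    (fast), an allowed viewer the full profile (slow), plus Gaussian jitter."""
    base_ms = 40.0 if service.page_visible(account, viewer) else 25.0
    return base_ms + rng.gauss(0.0, 6.0)


def setup_attacker(service, num_users):
    """One attacker account per bit of the user id: account i blocks every user
    whose id has bit i set, so the blocked/visible pattern across the k
    accounts spells out the viewer's id. k = ceil(log2(num_users))."""
    k = max(1, math.ceil(math.log2(num_users)))
    accounts = ["atk%d" % i for i in range(k)]
    for user in range(num_users):
        for i, account in enumerate(accounts):
            if user >> i & 1:
                service.block(account, user)
    return accounts


def calibrate(service, rng, samples=21):
    """The attacker measures states it knows (its own viewer blocked by one of
    its accounts, allowed by another) and puts the threshold in between."""
    service.block("cal_blocked", ATTACKER_VIEWER)
    blocked = statistics.median(
        timing_oracle(service, "cal_blocked", ATTACKER_VIEWER, rng) for _ in range(samples))
    visible = statistics.median(
        timing_oracle(service, "cal_open", ATTACKER_VIEWER, rng) for _ in range(samples))
    return (blocked + visible) / 2


def identify(service, accounts, victim, threshold, rng, samples=21):
    """Recover the visitor's id one bit per account; the median of repeated
    timings keeps a single jittery load from flipping a bit."""
    user = 0
    for i, account in enumerate(accounts):
        median_ms = statistics.median(
            timing_oracle(service, account, victim, rng) for _ in range(samples))
        if median_ms < threshold:  # fast page => victim is blocked => bit i set
            user |= 1 << i
    return user


def demo(num_users=4096, victims=(0, 1, 1337, 4095), seed=1234):
    """Set up the attack against a constructed service and identify a few visitors."""
    rng = random.Random(seed)
    service = BlockingService()
    accounts = setup_attacker(service, num_users)
    threshold = calibrate(service, rng)
    return len(accounts), [identify(service, accounts, v, threshold, rng) for v in victims]


if __name__ == "__main__":
    print(demo())
```

The cost scales logarithmically in the user population, which is what makes the attack large-scale: a service with a billion accounts needs 30 attacker accounts and 30 timed page loads per visitor. The SameSite cookie attribute mentioned in the abstract breaks the oracle at the source, because the cross-site request from the attacker's page is no longer sent with the victim's session cookie, so the service cannot tell whether the viewer is blocked.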
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses the Thermanator attack, a thermal side-channel attack that recovers passwords from the heat residue left on external keyboards, and studies its success rate and the factors that affect it.
  • Thermanator is a thermal side-channel attack: a thermal camera images the residue that fingers leave on the keys after a password is typed.
  • The attack can be opportunistic (a thermal camera that happens to be present) or orchestrated (the attacker places one in advance).
  • Success depends on factors such as password strength, typing style, and keyboard type.
  • Hunt-and-peck typists are more exposed than touch typists, whose resting fingers leave residue on keys they did not press.
  • The full set of pressed keys can be recovered up to 30 seconds after entry, and a partial set up to one minute after.
  • The residue did not yield reliable information about the order of the key presses.
  • The study provides a distance metric for evaluating the attack against non-random passwords.
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

BLE (Bluetooth Low Energy) chips, usually regarded as mere peripheral chips, can be attacked, and a compromised chip can lead to a breach of the network it sits in. Access points and other network infrastructure devices are themselves unmanaged devices, which makes them vulnerable.
  • BLE chips, often dismissed as peripheral chips, are an attack surface in their own right.
  • Access points and network infrastructure devices are unmanaged devices: no security agent runs on them.
  • A compromised BLE chip can be the stepping stone to a network breach.
  • An attack on the BLE chip can therefore escalate into an attack on the entire network.
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses the dangers of deepfake technology and proposes a deep-learning approach to identifying sophisticated deepfake videos.
  • Deepfake technology is an AI-based method for blending human images into video; the fabricated footage can cause chaos and inflict economic and reputational damage.
  • Fabricated videos of politicians, spread as cyber propaganda, can be catastrophic for a country's government.
  • The proposed detector fine-tunes a pre-trained FaceNet model on images of the people of interest or concern.
  • The embeddings produced by the model's final layer for those people are stored in a database; a video is checked by comparing the embeddings extracted from its frames against the stored ones.
  • Defensive measures against deepfakes are also discussed.
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses a steganographic system for storing hidden data on a computer without detection.
  • A kernel module hides the data in file system slack space, the unused bytes between the end of a file and the end of its last allocated block.
  • A user-space utility provides access to the hidden data.
  • The system is designed to provide plausible deniability and can be used for covert communication.
  • It runs quickly and efficiently on modern hardware.
Conference:  BlackHat EU 2018
2018-12-06

tldr - powered by Generative AI

The presentation discusses using neural networks to detect and prevent cyber attacks, specifically detecting exploit kits from the sequences of content types they deliver.
  • Neural networks can be used to detect and prevent cyber attacks.
  • The focus is on exploit kits and the sequences of content types that a browser fetches during an exploit-kit infection.
  • Examples of different exploit kits and their characteristics are given.
  • A recurrent neural network (RNN) model is trained to classify these content-type sequences.
  • Tested on both benign and malicious sequences, the model successfully flags the malicious ones.