logo
Dates

Author


Conferences

Tags

Sort by:  

Conference:  Defcon 31
Authors: Tom Pohl Principal Consultant and the Penetration Testing Team Manager at LMG Security
2023-08-01

Firmware and software binaries are littered with private keys, legitimate CA-blessed certificates, and encryption keys—but hardly anyone notices. These secrets are often obfuscated or otherwise hidden in ways that weren’t intended to be found. I’ll show three real-world examples from popular manufacturers (Netgear, Fortinet and Dell), and demonstrate techniques for uncovering them. In the most extreme example, an adversary can use an obfuscated key to gain access to any customer’s vCenter environment. I’ll start with a straightforward look at Netgear firmware and show methods for discovering private keys in PEM-encoded text files. We’ll dig into the Fortinet firmware, which contained custom obfuscated archive files, and show how to extract Apple and Google issued certificates and I will also show that 3 year awaited “fix” did not adequately solve the issue. Finally, I’ll dig into the worst case: a static AES encryption key within Dell software used to connect to vCenter. I'll demonstrate how retrieve, decompile and use a static AES key which will decrypt vCenter credentials. The key is the same for EVERY customer. This has not been talked about anywhere publicly. I’ll conclude by discussing the importance of developer training, proper key management, and (above all), identifying and eliminating this systemic practice.
Conference:  Defcon 31
Authors: Bohan Liu Senior Security Researcher, Tencent, GuanCheng Li Senior Security Researcher at Tencent Security Xuanwu Lab, Zheng Wang Senior Security Researcher at Tencent Security Xuanwu Lab
2023-08-01

Chromium is not only the most popular browser in the world but also one of the most widely integrated supply chain components. Nowadays, a large number of popular software is built on frameworks based on Chromium, such as CEF and Electron. This means that vulnerabilities in Chromium will directly affect popular software. In addition, according to Google's vulnerability disclosure policy, most of the details of Chromium vulnerabilities will be publicly disclosed 14 weeks after being fixed, and many of these vulnerabilities are high-impact and may lead to RCE. Unfortunately, we have found that much downstream software is unable to timely fix the Chromium vulnerabilities. This creates a window of opportunity for attackers to carry out RCE attacks on popular software. The cost for attackers to exploit these vulnerabilities during this window is relatively low, as it falls between the time of the Chromium vulnerability disclosure and the completion of fixes for popular software. We refer to this window as the "RCE window period". In this topic, we will first evaluate the "RCE window period" of more than 20 popular software. In the upcoming section, we will showcase how to transform Chromium nday vulnerabilities into popular software 0day vulnerabilities in a low-cost manner within the "RCE window period". To illustrate this process, we will use over 10 RCE 0day vulnerabilities in popular software that we have discovered as examples. Some software will attempt to enable sandbox to mitigate this problem, so we will also provide examples of how to bypass the sandbox by exploiting vulnerabilities in the software itself rather than a Chromium sandbox bug. Finally, we will discuss the reasons for the existence of the RCE window period and the lessons learned from it, hoping to help software developers improve the security of their products.
Authors: Ian Lewis, Asra Ali
2023-04-21

tldr - powered by Generative AI

The importance of attestation data in securing the software delivery pipeline and the need for a verification process to establish trust in the attestation data.
  • Attestation data provides proof of an event and allows tracing of outputs from inputs in the software delivery pipeline.
  • Verification process is necessary to ensure integrity and authenticity of the attestation data.
  • Integrity ensures that the attestation data cannot be tampered with, while authenticity ensures identification of the attestation creator.
  • Non-forigibility and non-perishability ensure that the attestation content cannot be influenced by users operating the pipeline.
  • Complete zero trust in the system is necessary to establish trust in the attestation data.
Authors: Kim Wuyts
2023-02-15

tldr - powered by Generative AI

The presentation discusses the importance of threat modeling in ensuring privacy and security in software development. It highlights the different approaches and resources available for successful threat modeling.
  • Threat modeling is crucial for ensuring privacy and security in software development
  • There are different approaches and resources available for successful threat modeling, such as the Threat Modeling Manifesto, Linden, and Stride
  • Threat modeling should be done early in the development cycle, but it's never too late to do it
  • Threat modeling should be a continuous process and the output should be used as input for subsequent steps
  • Threat modeling can be easy and fun, as illustrated by the example of analyzing a doll's privacy risks
Authors: David Korczynski, Adam Korczynski
2022-10-28

tldr - powered by Generative AI

The importance of integrating fuzzing into open source software (OSS) development to identify security vulnerabilities and improve code quality
  • Fuzzing involves generating random inputs to test software for bugs and vulnerabilities
  • Integrating fuzzing into OSS development can save CPU resources and improve code quality
  • Fuzzing can identify security vulnerabilities, such as unauthenticated control plane denial of service attacks
  • Tools like Fast Introspector can help identify complex code and entry points for fuzzing
  • Improving tool support and identifying security issues in memory safe languages are priorities for organizations
  • Collaboration and sponsorship from maintainers, the CNCF, and the Open Source Technology Improvement Fund are important for advancing fuzzing in OSS development
Authors: Brendan O'Leary
2022-10-27

tldr - powered by Generative AI

The presentation discusses the challenges faced by organizations and individual contributors in contributing to open source projects and the importance of understanding the bigger picture beyond software supply chain security.
  • Open source software has become critical in the world and is eating into organizations that employ them
  • Incentivizing and understanding the contribution to revenue is a challenge for organizations
  • Maintaining sustainability of open source projects is a big question
  • Understanding the people connections and relating it to the finance side of things is critical for open source projects
  • Individual contributors face challenges in understanding collaboration, transactional vs social relationships, and software incentives
Authors: Jacques Chester
2022-06-22

tldr - powered by Generative AI

The presentation discusses the challenges of identifying and reducing cybersecurity risks in software projects, and the need for a combination of objective data and expert input.
  • The speaker emphasizes the importance of honest probabilities and dollars in assessing risk.
  • There are numerous software projects, creating a sparsity problem for expert opinions.
  • Automated tools like the Criticality Score and Harvard Census can help identify high-risk projects, but they have limitations.
  • Human input is necessary to fill in gaps in data and provide context, but experts may have biases and limited knowledge.
  • Prediction markets can be a useful tool for eliciting expert opinions, but they require high liquidity to be effective.
Authors: Matt Jarvis, Steve Hendrick
2022-06-21

tldr - powered by Generative AI

The main theme of the conference presentation is the importance of involving developers in improving security knowledge and leveraging specialized security tools to automate security processes in DevOps. The presentation also emphasizes the need to rely on vendors for guidance and to follow best practices for security policy.
  • Involving developers in improving security knowledge and empowering them to make decisions based on guidance and feedback can be effective in improving security posture.
  • Leveraging specialized security tools, such as FAST, is crucial for providing guidance and insight for identifying security risks.
  • Relying on vendors for guidance and help in solving security problems is necessary due to the complexity of identifying security risks.
  • Automating security processes is essential for addressing security issues without impacting the speed of innovation.
  • Following best practices for security policy, such as those provided by the Linux Foundation's Secure Software Development course, can help organizations understand their current security posture and improve it over time.
Authors: Rose Judge, Joshua Lock
2022-06-21

tldr - powered by Generative AI

The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
  • Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
  • There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
  • Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
  • Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations
Authors: Sam Stepanyan, Tom Brennan
2021-09-24

tldr - powered by Generative AI

The presentation discusses the importance of OWASP chapters in advancing tactical knowledge and understanding software security. It emphasizes the value of membership and consistent meetings in recruiting attendees and building a community.
  • OWASP chapters are important in advancing tactical knowledge and understanding software security
  • Multiple people in the chapter should share a common bond and understanding
  • Understanding historical changes and policies can help utilize operational processes
  • OWASP has around 300 projects on its list, constantly growing every day
  • Existing projects can be used as content for meetings and collaboration
  • Recruiting attendees is not difficult if the focus is on software security
  • Membership is important in shaping the direction of the organization and building a global community
  • Consistent meetings and virtual components are useful in building a community