Conference:  Defcon 31
Authors: Andrew Brandt Principal Researcher, Sophos X-Ops
2023-08-01

One common thread runs through a recent wave of (initially, successful) targeted malware attacks I've investigated: The attackers communicated with their targets, personally, using social engineering in real-time, in order to lay the groundwork for the rest of the attack to succeed. Throughout the course of several post-breach investigations, it became apparent that -- for a certain kind of target and a particular class of attacker -- engaging the victim in direct conversation was far more effective at assuring the target infected their computer than crafting a believable-looking "malspam" email that would "fool" the target into clicking a link or opening a file. The attackers did not need to be charismatic for the technique to succeed. In fact, so long as the attacker "got into character" and treated the interaction as a normal, everyday event (from their perspective), the targets went along for the ride, and in many cases, self-infected with malware that was capable of snooping through their most sensitive files. In this session, we'll discuss both the social engineering and technical aspects of the attacks, and why this combination of tactics is particularly dangerous and hard to defend against.
Conference:  Defcon 31
Authors: James Kettle Director of Research, PortSwigger
2023-08-01

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs at high-profile websites to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. To handle this explosion of attack surface, I'll share a polished methodology designed to help you eke out subtle tell-tale clues and scent blood long before sacrificing anything to the RNG gods. I've also taken lore amassed over years of research into HTTP Desync Attacks and developed a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release free online labs so you can try out your new skillset immediately.
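The "limit-overrun" race the abstract treats as the familiar baseline is worth seeing concretely before the more exotic state-machine collapses. The following is an added example written for this page, not code from the talk, PortSwigger or the released tool: a single-use coupon with a check-then-act redemption, a salvo of 30 concurrent attempts released together (a stand-in for the synchronized burst the talk describes), and the same transition made atomic by holding a lock across the check and the write. The `Coupon`, `RedeemRacy`, `RedeemSafe` and `Salvo` names, and the simulated latency between check and act, are assumptions of the example.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Coupon is a single-use discount code. Its state machine has two states,
// unused -> redeemed, and the transition must fire at most once per coupon.
type Coupon struct {
	mu   sync.Mutex
	used bool
}

// RedeemRacy is the vulnerable check-then-act. The read of `used`, the
// simulated back-end round-trip, and the write are three separate steps, so
// every request that reads `used == false` inside the window is honoured.
func (c *Coupon) RedeemRacy() bool {
	if c.used {
		return false
	}
	time.Sleep(20 * time.Millisecond) // assumed: latency between check and act
	c.used = true
	return true
}

// RedeemSafe performs the same work but holds the lock across check and act,
// so concurrent attempts serialize and only the first sees `used == false`.
func (c *Coupon) RedeemSafe() bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.used {
		return false
	}
	time.Sleep(20 * time.Millisecond)
	c.used = true
	return true
}

// Salvo releases n redemption attempts at once and counts how many succeed.
// A start barrier makes every goroutine enter redeem() in the same instant,
// which is the effect a synchronized request burst has on a real server.
func Salvo(n int, redeem func() bool) int {
	var wins int32
	var start, done sync.WaitGroup
	start.Add(1)
	for i := 0; i < n; i++ {
		done.Add(1)
		go func() {
			defer done.Done()
			start.Wait() // block until the whole salvo is released
			if redeem() {
				atomic.AddInt32(&wins, 1)
			}
		}()
	}
	start.Done() // fire
	done.Wait()
	return int(atomic.LoadInt32(&wins))
}

func main() {
	fmt.Println("racy redemptions of one coupon:", Salvo(30, (&Coupon{}).RedeemRacy))
	fmt.Println("safe redemptions of one coupon:", Salvo(30, (&Coupon{}).RedeemSafe))
}
```

Run it and the racy coupon is redeemed many times while the locked one is redeemed exactly once. The lock here is a stand-in for whatever gives a real application an atomic transition, typically a database row lock or a conditional `UPDATE ... WHERE used = false` whose affected-row count decides the outcome; a separate SELECT followed by an UPDATE reproduces the racy version no matter how fast the round-trip is.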
Authors: Ric Campo
2021-09-24

tldr - powered by Generative AI

The presentation covers the top three major breaches reported via Have I Been Pwned in the APAC region in 2021, offering a summary of the publicly known information, how the attacks occurred, and tips on how to prevent these types of attacks.
  • Have I Been Pwned is a platform created and maintained by Troy Hunt that allows users to check whether their email address or password has appeared in a known breach
  • The presentation covers three major breaches in the APAC region: Raychat, Oxfam Australia, and Domino's India
  • For Raychat, basic security guidelines and vendor recommendations should be followed, and free resources like OWASP should be utilized
  • For Oxfam Australia, a good security program with good detection systems is essential, and people should be trained and controls should be implemented
  • For Domino's India, security involves all parts of the business, including third-party programs, and it's important to help those businesses protect themselves
  • An anecdote about the Raychat breach is provided, highlighting the importance of honesty and helping customers secure their data
  • References are provided for those interested in learning more