Dates
Conferences
Tags
Sort by:
Most recent
Conference: Defcon 31
Authors: Tom Pohl Principal Consultant and the Penetration Testing Team Manager at LMG Security
2023-08-01
Firmware and software binaries are littered with private keys, legitimate CA-blessed certificates, and encryption keys—but hardly anyone notices. These secrets are often obfuscated or otherwise hidden in ways that weren’t intended to be found. I’ll show three real-world examples from popular manufacturers (Netgear, Fortinet and Dell), and demonstrate techniques for uncovering them. In the most extreme example, an adversary can use an obfuscated key to gain access to any customer’s vCenter environment.
I’ll start with a straightforward look at Netgear firmware and show methods for discovering private keys in PEM-encoded text files. We’ll dig into the Fortinet firmware, which contained custom obfuscated archive files, and show how to extract Apple and Google issued certificates and I will also show that 3 year awaited “fix” did not adequately solve the issue.
Finally, I’ll dig into the worst case: a static AES encryption key within Dell software used to connect to vCenter. I'll demonstrate how retrieve, decompile and use a static AES key which will decrypt vCenter credentials. The key is the same for EVERY customer. This has not been talked about anywhere publicly.
I’ll conclude by discussing the importance of developer training, proper key management, and (above all), identifying and eliminating this systemic practice.
Conference: Defcon 31
Authors: Bohan Liu Senior Security Researcher, Tencent, GuanCheng Li Senior Security Researcher at Tencent Security Xuanwu Lab, Zheng Wang Senior Security Researcher at Tencent Security Xuanwu Lab
2023-08-01
Chromium is not only the most popular browser in the world but also one of the most widely integrated supply chain components. Nowadays, a large number of popular software is built on frameworks based on Chromium, such as CEF and Electron. This means that vulnerabilities in Chromium will directly affect popular software. In addition, according to Google's vulnerability disclosure policy, most of the details of Chromium vulnerabilities will be publicly disclosed 14 weeks after being fixed, and many of these vulnerabilities are high-impact and may lead to RCE. Unfortunately, we have found that much downstream software is unable to timely fix the Chromium vulnerabilities. This creates a window of opportunity for attackers to carry out RCE attacks on popular software. The cost for attackers to exploit these vulnerabilities during this window is relatively low, as it falls between the time of the Chromium vulnerability disclosure and the completion of fixes for popular software. We refer to this window as the "RCE window period".
In this topic, we will first evaluate the "RCE window period" of more than 20 popular software. In the upcoming section, we will showcase how to transform Chromium nday vulnerabilities into popular software 0day vulnerabilities in a low-cost manner within the "RCE window period". To illustrate this process, we will use over 10 RCE 0day vulnerabilities in popular software that we have discovered as examples. Some software will attempt to enable sandbox to mitigate this problem, so we will also provide examples of how to bypass the sandbox by exploiting vulnerabilities in the software itself rather than a Chromium sandbox bug.
Finally, we will discuss the reasons for the existence of the RCE window period and the lessons learned from it, hoping to help software developers improve the security of their products.
Conference: Global AppSec Dublin 2023
Authors: Kim Wuyts
2023-02-15
tldr - powered by Generative AI
The presentation discusses the importance of threat modeling in ensuring privacy and security in software development. It highlights the different approaches and resources available for successful threat modeling.
- Threat modeling is crucial for ensuring privacy and security in software development
- There are different approaches and resources available for successful threat modeling, such as the Threat Modeling Manifesto, Linden, and Stride
- Threat modeling should be done early in the development cycle, but it's never too late to do it
- Threat modeling should be a continuous process and the output should be used as input for subsequent steps
- Threat modeling can be easy and fun, as illustrated by the example of analyzing a doll's privacy risks
Conference: SupplyChainSecurityCon 2022
Authors: Jacques Chester
2022-06-22
tldr - powered by Generative AI
The presentation discusses the challenges of identifying and reducing cybersecurity risks in software projects, and the need for a combination of objective data and expert input.
- The speaker emphasizes the importance of honest probabilities and dollars in assessing risk.
- There are numerous software projects, creating a sparsity problem for expert opinions.
- Automated tools like the Criticality Score and Harvard Census can help identify high-risk projects, but they have limitations.
- Human input is necessary to fill in gaps in data and provide context, but experts may have biases and limited knowledge.
- Prediction markets can be a useful tool for eliciting expert opinions, but they require high liquidity to be effective.
Conference: SupplyChainSecurityCon 2022
Authors: Matt Jarvis, Steve Hendrick
2022-06-21
tldr - powered by Generative AI
The main theme of the conference presentation is the importance of involving developers in improving security knowledge and leveraging specialized security tools to automate security processes in DevOps. The presentation also emphasizes the need to rely on vendors for guidance and to follow best practices for security policy.
- Involving developers in improving security knowledge and empowering them to make decisions based on guidance and feedback can be effective in improving security posture.
- Leveraging specialized security tools, such as FAST, is crucial for providing guidance and insight for identifying security risks.
- Relying on vendors for guidance and help in solving security problems is necessary due to the complexity of identifying security risks.
- Automating security processes is essential for addressing security issues without impacting the speed of innovation.
- Following best practices for security policy, such as those provided by the Linux Foundation's Secure Software Development course, can help organizations understand their current security posture and improve it over time.
Conference: SupplyChainSecurityCon 2022
Authors: Rose Judge, Joshua Lock
2022-06-21
tldr - powered by Generative AI
The presentation discusses the importance of reproducibility in software development pipelines and infrastructure for better security and transparency. It provides three levels of reproducibility and their supply chain security implications.
- Reproducibility in software development pipelines and infrastructure is crucial for better security and transparency
- There are three levels of reproducibility: unscripted builds, repeatable builds, and rebuildable builds
- Rebuildable builds control all explicit inputs for a build and can produce an equivalent artifact that can be reproduced at any future point in time
- Achieving reproducible builds requires engineering effort and long-term storage, which can be costly for some organizations
Conference: OWASP 20th Anniversary Event
Authors: Sam Stepanyan, Tom Brennan
2021-09-24
tldr - powered by Generative AI
The presentation discusses the importance of OWASP chapters in advancing tactical knowledge and understanding software security. It emphasizes the value of membership and consistent meetings in recruiting attendees and building a community.
- OWASP chapters are important in advancing tactical knowledge and understanding software security
- Multiple people in the chapter should share a common bond and understanding
- Understanding historical changes and policies can help utilize operational processes
- OWASP has around 300 projects on its list, constantly growing every day
- Existing projects can be used as content for meetings and collaboration
- Recruiting attendees is not difficult if the focus is on software security
- Membership is important in shaping the direction of the organization and building a global community
- Consistent meetings and virtual components are useful in building a community