Post on 21-May-2020

www.TASK.to © Toronto Area Security Klatch 2018

• Calian is tonight’s sponsor! Thank you!

• Three CPE for ISC2, attendance verification for ISACA

• SecTor final speakers announced. TASK2018 and TASKExpo2018

• CanHack Student CyberSecurity Competition – Haseeb Khawaj

• Jobs and other events?

Def Con 26 Highlights

• Def Con 26 Speakers!

• https://www.defcon.org/html/defcon-26/dc-26-speakers.html

• Def Con 28 Archive is Live

• https://defcon.org/html/links/dc-archives/dc-26-archive.html

Black Hat 2018 Highlights

• Black Hat 2018 Speakers!

• https://www.blackhat.com/us-18/speakers/

• Black Hat 2018 Presentations / Archives

• http://www.blackhat.com/us-18/briefings.html

BSidesLV 2018 Highlights

• Website!

• https://www.bsideslv.org/

• Archive will eventually appear at:

• https://www.bsideslv.org/archive/

• Videos from 2018 are online at:

• https://www.youtube.com/channel/UCpNGmljppAJbTIA5Msms1Pw/videos

• Brian Bourne

• Christoph Hebeisen

• Dillon Aykac

• Geoffrey Vaughan

• Joshua Arsenio

• Kristina Balaam

• Milos Stojadinovic

• Paul O’Grady

Brian Bourne

Been to Defcon 17 times, BlackHat some number like 15. I’m old.

Applied Self-Driving Car Security

Charlie Miller and Chris Valasek

• Premise

• In the not too distant future, we'll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attack of these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self driving cars work, how they might be attacked, and how they can ultimately be secured.

• Currently working at Cruise Automation (GM), formerly Uber

• Made famous by the Jeep Hack

• So what’s new?

• They are spending a lot more time on the defensive side

• Discussion of how autonomous works today

• Discussion of protections, physical and technical

Legal Liability for IOT Cybersecurity Vulnerabilities

Link to prez: https://i.blackhat.com/us-18/Thu-August-9/us-18-Palansky-Legal-Liability-For-IoT-Vulnerabilities.pdf

Ijay Palansky

• Pathways

• Data breach

• IoT ransomware

• DDoS attacks

• Privacy-related

• Potential for cyber-physical

• Adhere to standards as a start (need some standards first)

• Don’t over promise security

• Act responsibly and invest in security

• Allocate risk (contracts upstream/downstream/warnings/instructions)

• Risk assessment and hazard analysis

• Word control

• Warnings for all anticipated uses

• Manuals

• Marketing

• Insurance

Christoph Hebeisen

BH/DC repeat attender, “But-how-does-it-work” Reverse Engineer, Recovering Ex-Physicist

Senior Manager, App Security Intelligence - Lookout

DEFCON: You'd better secure your BLE devices or we'll kick your butts!

https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Cauquil

Damien "virtualabs" Cauquil

• Bluetooth Low Energy Swiss Army Knife

• https://github.com/virtualabs/btlejack

• Can handle new and existing connections

• Uses cheap hardware (MICRO:BIT ~ $15)

• Three advertising channels

• 40 channels total

• 37-channel hopping sequence

• Connection setup on one of three advertising channels

• CONNECT_REQ contains all information necessary to follow the connection

• Identify ACCESS ADDRESS unique to every connection

• Observe interval between packets on one channel (37 * hop interval)

• Observe interval between packets on two different channels to determine hop increment

Challenges:

• Sequence can contain repeating channels (to exclude some channels)

• Protocol allows on-the-fly changes of the sequence
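To make the hop-sequence arithmetic above concrete, here is an added example (not code from the talk or from btlejack) that simulates the BLE channel selection algorithm #1 in Python: it shows why a full channel map makes each channel recur every 37 connection events, why a reduced channel map makes some channels repeat sooner (the first challenge listed above), and the mod-37 arithmetic that ties two channel observations to the hop increment. The function names, the starting unmapped channel and the channel maps are assumptions of this example, not values from the talk.

```python
"""Added example: simulation of BLE channel selection algorithm #1 (hop sequence)."""

DATA_CHANNELS = 37  # data channels 0..36; 37, 38 and 39 are the advertising channels


def next_channel(last_unmapped, hop_increment, channel_map):
    """One step of CSA #1. Returns (new unmapped channel, channel actually used).

    channel_map is the set of data channels the connection may use. An unmapped
    channel outside that set is remapped into the used set, which is why a reduced
    channel map makes some channels repeat sooner than every 37 events.
    """
    unmapped = (last_unmapped + hop_increment) % DATA_CHANNELS
    if unmapped in channel_map:
        return unmapped, unmapped
    used = sorted(channel_map)
    return unmapped, used[unmapped % len(used)]


def hop_sequence(hop_increment, channel_map, events=37, start_unmapped=0):
    """Channels used by the next `events` connection events (start value is an assumption)."""
    unmapped = start_unmapped
    seq = []
    for _ in range(events):
        unmapped, ch = next_channel(unmapped, hop_increment, channel_map)
        seq.append(ch)
    return seq


def revisit_gaps(seq, channel):
    """Connection events between successive appearances of `channel` in seq.

    On the air this is the time between two packets seen on one channel divided
    by the hop interval; with a full channel map it is always 37 events.
    """
    idx = [i for i, c in enumerate(seq) if c == channel]
    return [b - a for a, b in zip(idx, idx[1:])]


def hop_increment_from_two_observations(chan_a, chan_b, events_between):
    """Full channel map only: after k events the channel is (a + k*inc) mod 37.

    37 is prime, so any k that is not a multiple of 37 has an inverse mod 37 and
    inc = (b - a) * k^-1 mod 37. Raises ValueError when k is a multiple of 37.
    """
    k_inv = pow(events_between % DATA_CHANNELS, -1, DATA_CHANNELS)
    return ((chan_b - chan_a) * k_inv) % DATA_CHANNELS


if __name__ == "__main__":
    full = set(range(DATA_CHANNELS))
    reduced = set(range(10, DATA_CHANNELS))  # constructed map: channels 0..9 excluded
    seq_full = hop_sequence(7, full, events=74)
    seq_reduced = hop_sequence(7, reduced, events=74)
    print("full map, gaps for channel 7:", revisit_gaps(seq_full, 7))        # [37]
    print("reduced map, gaps for channel 17:", revisit_gaps(seq_reduced, 17))  # [12, 25, 12]
    print("hop increment from", seq_full[0], "then", seq_full[5], "5 events later:",
          hop_increment_from_two_observations(seq_full[0], seq_full[5], 5))   # 7
```

Python 3.8 or later is needed for `pow(x, -1, m)`. The point for a defender is that every input to this simulation is a public link-layer parameter, which is why encryption and payload authentication, not the hopping pattern, are what protect a connection.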

• Supervisory timeout after a certain number of missed keepalive packets

• Jamming can trigger a one-sided timeout

• Attacker can take over connection

[Diagram: timeline of Central, Peripheral and Attacker; jamming leads to a timeout on one side]

• BLE connections can be intercepted and even hijacked over-the-air even if we do not capture the CONNECT_REQ PDU

• Encryption could make the attacks more complex

• Payload data authentication can prevent hijacking

Dillon Aykac

Software Developer at Autocase

My first time at DEF CON

Using Docker since 2015

nixhatter

dillon@nixx.co

An Attacker Looks at Docker: Approaching Multi-Container Applications

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Wesley%20McGrew/

Wesley McGrew

What is Docker?

• Docker is a tool designed to make it easier to create, deploy, and run applications by using containers

• Containers – a standardized unit of software

• Essentially a config file for virtual machines

• Lightweight, easy to share, easy to deploy

Why Should You Use Docker?

Looking at Docker from the Red

• Exploiting multi-container vs monolithic systems

• Monolithic - Specific knowledge of the platform is required

• Multi-container – Leverage system/network-level post-exploitation and sniffing tools

• Docker inherently trusts the internal network by default

• This gives an attacker many opportunities to pivot once they’re in

• Docker has no fingerprint when looking at it from the outside

Example

Source: Wesley McGrew

Takeaways

• Existing networking skills can be used

• Containers should not be trusted

• Having a basic understanding of new technologies can go a long way

• The trendy/new thing is not that new

• Docker is actually pretty cool

Geoff Vaughan @mrvaughan

A Canadian Goes to DEFCON

• Connect with people I only see a couple times a year (even those that live 10 minutes away from me)

• See my boss and colleagues that I only see once a year.

• Hack something?

• Reminded that what we do matters

• You never know how you can impact people years later

• Renewed my resolve to help others, and put in that extra time into the many side projects we accumulate

Event: Hack-n-moose.ca

Hack-n-Moose

• You brought Timbits or Ketchup chips with you to share at the party

• You can perform a full rendition of ‘Log Driver’s Waltz’ or ‘Barrett’s Privateers’ from memory

• Any Tattoo depicting a Canadian flag, Maple leaf, beaver, or Canadian landscape

• You know someone from Canada not at Defcon who the person at the door also knows - “Do you know Doug... from Canada?”

• You arrived dressed as a Canadian

• We can just tell by your accent

• Proof you’ve been screeched in

• Your laptop or BlackBerry has a French Canadian keyboard

• Enough Kinder Eggs to share

• You can come with a Canadian flag sewn on your backpack but we may still require additional evidence

• Your home town is famous for _____ and you brought some.

• 1 large bottle of Maple Syrup from duty free

• You are wearing a Canadian security conference T-Shirt or Hoodie

• Enough chocolate bars not available in the US to share with the party

• You brought a two-four of a Canadian beer to share

• 1kg Canadian Steel or Aluminium

• 1kg bag of Canadian cheese curds (US border regulation)

• 1L of Chic Choc, Newfie Screech or Canadian Liquor

• You arrive dressed as a Mountie, Bonhomme Carnaval, or a Beaver

• You arrive with a famous Canadian

• You portage your own canoe to the party

• You brought a cod to kiss and are prepared to perform screeching in ceremonies

• You brought goalie equipment

• You arrived with enough mini sticks for a game of shinny

• You brought a guitar and are willing to perform a set of Tragically Hip or Rush songs, if you'd rather sing Carly Rae that's ok too.

Workshop

Reverse Engineering OpenSCAD

• https://www.openscad.org/cheatsheet/

https://www.securityinnovation.com/company/news-and-events/press-releases/security-innovation-steven-danneman-digital-side-door-attack-surfaces-def-con26

Your Bank's Digital Side Door

Steven Danneman

• OFX - Open Financial Exchange protocol that allows 3rd parties (Quicken, Quickbooks, mint.com, etc) to connect to your banking data and issue transactions.

• Requires you to give your banking password to these third parties

• Third party must store it in plaintext so that they can use it to make the OFX connection

• Limited support for 2FA; in some cases PVQs or two-step verification is available.

• Wrote a tool to assess all exposed OFX servers and found over 30 different implementations

• Lots of disclosures in process.

Workshop with Joe Grand

https://www.crowdsupply.com/grand-idea-studio/opticspy

Optical Spy Receiver - Detecting Covert Optical Side Channels

• 4 hour workshop to build the device

• Mine wasn’t finished by the end of it so it was a homework project

• Lots of SMD components

• Purpose was to build an optical receiver that can read serial data transmitted through LED’s

• Some devices were found to tie their status lights to transmission data and be read with this (accidental covert channels)

• Routers

• MFA hardware tokens

• Cryptocurrency wallets.

• Anything with an LED (or UV/IR light)
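An added example (not the workshop's firmware or Joe Grand's code) that shows how little it takes for such an LED to become a data channel: it decodes 8N1 serial bytes from a brightness sample stream of the kind an optical receiver would capture from a status LED wired to a UART TX line. The sample rate, the brightness threshold and the waveform generator that stands in for a real capture are assumptions of the example.

```python
"""Added example: decode 8N1 serial data from brightness samples of a status LED
wired to a UART TX line (the accidental optical channel described above)."""

SAMPLES_PER_BIT = 8   # sampling rate / baud rate; assumed constant for the example
THRESHOLD = 0.5       # brightness above this counts as logic high (LED on)


def led_waveform(data, samples_per_bit=SAMPLES_PER_BIT, idle_samples=16):
    """Constructed brightness samples for a TTL UART TX line driving an LED.

    TTL UART idles high; each byte is a low start bit, 8 data bits LSB first and
    a high stop bit. 0.9/0.1 stand in for measured on/off brightness.
    """
    bits = [1] * idle_samples
    for byte in data:
        frame = [0] + [(byte >> n) & 1 for n in range(8)] + [1]
        for bit in frame:
            bits.extend([bit] * samples_per_bit)
    bits.extend([1] * idle_samples)
    return [0.9 if b else 0.1 for b in bits]


def decode_uart(samples, samples_per_bit=SAMPLES_PER_BIT, threshold=THRESHOLD):
    """Recover bytes from brightness samples.

    Find the falling edge of a start bit, then sample the middle of each following
    bit. Frames that run past the end of the capture or lack a high stop bit are
    discarded and the decoder resynchronises on the next falling edge.
    """
    levels = [1 if s > threshold else 0 for s in samples]
    out = bytearray()
    i = 1
    while i < len(levels):
        if not (levels[i - 1] == 1 and levels[i] == 0):
            i += 1
            continue
        center = i + samples_per_bit // 2          # middle of the start bit
        stop = center + 9 * samples_per_bit        # middle of the stop bit
        if stop >= len(levels) or levels[center] != 0:
            i += 1
            continue
        value = 0
        for n in range(8):
            value |= levels[center + (n + 1) * samples_per_bit] << n
        if levels[stop] == 1:
            out.append(value)
            i = stop                                # resume after this frame
        else:
            i += 1                                  # framing error: resynchronise
    return bytes(out)


if __name__ == "__main__":
    # Constructed message: what a token that mirrors its serial output on an LED would leak
    print(decode_uart(led_waveform(b"OTP 482913\r\n")))
```

The same decoder applies to a real capture once the samples are normalised and the samples-per-bit ratio is known; the defensive takeaway is that an LED driven from a data line, rather than from a "link active" signal, carries the full byte stream.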

Live Demos

Joshua Arsenio

Director, Advisory at Security Compass

Third DC

Who Controls the Controllers?:

Hacking Crestron IoT Automation Systems

By Ricky Lawshae (@HeadlessZeke)

https://github.com/headlesszeke/defcon26-materials

Joshua Arsenio

• Crestron AVoIP devices used in enterprise, education, hospitality.

• Orgs with large IPv4 address spaces == devices are directly connected (see Shodan)

• Network connected devices with a camera and microphone attached most commonly used in closed rooms with an expectation of privacy.

• Mostly Windows CE, some Android.

• Feature-rich CTP (Crestron Terminal Port) running on TCP/41795

• No authentication by default, easy mode to admin.

• Many engineering/developer tools included, including a handy backdoor account (rengsuperuser)

• Did I mention endless command injection vulnerabilities?

• Great POCs

• Security features available but disabled by default.

• Crestron has secure deployment guides available.

• Talk missed the mark by not acknowledging that these devices are deployed by resellers. Complex problem to fix.

• Resellers/installers want to deploy quickly and prioritize functionality

• Generally install and run, servicing only outages. Gap in patch management capabilities.

• Headless_Zeke is an entertaining speaker; worthwhile to watch the video!

• Jackson Thuraisamy at Security Compass had been working with Crestron PSIRT for months, working through the same vulns. Multiple shout-outs. Come talk to me!

• Security Compass Blog: goo.gl/rYK1H9

Kristina Balaam @chmodxx_ | Lookout

Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library

Black Hat 2018 Recording

Maddie Stone, Google

“WeddingCake”

- Android Anti-Analysis Native Library

- Named wedding cake for the many layers of anti-analysis techniques used to obfuscate important functionality within a malicious application

- Present in 5000+ distinct APK samples

Some characteristics:

- Android Native Libraries named differently in each sample: lib.{3,8}\.so

- Randomly named Java classes that interface with the library

- Two Java-declared native methods with the same declarations
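As an added example (not part of the talk, and not Lookout or Google tooling), the following Python checks the native libraries inside an APK against the lib.{3,8}\.so naming pattern listed above, using a zip built in memory as a stand-in for an APK. The entry names, the allowlist parameter and the dummy library contents are constructed for the example; it also shows why the name pattern alone is a weak indicator.

```python
r"""Added example: flag native libraries in an APK whose file names match the
lib.{3,8}\.so pattern noted for WeddingCake samples."""
import io
import re
import zipfile

# Library-name pattern taken from the talk summary
WEDDINGCAKE_LIB_NAME = re.compile(r"^lib.{3,8}\.so$")
# Native libraries in an APK live under lib/<abi>/<name>.so
NATIVE_LIB_PATH = re.compile(r"^lib/([^/]+)/([^/]+\.so)$")


def matching_native_libs(apk_bytes, allowlist=frozenset()):
    """Return {lib_name: [abi, ...]} for native libs whose name matches the pattern.

    allowlist: library names the caller knows to be legitimate (a hypothetical
    input for this example). The pattern is loose enough that common names such
    as libcrypto.so match it, so the name is only one signal and must be combined
    with the other traits (random class names, duplicated native declarations).
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            m = NATIVE_LIB_PATH.match(entry)
            if not m:
                continue
            abi, lib = m.groups()
            if lib in allowlist or not WEDDINGCAKE_LIB_NAME.match(lib):
                continue
            hits.setdefault(lib, []).append(abi)
    return hits


def build_sample_apk(entry_names):
    """Constructed stand-in for an APK: a zip with the given entry names and dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"\x7fELF" if name.endswith(".so") else b"")
    return buf.getvalue()


SAMPLE_ENTRIES = [  # constructed entry list
    "AndroidManifest.xml",
    "classes.dex",
    "lib/arm64-v8a/libqzxwvu.so",
    "lib/armeabi-v7a/libqzxwvu.so",
    "lib/arm64-v8a/libcrypto.so",          # legitimate name that still matches the pattern
    "lib/arm64-v8a/libfoobarbazquxx.so",   # 13 chars between lib and .so: no match
    "lib/x86/libab.so",                     # 2 chars: no match
    "assets/libqzxwvu.so",                  # not under lib/<abi>/: ignored
]

if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_ENTRIES)
    print(matching_native_libs(apk))
    print(matching_native_libs(apk, allowlist={"libcrypto.so"}))
```

On a real sample the same function takes the APK's bytes directly; the allowlist is where a known-good library inventory would go.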

- JNI = Java Native Interface

- Allows developers to declare Java native methods in C/C++

- Run-time check goal: “Detect if the application is being dynamically analyzed, debugged or emulated. The developers would rather limit the number of potential targets than risk being detected”.

- 45+ run-time checks; if any one(!!!) fails, the app is terminated

@maddiestone

Milos Stojadinovic

So I Became a Domain Controller

deck – https://bit.ly/2LyIkHy

older preso – https://bit.ly/2Nt5zVi

Vincent Le Toux & Benjamin Delpy

• PingCastle

• AD domain discovery

• Queries data from forest configuration naming context

• Builds a map that shows forest and domain trust

• Implements a number of checks to determine an AD ‘risk level’

• Stale objects (inactive users and accounts)

• Old auth protocols (SMBv1)

• ACL verification (can any authenticated user modify logon scripts?)

• Useful for automated & rudimentary analysis of AD security posture

• “finger in the wind”

• DCShadow

• Manipulate AD configuration and domain naming contexts while (largely) avoiding logging

• Useful in post-exploitation

• TLDR:

• Attacker registers malicious DC within the Configuration naming context

• Malicious ‘DC’ can push replication changes to legitimate DCs

• Remove previous modifications to demote malicious DC

• Replication causes AD objects to be created / manipulated / deleted, but no logging is generated outside of replication metadata

• But the replication metadata can be modified

• Allows for intimate manipulation of AD objects and associated attributes

– This manipulation can be done in ways that violate AD specifications, as attributes can be (almost) arbitrarily specified
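The registration step above is what a defender can look for. The following Python is an added example, not from the talk and not from PingCastle or mimikatz, that compares the nTDSDSA (NTDS Settings) objects found in the Configuration naming context against the known domain controller inventory and diffs two snapshots. The record shape standing in for an LDAP export, the forest name, the site and the server names are all constructed for the example.

```python
"""Added example: spot replication servers (nTDSDSA objects) in the Configuration
naming context that are not in the known domain controller inventory."""
import re

# DN shape of an NTDS Settings object under a site's Servers container
NTDS_SETTINGS_DN = re.compile(
    r"^CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,CN=Configuration,",
    re.IGNORECASE,
)


def replication_servers(config_entries):
    """Map SERVER -> site for each nTDSDSA object among the Configuration NC entries.

    config_entries: iterable of {"dn": str, "objectClass": [str, ...]} records; this
    shape is an assumption of the example standing in for a real directory export.
    """
    servers = {}
    for entry in config_entries:
        if "nTDSDSA" not in entry.get("objectClass", []):
            continue
        m = NTDS_SETTINGS_DN.match(entry["dn"])
        if m:
            servers[m.group(1).upper()] = m.group(2)
    return servers


def unexpected_replication_servers(config_entries, known_dcs):
    """Servers advertising as replication partners that are not in the DC inventory."""
    known = {name.upper() for name in known_dcs}
    return sorted(name for name in replication_servers(config_entries) if name not in known)


def diff_snapshots(before, after):
    """(appeared, disappeared) between two replication_servers() snapshots.

    A rogue DC that is registered, pushes changes and is then demoted exists only
    briefly, so periodic snapshots (or alerting on object creation in the
    Configuration NC) matter more than a single point-in-time check.
    """
    return sorted(set(after) - set(before)), sorted(set(before) - set(after))


SITE = "Default-First-Site-Name"
CONFIG_NC = "CN=Configuration,DC=corp,DC=example"  # constructed forest name


def ntds_entry(server, site=SITE):
    """Constructed nTDSDSA record for a server in the given site."""
    return {"dn": f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},CN=Sites,{CONFIG_NC}",
            "objectClass": ["top", "applicationSettings", "nTDSDSA"]}


BASELINE = [  # constructed snapshot of the real DCs
    ntds_entry("DC01"),
    ntds_entry("DC02"),
    {"dn": f"CN=DC01,CN=Servers,CN={SITE},CN=Sites,{CONFIG_NC}", "objectClass": ["top", "server"]},
]
# Constructed snapshot taken while a workstation is registered as a replication partner
DURING = BASELINE + [ntds_entry("WS-FINANCE-07")]
KNOWN_DCS = ["dc01", "dc02"]

if __name__ == "__main__":
    print(unexpected_replication_servers(DURING, KNOWN_DCS))                      # ['WS-FINANCE-07']
    print(diff_snapshots(replication_servers(BASELINE), replication_servers(DURING)))
```

Feeding this from a live forest means exporting the objects under CN=Sites in the Configuration NC; the comparison logic is the same.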

Subverting Sysmon: Application of a Formalized Security Product Evasion Methodology

Whitepaper – https://bit.ly/2PicfpP

deck – https://bit.ly/2LCx5xP

Matt Graeber & Lee Christensen

• A formal methodology for detection subversion (disrupt the following):

• Attack technique identification

• Data source identification

• Data collection

• Event transport

• Event enrichment & analysis

• Malignant / benign classification

• Alerting /response

• Analysis process

• Tool familiarization & scoping

• Data source resilience auditing

• Footprint / attack surface analysis

• Data collection implementation analysis

• Configuration analysis

Paul O’Grady

- Recent Former Consultant

- 2nd BlackHat

- DEFCON attendee off and on for the past 13 years

Detecting Blue Team Research Through Targeted Ads

https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/0x200b/DEFCON-26-0x200b-Detecting-Blue-Team-Research-Through-Targeted-Ads-Updated.pdf

0x200b

Red Team Operators invest time and energy in C2, Payloads and Campaigns

• Fog of War / limited situational awareness

• Inferences based on activity with Red Team infrastructure

• The earlier you learn of an investigation, the sooner you can abandon an approach and move towards different Tactics, Techniques and Procedures

• Protect your baby

Increase visibility into Blue Team interactions and investigations with Google Ads

• Register AdWord for unique malware characteristics

• Hash

• Author Handle

• Etc

Practical Applications / Benefits

• Detect burned campaigns earlier

• Identify Blue Team capabilities through layers of complexity

• Directly targeting the Blue Team / watering hole attack

• Relatively low cost

Considerations / Caveats

• There has to be something to find

• OPSEC

• Delay (~ 3 hours)

• AdWord selection

Subverting Sysmon - Application of a Formalized Security Product Evasion Methodology

https://i.blackhat.com/us-18/Wed-August-8/us-18-Graeber-Subverting-Sysmon-Application-Of-A-Formalized-Security-Product-Evasion-Methodology-wp.pdf

Matt Graeber and Lee Christensen

A look at the larger detection ecosystem within an environment and how the components work together and can be disrupted, both at the point of detection as well as through event aggregation and presentation to a human operator.

• E.g. if EDR agent alerts on a lateral movement technique, but it never reaches a human operator, the greater detection goal of the organization is not successful.

• A holistic approach

Too dense to thoroughly unpack and do justice in this format.

• Description and walkthrough of a methodology for subverting security products.

• Warrants thoroughly reading the whitepaper and walking through the process independently

• Valuable to Blue Team to identify gaps in adversarial resilience

• Valuable to Red Team for obvious reasons

• Sysmon case study - applicable to any product / solution

Adversary Detection Methodology (both Micro and Macro)

1. Attack Technique Identification

2. Data Source Identification

3. Data Collection

4. Event Transport

5. Event Enrichment and Analysis

6. Malignant/Benign Classification

7. Alerting/Response

Detection Subversion Methodology

• Bypass, evade or tamper with any steps in the Detection Methodology

▪ Latest Technical Research. New attacks. New Defences.

▪ Hands-on learning opportunities. Internet of Things. Lockpicking. CSA Summit. Pre-Conference Training. Career Development Panel and Fair.

▪ Opportunities for Networking during the event and at the reception.

▪ Purist Approach – no amount of money can buy a speaking slot in our technical track.

▪ Privacy, Policy, Compliance

▪ Experts from around the world. We fly them in from all over!

▪ Save 10% off registration with code TASK2018

October 1-3, 2018 - Metro Toronto Convention Centre

www.sector.ca
