DEF CON 29 SPEAKERS


A huge thank you to the DEF CON 29 CFP Review Board, who spent countless hours poring through hundreds of submissions, in order to bring you the best possible speaking content!

Breaking TrustZone-M: Privilege Escalation on LPC55S69

45 minutes | Demo, Exploit

Laura Abbott Oxide Computer Company

Rick Altherr Oxide Computer Company

Virtual only presentation

The concept of Trusted Execution Environments has been broadly introduced to microcontrollers with ARM’s TrustZone-M. While much experience with TrustZone-A can be applied, architectural differences in ARMv8-M lead to a very different approach to configuration and to transitions between the secure and non-secure worlds. This talk will deep dive into how TrustZone-M works, where to look for weaknesses in implementations, and take a detailed look into NXP LPC55S69’s implementation, including the discovery of an undocumented peripheral that leads to a privilege escalation vulnerability exploitable with TrustedFirmware-M. Finally, NXP PSIRT will be used as a case study in how _not_ to respond to a vulnerability report.

REFERENCES:
TrustZone technology for the ARMv8-M architecture Version 2.0; ARM; https://developer.arm.com/documentation/100690/0200

Your Peripheral Has Planted Malware -- An Exploit of NXP SOCs Vulnerability; Yuwei Zheng, Shaokun Cao, Yunding Jian, Mingchuang Qin; DEFCON 26; https://media.defcon.org/DEF CON 26/DEF CON 26 presentations/DEFCON-26-Yuwei-Zheng-Shaokun-Cao-Bypass-the-SecureBoot-and-etc-on-NXP-SOCs-Updated.pdf

Laura Abbott
Laura Abbott is a software engineer who focuses on low level software. Her background includes Linux kernel development with work in the memory management and security areas as well as ARM enablement.

@openlabbott

Rick Altherr
Rick Altherr has a career ranging from ASICs to UX with a focus on the intersection of hardware and software, especially in server systems. His past work includes USBAnywhere, leading the unification of OpenBMC as a project under Linux Foundation, co-authoring a whitepaper on Google’s Titan, and reverse engineering Xilinx 7 Series FPGA bitstreams as part of prjxray.

@kc8apf

The Mechanics of Compromising Low Entropy RSA Keys

20 minutes

Austin Allshouse Staff Research Scientist / BitSight

Speaker(s) will be at DEF CON!

Over the past decade, there have been a number of research efforts (and DEFCON talks!) investigating the phenomenon of RSA keys on the Internet that share prime factors with other keys. This can occur when devices have poorly initialized sources of “randomness” when generating keys, making it trivial to factor the RSA modulus and recover the private key because, unlike large integer factorization, calculating the greatest common divisor (GCD) of two moduli can be fast and efficient. When describing their research, past hackers and researchers have attested that they “built a custom distributed implementation of Batch-GCD,” which seems like one hell of a detail to gloss over, right? This talk will detail a hacker's journey from understanding and implementing distributed batch GCD to analyzing findings from compromising RSA keys from network devices en masse.

REFERENCES:
Amiet, Nils and Romailler, Yolan. “Reaping and breaking keys at scale: when crypto meets big data.” DEF CON 26, 2018.

Heninger, Nadia, et al. "Mining your Ps and Qs: Detection of widespread weak keys in network devices." 21st USENIX Security Symposium (USENIX Security 12). 2012.

Hastings, Marcella, Joshua Fried, and Nadia Heninger. "Weak keys remain widespread in network devices." Proceedings of the 2016 Internet Measurement Conference. 2016.

Kilgallin, JD. “Securing RSA Keys & Certificates for IoT Devices.” https://info.keyfactor.com/factoring-rsa-keys-in-the-iot-era. 2019

Daniel J. Bernstein. Fast multiplication and its applications, 2008.

Austin Allshouse
Austin Allshouse is a Research Scientist at BitSight where he applies information security, statistical modeling, and distributed computing concepts to develop quantitative methods of assessing security risk. He has a decade of experience researching the technologies and methodologies underpinning digital network surveillance systems.

@AustinAllshouse

A Look Inside Security At The New York Times Or A Media Security Primer For Hackers

45 minutes

Jesse "Agent X" Krembs

Speaker(s) will be at DEF CON!

This talk will cover the unique threats and challenges of working in information security for a news organization: some best practices for journalists, the hard technical problems facing media security, and how hackers can get involved. This talk is for both hackers and journalists.

Jesse "Agent X" Krembs
Jesse Krembs is a long-term Def Con goon and now a staff information security analyst at The New York Times. He provides security support to journalists and staff globally. He’s had a variety of jobs over his lifetime, working as a bike messenger, a caterer, a webmaster for a brewery, a wireless engineer, and even doing security work for the phone company. He leads the Def Con 4 X 5K, and climbs rocks for fun.

Bring Your Own Print Driver Vulnerability

45 minutes | Tool, Exploit

Jacob Baines Vulnerability researcher at Dragos

Virtual only presentation

What can you do, as an attacker, when you find yourself as a low privileged Windows user with no path to SYSTEM? Install a vulnerable print driver! In this talk, you'll learn how to introduce vulnerable print drivers to a fully patched system. Then, using three examples, you'll learn how to use the vulnerable drivers to escalate to SYSTEM.

REFERENCES:
- Yarden Shafir and Alex Ionescu, PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more) - https://windows-internals.com/printdemon-cve-2020-1048/
- voidsec, CVE-2020-1337 – PrintDemon is dead, long live PrintDemon! - https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/
- Zhipeng Huo and Chuanda Ding, Evil Printer: How to Hack Windows Machines with Printing Protocol - https://media.defcon.org/DEF CON 28/DEF CON Safe Mode presentations/DEF CON Safe Mode - Zhipeng-Huo and Chuanda-Ding - Evil Printer How to Hack Windows Machines with Printing Protocol.pdf
- Pentagrid AG, Local Privilege Escalation in many Ricoh Printer Drivers for Windows (CVE-2019-19363) - https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/
- space-r7, Add module for CVE-2019-19363 - https://github.com/rapid7/metasploit-framework/pull/12906
- Microsoft, Point and Print with Packages - https://docs.microsoft.com/en-us/windows-hardware/drivers/print/point-and-print-with-packages
- Microsoft, Driver Store - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/driver-store
- Microsoft, Printer INF Files - https://docs.microsoft.com/en-us/windows-hardware/drivers/print/printer-inf-files
- Microsoft, Use Group Policy settings to control printers in Active Directory - https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer

Jacob Baines
Jacob is a vulnerability researcher at Dragos. He enjoys focusing much of his research time on routers and other embedded devices. Occasionally, he finds himself looking at Windows internals. Sometimes he even finds vulnerabilities.

2021 - Our Journey Back To The Future Of Windows Vulnerabilities and the 0-days we brought back with us

45 minutes | Demo, Tool, Exploit

Tomer Bar Director of Security Research @ SafeBreach

Eran Segal Security Researcher @ SafeBreach Labs

Speaker(s) will be at DEF CON!

In 2020, security researchers reported a record number of Windows vulnerabilities. We were curious what superpowers we would get from researching this huge number of vulnerabilities. Could we leverage our findings to discover 0-days?

We decided to go back in time to 2016 to search for patterns and automatically classify all the public vulnerabilities since then. We believed that only by connecting the dots into a bigger picture would we be able to come back to 2021 having achieved our goal.

We adopted a new approach, in terms of both the goal and how to get there. Until now, the main goal of patch-diffing was focused on the root cause of the vulnerability and building a 1-day to exploit it. Usually patch-diffing was done manually on a single patch.

We reached higher for the holy grail. We understood that in order to find 0-days we needed to build an automated process that would gather all the insights from all the patches in a single, searchable db.

It worked! We discovered the root causes of multiple classes of vulnerabilities. We used these discoveries on a fully patched Windows 10 host in order to highlight opportunities for exploitation. As a consequence, we found and reported (1) 6 information disclosure vulnerabilities to Microsoft, (2) 2 post exploitation techniques allowing covert exfiltration of private user data, and (3) an additional surprise.

In this presentation, we'll describe our research process, demonstrate live exploitation of the vulnerabilities we found, share the tools we developed, and explain how other researchers can use them to discover 0-days.

Tomer Bar
Tomer Bar is a hands-on security researcher and head of research with ~20 years of unique experience in cyber security. In the past, he ran research groups for the Israeli government and then led endpoint malware research for Palo Alto Networks. Currently, he leads SafeBreach Labs, which is the research and development arm of SafeBreach.

His main interest is focused on Windows vulnerability research, reverse engineering and APT research.

His recent discoveries are vulnerabilities in the Windows Spooler mechanism and research on the most persistent Iranian APT campaign. He is a contributor to the MITRE ATT&CK framework and a speaker at Black Hat, DEF CON and SecTor conferences.

Eran Segal
Eran Segal is a security researcher with 7+ years of experience in cyber security research. He has been working on security research projects at SafeBreach Labs for the last 2 years, after serving in various security positions in the IDF.

His experience involves research on Windows and embedded devices.

Abusing SAST tools! When scanners do more than just scanning

45 minutes | Demo

Rotem Bar Head of Marketplace Integrations @ Cider Security

Speaker(s) will be at DEF CON!

When we write code, we often run many scanners on it for different purposes - from linters to testing, security scanning, secret scanning, and more.

Scanning the code occurs on developers' machines and in CI/CD pipelines. This assumes the code is untrusted and unverified, and based on this assumption, scanners shouldn't have the ability to dynamically run code.

Our research examines many of the static analyzers out there to see whether this is really the case. Many of the scanners allow different ways of interaction - from requesting external resources, to overriding the configuration, to remote code execution as part of the process. This talk will be technical and will show examples of well-known scanning tools and how we created code that attacks them.

TLDR -
When integrating and using new tools in our CI systems, and especially when running on unverified code, which tools can we trust, and how can we scan untrusted code in a secure way?

REFERENCES:
https://github.com/jonase/kibit/issues/235 - Issue I raised in the past in one of the tools

Hiroki Suezawa in a thread in cloud security forum talked about exploiting terraform plan https://cloudsecurityforum.slack.com/archives/CNJKBFXMH/p1584035704035800

This reference was released after I had started my research, but it is nevertheless a good resource with interesting perspectives, and I will reference it: https://alex.kaskaso.li/post/terraform-plan-rce

Rotem Bar
Rotem Bar has over a decade of experience in the security field, including penetration testing of both applications and networks, design reviews, code reviews, architecture reviews, tech management, and of course development.

Over the years Rotem has gained experience in a diversity of industries, from financial services to insurance, through high-tech and the automotive industry, along with other complex environments.

In the last couple of years Rotem has been working in concept design and development, pen testing and hardware work at Cymotive, a company that focuses on end-to-end cyber security for the automotive industry, and after that he served as an application security expert at AppsFlyer.

Today Rotem is the Head of Marketplace Integrations at Cider Security, which is focused on revolutionizing CI/CD security.

During his free time, Rotem plays with robotics and bug bounties, and enjoys traveling with his family.

@rotembar
www.rotem-bar.com

The Unbelievable Insecurity of the Big Data Stack: An Offensive Approach to Analyzing Huge and Complex Big Data Infrastructures

45 minutes | Demo

Sheila A. Berta Head of Research at Dreamlab Technologies

Virtual only presentation

Honoring the term, the variety of technologies in the Big Data stack is hugely BIG. Many complex components in charge of transport, storing, and processing millions of records make up Big Data infrastructures. The speed at which data needs to be processed and how quickly the implemented technologies need to communicate with each other make security lag behind. Once again, complexity is the worst enemy of security.

Today, when conducting a security assessment of Big Data infrastructures, there is no established methodology, and there are hardly any technical resources for analyzing the attack vectors. On top of that, many things that are considered vulnerabilities in conventional infrastructures, or even in the Cloud, are not vulnerabilities in this stack. What is a security problem and what is not a security problem in Big Data infrastructures? That is one of the many questions this research answers. Security professionals need a methodology, and need to acquire the necessary skills, to competently analyze the security of such infrastructures.

This talk presents a methodology, and new and impactful attack vectors, in the four layers of the Big Data stack: Data Ingestion, Data Storage, Data Processing and Data Access. Some of the techniques that will be exposed are remote attacks on the centralized cluster configuration managed by ZooKeeper; packet crafting for remote communication with Hadoop RPC/IPC to compromise HDFS; development of a malicious YARN application to achieve RCE; interfering with data ingestion channels; and abusing the drivers of HDFS-based storage technologies like Hive/HBase and of platforms that query multiple data lakes, such as Presto. In addition, security recommendations will be provided to prevent the attacks explained.

REFERENCES:
I plan to release a white paper at the conference; all the references will be in the white paper. Anyway, as the attacks are novel, the references are mostly related to infrastructure, not so much to security.

Sheila A. Berta
Sheila A. Berta is an offensive security specialist who started at 12 years old by learning on her own. At the age of 15, she wrote her first book about Web Hacking, published in several countries. Over the years, Sheila has discovered vulnerabilities in popular web applications and software, as well as given courses at universities and private institutes in Argentina. She specializes in offensive techniques, reverse engineering, and exploit writing, and is also a developer in ASM (MCU and MPU x86/x64), C/C++, Python and Go. In recent years she has focused on Cloud Native and Big Data security. As an international speaker, she has spoken at important security conferences such as Black Hat Briefings, DEF CON, HITB, Ekoparty, IEEE ArgenCon and others. Sheila currently works as Head of Research at Dreamlab Technologies.

@UnaPibaGeek

Hacking G Suite: The Power of Dark Apps Script Magic

45 minutes | Tool

Matthew Bryant Red Team @ Snapchat

Speaker(s) will be at DEF CON!

You’ve seen plenty of talks on exploiting, escalating, and exfiltrating the magical world of Google Cloud (GCP), but what about its buttoned-down sibling? This talk delves into the dark art of utilizing Apps Script to exploit G Suite (AKA Google Workspace).

As a studious sorcerer, you’ll discover how to pierce even the most fortified G Suite enterprises. You’ll learn to conjure Apps Script payloads to bypass powerful protective enchantments such as U2F, OAuth app allowlisting, and locked-down enterprise Chromebooks.

Our incantations don’t stop at the perimeter, we will also discover novel spells to escalate our internal privileges and bring more G Suite accounts under our control. Once we’ve obtained the access we seek, we’ll learn various curses to persist ourselves whilst keeping a low profile so as to not risk an unwelcome exorcism.

You don’t need divination to see that this knowledge just might rival alchemy in value.

REFERENCES:
No real academic references, this is all original research gleaned from real-world testing and reading documentation.

Matthew Bryant
mandatory (Matthew Bryant) is a passionate hacker currently leading the red team effort at Snapchat. In his personal time he’s published a variety of tools such as XSS Hunter, CursedChrome, and tarnish. His security research has been recognized in publications such as Forbes, The Washington Post, CBS News, TechCrunch, and The Huffington Post. He has previously presented at Black Hat, RSA, Kiwicon, DerbyCon, and GrrCON. Previous gigs include Google, Uber, and Bishop Fox.

@IAmMandatory
https://thehackerblog.com

PunkSPIDER and IOStation: Making a Mess All Over the Internet

45 minutes | Demo, Tool

_hyp3ri0n aka Alejandro Caceres Director of Computer Network Exploitation at QOMPLX, former owner of Hyperion Gray

Jason Hopper Hacker

Speaker(s) will be at DEF CON!

We've been getting asked a lot for "that tool that was like Shodan but for web app vulns.” In particular WTF happened to it? Punkspider (formerly known as PunkSPIDER but renamed because none of us could remember where tf the capital letters go) was taken down a couple of years ago due to multiple ToS issues and threats. It was originally funded by DARPA. We weren’t sure in which direction to keep expanding, and it ended up being a nightmare to sustain. We got banned more than a 15 year old with a fake ID trying to get into a bar. It became a pain and hardly sustainable without a lot of investment in time and money. Each time we got banned it meant thousands of dollars and countless hours moving sh** around.

Now we’ve solved our problems and completely re-engineered/expanded the system. It is not only far more efficient, with real-time distributed computing, and checks for way more vulns; we also had to take some creative ways through the woods. This presentation covers both the tool itself and the story of the path we had to take to get where it is. Spoiler alert: it involves creating our own ISP and data center in Canada and integrating freely available data that anyone can get but most don’t know is available. Come play with us and see what the wild west of the web looks like and listen to our story; it’s fun and full of angry web developers. We’ll also be releasing at least tens of thousands of vulnerabilities and will be taking suggestions from the audience on what to search. Fun vulns found get a t-shirt, super fun ones get a hoodie thrown at them.

REFERENCES:
https://www.youtube.com/watch?v=AbS_EGzkNgI (Shmoo 2013 talk)
https://hadoop.apache.org/
https://aws.amazon.com/kubernetes/
https://www.docker.com/
https://www.python.org/
https://www.apache.org/licenses/LICENSE-2.0
https://kafka.apache.org/
https://owasp.org/www-project-top-ten/

_hyp3ri0n aka Alejandro Caceres
Bio coming soon!

Jason Hopper
Bio coming soon!

Why does my security camera scream like a Banshee? Signal analysis and RE of a proprietary audio-data encoding protocol

45 minutes | Demo, Tool

Rion Carter

Speaker(s) will be at DEF CON!

All I wanted was a camera to monitor my pumpkin patch for pests; what I found was a wireless security camera that spoke with an accent and asked to speak with my fax machine. Join me as I engage in a signals analysis of the Amiccom 1080p Outdoor Security Camera and hack the signal to reverse engineer the audio tones used to communicate with and configure this inexpensive outdoor camera. This journey takes us through spectrum analysis, APK decompiling, tone generation in Android and the use of Ghidra for when things REALLY get hairy.

REFERENCES:
- JADX: Dex to Java Decompiler - https://github.com/skylot/jadx
- Efficiency: Reverse Engineering with ghidra - http://wapiflapi.github.io/2019/10/10/efficiency-reverse-engineering-with-ghidra.html
- Guide to JNI (Java Native Interface) - https://www.baeldung.com/jni
- JDSP - Digital Signal Processing in Java - https://psambit9791.github.io/jDSP/transforms.html
- Understanding FFT output - https://stackoverflow.com/questions/6740545/understanding-fft-output
- Spectral Selection and Editing - Audacity Manual - https://manual.audacityteam.org/man/spectral_selection.html
- Edit>Labelled Audio>everything greyed out - https://forum.audacityteam.org/viewtopic.php?t=100856
- Get a spectrum of frequencies from WAV/RIFF using linux command line - https://stackoverflow.com/questions/21756237/get-a-spectrum-of-frequencies-from-wav-riff-using-linux-command-line
- How to interpret output of FFT and extract frequency information - https://stackoverflow.com/questions/21977748/how-to-interpret-output-of-fft-and-extract-frequency-information?rq=1
- Calculate Frequency from sound input using FFT - https://stackoverflow.com/questions/16060134/calculate-frequency-from-sound-input-using-fft?rq=1
- Introduction - Window Size - https://support.ircam.fr/docs/AudioSculpt/3.0/co/Window%20Size.html
- Android: Sine Wave Generation - https://stackoverflow.com/questions/11436472/android-sine-wave-generation
- Android Generate tone of a specific frequency - https://riptutorial.com/android/example/28432/generate-tone-of-a-specific-frequency
- Android Tone Generator - https://gist.github.com/slightfoot/6330866
- Android: Audiotrack to play sine wave generates buzzing noise - https://stackoverflow.com/questions/23174228/android-audiotrack-to-play-sine-wave-generates-buzzing-noise

Rion Carter
Rion likes to solve interesting problems - the more esoteric and niche the better! He has varied interests ranging from software development and reverse engineering to baking and recipe hacking. Rion currently works in DevSecOps, where he and his colleagues wonder how they'll be rebranded next (DevSecBizFinOps?). Rumor has it that he bakes a mean batch of fudge brownies.

@7thzero.com

Hack the hackers: Leaking data over SSL/TLS

20 minutes | Demo, Exploit

Ionut Cernica PhD Student @ Department of Computer Science, Faculty of Automatic Control and Computer Science, University Politehnica of Bucharest

Speaker(s) will be at DEF CON!

Have you considered that in certain situations the way hackers exploit vulnerabilities over the network can be predictable? Anyone with access to encrypted traffic can reverse the logic behind the exploit and thus obtain the same data as the exploit.

Various automated tools have been analyzed, and it has been found that these tools operate in an unsafe way. Various exploit databases were analyzed, and we learned that some of these exploits are written in an insecure (predictable) way.

This presentation will showcase the results of the research, including examples of exploits that, once executed, can be harmful. The data we obtain after exploitation can be accessible to other entities without the need to decrypt the traffic. The SSL/TLS specs will not change. There is a clear reason for that, and in this presentation I will argue this; but what will change for sure is the way hackers will write some of their exploits.

Ionut Cernica
Ionut Cernica started his security career with the bug bounty program from Facebook. His passion for security led him to get involved in dozens of such programs, and he found problems in very large companies such as Google, Microsoft, Yahoo, AT&T, eBay, and VMware. He has also been testing web application security for 9 years and has had a large number of projects on the penetration testing side.

Another stage of his career was to get involved in security contests, participating in more than 100 such contests. He also reached important finals such as Codegate, Trend Micro and DEF CON with the PwnThyBytes team. He has also won several individual competitions, including the mini CTF from the first edition of the AppSec Village at DEF CON.

Now he is doing research in the field of web application security, and is also a PhD student at University Politehnica of Bucharest. Through his research he wants to innovate in the field and bring a new layer of security to web applications. He has also been working as a Security Researcher @ Future Networks 5G Lab for a few months now and hopes to make an important contribution to the 5G security area through research.

@CernicaIonut

Taking Apart and Taking Over ICS & SCADA Ecosystems: A Case Study of Mitsubishi Electric

45 minutes | Demo, Tool

Mars Cheng Threat researcher for TXOne Networks

Selmon Yang Staff Engineer at TXOne Networks

Virtual only presentation

Diversified Industrial Control System (ICS) providers create a variety of ecosystems, which have come to operate silently in the background of our lives. Among these organizations, Mitsubishi Electric ranks among the most prolific. Because this ecosystem is so widely used in key manufacturing, natural gas supply, oil, water, aviation, railways, chemicals, food and beverages, and construction, it is closely related to people's lives. For this reason, the security of this ecosystem is extraordinarily important.

This research will enter the Mitsubishi ecosystem’s communication protocol, using it as a lens with which to deeply explore the differences between it and other ecosystems. We will show how we successfully uncovered flaws in its identity authentication function, including how to take it over, and show that such an attack can cause physical damage in different critical sectors. We’ll explain how we accomplished this by applying reverse engineering and communication analysis. This flaw allows attackers to take over any asset within the entire series of Mitsubishi PLCs, allowing command of the ecosystem and full control of the relevant sensors. A further complication is that fixing the various communication protocols in ICS/SCADA is extremely difficult. We will also share the various problems we encountered while researching these findings and provide the most workable detection and mitigation strategies for those protocols.

REFERENCES:
[1] https://ladderlogicworld.com/plc-manufacturers/
[2] https://www.mitsubishielectric.com/fa/products/cnt/plc/pmerit/case.html
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5594
[4] https://www.mitsubishielectric.com/fa/products/cnt/plc/pmerit/index.html

Mars Cheng
Mars Cheng (@marscheng_) is a threat researcher for TXOne Networks, blending a background and experience in both ICS/SCADA and enterprise cybersecurity systems. Mars has directly contributed to more than 10 CVE-IDs, and has had work published in three Science Citation Index (SCI) applied cryptography journals. Before joining TXOne, Mars was a security engineer at the Taiwan National Center for Cyber Security Technology (NCCST). Mars is a frequent speaker and trainer at several international cyber security conferences such as Black Hat Europe, SecTor, FIRST, HITB, ICS Cyber Security Conference Asia and USA, HITCON, SINCON, CYBERSEC, CLOUDSEC and InfoSec Taiwan as well as other conferences and seminars related to the topics of ICS and IoT security. Mars is general coordinator of HITCON (Hacks in Taiwan Conference) 2021 and was vice general coordinator of HITCON 2020.

@marscheng_

Selmon Yang
Selmon Yang is a Staff Engineer at TXOne Networks. He is responsible for parsing IT/OT protocols, Linux kernel programming, and honeypot development and adjustment. Selmon has also spoken at ICS Cyber Security Conference Asia, HITCON, SecTor and HITB.

Crossover Episode: The Real-Life Story of the First Mainframe Container Breakout

45 minutes | Demo

Ian Coldwater Hacker

Chad Rikansrud (Bigendian Smalls) Hacker

Speaker(s) will be at DEF CON!

You've seen talks about container hacking. You've seen talks about mainframe hacking. But how often do you see them together? IBM decided to put containers on a mainframe, so a container hacker and a mainframe hacker decided to join forces and hack it. We became the first people on the planet to escape a container on a mainframe, and we’re going to show you how.

Containers on a mainframe? For real. IBM zCX is a Docker environment running on a custom Linux hypervisor built atop z/OS - IBM’s mainframe operating system. Building this platform introduces mainframe environments to a new generation of cloud-native developers - and introduces new attack surfaces that weren’t there before.

In this crossover episode, we’re going to talk about how two people with two very particular sets of skills went about breaking zCX in both directions, escaping containers into the mainframe host and spilling the secrets of the container implementation from the mainframe side.

When two very different technologies get combined for the first time, the result is new shells nobody’s ever popped before.

REFERENCES:
Getting started with z/OS Container Extensions and Docker: https://www.redbooks.ibm.com/abstracts/sg248457.html
The Path Less Traveled: Abusing Kubernetes Defaults: https://www.youtube.com/watch?v=HmoVSmTIOxM
Attacking and Defending Kubernetes Clusters: A Guided Tour: https://securekubernetes.com
Evil Mainframe penetration testing course: https://www.evilmainframe.com/
z/OS Unix System Services (USS): https://www.ibm.com/docs/en/zos/2.1.0?topic=system-basics-zos-unix-file
z/OS Concepts: https://www.ibm.com/docs/en/zos-basic-skills?topic=zc-zos-operating-system-providing-virtual-environments-since-1960s
Docker overview: https://docs.docker.com/get-started/overview/

Ian Coldwater
Ian is a leading expert on containers and container security.

@IanColdwater

Chad Rikansrud (Bigendian Smalls)
Chad is the same, but for mainframes and mainframe security.

@bigendiansmalls

D0 N0 H4RM: A Healthcare Security Conversation

105 minutes | Demo

Christian “quaddi” Dameff MD Physician & Medical Director of Cyber Security at The University of California San Diego

Jeff “r3plicant” Tully MD Anesthesiologist at The University of California San Diego

Jessica Wilkerson Cyber Policy Advisor at the US Food and Drug Administration FDA

Josh Corman Chief Strategist for CISA, Founder of I am The Cavalry

Gabrielle Hempel Cloud Security Engineer/Medical Security Researcher

Stephanie Domas Director of Cybersecurity Strategy and Communications at Intel

Speaker(s) will be at DEF CON!

Mired in the hell of a global pandemic, hospital capacity stressed to its limit, doctors and nurses overworked and exhausted... surely the baddies would cut us a little slack and leave little 'ol healthcare alone for a bit, right? Well, raise your hand if you saw this one coming. Another year of rampaging ransomware, of pwned patient care - only this time backdropped by the raging dumpster fire that is COVID. Can we once and for all dispel the Pollyannas telling us that nobody would knowingly seek to harm patients? And if we can't convince the powers that be - whether in the hospital C-suite or in DC - that we need to take this $%& seriously now, then what hope do we have for pushing patient safety to the forefront when things return to some semblance of normal? With a heavily curated panel including policy badasses, elite hackers, and seasoned clinicians, D0 N0 H4RM remains the preeminent forum where insight from experts collides with the ingenuity and imagination of the DEF CON grassroots to inspire activism and collaboration stretching far beyond closing ceremonies.

Moderated by physician hackers quaddi and r3plicant, this perennially packed event always fills up fast, so make sure you join us. As always, the most important voice is yours.

Dr. Christian Dameff MD
Christian (quaddi) Dameff MD is an Assistant Professor of Emergency Medicine, Biomedical Informatics, and Computer Science (Affiliate) at the University of California San Diego. He is also a hacker, former open capture the flag champion, and prior DEF CON/RSA/Blackhat/HIMSS speaker. Published works include topics such as therapeutic hypothermia after cardiac arrest, novel drug targets for myocardial infarction patients, and other Emergency Medicine related works with an emphasis on CPR optimization. Published security research topics include hacking critical healthcare infrastructure, medical devices and the effects of malware on patient care. This is his seventeenth DEF CON.

@CDameffMD

Dr. Jeff Tully MD
Jeff (r3plicant) Tully is an anesthesiologist, pediatrician and security researcher with an interest in understanding the ever-growing intersections between healthcare and technology.

@JeffTullyMD

Jessica Wilkerson
Jessica Wilkerson is a Cyber Policy Advisor with the All Hazards Readiness, Response, and Cybersecurity (ARC) team in the Center for Devices and Radiological Health (CDRH) within the Food and Drug Administration (FDA). As part of ARC, she examines issues and develops policy related to the safety and effectiveness of connected medical devices. She received a B.A. in Policy Studies and minors in Computer Science and Mathematics from Syracuse University, and is currently pursuing a J.D. from the Catholic University of America’s Columbus School of Law.

Josh Corman
Joshua Corman is a Founder of I am The Cavalry (dot org), and serves as Chief Strategist for CISA regarding COVID, healthcare, and public safety. He previously served as CSO for PTC, Director of the Cyber Statecraft Initiative for the Atlantic Council, CTO for Sonatype, and other senior roles. He co-founded RuggedSoftware and IamTheCavalry to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. His unique approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security. He also serves as an Adjunct Faculty for Carnegie Mellon’s Heinz College, and was a member of the Congressional Task Force for Healthcare Industry Cybersecurity.

NOTE: My CISA Emergency CARES Act Service may extend/change after July 15.

@joshcorman

Gabrielle Hempel
I am a graduate of the University of Cincinnati, where I studied Neuroscience and Psychology with a minor in Criminal Justice. I started out at an institutional review board in regulatory pharmaceutical and medical device compliance, and led specialized committees targeting Phase I research and emergency research. I moved to IT consulting in 2018, and currently work as a Security Engineer in healthcare while pursuing an MS in Global Security, Conflict, and Cybercrime at NYU. I continue to serve as a genetic scientist for NIH-regulated recombinant genetic studies, and sit on multiple advisory boards. My continued areas of focus include medical device security, connected healthcare security, and the intersections of the healthcare and information security industries.

@gabsmashh

Stephanie Domas
Stephanie Domas is the Director of Cybersecurity Strategy and Communications at Intel. Here, she leads development of complex security strategies for the critical role that hardware and firmware security play in the digital ecosystem. Prior to Intel, Stephanie spent 8 years focused on medical device cybersecurity, consulting with a broad range of manufacturers from the newest startups to the industry giants. She is the founder and lead trainer for cybersecurity training company DazzleCatDuo. Her past experience includes 10 years of reverse engineering and vulnerability analysis research as a defense contractor. Stephanie is a recognized expert on embedded systems, healthcare and medical device security, a seasoned executive, a prominent consultant, a passionate educator, and an x86 enthusiast.

No Key? No PIN? No Combo? No Problem! P0wning ATMs For Fun and Profit

45 minutes | Demo

Roy Davis Senior Security Engineer, Zoom Video Communications

Speaker(s) will be at DEF CON!

Since the late great Barnaby Jack gave us “Jackpotting” in the late 2000s, there have been several talks on ATM network attacks, USB port attacks, and digital lock attacks which apply to several brands of ATM safes. In this session, I’ll discuss and demonstrate how most of these known attack vectors have been remediated, while several fairly simple attacks against the machine and the safe still remain. We’ll dive into how ATMs work, the steps I went through to become a “licensed ATM operator” which enabled my research, and how I identified the vulnerabilities. I’ll show how, with very little technical expertise and 20 minutes, these attacks lead directly past “secure” and allow attackers to collect a lot more than $200.

REFERENCES
Barnaby Jack - “Jackpotting Automated Teller Machines” - (2010) from DEFCON - https://www.youtube.com/watch?v=FkteGFfvwJ0
Weston Hecker - “Hacking Next-Gen ATM's From Capture to Cashout” - (2016) from DEFCON - https://www.youtube.com/watch?v=1iPAzBcMmqA
Trey Keown and Brenda So - “Applied Cash Eviction through ATM Exploitation” (2020) from DEFCON - https://www.youtube.com/watch?v=dJNLBfPo2V8
Triton - “Terminal Communications Protocol And Message Format Specification” (2004) from Complete ATM Services - tinyurl.com/7nf2fdy5
Rocket ATM - “Hyosung ATM Setup Part 1 - Step by Step” (2018) from Rocket ATM - https://www.youtube.com/watch?v=abylmrBkOGM&t=3s
Rocket ATM - “Hyosung ATM Setup Part 2 - Step by Step” (2018) from Rocket ATM - https://www.youtube.com/watch?v=IM9ZG46fwL8
Hyosung - “NH2600 Service Manual v1.0” (2013) From Prineta - https://tinyurl.com/c6jd4hd9
Hyosung - “NH2700 Operator Manual v1.2” (2010) From AtmEquipment.com - https://tinyurl.com/rp2cad8

Roy Davis
Roy Davis is a security researcher and engineer with 15 years of pentesting, security research and programming experience. He has worked on security teams at Zoom, Salesforce, Apple, Barclays Bank, and Thomson Reuters. He holds a B.S. degree in Computer Science from Purdue University and an M.S. in Cybersecurity and Digital Forensics from WGU. Roy has presented at several security conferences from 2008 to his most recent talk at the “HackerOne Security@” conference in San Francisco.

@hack_all_things
https://www.linkedin.com/in/roy-davis/
https://www.davisinfosec.com

Unlocking KeeLoq – A Reverse Engineering Story

45 minutes | Demo, Tool, Exploit

Rogan Dawes Researcher, Orange Cyberdefense’s SensePost Team

Virtual only presentation

KeeLoq Remote Keyless Entry systems make use of radio frequency transmissions to operate and have many known weaknesses. A 64-bit manufacturer key is used in transmissions to encrypt an incrementing transmission sequence number in order to provide replay protection. This presentation is a journey into bringing existing research together to make personal KeeLoq projects practical, ultimately repurposing a commercial receiver as part of a home automation system integration project.

I will demonstrate how I recovered the manufacturer key by extracting and reverse engineering the receiver’s firmware using a JTAG adapter and Ghidra. Next, I will cover decoding and decrypting the KeeLoq transmissions (verified using a logic analyzer), cloning the captured serial and sequence numbers to a new transmitter, and finally, how to export the received transmissions to a home automation system via an add-on WiFi-capable microcontroller.

REFERENCES:
http://ww1.microchip.com/downloads/en/appnotes/00744a.pdf
https://link.springer.com/chapter/10.1007/978-3-540-78967-3_1
https://link.springer.com/chapter/10.1007/978-3-540-85174-5_12
https://github.com/jpleger/hcs301_programming
https://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/

Rogan Dawes
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague’s frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

@RoganDawes

Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages

20 minutes | Demo, Tool

Jeff Dileo Technical Director, NCC Group

Virtual only presentation

Modern programming languages are, more and more, being designed not just around performance, ease-of-use, and (sometimes) security, but also performance monitoring and introspectability. But what about the languages that never adopted such concepts from their peers? Or worse, what about the languages that tacked on half-hearted implementations as an afterthought? The answer is simple: you write your own and instrument them into the language dynamically.

In this talk, we will discuss the process for developing generalized parasitic tracers targeting specific programming languages and runtimes using Ruby as our case study. We will show how feasible it is to write external tracers targeting a language and its runtime, and discuss best practices for supporting different versions over time.

REFERENCES:
* https://github.com/ruby/ruby
* https://frida.re/docs/javascript-api/

Jeff Dileo
Jeff Dileo (chaosdata) is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He likes candy and arguing about text editors and window managers he doesn't actually use.

@chaosdatumz

Vulnerability Exchange: One Domain Account For More Than Exchange Server RCE

45 minutes | Demo, Tool, Exploit

Tianze Ding Senior security researcher, Tencent Security Xuanwu Lab

Virtual only presentation

Microsoft Exchange Server is one of the most famous mail servers in the world. It not only stores a large amount of sensitive corporate information, but also plays an important role in Microsoft Active Directory, so it has become a high-value target for both APT groups and red teams.

In the past few months, some high-risk vulnerabilities in Exchange Server have been exposed, which mainly target vulnerable ASP.NET code. But the architecture of Exchange Server is complicated, and its attack surface is not limited to ASP.NET; this talk will analyze and attack Exchange Server from a different perspective.

I will share the following two new vulnerabilities I found, as well as the new attack surfaces and how I chained several techniques to successfully exploit them in detail.

1. One of them can result in arbitrary mailbox takeover: attackers can read emails, download attachments, send emails, etc. as any Exchange user.

2. The other can lead to remote code execution on Exchange Server: attackers can gain local administrator privileges and execute arbitrary commands. Furthermore, there is an interesting point: even if you have applied the latest Exchange Server patches, your Exchange Server may still be compromised by this type of attack.

For red teams, Exchange Server RCE is only the beginning. Usually, there are some high-privileged domain users and groups on Exchange Server; I will also introduce a new method in depth to help you perform lateral movement and even privilege escalation to Domain Admin after achieving Exchange Server RCE.

These vulnerabilities have been reported to MSRC and the exploit tools will be released after the talk.

References:
[1] https://www.zerodayinitiative.com/blog/2018/12/19/an-insincere-form-of-flattery-impersonating-users-on-microsoft-exchange
[2] https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[3] https://docs.microsoft.com/en-us/exchange/client-developer/web-service-reference/ews-operations-in-exchange
[4] https://github.com/quickbreach/ExchangeRelayX
[5] https://blog.compass-security.com/2020/05/relaying-ntlm-authentication-over-rpc/
[6] https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
[7] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/425a7c53-c33a-4868-8e5b-2a850d40dc73
[8] https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
[9] https://github.com/SecureAuthCorp/impacket
[10] https://github.com/gdedrouas/Exchange-AD-Privesc
[11] https://labs.f-secure.com/tools/sharpgpoabuse/

Tianze Ding
Tianze Ding is a senior security researcher at Tencent Security Xuanwu Lab. His research focuses on web security, Active Directory security and red teaming. He has reported vulnerabilities to Microsoft, Apple, Google, etc. He has spoken at Black Hat Asia.

@D1iv3

Privacy Without Monopoly: Paternalism Works Well, But Fails Badly

45 minutes

Cory Doctorow Author, journalist, activist.

Virtual only presentation

Governments around the world (US, UK, EU) are planning to force interoperability on the biggest tech platforms. Companies like Facebook say that this is a privacy disaster because it would hurt their ability to keep us safe from privacy invasions. Yeah, I know. But even if you DO think Facebook has our best interests at heart, monopoly is a deeply stupid way to protect privacy. I will present "Privacy Without Monopoly," a major EFF white paper I co-authored with Bennett Cyphers, which sets out a framework for understanding how privacy and interop aren't just compatible - they rely on one another!

https://www.eff.org/wp/interoperability-and-privacy

Cory Doctorow
Cory Doctorow (craphound.com) is a science fiction novelist, journalist and technology activist. He is a contributor to many magazines, websites and newspapers. He is a special consultant to the Electronic Frontier Foundation (eff.org), a non-profit civil liberties group that defends freedom in technology law, policy, standards and treaties. He holds an honorary doctorate in computer science from the Open University (UK), where he is a Visiting Professor; he is also an MIT Media Lab Research Affiliate and a Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science. In 2007, he served as the Fulbright Chair at the Annenberg Center for Public Diplomacy at the University of Southern California.

His novels have been translated into dozens of languages and are published by Tor Books, Head of Zeus (UK), Titan Books (UK) and HarperCollins (UK). He has won the Locus, Prometheus, Copper Cylinder, White Pine and Sunburst Awards, and been nominated for the Hugo, Nebula and British Science Fiction Awards.

His recent books include ATTACK SURFACE (2020), a standalone sequel to LITTLE BROTHER intended for adults, POESY THE MONSTER SLAYER, a picture book for young children (2020), the nonfiction tech/politics book HOW TO DESTROY SURVEILLANCE CAPITALISM (2020), RADICALIZED (2019) and WALKAWAY (2017), science fiction for adults; and IN REAL LIFE, a young adult graphic novel created with Jen Wang (2014).

His latest young adult novel is HOMELAND, the bestselling sequel to 2008’s LITTLE BROTHER. His New York Times Bestseller LITTLE BROTHER was published in 2008. His latest short story collection is WITH A LITTLE HELP, available in paperback, ebook, audiobook and limited edition hardcover. In 2011, Tachyon Books published a collection of his essays, called CONTEXT: FURTHER SELECTED ESSAYS ON PRODUCTIVITY, CREATIVITY, PARENTING, AND POLITICS IN THE 21ST CENTURY (with an introduction by Tim O’Reilly) and IDW published a collection of comic books inspired by his short fiction called CORY DOCTOROW’S FUTURISTIC TALES OF THE HERE AND NOW. THE GREAT BIG BEAUTIFUL TOMORROW, a PM Press Outspoken Authors chapbook, was also published in 2011.

LITTLE BROTHER was nominated for the 2008 Hugo, Nebula, Sunburst and Locus Awards. It won the Ontario Library White Pine Award, the Prometheus Award as well as the Indienet Award for bestselling young adult novel in America’s top 1000 independent bookstores in 2008; it was the San Francisco Public Library’s One City/One Book choice for 2013. It has also been adapted for stage by Josh Costello.

He co-founded the open source peer-to-peer software company OpenCola, and serves on the boards and advisory boards of the Participatory Culture Foundation, the Clarion Foundation, the Open Technology Fund and the Metabrainz Foundation. He maintains a daily blog at Pluralistic.net.

@doctorow

Response Smuggling: Pwning HTTP/1.1 Connections

45 minutes | Demo, Exploit

Martin Doyhenard Security Researcher at Onapsis

Speaker(s) will be at DEF CON!

Over the past few years, we have seen some novel presentations re-introducing the concept of HTTP request smuggling, to reliably exploit complex landscapes and systems. With advanced techniques, researchers were able to bypass restrictions and breach the security of critical web applications.

This presentation will take a new approach, focusing on the response pipeline desynchronization, a rather unexplored attack vector in HTTP Smuggling.

First, I will introduce a Desync variant, using connection-tokens to hide arbitrary headers from the backend. This technique does not abuse discrepancy between HTTP parsers, but instead relies on a vulnerability in the protocol itself!

The issue was found and reported under Google’s Vulnerability Reward Program for a nice bounty!

Next, I will show how it is possible to inject multiple messages at the backend server, mixing the pipeline’s connection order, and hijack users' sessions from login requests.

Finally, using a novel technique known as Response Scripting, I will demonstrate how to create malicious outbound messages using static responses as the building blocks. This will be leveraged to write custom responses and take control of one of the most popular protocols in history!

REFERENCES:
RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
https://tools.ietf.org/html/rfc2616

RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
https://tools.ietf.org/html/rfc7231

CHAIM LINHART, AMIT KLEIN, RONEN HELED, STEVE ORRIN:
HTTP Request Smuggling
https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

James Kettle:
HTTP Desync Attacks: Request Smuggling Reborn
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
https://portswigger.net/research/http-desync-attacks-what-happened-next

Emile Fugulin
HTTP Desync Attacks with Python and AWS
https://medium.com/@emilefugulin/http-desync-attacks-with-python-and-aws-1ba07d2c860f

Amit Klein
HTTP Request Smuggling in 2020
https://i.blackhat.com/USA-20/Wednesday/us-20-Klein-HTTP-Request-Smuggling-In-2020-New-Variants-New-Defenses-And-New-Challenges.pdf

Martin Doyhenard
Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on web stack security, reverse engineering and binary analysis, and he is also an active CTF player. Martin has spoken at different conferences including RSA, Troopers, Hack In The Box and EkoParty and presented multiple critical vulnerabilities.

@tincho_508

Worming through IDEs

20 minutes | Demo, Exploit

David Dworken Security Engineer, Google

Virtual only presentation

You might think that as long as you never hit run, opening up that interesting new POC in your IDE and checking out the code is safe. But it isn't. IDEs and developer tools are complex pieces of software that have vulnerabilities, just like everything else.

We'll start by discussing what a reasonable threat model is for IDEs. How do companies threat model their IDEs? What do users expect of their IDEs? Is viewing a file equivalent to executing it?

Then we'll dive into the reality of it. Nearly every IDE examined was trivially vulnerable. But there were also a variety of subtle bugs lying underneath. We'll look at bugs in both local IDEs (like VSCode and IntelliJ) and cloud-based IDEs (like AWS Cloud9 and GitHub Codespaces).

Finally, we'll show how an attacker could make a worm that would spread through attacking IDEs. View a malicious project? Let's automatically backdoor every project on a computer and keep spreading.

REFERENCES:
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
https://nvd.nist.gov/vuln/detail/CVE-2012-3479
http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
https://www.cvedetails.com/vulnerability-list/vendor_id-15146/product_id-49160/year-2019/Jetbrains-Intellij-Idea.html

David Dworken
David is a bug bounty hunter turned software engineer turned security engineer. He started in security in high school hacking on bug bounties and then spent four years learning how to be an effective software engineer. He's worked on five different product security teams ranging from startups to large corporations. He previously published a research paper on tracking malicious proxies in ACSAC. Currently, he works as a security engineer at Google working on deploying an alphabet soup of security headers across hundreds of services.

@ddworken
daviddworken.com

eBPF, I thought we were friends!

45 minutes | Demo, Tool

Guillaume Fournier Security Engineer at Datadog

Sylvain Afchain Staff Engineer at Datadog

Sylvain Baubeau Staff Engineer at Datadog

Virtual only presentation

Since its first appearance in Kernel 3.18, eBPF (Extended Berkeley Packet Filter) has progressively become a key technology for observability in the Linux kernel. Initially dedicated to network monitoring, eBPF can now be used to monitor and trace any kind of kernel space activity.

Over the past few years, many vendors have started using eBPF to speed up their services or introduce innovative features. Cilium, Calico, Cloudflare, Netflix and Facebook are leading the charge, showing off new complex networking use cases on a monthly basis. On the security side of things, Google recently contributed the Kernel Runtime Security Instrumentation which opens the door to writing Linux Security Modules with eBPF.

In other words, eBPF is the new kid in town and a growing number of companies are running services with eBPF access in production. This leads us to a simple question: how bad can things get if one of those services were to be compromised? This talk will cover how we leveraged eBPF to implement a full blown rootkit with all the features you would expect: various obfuscation techniques, command and control with remote and persistent access, data theft and exfiltration techniques, Runtime Application Self-Protection evasion techniques, and finally two original container breakout techniques.

Simply put, our goal is to demonstrate that rogue kernel modules might have finally found a worthy opponent. We will also detail how to detect such attacks and protect your infrastructure from them, while safely enjoying the exciting capabilities that eBPF has to offer.

REFERENCES:
Bibliography and documentation links cited in the submission:

1. Russian GRU 85th GTsSS deploys previously undisclosed drovorub malware, NSA / FBI, August 2020 https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
2. Kprobe-based Event Tracing, https://www.kernel.org/doc/html/latest/trace/kprobetrace.html
3. Linux Kernel tracepoints, https://www.kernel.org/doc/html/latest/trace/tracepoints.html
4. “bpf_probe_write_user” bpf helper, https://elixir.bootlin.com/linux/v5.11.11/source/include/uapi/linux/bpf.h#L1472
5. Uprobe-based Event Tracing, https://www.kernel.org/doc/html/latest/trace/uprobetracer.html
6. Cilium’s XDP documentation, https://docs.cilium.io/en/latest/bpf/#xdp

Previous eBPF related talks & projects that helped us build the rootkit:

7. Evil eBPF In-Depth: Practical Abuses of an In-Kernel Bytecode Runtime, Jeff Dileo, DEF CON 27, https://www.defcon.org/html/defcon-27/dc-27-speakers.html#Dileo
8. Process level network security monitoring and enforcement with eBPF, Guillaume Fournier, https://www.sstic.org/2020/presentation/process_level_network_security_monitoring_and_enforcement_with_ebpf/

9. Runtime Security with eBPF, Sylvain Afchain, Sylvain Baubeau, Guillaume Fournier, https://www.sstic.org/2021/presentation/runtime_security_with_ebpf/
10. Monitoring and protecting SSH sessions with eBPF, Guillaume Fournier, https://www.sstic.org/2021/presentation/monitoring_and_protecting_ssh_sessions_with_ebpf/

Guillaume Fournier
Guillaume Fournier is a Security Engineer at Datadog where he focuses on developing a new generation of runtime security tools powered by eBPF. In his free time, he likes to build defensive and offensive security tools such as a Chrome-like sandbox for VLC on Linux, or various projects to automate the hacking of drones and wireless keyboards.

@gui774ume

Sylvain Afchain
Sylvain Afchain is a staff software engineer at Datadog. He's been working on Linux for more than 15 years. He has mostly worked on distributed systems, cloud infrastructure and SDN solutions. In his spare time, he enjoys cycling, playing tennis and badminton.

Sylvain Baubeau
Sylvain Baubeau is a staff software engineer, mostly working on Linux, cloud and infrastructure technologies. In his spare time, he likes to play drums, reverse engineer old games and build arcades.

DoS: Denial of Shopping – Analyzing and Exploiting (Physical) Shopping Cart Immobilization Systems

20 minutes

Joseph Gabay Hacker

Speaker(s) will be at DEF CON!

Many supermarkets and shopping centers have implemented devices that “lock” their shopping carts if they’re taken outside of an approved boundary (e.g., a parking lot). This talk examines some of the technology that’s used to do this, as well as ways to capture and spoof the control signals to defeat these devices.

We will go over the anatomy of remotely lockable shopping cart wheels, their basic theory, and get into how they’re controlled. We’ll deconstruct some samples of the lock and unlock signals captured using a homemade antenna and a HackRF, and briefly discuss methods of rebroadcasting them – as well as the challenges inherent to this process.

DISCLAIMER
This talk is the result of a personal project.

Any views, opinions, or research presented in this talk are personal and belong solely to the presenter. They do not represent or reflect those of any person, institution, or organization that the presenter may or may not be associated with in a professional or personal capacity unless explicitly stated otherwise.

REFERENCES
- The ARRL handbook for radio communications, 2007. Newington, CT: American Radio Relay League, 2006. Print.
- https://www.tmplab.org/2008/06/18/consumer-b-gone/
- http://www.woodmann.com/fravia/nola_wheel.htm
- The wonderful people over at /r/rfelectronics
- FCC.gov

Joseph Gabay
Joseph is a robotics engineer in Boston, Massachusetts where he works on a variety of projects ranging from electromechanical designs to embedded systems.

His passion lies in further understanding the way the world works and uncovering the small secrets that we encounter in our day to day lives. This project started as an idle curiosity and grew into an opportunity to further explore the complex and deep world of RF communications and embedded systems.

Joseph is an avid part of the local maker community, with extensive experience in 3D printing, rapid-fabricobbling, and breaking stuff for fun and profit. Outside of his day job, he enjoys woodworking and metalworking and is constantly collecting new hobbies and interests.

Robots with lasers and cameras (but no security): Liberating your vacuum from the cloud

45 minutes | Tool, Exploit

Dennis Giese Hacker

Speaker(s) will be at DEF CON!

Vacuum robots are becoming increasingly popular and affordable as their technology grows ever more advanced, including sensors like lasers and cameras. It is easy to imagine interesting new projects to exploit these capabilities. However, all of them rely on sending data to the cloud. Do you trust the company's promise that no video streams are uploaded to the cloud and that your personal data is safe? Why not collect the dust with open-source software?

I previously showed ways to root robots such as Roborock and Xiaomi, which enabled owners to use their devices safely with open-source home automation. In response, vendors began locking down their devices with technologies like Secure Boot, SELinux, LUKS encrypted partitions and custom crypto that prevents gaining control over our own devices. This talk will update my newest methods for rooting these devices.

The market of vacuum robots expanded in the past 2 years. In particular, the Dreame company has recently released many models with interesting hardware, like ToF cameras and line lasers. This can be a nice alternative for rooting. I will show easy ways to get root access on these devices and bypass all security. I will also discuss backdoors and security issues I discovered from analysis. You will be surprised what the developers left in the firmware.

REFERENCES:
Unleash your smart-home devices: Vacuum Cleaning Robot Hacking (34C3)
https://dontvacuum.me/talks/34c3-2017/34c3.html

Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices
https://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.html

https://linux-sunxi.org/Main_Page

Dennis Giese
Dennis is a PhD student and a cybersecurity researcher at Northeastern University. He was a member of one European ISP's CERT for several years.

While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices.

His best-known projects are the rooting and hacking of various vacuum robots.

@dgi_DE
https://dontvacuum.me

Defeating Physical Intrusion Detection Alarm Wires

45 minutes | Tool

Bill Graydon Principal, Research, GGR Security

Speaker(s) will be at DEF CON!

Alarm systems are ubiquitous - no longer the realm of banks and vaults only, many people now have them in their homes or workplaces. But how do they work? And the logical follow-up question - how can they be hacked?

This talk focuses on the communication lines in physical intrusion detection systems: how they are secured, and what vulnerabilities exist. We’ll discuss the logic implemented in the controllers and the protections on the communication lines, including end-of-line resistors, and all the ways that this aspect of the system can be exploited.

In particular, we’ll release schematics for a tool we’ve developed that enables measuring end-of-line resistor systems covertly, determining the necessary re-wiring to defeat the sensors, and deploying it without setting off the alarm.

After the talk, you can head over to the Lock Bypass Village to try these techniques out for yourself!

Bill Graydon
Bill Graydon is a principal researcher at GGR Security, where he hacks everything from locks and alarms to critical infrastructure; this has given him some very fine-tuned skills for breaking stuff. He’s passionate about advancing the security field through research, teaching numerous courses, giving talks, and running DEF CON’s Lock Bypass Village. He’s received various degrees in computer engineering, security, and forensics and comes from a broad background of work experience in cyber security, software development, anti-money laundering, and infectious disease detection.

@access_ctrl
https://github.com/bgraydon
https://www.youtube.com/channel/UCzZK3vjJL9rKNPXNoCPFO5g/videos


Phantom Attack: Evading System Call Monitoring

45 minutes | Demo, Tool, Exploit

Rex Guo Head of Research, Confluera

Junyuan Zeng Senior Software Engineer, Linkedin

Speaker(s) will be at DEF CON!

Phantom attack is a collection of attacks that evade Linux system call monitoring. A user mode program does not need any special privileges or capabilities to reliably evade system call monitoring using Phantom attack by exploiting insecure tracing implementations.

After adversaries gain an initial foothold on a Linux system, they typically perform post-exploitation activities such as reconnaissance, execution, privilege escalation, persistence, etc. It is extremely difficult if not impossible to perform any non-trivial adversarial activities without using Linux system calls.

Security monitoring solutions on Linux endpoints typically offer system call monitoring to detect attacks effectively. Modern solutions often use either eBPF-based programs or kernel modules to monitor system calls through tracepoints and/or kprobes. Any adversary operation, including abnormal and/or suspicious system calls, reveals additional information to the defenders and can trigger detection alerts.

We will explain the generic nature of the vulnerabilities exploited by Phantom attack. We will demonstrate Phantom attack on two popular open source Linux system call monitoring solutions, Falco (Sysdig) and Tracee (Aqua Security). We will also explain the differences between Phantom v1 and v2 attacks. Finally, we will discuss mitigations for Phantom attack and secure tracing in the broader context beyond system call tracing.

REFERENCES:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33505
https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf
https://www.youtube.com/watch?v=MIJL5wLUtKE
https://dl.packetstormsecurity.net/1005-advisories/khobe-earthquake.pdf

Rex Guo
Rex Guo works as Head of Research at Confluera, where he leads the security research and development of the cloud XDR product, which includes the real-time threat storyboarding capabilities (a.k.a. attack narrative). Before joining Confluera, he was an engineering manager at Cisco Tetration, where his team bootstrapped the server EDR product deployed on millions of cloud endpoints. Before that, Rex worked at both Intel Security and Qualcomm. In these positions, he has worked on application security, infrastructure security, malware analysis, and mobile/IoT platform security. He has presented at Black Hat multiple times. He has 30+ patents and publications. He received a PhD from New York University.

@Xiaofei_REX
https://www.linkedin.com/in/xiaofeiguo/

Junyuan Zeng
Junyuan Zeng is Senior Software Engineer at LinkedIn. Before LinkedIn, he was Staff Security Architect at JD.com, where he designed and architected container security monitoring solutions. Before that he was Staff Software Engineer for mobile payment security at Samsung and a security researcher at FireEye, where he worked on mobile malware analysis. He has published in ACM CCS, USENIX ATC, and other top academic conferences. He obtained his PhD in Computer Science from The University of Texas at Dallas.

https://www.linkedin.com/in/junyuanzeng/


TEMPEST radio station

45 minutes | Tool

Paz Hameiri Hacker

Virtual only presentation

TEMPEST is a cyber security term that refers to the use of electromagnetic energy emissions generated by electronic devices to leak data out of a target device. The attacks may be passive (where the attacker receives the emissions and recovers the data) or active (where the attacker uses dedicated malware to target and emit specific data).

In this talk I present a new side channel attack that uses GPU memory transfers to emit electromagnetic waves which are then received and processed by the attacker. Software developed for this work encodes audio on one computer and transmits it to the reception equipment positioned fifty feet away. The signals are received and processed, and the audio is decoded and played. The maximum bit rate achieved was 33 kbit/s, and more than 99% of the packets were received.

Frequency selection not only enables maximization of signal quality over distance, but also enables the attacker to receive signals from a specific computer when several computers in the area are active. The software developed demonstrates audio packet transfers, but other types of digital data may be transmitted using the same technique.

REFERENCES:
van Eck, W. "Electromagnetic radiation from video display units: an eavesdropping risk?" Computers and Security, 4, no. 4: 269-286, 1985.
Kuhn, M. G., and Anderson, R. J. "Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations." In Information Hiding (1998), ed. D. Aucsmith, vol. 1525 of Lecture Notes in Computer Science, (Springer): 124–142.
Thiele, E., “Tempest for Eliza.” 2001. http://www.erikyyy.de/tempest/.
Kania B., “VGASIG: FM radio transmitter using VGA graphics card.” 2009. http://bk.gnarf.org/creativity/vgasig/vgasig.pdf.
Guri M., Kedma G., Kachlon A., Elovici Y. “AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies.” In Malicious and Unwanted Software: The Americas (MALWARE), 2014 9th International Conference on IEEE, 2014: 58-67.
2pkaqwtuqm2q7djg, "Overclocking tools for NVIDIA GPUs suck, I made my own." 2015. https://1vwjbxf1wko0yhnr.wordpress.com/2015/08/10/overclocking-tools-for-nvidia-gpus-suck-i-made-my-own/
nvapioc project: https://github.com/Demion/nvapioc
SDRplay API Specification v3, https://www.sdrplay.com/docs/SDRplay_API_Specification_v3.pdf
Simon Rockliff's Reed-Solomon encoding-decoding code at http://www.eccpage.com/rs.c

Paz Hameiri
Paz started his professional life 30 years ago, hacking games and developing tools in his teen years. Since then, he has worked in several companies, developing both hardware and software.

Paz has six years of experience with telecommunication systems design and circuits. He explored GPU hardware and software design in his Master's thesis. For 12 years, Paz led multidisciplinary systems development as a systems engineer in an international homeland security company.

At home, Paz explores ideas he finds interesting. In 2019 he published his work on a body-tracking device that records keystrokes on a safe's keypad.

https://il.linkedin.com/in/paz-hameiri-251b11143


Old MacDonald Had a Barcode, E-I-E-I CAR

45 minutes | Demo

Richard Henderson

Speaker(s) will be at DEF CON!

For decades, the EICAR test string has been used by antivirus and security vendors to safely test their detection engines without having to use live virulent samples which could cause harm. What would happen if you took that string, encoded it into a machine-readable format like a QR code, and started scanning various devices with the QR code? This talk shows how there are a lot of systems out there that aren't expecting an input string like EICAR and how many of them just collapse when shown the code. We will also discuss the types of systems you can target and how you may be able to extend this to more than a nuisance attack.

REFERENCES:
EICAR test string: https://www.eicar.org/?page_id=3950
EICAR wikipedia entry: https://en.wikipedia.org/wiki/EICAR_test_file
QR codes: https://en.wikipedia.org/wiki/QR_code
Risks surrounding QR codes: https://en.wikipedia.org/wiki/QR_code#Risks

Richard Henderson
Richard Henderson is a writer, researcher, and ham radio/electronics nerd who has worked in infosec and technology for almost two decades. Richard has taught multiple times at DEF CON and leads the annual DEF CON Ham Radio Fox Hunt Contest. Richard is currently co-authoring a book on cybersecurity for ICS/SCADA systems.

@richsentme


Sleight of ARM: Demystifying Intel Houdini

45 minutes | Demo

Brian Hong Security Consultant, NCC Group

Speaker(s) will be at DEF CON!

In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. However, you might be surprised to know that Intel has long supported the ARM-to-x86 transition with their binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and how it is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86 code, and write Houdini-targeted malware that bypasses existing platform analysis.

REFERENCES:
* Ye, Roger. Android System Programming: Porting, Customizing, and Debugging Android HAL. Packt Publishing, 2017.
* JNI Functions, Oracle, 12 Nov. 2002, https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html
* Chromium OS Docs. Linux System Call Table, https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md
* The Development Environment : Android Developers. Android Developers, https://developer.android.com/topic/arc/development-environment
* Nachoparker. Own Your Bits, 14 June 2018, https://ownyourbits.com/2018/06/13/transparently-running-binaries-from-any-architecture-in-linux-with-qemu-and-binfmt_misc/
* Git at Google. Android container in Chrome OS, archived at https://web.archive.org/web/20200128052853/https://chromium.googlesource.com/chromiumos/platform2/+/master/arc/container-bundle/
* Oberheide, J. & Miller, C. 2012, June. Dissecting the Android Bouncer [Presentation] @ SummerCON, Brooklyn, New York

Brian Hong
Brian Hong is a security consultant at NCC Group, a global information assurance specialist providing organizations with expert security consulting services. He specializes in hardware penetration testing, reverse engineering, and has performed security research related to embedded systems, firmware analysis, web application penetration testing, and Android security and malware analysis. Brian has a B. Eng. in Electrical Engineering and Computer Science from The Cooper Union.


Caught you - reveal and exploit IPC logic bugs inside Apple

45 minutes | Demo, Exploit

Zhipeng Huo Senior Researcher, Tencent Security Xuanwu Lab

Yuebin Sun Senior Researcher, Tencent Security Xuanwu Lab

Chuanda Ding Senior Researcher, Tencent Security Xuanwu Lab

Virtual only presentation

Apple's iOS, macOS and other OSes have existed for a long time, and numerous interesting logic bugs have stayed hidden in them for many years. We demonstrated the world's first public 0day exploit running natively on Apple M1 on a MacBook Air (M1, 2020). Without any modification, we exploited an iPhone 12 Pro with the same bug.

In this talk, we will show you the advantage and beauty of IPC logic bugs, and how we rule all Apple platforms, Intel and Apple Silicon alike, even with all the latest hardware mitigations enabled, without changing one line of code. We will talk about the security features introduced by Apple M1, like Pointer Authentication Code (PAC), System Integrity, and Data Protection, and how they make exploitation much harder, providing better security and protecting users' privacy. We will talk about different IPC mechanisms like Mach Message, XPC, and NSXPC. These are widely used on Apple platforms and can be abused to break otherwise well-designed security boundaries.

We will walk you through some incredibly fun logic bugs we have discovered, share the stories behind them and methods of finding them, and also talk about how to exploit these logic bugs to achieve privilege escalation.

REFERENCES:
https://www.youtube.com/watch?v=Kh6sEcdGruU
https://support.apple.com/en-us/HT211931
https://support.apple.com/en-us/HT211850
https://support.apple.com/en-us/HT212011
https://support.apple.com/en-us/HT212317
https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
https://helpx.adobe.com/security/products/acrobat/apsb20-48.html
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html

Zhipeng Huo
Zhipeng Huo is a senior security researcher on macOS and Windows platform security at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018 and DEF CON 28.

@R3dF09

Yuebin Sun
Yuebin Sun is a senior security researcher at Tencent Security Xuanwu Lab.

@yuebinsun2020

Chuanda Ding
Chuanda Ding is a senior security researcher on Windows platform security. He leads EcoSec team at Tencent Security Xuanwu Lab. He was a speaker at Black Hat Europe 2018, DEF CON China 2018, CanSecWest 2017, CanSecWest 2016, and QCon Beijing 2016.

@FlowerCode_


New Phishing Attacks Exploiting OAuth Authentication Flows

45 minutes | Demo, Tool

Jenko Hwong Netskope Threat Research team

Speaker(s) will be at DEF CON!

OAuth 2.0 device authorization gives users on limited-input devices like TVs an easier way to authenticate against and authorize a cloud website/app by entering a code on a computer/phone. This authentication and authorization flow leads to new phishing attacks that:

- do not need server infrastructure--the login page is served by the authorization provider using their domain and cert
- do not require a client application--application identities can be reused/spoofed
- do not require user consent of application permissions
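The device authorization grant described above, as an added example that is not the speaker's tool or any provider's code: a constructed in-memory RFC 8628 authorization server and device client in Python, with hypothetical names (`issuer.example`, client id `tv-app-123`, user `alice`). It shows both sides of the exchange and the property that makes the flow dangerous to phish: the user signs in (MFA included) at the provider's own page and types only a short user code, while the access token is delivered to whoever polls the token endpoint with the matching `device_code`. The server's `audit_log` is where a defender would look for device-code approvals by client id and user.

```python
"""RFC 8628 device authorization grant, both sides, as a self-contained mock.

Added example, not the speaker's tool or any provider's code. `AuthorizationServer`
is a constructed in-memory issuer; `run_device_flow` plays the limited-input device.
"""
import secrets
from typing import Callable, Dict, List, Optional

VERIFICATION_URI = "https://issuer.example/device"  # constructed placeholder
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"         # RFC 8628 §6.1: avoid ambiguous chars


class AuthorizationServer:
    def __init__(self, registered_clients: Dict[str, str]) -> None:
        self.clients = dict(registered_clients)   # client_id -> display name shown to user
        self.pending: Dict[str, dict] = {}        # device_code -> request record
        self.by_user_code: Dict[str, str] = {}    # user_code -> device_code
        self.audit_log: List[dict] = []           # what a defender can query afterwards

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """POST /device_authorization (RFC 8628 §3.1-3.2): issue the code pair."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2))
        self.pending[device_code] = {"client_id": client_id, "scope": scope,
                                     "user_code": user_code, "approved_by": None,
                                     "redeemed": False}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 600, "interval": 5}

    def user_approves(self, user_code: str, username: str) -> Optional[str]:
        """Browser side (§3.3): a signed-in user enters the code on the issuer's page.
        Returns the client display name the user was shown, or None for an unknown code."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return None
        rec = self.pending[device_code]
        rec["approved_by"] = username
        self.audit_log.append({"event": "device_code_approved", "user": username,
                               "client_id": rec["client_id"], "scope": rec["scope"]})
        return self.clients[rec["client_id"]]

    def token(self, client_id: str, device_code: str) -> dict:
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code (§3.4-3.5).
        The token goes to the holder of device_code; the user's browser is never involved."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id or rec["redeemed"]:
            return {"error": "invalid_grant"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        rec["redeemed"] = True  # single use
        self.audit_log.append({"event": "token_issued", "user": rec["approved_by"],
                               "client_id": client_id, "scope": rec["scope"]})
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": rec["scope"], "sub": rec["approved_by"]}


def run_device_flow(server: AuthorizationServer, client_id: str, scope: str,
                    hand_code_to_user: Callable[[str, str], None], max_polls: int = 10) -> dict:
    """Device side: request codes, show the user code, then poll until a token arrives.
    `hand_code_to_user` stands in for displaying the code on the device's screen."""
    auth = server.device_authorization(client_id, scope)
    if "error" in auth:
        return auth
    hand_code_to_user(auth["user_code"], auth["verification_uri"])
    for _ in range(max_polls):  # a real client sleeps `interval` seconds between polls
        resp = server.token(client_id, auth["device_code"])
        if resp.get("error") != "authorization_pending":
            return resp
    return {"error": "expired_token"}


def demo() -> dict:
    """One complete exchange plus the edge cases; returns observations for checking."""
    server = AuthorizationServer({"tv-app-123": "Example TV App"})
    seen: dict = {}

    def user_enters_code(user_code: str, uri: str) -> None:
        # Constructed user: already signed in at `uri`, types the code on the issuer's page.
        seen["shown_as"] = server.user_approves(user_code, "alice")

    # 1. A request nobody has approved yet stays pending.
    stale = server.device_authorization("tv-app-123", "mail.read")
    seen["before_approval"] = server.token("tv-app-123", stale["device_code"])["error"]
    # 2. Full exchange: the token is bound to the device_code holder, not to the browser.
    tok = run_device_flow(server, "tv-app-123", "mail.read", user_enters_code)
    seen["token_sub"] = tok.get("sub")
    seen["token_type"] = tok.get("token_type")
    # 3. Unknown client ids are refused at the first step.
    seen["unknown_client"] = run_device_flow(server, "nope", "mail.read", user_enters_code)["error"]
    seen["audit_events"] = [e["event"] for e in server.audit_log]
    return seen


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the exchange ties the approving browser session to the polling client: the provider only knows a registered `client_id` and a scope, which is why reviewing the audit trail of device-code approvals per client id, and restricting which clients may use this grant, are the controls a defender has.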

Since these phishing attacks hijack OAuth session tokens, MFA will be ineffective, as the attacker does not need to reauthenticate. The ability to defend against these attacks is hindered by limited information and functionality to detect, mitigate, and prevent session token compromise.

I'll demonstrate these new phishing attacks, access to sensitive user data, and lateral movement.

Defensive measures against these phishing attacks will be discussed, specifically the challenges in detection, mitigation, and prevention, and the overall lack of support for managing temporary credentials.

Open-source tools have been developed and will be used to demonstrate how users can:

- self-phish their organizations using these techniques
- audit security settings that help prevent/mitigate the attacks

REFERENCES:
1.0 Evolving Phishing Attacks

1.1 A Big Catch: Cloud Phishing from Google App Engine and Azure App Service: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service

1.2 Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks: https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/

1.3 Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps: https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/

1.4 Office 365 Phishing Attack Leverages Real-Time Active Directory Validation: https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/

1.5 Demonstration - Illicit Consent Grant Attack in Azure AD: https://www.nixu.com/blog/demonstration-illicit-consent-grant-attack-azure-ad-office-365
https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/

1.6 Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD: https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/

1.7 HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor: https://securecloud.blog/2019/12/17/helsec-azure-ad-write-up-phishing-on-steroids-with-azure-ad-consent-extractor/

1.8 Pawn Storm Abuses OAuth In Social Engineering Attack: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html


2.0 OAuth Device Code Flow

2.1 OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6749

2.2 OAuth 2.0 Device Authorization Grant RFC: https://datatracker.ietf.org/doc/html/rfc8628

2.3 OAuth 2.0 for TV and Limited-Input Device Applications: https://developers.google.com/identity/protocols/oauth2/limited-input-device

2.4 OAuth 2.0 Scopes for Google APIs: https://developers.google.com/identity/protocols/oauth2/scopes

2.5 Introducing a new phishing technique for compromising Office 365 accounts: https://o365blog.com/post/phishing/#oauth-consent

2.6. Office Device Code Phishing: https://gist.github.com/Mr-Un1k0d3r/afef5a80cb72dfeaa78d14465fb0d333


3.0 Additional OAuth Research Areas

3.1 Poor OAuth implementation leaves millions at risk of stolen data: https://searchsecurity.techtarget.com/news/450402565/Poor-OAuth-implementation-leaves-millions-at-risk-of-stolen-data

3.2 How did a full access OAuth token get issued to the Pokémon GO app?: https://searchsecurity.techtarget.com/answer/How-did-a-full-access-OAuth-token-get-issued-to-the-Pokemon-GO-app

Jenko Hwong
Jenko Hwong is on the Netskope Threat Research team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and Windows security.

@jenkohwong


The PACS-man Comes For Us All: We May Be Vaccinated, but Physical Access Control Still Sucks

45 minutes | Demo, Tool, Exploit

Babak Javadi Co-Founder, Red Team Alliance

Nick Draffen

Eric Betts

Anze Jensterle

Speaker(s) will be at DEF CON!

It's 2021. You’re still here! You’re vaccinated! You should be happy and carefree! And yet…the PACS-man still haunts us all. Why should this be? Don’t we have newer, better tech with more bits of encryption and fewer wires? Haven’t the professional sentinels we’ve entrusted with our physical security software-defined ALL THE THINGS and made them better?

Nay, these are but fruits of the poisonous physical security tree! Come, fellow hackers and weary travelers, visit with the ghosts of access control and learn of the lies they’ve laid before us!

Come see how false guardians have used BLE sleight-of-hand to increase complexity and cost while reducing security, and ask that they be paid a tithing for the privilege! Witness young software-defined gladiators do battle in an arena they did not prepare for and falter!

Behold as our friendly ghosts of access control forge never-before seen tools to help slay false security prophets!

Babak Javadi
Babak Javadi is the Founder of The CORE Group and Co-Founder of the Red Team Alliance. In 2006 he co-founded The Open Organisation of Lockpickers, serving as Director for 13 years. As a professional red teamer with over a decade of field experience, Babak's expertise includes disciplines from high-security mechanical cylinders to alarms and physical access controls.

@babakjavadi

Nick Draffen
Nick Draffen, who sometimes gives off a mad-scientist vibe, is an engineer who dives deep into technology, namely in the area where the physical and digital worlds meet. By day he is a security engineer/architect working to secure lab instruments and everything around them; by night he builds and breaks things in his lab.

@tcprst

Eric Betts
Eric Betts is an exuberant, passionate, pragmatic software engineer. He is an avid open-source contributor. He likes to buy all the latest gadgets, and then take them apart. His claim to fame is making $10k from Snapchat (without taking his clothes off) for an RCE bug bounty. He responds to "Bettse" both online and in-person.

@aguynamedbettse

Anze Jensterle
Anze Jensterle is a Computer Science student by day and professional door opener by night who comes from Slovenia (not Slovakia). Having been involved with InfoSec since he was 17, when he earned his first bug bounty, he has continuously been developing his skills in different areas including Web, RFID and Embedded System Security.

@applejacksec


Wibbly Wobbly, Timey Wimey – What's Really Inside Apple's U1 Chip

45 minutes | Demo, Tool

jiska TU Darmstadt, SEEMOO

Alexander Heinrich TU Darmstadt, SEEMOO

Virtual only presentation

Apple introduced an Ultra Wideband (UWB) chip in the iPhone 11. Its cryptographically secured spatial measurement capabilities are accessible via the Nearby Interaction framework since iOS 14. As of now, it only supports interaction with other Apple devices including the latest Apple Watch and HomePod mini. These are the first steps to support UWB in a larger ecosystem, as measuring precise distance and direction can be an enabler for various future applications. The automotive industry already announced UWB support for mobile car keys on the iPhone.

But what’s really inside Apple’s U1 chip, internally called Rose? In this talk, we will travel through time, space, firmware and kernel components—and fight daemons to modify firmware interaction from user space. This will not only cover one or two, but three firmwares that process or forward each Rose time measurement: The Rose Digital Signal Processor (DSP), Rose Application Processor (AP), and the Always-On Processor (AOP).

REFERENCES:
Almost nothing is publicly known about UWB on iPhones, so the only reference is this:
https://support.apple.com/guide/security/ultra-wideband-security-sec1e6108efd/web

jiska
Jiska breaks things.

@naehrdine

Alexander Heinrich
Alexander is a security researcher at the Secure Mobile Networking Lab at the Technical University of Darmstadt. Before he joined the university as a researcher he gained a lot of experience as an app developer on Apple operating systems, starting with iOS 5. This deep understanding of the systems naturally resulted in a focus on those systems in his security research. He joined the Secure Mobile Networking Lab in 2020 as a PhD student right after his Master's thesis on the security of Apple's Handoff and Universal Clipboard features. After working with a team of skilled researchers on AirDrop and Apple's Find My network, his focus has now shifted to the security and privacy of ultra-wideband and Apple's U1 chip.

@Sn0wfreeze


Rotten code, aging standards, & pwning IPv4 parsing across nearly every mainstream programming language

45 minutes | Demo, Exploit

Kelly Kaoudis

Sick Codes Hacker

Virtual only presentation

Openness to responsibly disclosed external vulnerability research is crucial for modern software maintainers and security teams. Changes in upstream dependency code may have pulled the safety rug out from underneath widely trusted core libraries, leaving millions of services vulnerable to unsophisticated attacks. The impact of even a single reasonably well-distributed supply-chain security vulnerability will be felt by engineering teams across many applications, companies, and industries.

We'd like to discuss an IP address parsing vulnerability first discovered in private-ip, a small and infrequently maintained yet critically important Node.js package for determining whether an IP address should be considered part of a private range or not. We'll talk about not only the implications of this CVE but also taking the main idea and applying it across multiple programming languages in uniquely disturbing ways.

Sometimes, the effects of code rot are even more far-reaching than we could possibly expect, and if you pull on a thread, it just keeps going. Sometimes, you get lucky when you know exactly what you're looking for. Sometimes, it's hard to convince other technically-minded folks that a seemingly trivial implementation flaw is dangerous in capable hands.

This talk is beginner- as well as advanced-friendly; we'll show you the basics a hacker or a programmer needs to know about IP address parsing and how to tell your octal from your decimal along the way.
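The "octal from your decimal" point, as an added example that is not the speakers' code or any of the affected libraries' code: three constructed Python parsers for the same dotted string. `parse_naive` mirrors a library that reads every octet as decimal and silently drops leading zeros, `parse_lenient` emulates the classic C `inet_aton()` rules the operating system applies when it actually connects (a leading `0` means octal, `0x` means hex, fewer than four parts fill the remaining bytes), and `parse_strict` is the validator a defender wants. `private_check_disagrees` shows the gap a private-range filter must close: a string the filter judges public can resolve, at connect time, to loopback or a private address, and vice versa.

```python
"""Strict vs lenient IPv4 parsing: where octal/decimal confusion bites.

Added example, not the speakers' code. All three parsers are constructed
emulations written for this illustration, not any library's implementation.
"""
import ipaddress
from typing import Optional

OCTAL_DIGITS = set("01234567")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _ascii_digits(s: str) -> bool:
    """Non-empty, ASCII 0-9 only (int() would also accept '٣' or '1_0')."""
    return s != "" and s.isascii() and s.isdigit()


def parse_naive(addr: str) -> Optional[int]:
    """Every octet read as decimal; leading zeros ignored ("0177" -> 177)."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    result = 0
    for p in parts:
        if not _ascii_digits(p):
            return None
        v = int(p, 10)
        if v > 255:
            return None
        result = (result << 8) | v
    return result


def parse_lenient(addr: str) -> Optional[int]:
    """Emulation of classic inet_aton(): '0'-prefixed parts are octal, '0x' parts
    are hex, and the last part fills all remaining bytes ("0x7f.1" -> 127.0.0.1)."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        if p[:2].lower() == "0x":
            digits = p[2:]
            if digits == "" or not set(digits) <= HEX_DIGITS:
                return None
            vals.append(int(digits, 16))
        elif len(p) > 1 and p[0] == "0":
            if not set(p) <= OCTAL_DIGITS:
                return None  # "08" is not valid octal, so it is rejected outright
            vals.append(int(p, 8))
        elif _ascii_digits(p):
            vals.append(int(p, 10))
        else:
            return None
    *head, last = vals
    if any(v > 255 for v in head):
        return None
    remaining_bits = 8 * (4 - len(head))
    if last >= (1 << remaining_bits):
        return None
    result = 0
    for v in head:
        result = (result << 8) | v
    return (result << remaining_bits) | last


def parse_strict(addr: str) -> Optional[int]:
    """Exactly four ASCII-decimal octets, 0..255, no leading zeros: anything
    ambiguous is rejected rather than guessed."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    result = 0
    for p in parts:
        if not _ascii_digits(p) or len(p) > 3 or (len(p) > 1 and p[0] == "0"):
            return None
        v = int(p, 10)
        if v > 255:
            return None
        result = (result << 8) | v
    return result


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def private_check_disagrees(addr: str) -> Optional[bool]:
    """True when a naive-decimal 'is this private?' verdict differs from the verdict
    on the address an inet_aton-style connect would actually reach; None if either
    parser rejects the string."""
    naive, lenient = parse_naive(addr), parse_lenient(addr)
    if naive is None or lenient is None:
        return None
    return ipaddress.IPv4Address(naive).is_private != ipaddress.IPv4Address(lenient).is_private


if __name__ == "__main__":
    fmt = lambda n: "-" if n is None else to_dotted(n)
    for s in ["127.0.0.1", "0177.0.0.1", "010.0.0.1", "0x7f.1", "08.0.0.1"]:  # constructed inputs
        print(f"{s:12} naive={fmt(parse_naive(s)):10} lenient={fmt(parse_lenient(s)):10} "
              f"strict={fmt(parse_strict(s)):10} disagree={private_check_disagrees(s)}")
```

`"0177.0.0.1"` is the canonical case: the naive parser sees 177.0.0.1 (public), the lenient one sees 127.0.0.1 (loopback), and the strict one refuses the string, which is the only answer that cannot be wrong.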

REFERENCES:

Researchers involved in this work:
- Victor Viale: https://github.com/koroeskohr, koroeskohr
- Sick Codes: https://github.com/sickcodes, sickcodes
- Kelly Kaoudis: https://github.com/kaoudis, kaoudis
- John Jackson: https://www.johnjhacking
- Nick Sahler: https://github.com/nicksahler, tensor_bodega
- Cheng Xu: https://github.com/xu-cheng

Selected press coverage (as of May '21)
- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
- https://www.theregister.com/2021/03/29/netmask_cve/
- https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/

Currently released advisories related to this work (as of May '21)
- https://sick.codes/sick-2021-011/
- https://vuln.ryotak.me/advisories/6
- https://sick.codes/sick-2021-018/
- https://sick.codes/sick-2020-022/

Additional
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/
- https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
- https://blog.dave.tf/post/ip-addr-parsing/
- https://security-tracker.debian.org/tracker/CVE-2021-29424
- https://security-tracker.debian.org/tracker/CVE-2021-29662
- https://www.npmjs.com/package/netmask
- https://github.com/rs/node-netmask
- https://bugs.python.org/issue36384#msg392423
- https://github.com/rust-lang/rust/pull/83652
- https://github.com/rust-lang/rust/issues/83648

Kelly Kaoudis
Kelly Kaoudis is a senior software engineer working in application security in Colorado. After working with the group to validate and test the node-netmask bypass Viale discovered, Kaoudis wrote many of the proofs-of-concept which demonstrate the critical impact of this cascade of unique vulnerabilities.

@kaoudis
https://github.com/kaoudis

Sick Codes
Sick Codes maintains popular open source projects, publishes high-profile security vulnerabilities in good faith, and administers his namesake https://sick.codes, a security research and tutorial resource for developers. Sick Codes' work coordinating communication across many companies, foundations, and other open source organisations was invaluable in getting these vulnerabilities patched and responsibly disclosed.

@sickcodes
https://sick.codes
https://github.com/sickcodes
https://www.linkedin.com/in/sickcodes/


HTTP/2: The Sequel is Always Worse

45 minutes | Demo, Tool, Exploit

James Kettle Director of Research, PortSwigger Web Security

Virtual only presentation

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC oversights.

I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties.

After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.

Finally, I'll drop multiple exploit-primitives that resurrect a largely-forgotten class of vulnerability, and use HTTP/2 to expose fresh application-layer attack surface.

I'll leave you with an open-source scanner, a custom, open-source HTTP/2 stack, and free interactive labs so you can hone your new skills on live systems.

REFERENCES:
The HTTP/2 RFC is essential reading: https://tools.ietf.org/html/rfc7540
This research is built on my previous work on this topic:
https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn
This presentation by defparam has good explanations of response queue poisoning and self-desync attacks:
https://www.youtube.com/watch?v=3tpnuzFLU8g
I had a partial research collision with Emil Lerner. His work provides an alternative perspective on certain techniques:
https://github.com/neex/http2smugl

James Kettle
James Kettle is Director of Research at PortSwigger Web Security, where he cultivates novel web attack techniques. Recent work has focused on HTTP Request Smuggling, and using web cache poisoning to turn caches into exploit delivery systems. Past research includes server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He is also the author of multiple popular Burp Suite extensions including HTTP Request Smuggler, Param Miner and Turbo Intruder. He has spoken at numerous prestigious venues including DEF CON, both BlackHat USA and EU, and OWASP AppSec USA and EU.

@albinowax
https://skeletonscribe.net/


Over-the-air remote code execution on the DEF CON 27 badge via Near Field Magnetic Inductance
or
World’s first NFMI exploitation, sorta
or
OTARCEDC27NFMIOMGWTFBBQ

45 minutes | Demo, Tool, Exploit

Seth Kintigh Hardware Security Engineer, Dell

Speaker(s) will be at DEF CON!

The DEF CON 27 badge employed an obscure form of wireless communication: Near Field Magnetic Inductance (NFMI). The badges were part of a contest, and while poking through the firmware for hints I noticed a buffer overflow flaw. All it required to exploit it was an oversized packet… via a chip with no datasheet and no documentation on the proprietary protocol. Thus started a 2-year odyssey.

I used Software Defined Radio tools to study the signal's modulations. I built a receiver in GNU Radio and Python to convert signals into symbols, symbols obfuscated by a pattern that I had to deduce while only controlling a fraction of the bytes. Data was encoded in those symbols using proprietary convolution for even bits and Trellis Coded Modulation for odd bits. I then reversed their bizarre CRC and wrote tools to craft and send packets. Using those tools I chained bugs in 2 chips and remotely crashed the badge. However, limitations in the NFMI protocol made more sophisticated attacks impossible.

But after a year and a half invested, I was not about to give up. I soldered leads to middle layer traces, extracted and reverse engineered the NFMI firmware, fixed their protocol, and patched a badge FW to patch the NFMI FW. At long last I achieved what may be the world’s first, over-the-air, remote code exploit via NFMI.

Seth Kintigh
Seth Kintigh learned to program at age 12 on an IBM PCjr, and his grandmother taught him how to crack ciphers. His first hack was to get infinite lives and beat the Atari 2600 game Solaris. He earned a BS EE with minors in CS and physics and an MS EE with a concentration in cryptography and information security from WPI. He worked 6 years as a hardware engineer and 17 in security. Hobbies include cracking historical ciphers and restoring a Victorian home.


HACKERS INTO THE UN? Engaging in the cyber discussions on war & peace - DEF CON Policy Panel

45 min panel

Alexander Klimburg DEF CON Policy Dept, Panel Moderator

Chris Painter Global Forum of Cyber Expertise, Former head of US cyber diplomacy

Lauren Zabierek Harvard Belfer Cyber Project

Maarten Van Horenbeeck Forum of Incident Responders and Security Teams (VIRTUAL)

Sheetal Kumar Global Partners Digital (VIRTUAL)

Bill "Woody" Woodcock Chair of the Foundation Council, Quad9, Packet Clearing House

Speaker(s) will be at DEF CON!

As if 2020 and 2021 were not bad enough, the Covid-19 pandemic seemed to have been accompanied by a new rash of bad cyber-attacks on major platforms like SolarWinds and Microsoft, infrastructures worldwide subverted in ransomware campaigns, and even the very organizations researching and fighting the pandemic have been hit.

Meanwhile, the hard work of cyber diplomacy continues, with talks on war and peace in the United Nations reaching a new stage as two working groups presented their final reports and a third one is in the process of being born. Mostly the topics concern establishing norms of cyber behavior, the rules of the road for what states can do in cyberspace. But where are the hackers in all this? The Internet is famously not run by intergovernmental organizations, so the companies, civil society groups and others should somehow be involved, and one of the UN processes did in fact make a small step in that direction. But the staid ways of pin-striped cyber are hard to change. What is the best way for the community to engage?

Alexander Klimburg
Alexander Klimburg is a cyber policy wonk, infosec geek, and free Internet advocate. The director of the Global Commission on the Stability of Cyberspace, he is also a director at The Hague Center for Strategic Studies (HCSS) and a senior associate of the Center for Strategic and International Studies (CSIS). Previously he held positions and affiliations with Harvard University and the Atlantic Council. Since around 2010 Alex has been trying to mediate between the policy and technical worlds, with marginal success, having previously spent too much time in consulting and dot-bomb venture capital. He has accompanied the diplomatic work on cyber norms at the UN and OSCE, helped draft national cyber security strategies and relevant legislation for several governments, and has advised on the set-up and operation of national cybersecurity centers and infosec practices. Alex has been responsible for some of the world’s most important track 1.5 diplomatic discussions and occasionally gets to opine on offensive cyber effect operations and TTPs. Hobbies include supporting cybercrime investigations, tutoring on basic infosec practices, and helping lead the DEF CON Policy department. He is the author of several publications, including the critically acclaimed "The Darkening Web", published in 2017 by Penguin Press.

Chris Painter
Chris Painter is a globally recognized leader and expert on cybersecurity and cyber policy, cyber diplomacy and combatting cybercrime. He is the President of the Global Forum on Cyber Expertise Foundation, serves on the Board of the Center for Internet Security, is a non-resident Senior Advisor at the CSIS, an Associate Fellow at Chatham House, and is on the Public Sector Advisory Board for Palo Alto Networks. He was also a co-chair of the Ransomware Task Force and a Commissioner on the Global Commission on the Stability of Cyberspace.

Chris has been on the vanguard of U.S. and international cyber issues for over thirty years. In his most recent government role as Coordinator for Cyber Issues (2011-2017) in the State Department, he coordinated and led the United States’ diplomatic efforts to advance an open, interoperable, secure and reliable Internet and information infrastructure. Prior to joining the State Department, Mr. Painter served in the White House as Senior Director for Cyber Policy in the National Security Council. He was a senior member of the team that conducted the President’s Cyberspace Policy Review in 2009.

Among other distinctions, Chris received The Order of the Rising Sun from the Government of Japan for promoting U.S.-Japan cyber cooperation in 2018 and received the Order of Terra Mariana from the President of Estonia in 2020 for promoting cyber cooperation. He is also the recipient of the RSA Award for Excellence in the Field of Public Policy (2016), the Attorney General’s Award for Exceptional Service, and the Intelligence Community Legal Award (2008).

Lauren Zabierek
Lauren Zabierek is the Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center. She comes to this role as a 2019 graduate of the Kennedy School's mid-career MPA program. Lauren served as an intelligence officer in the United States Air Force at the beginning of her career. Later, as a civilian intelligence analyst with the National Geospatial-Intelligence Agency (NGA) assigned to the Office of Counterterrorism, she completed three war zone deployments. Throughout her six years at NGA, she became a subject matter expert on Activity Based Intelligence (ABI) and served as an adjunct professor in ABI at the NGA college. After leaving NGA, she joined the cybersecurity threat intelligence startup Recorded Future, and was instrumental in building its Public Sector business practice.

A Gold Star Sister, Lauren is committed to supporting families of the fallen and has volunteered several times as a mentor with the Tragedy Assistance Program for Survivors (TAPS). She also co-founded the Recorded Future Women's Mentorship Initiative, helped to start a women's initiative at NGA, is a member of the NatSecGirlSquad, and is the co-founder of the online social media movement called #ShareTheMicInCyber, which aims to dismantle racism in cybersecurity and privacy.

Maarten Van Horenbeeck
Maarten is a former Board Member and Chairman of the Forum of Incident Response and Security Teams (FIRST), a non-profit association of 530 security teams in 96 countries. He is also Lead Expert to the UN Internet Governance Forum's Best Practices Forum on Cybersecurity, and works as Chief Information Security Officer at Zendesk.

Maarten has over 15 years of experience managing security organizations, which includes building the cybersecurity threat intelligence team at Amazon and work on the security teams at Google and Microsoft. He holds a master’s degree in information security from Edith Cowan University and a master’s degree in international relations from the Freie Universität Berlin.

Sheetal Kumar
Sheetal currently provides strategic oversight for a global cybersecurity capacity building programme which supports civil society organisations from the global South to protect and promote human rights in cybersecurity and cybercrime related discussions. She also facilitates civil society engagement in key relevant forums, including the UN, through research, facilitation and coordination support on a day-to-day basis.

Sheetal holds an MSc in Media, Communications and Development from the London School of Economics and an MA in International Relations with French from the University of St Andrews. Her studies included global internet and communications policy, the evolution of the internet, communication for development, media in the global South and more broadly, theories relating to power, media and communications and technology.

Bill Woodcock
Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system, and he’s the chairman of the Quad9 Foundation. Bill is best known for developing anycast routing (1989), multicast DNS (2000), the INOC-DBA infrastructure protection hotline system (2001), and being one of the two international liaisons in the Estonian CERT during the Russian cyber-attack in 2007. Bill served on the Global Commission on the Stability of Cyberspace, and was on the board of the American Registry for Internet Numbers for fifteen years. Now, Bill’s work focuses principally on the security and economic stability of critical Internet infrastructure.


Offensive Golang Bonanza: Writing Golang Malware

45 minutes | Demo, Tool, Exploit

Ben Kurtz Principal Anarchist, SymbolCrash; Founder of Binject; Host of the Hack the Planet podcast

Speaker(s) will be at DEF CON!

The past two years have seen the rise of Golang-based malware from its beginnings as a way to win at CCDC and red team engagements to its current use by actual threat actors. This talk will break down why Golang is so useful for malware with a detailed tour through the available components used for exploitation, EDR and NIDS evasion, and post-exploitation, by one of the main authors of the core components. Although focused on the offensive perspective, there will be valuable insights into the challenges in detecting Golang malware. Interested in learning Golang? Interested in writing or detecting malware? This is your invitation into the weird and wonderful world of Golang malware.

REFERENCES:

List of Golang Security Tools:
https://github.com/Binject/awesome-go-security

C-Sto:
https://github.com/c-sto/goWMIExec
https://github.com/C-Sto/BananaPhone
https://github.com/C-Sto/gosecretsdump

capnspacehook:
https://github.com/capnspacehook/pandorasbox
https://github.com/capnspacehook/taskmaster

Vyrus / gscript crew:
https://github.com/gen0cide/gscript
https://github.com/vyrus001/go-mimikatz
https://github.com/vyrus001/msflib

secretsquirrel / Josh Pitts:
https://github.com/secretsquirrel/the-backdoor-factory
https://github.com/Genetic-Malware/Ebowla
https://github.com/secretsquirrel/SigThief
https://github.com/golang/go/issues/16292

malwareunicorn on OSX loading:
https://malwareunicorn.org/workshops/macos_dylib_injection.html

Misc:
https://github.com/sassoftware/relic
https://github.com/EgeBalci/sgn
https://github.com/moonD4rk/HackBrowserData
https://github.com/emperorcow/go-netscan
https://github.com/CUCyber/ja3transport
https://github.com/swarley7/padoracle

Command and Control:
https://github.com/BishopFox/sliver
https://github.com/DeimosC2/DeimosC2
https://github.com/t94j0/satellite

Obfuscation/RE:
https://github.com/unixpickle/gobfuscate
https://github.com/mvdan/garble
https://github.com/goretk/redress

Of interest for defense, but breaks Docker & Terraform:
https://github.com/unsecureio/gokiller

Ben Kurtz
Ben Kurtz is a hacker, a hardware enthusiast, and the host of the Hack the Planet podcast (https://symbolcrash.com/podcast). After his first talk, at DEF CON 13, he ditched development and started a long career in security. He has been a pentester for IOActive, head of security for an MMO company, and on the internal pentest team for the Xbox One at Microsoft. Along the way, he volunteered on anti-censorship projects, which resulted in his conversion to Golang and the development of the ratnet project (https://github.com/awgh/ratnet). A few years ago, he co-founded the Binject group to develop core offensive components for Golang-based malware, and Symbol Crash, which focuses on sharing hacker knowledge through trainings for red teams, a free monthly Hardware Hacking workshop in Seattle, and podcasts. He is currently developing a ratnet-based handheld device for mobile encrypted mesh messaging, planned for release next year.

@symbolcrash1
symbolcrash.com


Fuzzing Linux with Xen

45 minutes | Demo, Tool

Tamas K Lengyel Senior Security Researcher, Intel

Virtual only presentation

Last year we successfully upstreamed a new feature to Xen that allows high-speed fuzzing of virtual machines (VMs) using VM-forking. Recently, through collaboration with the Xen community, external monitoring of VMs via Intel(r) Processor Trace has also been upstreamed. Combined with the native Virtual Machine Introspection (VMI) capability, Xen now provides a unique platform for fuzzing and binary analysis.

To illustrate the power of the platform we'll present the details of a real-world fuzzing operation that targeted Linux kernel-modules from an attack-vector that has previously been hard to reach: memory exposed to devices via Direct Memory Access (DMA) for fast I/O. If the input the kernel reads from DMA-exposed memory is malformed or malicious - what could happen?

So far we discovered: 9 NULL-pointer dereferences; 3 array index out-of-bounds accesses; 2 infinite loops in IRQ context; and 2 instances of tricking the kernel into accessing user memory while thinking it is kernel memory. The bugs have been in Linux for many years and were found in kernel modules used by millions of devices. All bugs are now fixed upstream.

This talk will walk you through how the bugs were found: what process we went through to identify the right code-locations; how we analyzed the kernel source and how we analyzed the runtime of the kernel with Xen to pinpoint the input points that read from DMA. The talk will explain the steps required to attach a debugger through the hypervisor to collect kernel crash logs and how to perform triaging of bugs via VM-fork execution-replay, a novel technique akin to time-travel debugging. Finally, we'll close with the release of a new open-source tool to perform full-VM taint analysis using Xen and Intel(r) Processor Trace.

REFERENCES:
https://github.com/intel/kernel-fuzzer-for-xen-project
https://www.youtube.com/watch?v=3MYo8ctD_aU

Tamas K Lengyel
Tamas works as a Senior Security Researcher at Intel. He received his PhD in Computer Science from the University of Connecticut, where he built hypervisor-based malware-analysis and collection tools. In his free time he is a maintainer of the Xen Project Hypervisor's VMI subsystem, LibVMI and the DRAKVUF binary analysis project. He currently serves as the Chief Research Officer at The Honeynet Project, a leading international non-profit organization that coordinates the development of open-source tools to fight against malware. Tamas has given prior talks at conferences such as Black Hat, CCC and Hacktivity.

@tklengyel


Hacking Humans with AI as a Service

45 minutes | Demo, Tool

Eugene Lim Cybersecurity Specialist, Government Technology Agency of Singapore

Glenice Tan Cybersecurity Specialist, Government Technology Agency of Singapore

Tan Kee Hock Cybersecurity Specialist, Government Technology Agency of Singapore

Speaker(s) will be at DEF CON!

As the proliferation of Artificial Intelligence as a Service (AIaaS) products such as OpenAI's GPT-3 API places advanced synthetic media generation capabilities in the hands of a global audience at a fraction of the cost, what does the future hold for AI-assisted social engineering attacks? In our talk, we will present the nuts and bolts of an AIaaS phishing pipeline that was successfully deployed in multiple authorized phishing campaigns. Using both paid and free services, we emulated the techniques that even low-skilled, limited resource actors could adopt to execute effective AI-assisted phishing campaigns at scale. By repurposing easily-accessible personality analysis AIaaS products, we generated persuasive phishing emails that were automatically personalized based on a target's public social media information and created by state-of-the-art natural language generators. We will also discuss how an AI-assisted phishing workflow would impact traditional social engineering teams and operations. Finally, we look at how AIaaS suppliers can mitigate the misuse of their products.

REFERENCES
1. T. Karras, S. Laine, and T. Aila, “A Style-Based Generator Architecture for Generative Adversarial Networks,” arXiv:1812.04948 [cs.NE], 2019.
2. S. Gehrmann, H. Strobelt, and A. M. Rush, “GLTR: Statistical Detection and Visualization of Generated Text,” arXiv:1906.04043 [cs.CL], 2019.
3. G. Jawahar, M. Abdul-Mageed, and L. V. S. Lakshmanan, “Automatic Detection of Machine Generated Text: A Critical Survey,” arXiv:2011.01314 [cs.CL], 2020.
4. J. Seymour and P. Tully, “Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing on Twitter,” 2016.
5. P. Tully and F. Lee, “Repurposing Neural Networks to Generate Synthetic Media for Information Operations,” 2020.
6. OpenAI, “OpenAI Charter,” OpenAI, 09-Apr-2018. [Online]. Available: https://openai.com/charter/.
7. G. Brockman, M. Murati, and P. Welinder, “OpenAI API,” OpenAI, 11-Jun-2020. [Online]. Available: https://openai.com/blog/openai-api/.
8. A. Pilipiszyn, “GPT-3 Powers the Next Generation of Apps,” OpenAI, 25-Mar-2021. [Online]. Available: https://openai.com/blog/gpt-3-apps/.

Would like to thank contributing author Timothy Lee
Timothy is a security researcher who likes to break things and tries to understand how the system works in the process. In the past year, he has been researching iOS security and is starting his journey into iOS vulnerability research. Additionally, he has contributed to red team social engineering operations and security tooling, with practical experience in vishing and in-person social engineering. https://www.linkedin.com/in/timothylee0/

Eugene Lim
Eugene Lim, also known as spaceraccoon, is a security researcher and white hat hacker. He regularly participates in live-hacking events and was awarded the Most Valuable Hacker title in the h1-213 Live-Hacking Event by HackerOne. Besides white hat hacking, he enjoys building security tools, including a malicious npm package scanner and an open-source intelligence social engineering honeypot, which were presented at Black Hat Asia Arsenal 2019 and Black Hat USA Arsenal 2020. His writeups on https://spaceraccoon.dev are regularly cited by other white hat hackers.

@spaceraccoonsec
https://www.linkedin.com/in/limzhiweieugene/

Glenice Tan
Glenice is a security researcher who enjoys exploring the quirks of different systems, applications, and processes. In the past year, she had the opportunity to conduct social engineering exercises, including phishing and vishing. Apart from application and human hacking, she also experiments with ways to automate or improve red team operations.

https://www.linkedin.com/in/glenicetan/

Tan Kee Hock
Tan Kee Hock is a Cybersecurity Specialist who simply likes to 'hack' things. He loves to play CTFs and is always keen to explore more!

https://www.linkedin.com/in/tankeehock/


Do you like to read? I know how to take over your Kindle with an e-book

20 minutes

Slava Makkaveev Security Researcher, Check Point

Virtual only presentation

Since 2007, Amazon has sold tens of millions of Kindles, which is impressive. But this also means that tens of millions of people can be hacked through a software bug in those same Kindles. Their devices can be turned into bots, their private local networks can be compromised, and perhaps even information in their billing accounts can be stolen.

The easiest way to remotely reach a user's Kindle is through an e-book. A malicious book can be published and made available for free access in any virtual library, including the Kindle Store, or sent directly to the end-user device via Amazon services. While you might not be happy with the writing in a particular book, nobody expects to download one that is malicious. No such scenarios have been publicized. Antiviruses do not have signatures for e-books. But... we succeeded in making a malicious book for you. If you open this book on a Kindle device, it causes a hidden piece of code to be executed with root rights. From this moment on, you have lost your e-reader, your account and more.

Want to know the details?

Slava Makkaveev
Slava Makkaveev is a Security Researcher at Check Point Software Technologies Ltd. and holds a PhD in Computer Science. Slava found himself in the security field more than ten years ago and has since gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken a particularly strong interest in mobile platforms and firmware security.


PINATA: PIN Automatic Try Attack

45 minutes | Demo

Salvador Mendoza Security Researcher, Ocelot Offensive Security Team

Speaker(s) will be at DEF CON!

A brute force attack is a trial-and-error method used to obtain information such as user passwords or personal identification numbers (PINs). This attack methodology should be impossible to apply to actual secured EMV bank cards. In this talk, we will analyze how an inadequate implementation could rely on an extreme and sophisticated PIN brute force attack against all 10,000 combinations of a 4-digit PIN, which could affect millions of contact EMV cards.

Salvador Mendoza
Salvador Mendoza is a Metabase Q security researcher and member of the Ocelot Offensive Security Team.

Salvador focuses on tokenization processes, payment systems, mag-stripe information and embedded prototypes. He has presented on tokenization flaws and payment methods in different conferences such as Black Hat USA, DEF CON, HITB, Troopers and many others. Also, Salvador designed different tools to pentest mag-stripe information and tokenization processes.

Author of “Show me the (e-) money Hacking a sistemas de pagos digitales: NFC. RFID, MST y Chips EMV“, a book written in Spanish with a collection of different attacks against payment systems.

@Netxing
salmg.net


Ransomware’s Big Year – from nuisance to “scourge”? - DEF CON Policy Panel

45 minutes

Jason Healey Columbia University

Chris Painter co-chair, Ransomware Task Force

Kurtis Minder CEO, GroupSense

Robert Graham Erratasec

Kevin Collier NBC News, Panel Moderator

LawyerLiz

Speaker(s) will be at DEF CON!

According to a former senior White House official, 2020 was the year that ransomware went from being a nuisance to a full-scale national security threat and a “scourge”. After an awkward adolescence spent shaking down individual users for a couple hundred dollars and a big debut in 2017 with WannaCry and NotPetya, ransomware really hit the big time in 2020. Ransom payments may have topped $400 million that year. But those sums are nothing compared to the damage that ransomware campaigns can cause, especially when they hit critical infrastructure like Colonial Pipeline. And even months after Colonial Pipeline, ransomware continues to regularly subvert and cripple enterprises in the US and Europe. Are we not learning the right lessons on defense? Or is it not just an infosec problem, but also an international security issue, with cybercrime being actively wielded, yet again, as a political weapon?

Jason Healey
Jason Healey is a Senior Research Scholar at Columbia University’s School for International and Public Affairs specializing in cyber risk and conflict. Prior to this, he was the founding director of the Cyber Statecraft Initiative of the Atlantic Council where he remains a Senior Fellow. He is the editor of the first history of conflict in cyberspace, A Fierce Domain: Cyber Conflict, 1986 to 2012 and helped create the world’s first cyber command in 1998, the Joint Task Force for Computer Network Defense, where he was one of the pioneers of cyber threat intelligence. During his time in the White House, he was a director for cyber policy, coordinating efforts to secure US cyberspace and critical infrastructure. He created Goldman Sachs’ first cyber incident response team and later oversaw the bank’s crisis management and business continuity in Asia. He is a founding member and past president of the Cyber Conflict Studies Association and is a review board member of the DEF CON and Black Hat security conferences.

Chris Painter
Chris Painter is a globally recognized leader and expert on cybersecurity and cyber policy, cyber diplomacy and combatting cybercrime. He is the President of the Global Forum on Cyber Expertise Foundation, serves on the Board of the Center for Internet Security, is a non-resident Senior Advisor at the CSIS, an Associate Fellow at Chatham House, and is on the Public Sector Advisory Board for Palo Alto Networks. He was also a co-chair of the Ransomware Task Force and a Commissioner on the Global Commission on the Stability of Cyberspace.

Chris has been on the vanguard of U.S. and international cyber issues for over thirty years. In his most recent government role as Coordinator for Cyber Issues (2011-2017) in the State Department, he coordinated and led the United States’ diplomatic efforts to advance an open, interoperable, secure and reliable Internet and information infrastructure. Prior to joining the State Department, Mr. Painter served in the White House as Senior Director for Cyber Policy in the National Security Council. He was a senior member of the team that conducted the President’s Cyberspace Policy Review in 2009.

Among other distinctions, Chris received The Order of the Rising Sun from the Government of Japan for promoting U.S.-Japan cyber cooperation in 2018 and received the Order of Terra Mariana from the President of Estonia in 2020 for promoting cyber cooperation. He is also the recipient of the RSA Award for Excellence in the Field of Public Policy (2016), the Attorney General’s Award for Exceptional Service, and the Intelligence Community Legal Award (2008).

Kurtis Minder
Kurtis Minder is the CEO and co-founder of GroupSense, a leading provider in Digital Risk solutions. Kurtis built a robust cyber reconnaissance operation protecting some of the largest enterprises and government organizations.

Kurtis has been the lead negotiator at GroupSense for ransomware response cases. He has successfully navigated and negotiated some of the largest ransomware, breach, and data extortion cases world-wide. With over 20 years in the information security industry, Kurtis brings a unique blend of technical, sales and executive acumen.

Robert Graham
Robert Graham is a well-known cybersecurity expert. He created the BlackICE personal firewall in 1998, and created the first network intrusion prevention system (IPS). He's also known for creating "sidejacking" of session cookies from the network. Recently, he's known for masscan, which can scan all 4 billion addresses of the Internet within a few minutes. He regularly blogs at https://blog.erratasec.com on technical topics, cyber rights, and tech policy.


Time Turner - Hacking RF Attendance Systems (To Be in Two Places at Once)

20 minutes | Demo, Tool

Vivek Nair Ph.D. Student, EECS department, UC Berkeley

Speaker(s) will be at DEF CON!

It's a tale as old as time: a graduating senior needs two more courses to graduate, but the lectures happen to be scheduled at the same time and the school's new high-tech wireless attendance tracking system makes it impossible to attend both courses... in theory. By reverse-engineering the attendance devices and emulating them using a hidden Arduino, the system can be tricked into giving attendance credit for both courses without being physically present. It's a real-life "time turner," allowing him to be in two places at once.

REFERENCES:
https://github.com/wizard97/iSkipper/releases/download/v1.0.0/iskipper.pdf
https://courses.ece.ubc.ca/cpen442/termproject/reports/2010/iclicker.pdf
https://people.ece.cornell.edu/land/courses/ece4760/FinalProjects/f2015/cs886_kdv8/cs886_kdv8/cs886_kdv8/index.html
https://github.com/wizard97/iSkipper
https://github.com/charlescao460/iSkipper-Software

Vivek Nair
Vivek Nair is a Ph.D. student studying applied cryptography in the EECS department at UC Berkeley. He was the youngest-ever recipient of Bachelor’s and Master’s degrees in Computer Science at the University of Illinois at the ages of 18 and 19 respectively. He is also a National Science Foundation CyberCorps Scholar and a National Physical Science Consortium Fellow.

https://github.com/VCNinc/Time-Turner


REBOOTING CRITICAL INFRASTRUCTURE PROTECTION

45 minutes

Joseph Marks Washington Post, Panel Moderator

Alexander Klimburg Director, Global Commission on the Stability of Cyberspace

Faye Francy Executive Director, Automotive Information Sharing and Analysis Center

Eric Goldstein Executive Assistant Director, DHS CISA

Amélie Koran Senior Technology Advocate, Splunk

Danny McPherson Executive Vice President & Chief Security Officer, Verisign

Perri Adams

Speaker(s) will be at DEF CON!

In 1998 the US government issued the first major policy document on Critical Infrastructure Protection (CIP). Since then, CIP has become one of the most fundamental tasks for governments everywhere, and has given birth to a plethora of institutions and processes seeking to manage what is called a “Public Private Partnership” between government, industry, and civil society. But despite all the effort put into information exchanges, incident management, supply chain protection and even national industrial policies, cyber-attacks have not decreased, either in the United States or elsewhere. What else needs to be done? What lessons can be learned from international experiences? And how can the community best help?

Joseph Marks
Joseph Marks writes The Washington Post's daily Cybersecurity 202 newsletter focused on the policy and politics of cybersecurity. Before joining The Washington Post, he covered cybersecurity for Politico and Nextgov. He began his career at Midwestern newspapers covering city and county governments, crime and features. He spent two years covering higher education for the Grand Forks Herald in North Dakota and is originally from Iowa City, Iowa.

Alexander Klimburg
Alexander Klimburg is a cyber policy wonk, infosec geek, and free Internet advocate. The director of the Global Commission on the Stability of Cyberspace, he is also a director at The Hague Center for Strategic Studies (HCSS) and a senior associate of the Center for Strategic and International Studies (CSIS). Previously he held positions and affiliations with Harvard University and the Atlantic Council. Since around 2010 Alex has been trying to mediate between the policy and technical worlds, with marginal success, having previously spent too much time in consulting and dot-bomb venture capital. He has accompanied the diplomatic work on cyber norms at the UN and OSCE, helped draft national cyber security strategies and relevant legislation for several governments, and has advised on the set-up and operation of national cybersecurity centers and infosec practices. Alex has been responsible for some of the world’s most important track 1.5 diplomatic discussions and occasionally gets to opine on offensive cyber effect operations and TTPs. Hobbies include supporting cybercrime investigations, tutoring on basic infosec practices, and helping lead the DEF CON Policy department. He is the author of several publications, including the critically acclaimed "The Darkening Web", published in 2017 by Penguin Press.

Faye Francy
Faye Francy is the Executive Director of the Automotive Information Sharing and Analysis Center (Auto-ISAC). The Executive Director serves the global automotive industry by providing strategic leadership and vision to foster collaboration for mitigating the risks of a cyber-attack. The Auto-ISAC was established in 2015 with the goal of developing a more resilient global automotive industry through member collaboration and sharing of timely cyber threat information. Faye is actively engaged with private-sector stakeholders, partners, and government agencies to facilitate information sharing to help strengthen the industry's capability and capacity to detect, prevent, respond to, and mitigate disruptions related to the connected vehicle and supporting infrastructure. The Auto-ISAC is a non-profit organization operating in Washington, D.C.

Previously Ms. Francy stood up and led the Aviation-ISAC while at the Boeing Company. She held numerous leadership positions before retiring from Boeing, including Cyber ONE Leader, Director Enterprise Technologies, Director of Research in Phantom Works, and Director for Air Traffic Management.

Eric Goldstein
Eric Goldstein serves as the Executive Assistant Director for Cybersecurity for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as of February 19, 2021. In this role, Goldstein leads CISA’s mission to protect and strengthen federal civilian agencies and the nation’s critical infrastructure against cyber threats. Previously, Goldstein was the Head of Cybersecurity Policy, Strategy, and Regulation at Goldman Sachs, where he led a global team to improve and mature the firm’s cybersecurity risk management program. He served at CISA’s precursor agency, the National Protection and Programs Directorate, from 2013 to 2017 in various roles including Policy Advisor for Federal Network Resilience, Branch Chief for Cybersecurity Partnerships and Engagement, Senior Advisor to the Assistant Secretary for Cybersecurity, and Senior Counselor to the Under Secretary. At other points in his career, Goldstein practiced cybersecurity law at an international law firm, led cybersecurity research and analysis projects at a federally-funded research and development center, and served as a Fellow in Advanced Cyber Studies at the Center for Strategic and International Studies, among other roles.

Amélie Koran
D’oer of things, say’er of stuff. Amélie is a Senior Technology Advocate at Splunk, focused on helping organizations transform, grow and secure themselves in the ever-evolving world of technologies and their accompanying challenges. She arrives at Splunk after nearly 25 years as a technologist, from systems administration and engineering to executive technology leadership in various industries, academia, NGOs, and the government. In the last decade, she’s supported various Federal agencies, leading various projects and initiatives, including modernization activities, cybersecurity policy, and security architecture and operations. Often seen “soapboxing” about technology workforce development, training and recruiting policies, practices and techniques. She’s a serial volunteer who tries to return the help she’s received in her own career through mentorship, conversation and community building.

Danny McPherson
Danny McPherson is Executive Vice President and Chief Security Officer at Verisign, where he is responsible for Verisign's information systems, services, and security. Prior to joining Verisign, McPherson has held technical leadership positions with Arbor Networks, Qwest Communications, MCI Communications, and the U.S. Army Signal Corps. McPherson is an active contributor in the network, security, operations, and research communities and has authored several books, numerous internet protocol standards, network and security research papers, and other publications. He is currently a member of ICANN’s SSAC and the FCC’s CSRIC, and has served on the IAB and IRSG, and chaired an array of IETF and other standards and research working groups and committees in these and related forums.

Gone Apple Pickin': Red Teaming macOS Environments in 2021

45 minutes | Demo

Cedric Owens Offensive Security Engineer

Speaker(s) will be at DEF CON!

Though the vast majority of US companies are enterprise Windows shops, there is a growing percentage of companies that are shifting away from this model. Most of these types of companies tend to be based in the SF Bay Area and are often tech companies. This talk will provide a glimpse into what common attack paths in these environments look like in the absence of typical enterprise Active Directory implementations. Examples include techniques for targeting macOS endpoints, cloud and IdaaS, CI/CD pipeline, and other fun approaches. I will begin by discussing common tech stacks and macOS deployments and then move into macOS initial access (including the Gatekeeper bypass I found) and post exploitation options in these modern tech environments as well as detection opportunities.

Cedric Owens
Cedric is currently an offensive security engineer who came from a blue team background. His passion revolves around red teams and blue teams working closely together to improve each other's tradecraft. Cedric enjoys researching techniques and writing tools related to macOS post exploitation and infrastructure automation.

His blogs can be found here: https://medium.com/@cedowens
His tools can be found here: https://github.com/cedowens

@cedowens

Warping Reality - creating and countering the next generation of Linux rootkits using eBPF

45 minutes | Demo, Tool

PatH Security Researcher

Virtual only presentation

With complete access to a system, Linux kernel rootkits are perfectly placed to hide malicious access and activity. However, running code in the kernel comes with the massive risk that any change to a kernel version or configuration can mean the difference between running successfully and crashing the entire system. This talk will cover how to use extended Berkeley Packet Filters (eBPF) to create kernel rootkits that are safe, stable, stealthy, and portable.

eBPF is one of the newest additions to the Linux kernel, designed to easily load safe, constrained, and portable programs into the kernel to observe and make decisions about network traffic, syscalls, and more. But that’s not its only use: by creating eBPF programs that target specific processes we can warp reality, presenting a version of a file to one program and a different version to another, all without altering the real file on disk. This enables techniques such as presenting a backdoor user to ssh while hiding from sysadmins, or smuggling data inside connections from legitimate programs. This talk will also cover how to use these same techniques in malware analysis to fool anti-sandbox checks.

These ideas and more are explored in this talk alongside practical methods to detect and prevent this next generation of Linux rootkits.

REFERENCES:
- DEFCON 27 - Evil eBPF Practical Abuses of In-kernel Bytecode Runtime: a talk about abusing eBPF for exploitation and privilege escalation
- eBPF Website (https://ebpf.io): a website by the eBPF community with documentation and links to existing projects
- eBPF Slack (https://ebpf.io/slack): a Slack channel run by the eBPF community
- Libbpf Bootstrap (https://github.com/libbpf/libbpf-bootstrap): a sample project designed to provide a template for creating eBPF programs with Libbpf

PatH
Pat is a loving partner, a comedian to his daughter, and a dedicated ball retriever to his dog.

When he's not spending time being those things, he's a senior security researcher at a public cybersecurity company. Having previously worked as a low-level software dev, he now helps threat hunters uncover and stop advanced actors across the globe.

@pathtofile
https://path.tofile.dev/

Hi! I'm DOMAIN\Steve, please let me access VLAN2

45 minutes | Demo, Tool, Exploit

Justin Perdok Security Specialist, Orange Cyberdefense Netherlands

Virtual only presentation

By responding to probing requests made by Palo Alto and SonicWALL firewalls, it's possible to apply security policies to arbitrary IPs on the network, allowing access to segmented resources.

Segmentation using firewalls is a critical security component for an organization. To scale, many firewall vendors have features that make rule implementation simpler, such as basing effective access on a user identity or workstation posture. Security products that probe client computers often have their credentials abused by either cracking a password hash, or by relaying an authentication attempt elsewhere. Prior work by Esteban Rodriguez and by Xavier Mertens covers this. In this talk I will show a new practical attack on identity-based firewalls to coerce them into applying chosen security policies to arbitrary IPs on a network by spoofing logged in users instead of cracking passwords.

Logged on user information is often gathered using the WKST (Workstation Service Remote Protocol) named pipe. By extending Impacket with the ability to respond to these requests, logged on users on a device can be spoofed, and arbitrary firewall rules applied.

We will dive into the details of how client probing has historically been a feature that should be avoided while introducing a new practical attack to emphasize that fact.

REFERENCES
https://www.coalfire.com/the-coalfire-blog/august-2018/the-dangers-client-probing-on-palo-alto-firewalls
https://isc.sans.edu/forums/diary/The+Risk+of+Authenticated+Vulnerability+Scans/24942/
https://github.com/SecureAuthCorp/impacket
https://www.rapid7.com/blog/post/2014/10/14/palo-alto-networks-userid-credential-exposure/
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXHCA0

Justin Perdok
Justin is a Security Specialist at Orange Cyberdefense. Prior to working in 'The Cybers' he has worked at multiple MSPs as a jack of all trades with a focus on security and automation. Stuck in his old ways, he's always trying to learn new things, followed up by him spending 6 hours automating the 'new thing' instead of relying on 5 minutes of manual labor.

@justinperdok

You're Doing IoT RNG

45 minutes | Demo

Dan "AltF4" Petro Lead Researcher, Bishop Fox

Allan Cecil (dwangoAC) Security Consultant, Bishop Fox

Virtual only presentation

Think of a random number between '0' and infinity. Was your number '0'? Seriously? Crap. Well unfortunately, the hardware random number generators (RNG) used by your favorite IoT devices to create encryption keys may not work much better than you when it comes to randomness. In this talk, we'll delve into murky design specs, opaque software libraries, and lots of empirical results. We wrote code for many popular IoT SoC platforms to extract gigabytes of data from their hardware RNGs and analyze them. What we found was a systemic minefield of vulnerabilities in almost every platform that could undermine IoT security. Something needs to change in how the Internet of Things does RNG. The vulnerabilities are widespread and the attacks are practical. RNG is bad out there - "IoT Crypto-pocalypse" bad.

Dan "AltF4" Petro
Dan "AltF4" Petro is Lead Researcher at Bishop Fox. Dan is widely known for the tools he creates: Eyeballer (a convolutional neural network pentest tool), the Rickmote Controller (a Chromecast-hacking device), Untwister (pseudorandom number generator cracker), and SmashBot (a merciless Smash Bros noob-pwning machine).

@2600AltF4

Allan Cecil (dwangoAC)
Allan Cecil (dwangoAC) is a Security Consultant with Bishop Fox and the President of the North Bay Linux User’s Group. He acts as an ambassador for Tasvideos.org, a website devoted to using emulators to complete video games as quickly as the hardware allows. He participates in Games Done Quick charity speed running marathons using TASBot to entertain viewers with never-before-seen glitches in games.

@mrtasbot

Hacking the Apple AirTags

45 minutes | Demo, Tool

Thomas Roth Hacker

Speaker(s) will be at DEF CON!

Apple’s AirTags enable tracking of personal belongings. They are the most recent and cheapest device interacting with the Apple ecosystem. In contrast to other tracking devices, they feature Ultrawide-band precise positioning and leverage almost every other Apple device within the Find My localization network.

Less than 10 days after the AirTag release, we bypassed firmware protections by glitching the nRF52 microcontroller. This opens the AirTags for firmware analysis and modification. In this talk, we will explain the initial nRF52 bypass as well as various hacks built on top of this. In particular, AirTags can now act as a phishing device by providing malicious links via the NFC interface, be cloned and appear at a completely different location, be used without the privacy protections that should alert users as tracking protection, act as a low-quality microphone by reutilizing the accelerometer, and send arbitrary data via the Find My network. Besides these malicious use cases, AirTags are now a research platform that even allows access to the new Ultrawide-band chip U1.

REFERENCES:
LimitedResults nRF52 APPROTECT Bypass:
https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/

Positive Security’s Send My Research for sending arbitrary data via the find my network:
https://positive.security/blog/send-my

Colin O’Flynn’s notes on the AirTag Hardware:
https://github.com/colinoflynn/airtag-re

Thomas Roth
Thomas Roth, also known as stacksmashing, is a security researcher from Germany with a focus on embedded devices: from hacking payment terminals, crypto wallets, secure processors and the Nintendo Game & Watch up to Apple’s AirTag, he loves to explore embedded & IoT security. On his YouTube channel “stacksmashing” he attempts to make reverse-engineering & hardware hacking more accessible.

@ghidraninja
https://youtube.com/stacksmashing

MAVSH> Attacking from Above

45 minutes | Demo, Tool

Sach Hacker

Speaker(s) will be at DEF CON!

Over the course of 2020 and 2021, drone enthusiasts and the FAA have been locked in a series of legal battles over the future of unmanned aviation.

New regulations and restrictions, such as Remote Identification, aim to leave drone and model aviation hobbyists with a grim choice: incur countless financial costs, or lose the ability to fly freely.

Not only do these regulations impact hobbyists, they also restrict our ability to use drones as recon and payload delivery tools, but the FAA gave us a loophole.

In this talk, I'll share my knowledge of the MAVLink protocol and how it can be modified to take advantage of that loophole. I'll also show you how to build a drone capable of 20+ minute flights, potentially multiple miles of range, and hosting a Raspberry Pi 0 W onboard, enabling remote command execution without the use of onboard WiFi or cellular networks ALL while exploiting that loophole.

Come learn how and why the FAA "Can't Stop the Signal"!

REFERENCES
Ardupilot:
https://ardupilot.org/
https://github.com/ArduPilot/ardupilot

MAVLink:
https://mavlink.io/en/

Danger Drone and Defense Measures:
https://resources.bishopfox.com/files/slides/2017/DEF_CON_25_(2017)-Game_of_Drones-Brown_Latimer-29July2017.pdf
https://resources.bishopfox.com/resources/tools/drones-penetration-testers/attack-tools/

Watch Dogs Drone:
https://hackaday.com/2018/05/27/watch-dogs-inspired-hacking-drone-takes-flight/

FAA vs RDQ:
https://www.racedayquads.com/pages/rdq-vs-faa
https://www.gofundme.com/f/savefpv?utm_campaign=p_cp_url&utm_medium=os&utm_source=customer
https://www.suasnews.com/2021/03/racedayquads-com-vs-faa-court-case-in-defense-of-all-drone-pilots-and-model-aviators/

Sach
Sach is a self taught developer, an aspiring pentester, and a drone enthusiast. In his spare time he enjoys playing chess, reading Sci-Fi novels, learning about cryptocurrencies, and flying drones.

@0xkayn

UPnProxyPot: fake the funk, become a blackhat proxy, MITM their TLS, and scrape the wire

45 minutes | Tool

Chad Seaman Lead & Senior Engineer @ Akamai SIRT

Speaker(s) will be at DEF CON!

UPnP sucks, everybody knows it, especially blackhat proxy operators. UPnProxyPot was developed to MITM these operators to see what they're doing with their IoT proxy networks and campaigns. We'll cover SSDP, UPnP, UPnProxy research/campaigns as well as cover a new Golang based honeypot, so we can all snoop on them together!

REFERENCES:
http://www.upnp-hacks.org (OG disclosure)
https://www.youtube.com/watch?v=FU6qX0-GHRU (DEF CON 19 talk I attended)
https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf (my initial UPnProxy research)
https://blogs.akamai.com/sitr/2018/11/upnproxy-eternalsilence.html (additional UPnProxy campaign researcher, also mine)

Chad Seaman
Chad is the SIRT team lead @ Akamai Technologies. He spends his time being an internet dumpster diver and emerging threats researcher focusing on DDoS, malware, botnets, and digital hooliganism in general.

https://www.linkedin.com/in/that-chad-seaman/

Adventures in MitM-land: Using Machine-in-the-Middle to Attack Active Directory Authentication Schemes

45 minutes | Demo

Sagi Sheinfeld Sr. Engineer, CrowdStrike

Eyal Karni Sr. Engineer, CrowdStrike

Yaron Zinar Sr. Manager, Engineering, CrowdStrike

Virtual only presentation

Over the years, researchers were able to break many secure protocols using MitM attacks. A common theme in this family of vulnerabilities is the lack of proper validation for any of the communicating parties. We will review previous MitM attacks found on AD authentication protocols and the mitigation strategies previously implemented. We will show that the relay attack technique is not limited to NTLM alone and can be used to attack the newer Kerberos authentication protocol. In addition, we will show several injection attacks compromising client systems. We’ll show how the lack of validation can lead to devastating issues ranging from authentication bypass to remote code execution on various critical infrastructure systems. However, the issues do not stop at Windows on-premises networks but extend to other infrastructure such as domain-joined unix machines, virtualization infrastructure, open-source security audit tools and even cloud directories. The talk will deep-dive into multiple vulnerabilities we have discovered along with several demos. Demos include a MitM attack which allows an attacker to inject user passwords in a hybrid AD environment, allowing the attacker to authenticate as any user in the network. We will also show how to use a similar technique to compromise much other IT infrastructure.

REFERENCES:
https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
https://labs.f-secure.com/archive/practically-exploiting-ms15-014-and-ms15-011/
https://www.securityfocus.com/bid/1616/info

Sagi Sheinfeld
Sagi Sheinfeld is a Sr. Engineer at CrowdStrike working on Identity Protection products (previously Preempt). Sagi spent over 14 years researching cyber security projects. Previously, he served 8 years in an elite unit of the IDF in Cyber Security Research and Development and in IBM Security. Sagi is an expert on Windows internals. Sagi holds a B.Sc in Computer Science.

@sagish1233

Eyal Karni
Eyal Karni is a Sr. Engineer at CrowdStrike working on Identity Protection products (previously Preempt). Eyal spent over 11 years researching cyber security projects. Previously, he served 5 years in an elite unit of the IDF in Cyber Security Research and Development. Eyal is an expert on Windows Internals and has previously found numerous vulnerabilities. Eyal holds a B.Sc in Mathematics and Physics.

@eyal_karni

Yaron Zinar
Yaron Zinar is a Sr. Manager at CrowdStrike working on Identity Protection products (previously Preempt). Previously, Yaron spent over 16 years at leading companies such as Google where he held various positions researching and leading big data, machine learning and cyber security projects. Yaron is an expert on Windows Authentication protocols and has previously presented his research at top conferences such as Black Hat and DEFCON. Yaron holds an M.Sc. in Computer Science with focus on statistical analysis.

@YaronZi

High-Stakes Updates | BIOS RCE OMG WTF BBQ

45 minutes | Demo, Tool, Exploit

Mickey Shkatov Hacker

Jesse Michael Hacker

Speaker(s) will be at DEF CON!

With attacks moving below the operating system and computer firmware vulnerability discovery on the rise, the need to keep current platforms updated becomes important and new technology is developed to help defend against such threats. Major computer manufacturers are adding capabilities to make it easier to update BIOS.

Our research has identified multiple vulnerabilities in Dell's BiosConnect feature used for remote update and recovery of the operating system. These vulnerabilities are easy to exploit by an adversary in the right position, and are not prevented by protective technologies such as Secured Core PCs, BitLocker, BootGuard, and BIOS Guard.

Join us and together we will explore the new attack surfaces introduced by these UEFI firmware update mechanisms -- including a full walk-through of multiple vulnerability findings and the methods we used to create fully working exploits that gain remote code execution within the laptop BIOS and their effects on the operating system.

Mickey Shkatov
Mickey has been doing security research for almost a decade; one of his specialties is simplifying complex concepts and finding security flaws in unlikely places. He has seen some crazy things and lived to tell about them at security conferences all over the world; his past talks range from web pentesting to black badges and from hacking cars to BIOS firmware.

@HackingThings

Jesse Michael
Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

@JesseMichael

The Agricultural Data Arms Race: Exploiting a Tractor Load of Vulnerabilities In The Global Food Supply Chain.

20 minutes | Demo, Exploit

Sick Codes

Virtual only presentation

How I hacked the entire American Food Supply Chain over the course of 3 months, assembled a team of hacker strangers, and how we used a "full house" of exploits on almost every aspect of the agriculture industry. See the process in which it happened, the private exploits we used, the vectors we attacked from, and how it could happen again, or be happening right now.

How the ongoing analytics arms race affects everyone, and how Tractor companies have metastasized into Tech companies, with little to no cyber defenses in place. Learn how farms are not like they used to be; telemetry, crop & yield analytics, and more telemetry.

REFERENCES:
https://github.com/sickcodes/Docker-OSX
https://github.com/sickcodes/osx-serial-generator
https://www.vice.com/en/article/akdmb8/open-source-app-lets-anyone-create-a-virtual-army-of-hackintoshes
https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/
https://sick.codes/sick-2021-012/
https://sick.codes/sick-2021-031/
https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/
https://www.vice.com/en/article/4avy8j/bugs-allowed-hackers-to-dox-all-john-deere-owners
https://www.youtube.com/watch?v=rB_SleNKBus
wabaf3t https://twitter.com/wabafet1
D0rkerDevil https://twitter.com/D0rkerDevil
ChiefCoolArrow https://twitter.com/ChiefCoolArrow
johnjhacking https://twitter.com/johnjhacking
rej_ex https://twitter.com/rej_ex
w0rmer https://twitter.com/0x686967
https://climate.com/press-releases/transform-data-into-value-with-climate-fieldview/14
https://www.agriculture.com/news/business/john-deere-to-acquire-precision-plting_5-ar50937
https://www.reuters.com/article/us-monsanto-m-a-deere-idUSKBN17X2FZ
https://twitter.com/sickcodes/status/1385218039734423565?s=20

Sick Codes
Sick Codes: I am a Hacker, an Independent Security Researcher, an Australian, and an Open Source maintainer. I regularly publish nasty vulnerabilities in everyone's favorite products, from all the best vendors. I've published CVEs in Smart TVs, Browsers, missile design software, and entire programming languages. Freelance automation specialist by day and hacker by trade. I publish weaponized code on GitHub, namely Docker-OSX, which was my first big "thing," which now has 15k stars, and my biggest project, Docker-OSX, has over 100,000 downloads on DockerHub.

@sickcodes
https://github.com/sickcodes
https://www.linkedin.com/in/sickcodes/
https://sick.codes

Your House is My House: Use of Offensive Enclaves In Adversarial Operations

20 minutes | Demo, Tool

Dimitry "Op_Nomad" Snezhkov Associate Director, Protiviti

Speaker(s) will be at DEF CON!

As developers start to rely more on hardware-based memory encryption controls that isolate specific application code and data in memory (secure enclaves), adversaries can use enclaves to successfully coexist on the host and enjoy similar protections.

In this talk we venture into a practical implementation of such an offensive enclave, with the help of Intel SGX enclave technology, supported on a wide variety of processors present in enterprise data-centers and in the cloud.

We discuss how malware can avoid detection in defensively instrumented environments and protect their operational components from processes running at high privilege levels, including the Operating System. We dive deeper into using enclaves in implants and stagers, and discuss the design and implementation of an enclave that is capable of facilitating secure communication and storage of sensitive data in offensive operations. We cover how the enclaves can be built to help secure external communication while resisting system and network inspection efforts and to achieve deployment with minimal dependencies where possible.

Finally, we release the enclave code and a library of offensive enclave primitives as a useful reference for teams that leverage Intel SGX technology or have a hardware platform capable of supporting such adversarial efforts.

Dimitry "Op_Nomad" Snezhkov
Dimitry Snezhkov is an Associate Director at Protiviti. In this role he hacks code, tools, networks, apps and sometimes subverts human behavior too. Dimitry has spoken at DEF CON, BlackHat, THOTCON conferences, and presented tools at BlackHat Arsenal.

@Op_Nomad

Racketeer Toolkit. Prototyping Controlled Ransomware Operations

20 minutes | Demo, Tool

Dimitry "Op_Nomad" Snezhkov Associate Director, Protiviti

Speaker(s) will be at DEF CON!

Offensive testing in organizations has shown a tremendous value for simulating controlled attacks. While cyber extortion may be one of the main high ROI end goals for the attacker, surprisingly few tools exist to simulate ransomware operations.

Racketeer is one such tool. It is an offensive agent coupled with a C2 base, built to help teams to prototype and exercise a tightly controlled ransomware campaign.

We walk through the design considerations and implementation of a ransomware implant which emulates the logical steps taken to manage connectivity and asset encryption and decryption capabilities. We showcase flexible and actionable ways to prototype components of a fully remote ransomware operation, including key and data management, as well as the data communication that is used in ransomware campaigns.

Racketeer is equipped with practical safeguards for lights out operations, and can address the goals of keeping strict control of data and key management in its deployment, including target containment policy, safe credential management, and implementing operational security in simulated operations.

Racketeer can help gain better optics into IoCs, and is helpful in providing detailed logs that can be used to study the behavior and execution artifacts of a ransomware agent.

Dimitry "Op_Nomad" Snezhkov
Dimitry Snezhkov is an Associate Director at Protiviti. In this role he hacks code, tools, networks, apps and sometimes subverts human behavior too. Dimitry has spoken at DEF CON, BlackHat, THOTCON conferences, and presented tools at BlackHat Arsenal.

@Op_Nomad

SPARROW: A Novel Covert Communication Scheme Exploiting Broadcast Signals in LTE, 5G & Beyond

45 minutes | Demo, Exploit

Reza Soosahabi Senior R&D Engineer, Keysight Technologies

Chuck McAuley Principal security researcher (ATIRC), at Keysight Technologies

Speaker(s) will be at DEF CON!

When researching methods for covert communications in the wireless space, we noticed most hackers are barely looking below the IP layer, and even the wireless guys are focused on creating their own radio (PHY layer) solutions rather than looking at what’s already available to them. We discovered a sweet spot that takes advantage of MAC layer protocols in LTE and 5G, enabling long range communication using other people’s networks, GSMA CVD-2021-0045. We can use SPARROW devices almost everywhere in a variety of scenarios, such as data exfiltration and command and control. Despite limited data rates, the new scheme can defeat known covert communication schemes with dedicated PHY in the following ways:

- Maximum Anonymity: SPARROW devices do not authenticate with the host network while operating. This eliminates their exposure to network security and lawful intercept systems as well as spectrum scanners. Utilizing limited resources, they cause very minimal impact on the host network services.
- More Miles per Watt: SPARROW devices can be several miles apart exploiting broadcast power of base stations or non-terrestrial technologies. The range can be further extended by deploying several of them in a geographically sparse mesh network.
- Low Power & Low Complexity: SPARROW devices can utilize existing protocol implementation libraries installed on commodity SDRs. They can operate on batteries or harvest energy from the environment for long durations, just like real sparrows!

REFERENCES:
There are no direct references of prior study that I (Reza) have (aside from general knowledge of 5G standard and RF), however the following talks and items led me towards this discovery:
- DEF CON Safe Mode - James Pavur - Whispers Among the Stars - https://www.youtube.com/watch?v=ku0Q_Wey4K0
- DNS Data Exfiltration techniques
- My boss buying me a 5G base station emulator and saying "find something wrong with this!"

Reza Soosahabi
Reza Soosahabi is a lead R&D engineer with the Application & Threat Intelligence Research Center (ATIRC) at Keysight Technologies. His current field of research includes RAN security, data exfiltration and ML / statistical algorithms. He was a 5G system engineer prior to joining Keysight in 2018. He contributes to IEEE proceedings related to signal processing and information security. As a math enthusiast, Reza often tries unconventional analytical approaches to discover and solve technically diverse problems. He also enjoys cutting boxes with Occam’s Razor and encourages others around him to do so.

@darthsohos
https://scholar.google.com/citations?user=SNFxK60AAAAJ&hl=en

Chuck McAuley
Chuck McAuley is a principal security researcher with the Application & Threat Intelligence Research Center (ATIRC) at Keysight Technologies. Chuck has a variety of interests that include 5G and LTE packet core vulnerabilities, reverse engineering botnets, finding novel forms of denial of service, and researching weird esoteric protocols for weaknesses and vulnerabilities.

@nobletrout

Extension-Land: exploits and rootkits in your browser extensions

45 minutes | Demo, Tool, Exploit

Barak Sternberg Senior Security Researcher

Speaker(s) will be at DEF CON!

Browser extensions are installed everywhere; they serve as an integral part of our day-to-day web routine, from AdBlockers to Auto-Translators. But do we know what is running inside of them? Do we know what goes on deep down inside their communication routines? How do they use their internal APIs? And how do their different JS execution contexts work?

In this session, I will explore these unique internal extension APIs and hidden attack-surfaces and show how these concepts can be broken & exploited in new ways! I start by showing how an attacker can "jump" from one low-permissions chrome-app/extension to another, hence elevating its permissions. Then, I will show how to gain full "browser-persistency" inside extensions' background-scripts context.

Chaining it all together, I show how an attacker, starting from a low-permissions chrome-app, gains a fully-armed "extension-rootkit": a persistent JS-malware running inside of a “good” extension, along with C&C features, JS injection techniques to any tab/origin, obfuscation techniques and more. Eventually, I will present a generic technique, targeting all chrome users, for taking over any previously installed chrome extension and implanting an "extension-rootkit" in it.

REFERENCES:
[1] Chrome Developers: Chrome extensions API Reference, https://developer.chrome.com/docs/extensions/reference/
[2] Chrome Developers: Chrome extensions Manifest v2/v3 Security References, https://developer.chrome.com/docs/extensions/mv2/getstarted/ & https://developer.chrome.com/docs/extensions/mv3/security/
[3] "Websites Can Exploit Browser Extensions to Steal User Data", 2019 - https://www.securityweek.com/websites-can-exploit-browser-extensions-steal-user-data / https://www-sop.inria.fr/members/Doliere.Some/papers/empoweb.pdf
[4] "Web Browser Extension User-Script XSS Vulnerabilities", 2020 - https://ieeexplore.ieee.org/document/9251185
[5] "Detecting DOM-Sourced Cross-Site Scripting in Browser Extensions", 2017 - https://ieeexplore.ieee.org/document/8094406
[6] "Attacking browser extensions", Nicolas Golubovic, 2016 - https://golubovic.net/thesis/master.pdf
[7] "A Combined Static and Dynamic Analysis Approach to Detect Malicious Browser Extensions", 2018 - https://www.hindawi.com/journals/scn/2018/7087239/
[8] "Chrome Extensions: Threat Analysis and Countermeasures", 2012 - https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.374.8978&rep=rep1&type=pdf
[9] "Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies", Usenix Security 2017 - https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-sanchez-rola.pdf
[10] "Protecting Browsers from Extension Vulnerabilities", 2010 - https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/38394.pdf

Barak Sternberg
Barak Sternberg is an experienced Security Researcher who specializes in Offensive Security. Founder of "WildPointer", and previously an author at SentinelLabs ("Hacking smart devices for fun and profit", Defcon 2020 IoT Village) and leader of innovative cybersecurity research.

Barak spent more than six years at Unit 8200, IDF, as a team leader of 5-10 security researchers. He is highly skilled in offensive cyber-security, from vulnerability research in various areas (Linux, IoT, embedded and web-apps) to analyzing malware in the wild. Barak is also a CTF addict, posting write-ups and technical vulnerability analysis on his blog (livingbeef.blogspot.com). Barak also holds a BSc and an MSc (in CS) focused on algorithms from Tel-Aviv University and a DJ certificate from BPM college.

@livingbeef
https://livingbeef.blogspot.com/
https://www.linkedin.com/in/barakolo/
https://www.barakolo.me

A new class of DNS vulnerabilities affecting many DNS-as-Service platforms

20 minutes | Demo

Shir Tamari Head of Research, Wiz (Wiz.io)

Ami Luttwak CTO, Wiz

Speaker(s) will be at DEF CON!

We present a novel class of DNS vulnerabilities that affects multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM hashes. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received sensitive information carried by DNS update queries from ~1M Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, there were more than 20,000 endpoints that actively leaked their information out of the organization. We will review possible mitigations to this problem and solutions for both DNSaaS providers and managed networks.

REFERENCES:
I. Microsoft Windows DNS Update algorithm explained - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003
II. An excellent blog post by Matthew Bryant on hijacking DNS Updates abusing a dangling domain issue on Guatemala State's Top Level Domain - https://thehackerblog.com/hacking-guatemalas-dns-spying-on-active-directory-users-by-exploiting-a-tld-misconfiguration/

Shir Tamari
Shir Tamari is a security and technology researcher, specializing in vulnerability research and practical hacking. He works as Head of Research at the cloud security company Wiz. In the past, he served in the Israeli intelligence unit, and in recent years has led a variety of research and security products in the industry. Shir's interests include Android, Linux Kernel, Web hacking and Blockchain.

@shirtamari

Ami Luttwak
Ami Luttwak is a serial entrepreneur, an experienced cyber security CTO and a hacker at heart. He is mainly interested in cloud security and cloud exploits, understanding how the cloud is built in order to uncover its weaknesses. Currently CTO of Wiz, the fastest growing unicorn in cloud security; prior to that he led research as CTO of Microsoft cloud security, and before that founded Adallom, a pioneering cloud security startup acquired by Microsoft in 2015.

@amiluttwak

UFOs: Misinformation, Disinformation, and the Basic Truth

45 minutes

Richard Thieme AKA neuralcowboy author and professional speaker, ThiemeWorks

Speaker(s) will be at DEF CON!

The talk, "UFOs and Government: A Historical Inquiry", given at Def Con 21 has been viewed thousands of times. It was a serious, well-documented exploration of the UFO subject based on Thieme's participation in research into the subject with colleagues. The book of that name is the gold standard for historical research into the subject and is in 100+ university libraries.

This update was necessitated by recent UFO incidents and the diverse conversations triggered by them. Contextual understanding is needed to evaluate current reports from pilots and naval personnel, statements from senators and Pentagon personnel, and indeed, all the input from journalists who are often unfamiliar with the field and the real history of documented UFOs over the past 70 years.

Thieme was privileged to participate with scholars and lifelong researchers into the massive trove of reports. We estimate that 95% can be explained by mundane phenomena but the remainder suggest prolonged interaction with our planetary society over a long period. Thieme also knows that when you know you don't know something, don't suggest that you do. Stay with the facts, stay with the data. Sensible conclusions, when we do that, are astonishing enough.

Reality, as Philip K. Dick said, will not go away just because we refuse to believe in it.

Richard Thieme AKA neuralcowboy
Richard Thieme, https://thiemeworks.com has addressed security and intelligence issues for 28 years. He has keynoted security conferences in 15 countries and given presentations for the NSA, FBI, Secret Service, Pentagon Security Forum, U.S. Department of the Treasury, and Los Alamos National Laboratory. He has been speaking at Def Con since Def Con 4. His sixth book, a novel, Mobius: A Memoir, about an intelligence professional looking back on his career and how it led down unexpected paths, is receiving rave reviews. He has explored UFO phenomena seriously for 43 years.

@neuralcowboy

ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Microsoft Exchange Server!

45 minutes | Demo, Exploit

Orange Tsai Principal Security Researcher of DEVCORE

Virtual only presentation

Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we’ve found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange.

This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface.

To unveil the beauty of this attack surface and our novel exploitation, we’ll start by analyzing this architecture, followed by 7 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 3 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, and ProxyOracle. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.

This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server. Last but not least, we’ll provide hardening actions to mitigate such types of 0days in Exchange.

REFERENCES:
* "Hunting for bugs, catching dragons" by Nicolas Joly in Black Hat USA 2019
* CVE-2020-0688 and CVE-2018-8302 from ZDI blog
* CVE-2020-16875 from @steventseeley

Orange Tsai
Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE, a CHROOT security group member, and captain of the HITCON CTF team in Taiwan. He is the Pwn2Own 2021 "Master of Pwn" champion and has also spoken at conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, and WooYun!

Orange participates in numerous CTFs and won second place in DEF CON CTF 22/25/27 as team HITCON. Currently, Orange is a 0day researcher focusing on web/application security; his research is not only the Pwnie Awards 2019 winner for “Best Server-Side Bug” but also took first place in the "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about RCE bugs and has uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, and so on.

@orange_8361
https://blog.orange.tw/

Sneak into buildings with KNXnet/IP

45 minutes | Demo

Claire Vacherot Senior Security Auditor @ Orange Cyberdefense

Virtual only presentation

Building Management Systems control a myriad of devices such as lighting, shutters and HVAC. KNX (and by extension KNXnet/IP) is a common protocol used to interact with these BMS. However, the public's understanding and awareness are lacking, and effective tooling is scarce, all while the BMS device market keeps on growing.

The ability to craft arbitrary KNXnet/IP frames to interact with these often-insecure BMS provides an excellent opportunity for uncovering vulnerabilities in both the implementation of KNX as well as the protocol itself. From unpacking KNX at a lower level, to using a Python-based protocol crafting framework we developed to interact with KNXnet/IP implementations, in this talk we’ll go on a journey of discovering how BMS that implement KNXnet/IP work as well as how to interact with and fuzz them.

After this talk you could also claim that “the pool on the roof has a leak”!

REFERENCES:
KNX Standard v2.1
https://my.knx.org/fr/shop/knx-specifications?product_type=knx-specifications
Scapy
https://github.com/secdev/scapy
KNXmap
https://github.com/takeshixx/knxmap
Papers & talks:
(In)security in Building Automation: How to Create Dark Buildings with Light Speed
Thomas Brandstetter and Kerstin Reisinger
Presented at BlackHat USA 2017
https://www.blackhat.com/docs/us-17/wednesday/us-17-Brandstetter-insecurity-In-Building-Automation-How-To-Create-Dark-Buildings-With-Light-Speed-wp.pdf
Hacking Intelligent Building - Pwning KNX & ZigBee Networks
HuiYu Wu and YuXiang Li (Tencent)
Presented at HITB Amsterdam 2018
https://conference.hitb.org/hitbsecconf2018ams/materials/D1T2%20-%20YuXiang%20Li,%20HuiYu%20Wu%20&%20Yong%20Yang%20-%20Hacking%20Intelligent%20Buildings%20-%20Pwning%20KNX%20&%20ZigBee%20Networks.pdf
Security in KNX or how to steal a skyscraper
Egor Litvinov
Presented at Zero Nights 2015
http://2015.zeronights.org/assets/files/20-Litvinov.pdf
HVACking: Understanding the Delta Between Security and Reality
Douglas McKee and Mark Bereza
Presented at Defcon 27, 2019
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hvacking-understanding-the-delta-between-security-and-reality/
Anomaly Detection in BACnet/IP managed Building Automation Systems
Matthew Peacock – 2019
https://ro.ecu.edu.au/cgi/viewcontent.cgi?article=3180&context=theses

Claire Vacherot
Claire Vacherot is a pentester at Orange Cyberdefense. She likes to test systems and devices that interact with the real world and is particularly interested in industrial and embedded device cybersecurity. As a former software developer, she never misses a chance to write scripts and tools.

Timeless Timing Attacks

45 minutes | Demo, Tool, Exploit

Tom Van Goethem Researcher, KU Leuven

Mathy Vanhoef Postdoctoral Researcher, NYU

Virtual only presentation

25 years ago, the first timing attacks against well-known cryptosystems such as RSA and Diffie-Hellman were introduced. By carefully measuring the execution time of crypto operations, an attacker could infer the bits of the secret. Ever since, timing attacks have frequently resurfaced, leading to many vulnerabilities in various applications and cryptosystems that do not have constant-time execution. As networks became more stable and low-latency, it soon became possible to perform these timing attacks over an Internet connection, potentially putting millions of devices at risk. However, attackers still face the challenge of overcoming the jitter that is incurred on the network path, as it obfuscates the real timing values. Up until now, an adversary would have to collect thousands or millions of measurements to infer a single bit of information.

In this presentation, we introduce a conceptually novel way of performing timing attacks that is completely resilient to network jitter. This means that remote timing attacks can now be executed with a performance and accuracy similar to those of an attack performed on the local system. With this technique, which leverages coalescing of network packets and request multiplexing, it is possible to detect timing differences as small as 100ns over any Internet connection. We will elaborate on how this technique can be launched against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method.

REFERENCES:
See page 15 to 17 in our paper for a list of references: https://www.usenix.org/system/files/sec20-van_goethem.pdf

Tom Van Goethem
Tom Van Goethem is a researcher with the DistriNet group at KU Leuven in Belgium, mainly focusing on practical side-channel attacks against web applications and browsers. By exposing flaws that result from the unintended interplay of different components or network layers, Tom aims to bring us closer to a more secure web that we all deserve. He has spoken at various venues such as Black Hat USA and Asia, OWASP Global, and USENIX Security. In his spare time, Tom provides animal sculptures with pink tutus.

@tomvangoethem

Mathy Vanhoef
Mathy Vanhoef is a postdoctoral researcher at New York University Abu Dhabi. His research interest lies in computer security with a focus on network and wireless security (e.g. Wi-Fi), software security, and applied cryptography. In these areas Mathy tries to bridge the gap between real-world code and (protocol) standards. He previously discovered the KRACK attack against WPA2, the RC4 NOMORE attack against RC4, and the Dragonblood attack against WPA3.

@vanhoefm

Central bank digital currency, threats and vulnerabilities

45 minutes | Exploit

Ian Vitek Security, Sveriges Riksbank (Central bank of Sweden)

Speaker(s) will be at DEF CON!

What are the threats and vulnerabilities of a retail central bank digital currency (CBDC)? The central bank of Sweden has built a prototype of a retail CBDC system, and I will run through the procurement requirements and design and point out where a two-tier CBDC needs protection against attacks. The prototype is built on Corda Token SDK, and during tests I have found reliable ways to exploit weaknesses in the design. The presentation will focus on the vulnerabilities that can crash the service that handles the tokens and permanently lock tokens, rendering tokens and digital wallets useless. The presentation will also go into detail on how tokens are validated and how information from all earlier transactions is needed for this. With D3.js and HTML5 I will visualize the token history (backchain) and describe how this can be a problem with GDPR and the Swedish bank secrecy regulation.

The presentation will end with a summary of identified threats and weaknesses of a two-tier retail central bank digital currency prototype and how to handle them. The goal of the presentation is to give the attendees insight into the security implications, the challenges depending on the design, where an attack can be carried out, and everything that cannot be missed when designing a CBDC.

REFERENCES:
https://www.ingwb.com/media/3024436/solutions-for-the-corda-security-and-privacy-trade-off_-whitepaper.pdf
https://d3js.org/

Ian Vitek
Ian Vitek has a background as a pentester but has worked with information security in the Swedish financial sector for the last 10 years. He currently works on the security of the Swedish retail central bank digital currency prototype at the Riksbank, the Swedish central bank. Interested in web application security, network layer 2 (the writer of macof), DMA attacks and local pin bypass attacks (found some on iPhone).

Breaking Secure Bootloaders

45 minutes | Demo, Tool, Exploit

Christopher Wade Security Consultant at Pen Test Partners

Virtual only presentation

Bootloaders often use signature verification mechanisms in order to protect a device from executing malicious software. This talk aims to outline actionable weaknesses in modern bootloaders which allow attackers to deploy unsigned code, despite these protection mechanisms.

In the first phase of this talk, we will discuss exploitation of the bootloaders in modern Android smartphones, demonstrating weaknesses which allow for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption.

In the second phase, we will discuss bootloader weaknesses in the secondary hardware used by smartphones. Using an embedded RF chip as a target, we will demonstrate reverse engineering techniques which identified weaknesses in the signature verification mechanisms of the firmware update protocols used by the bootloader, allowing for deployment of custom firmware to the chip.

REFERENCES:
Travis Goodspeed - Great Ideas in Reversing the Tytera MD380: https://nullcon.net/website/archives/ppt/goa-16/Great-Ideas-in-Reversing-the-Tytera-MD380-by-Travis-Goodspeed.pdf
Roee Hay - fastboot oem vuln: Android Bootloader Vulnerabilities in Vendor Customizations: https://www.usenix.org/system/files/conference/woot17/woot17-paper-hay.pdf

Christopher Wade
Christopher is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilizes as part of the hardware testing team at Pen Test Partners.

@Iskuri1
https://github.com/Iskuri

Bundles of Joy: Breaking macOS via Subverted Applications Bundles

45 minutes | Demo

Patrick Wardle Founder, Objective-See

Speaker(s) will be at DEF CON!

A recent vulnerability, CVE-2021-30657, neatly bypassed a myriad of foundational macOS security features such as File Quarantine, Gatekeeper, and Notarization. Armed with this capability attackers could (and were!) hacking macOS systems with a simple user (double)-click. Yikes!

In this presentation we’ll dig deep into the bowels of macOS to uncover the root cause of the bug: a subtle logic flaw in the complex and undocumented policy subsystem. Moreover, we’ll highlight the discovery of malware exploiting this bug as a 0day, reverse Apple’s patch, and discuss novel methods of both detection and prevention.

REFERENCES:
“All Your Macs Are Belong To Us”
https://objective-see.com/blog/blog_0x64.html
“macOS Gatekeeper Bypass (2021 Edition)”
https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
“Shlayer Malware Abusing Gatekeeper Bypass On Macos”
https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/

Patrick Wardle
Patrick Wardle is the founder of Objective-See. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.

@patrickwardle
https://objective-see.com/

Don't Dare to Exploit - An Attack Surface Tour of SharePoint Server

45 minutes | Demo, Exploit

Yuhao Weng Security Researcher of Sangfor

Steven Seeley Security Researcher of Qihoo 360

Zhiniang Peng Principal Security Researcher at Sangfor

Virtual only presentation

Due to the current global issues of 2020, organizations have been forced to make changes in how their business model operates and, as such, have opened the doors to remote working. Microsoft SharePoint is one of the most popular and trusted Content Management Systems (CMS) deployed today. The product is used to share and manage content and internal knowledge, with embedded applications to empower teamwork and seamlessly collaborate across an organization for a truly remote experience.

After the efforts of countless talented engineers at Microsoft, SharePoint has been deployed in the Microsoft cloud as part of their Office 365 offering. This presentation will analyze the security architecture of SharePoint server and how it differs from other popular CMS products. From an offensive point of view, we will also reveal several attack surfaces and the mitigations implemented, and how those mitigations can be bypassed. Finally, we will disclose several high impact vulnerabilities, detailing their discovery and exploitation.

REFERENCES:
1. http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
2. https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control
3. https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524602(v=vs.90)
4. https://www.youtube.com/watch?v=Xfbu-pQ1tIc
5. https://www.blackhat.com/us-20/briefings/schedule/#room-for-escape-scribbling-outside-the-lines-of-template-security-20292
6. https://www.spguides.com/sharepoint-csom-tutorial/

Yuhao Weng
Yuhao Weng (@cjm00nw) is a security researcher at Sangfor and a CTF player with Kap0k. He has been studying the web for three years and found a lot of bugs in Sharepoint, Exchange and so on. Now he is focused on .NET security.

@cjm00nw

Steven Seeley
Steven Seeley (@mr_me) is a member of the 360 Vulcan team and enjoys finding and exploiting bugs. Currently his focus is on web and cloud tech, and he has over 10 years of experience in offensive security. Steven won the Pwn2Own Miami competition with his teammate Chris Anastasio in early 2020 and has taught several classes in web security including his own, Full Stack Web Attack.

@steventseeley

Zhiniang Peng
Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and published much research in both academia and industry.

@edwardzpeng

Making the DEF CON 29 Badge

45 minutes | Demo

Michael Whiteley MKFactor.com

Katie Whiteley MKFactor.com

Speaker(s) will be at DEF CON!

Come meet the new badge makers and hear the story of how this year's badge was created amidst a global pandemic. We'll share tales of chip shortages, delayed parts, and late nights, as well as discuss how the badge works and what you can do with it. Maybe even some hints about the challenges within...

Michael Whiteley
Michael is a husband, father, and electronics geek. He doesn't like long walks on the beach, but prefers to be indoors with a fast internet connection.

@compukidmike

Katie Whiteley
Katie is a wife, mother, and graphic designer. She likes long walks on the beach because there's no internet connection.

@ktjgeekmom

Combined they are MK Factor, a husband/wife badgemaker team. They've created badges for many conferences and groups like OpenWest, Saintcon, DC801, Car Hacking Village, and many unofficial DEF CON badges. Together they earned a black badge for Car Hacking at DEF CON 24.

Defending against nation-state (legal) attack: how to build a privacy-protecting service in the era of ubiquitous surveillance

45 minutes

Bill "Woody" Woodcock Chair of the Foundation Council, Quad9

Speaker(s) will be at DEF CON!

US diplomacy and the US District Court of Northern California provide a nearly impenetrable shield against legal assault from other countries for the many tech companies that choose the San Francisco Bay Area as their legal domicile. But US domicile has left companies undefended against ECPA, CALEA, Patriot Act and FISA requests and the gag orders which prevent their disclosure, and the US has little or no statutory protections for users’ privacy. So how do you hack the international legal and diplomatic system to defend the privacy of users of Internet services against nation-state legal attacks? The privacy-and-security-oriented non-profit DNS recursive resolver Quad9 spent four years working the system and learning from prior examples like ProtonMail, and Bill Woodcock, the chair of Quad9’s Foundation Council, will talk about the threat model Quad9 is defending against, how legal domicile and physical presence interact, and how Quad9 is building a model that other privacy-respecting services can follow. He’ll discuss the critical differences between jurisdictions and legal regimes that Quad9 uncovered in their four-year selection process, and the key and differentiating protections the Swiss government offers that the US and EU governments do not. And if y’all get tired of that, you might be able to convince him to talk about the injunction Sony Music got against Quad9 in the copyright-troll court in Hamburg and why more privacy may also come at the risk of more censorship.

Bill Woodcock
Bill Woodcock is the executive director of Packet Clearing House, the international non-governmental organization that builds and supports critical Internet infrastructure, including Internet exchange points and the core of the domain name system, and he’s the chairman of the Quad9 Foundation. Bill is best known for developing anycast routing (1989), multicast DNS (2000), the INOC-DBA infrastructure protection hotline system (2001), and being one of the two international liaisons in the Estonian CERT during the Russian cyber-attack in 2007. Bill served on the Global Commission on the Stability of Cyberspace, and was on the board of the American Registry for Internet Numbers for fifteen years. Now, Bill’s work focuses principally on the security and economic stability of critical Internet infrastructure.

How I use a JSON Deserialization 0day to Steal Your Money On The Blockchain

45 minutes | Demo, Exploit

Hao Xing Tencent Security Xuanwu Lab

Zekai Wu Security Researcher from Tencent Security Xuanwu Lab

Virtual only presentation

Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub. As a basic module of countless Java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully. We will disclose these high-risk and universal gadgets for the first time in this talk.

Now, we can control many important websites and affect millions of users. Let's make things more interesting. We found that this fastjson vulnerability affects a multi-billion-dollar blockchain. We designed multiple complex gadgets based on the features of the blockchain, and exquisitely achieved information leakage and pointer hijacking. Putting all these gadgets together, we achieved remote code execution on the blockchain nodes.

However, generally after remote code execution, we seem to have no better exploit method other than the 51% attack, which will lead to serious accounting confusion. After a detailed analysis of the architecture design of the public blockchain, we found a way from RCE to stealing the public blockchain users' assets almost without any notification.

To the best of our knowledge, this is the first published attack case on the realization of covertly stealing user assets after RCE on public blockchain nodes. We will propose a more covert post-penetration exploit method for public blockchain nodes in this talk.

Blockchain is not bulletproof to security vulnerabilities. We will show you how to use classical web vulnerabilities to attack the blockchain and how to steal real money from the decentralized cyber world.

REFERENCES:
1. https://github.com/threedr3am/gadgetinspector
2. https://github.com/JackOfMostTrades/gadgetinspector
3. http://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf
4. http://i.blackhat.com/eu-19/Thursday/eu-19-Zhang-New-Exploit-Technique-In-Java-Deserialization-Attack.pdf
5. https://asm.ow2.io/asm4-guide.pdf

Hao Xing
Hao Xing is a security researcher from Tencent Security Xuanwu Lab. He has given presentations at Chaos Communication Congress and BlackHat Asia. His research focuses on Web security, Android security and Red Team. He has reported lots of vulnerabilities to many internet giants such as Google, Microsoft, Alibaba etc.

@RonnyX2017

Zekai Wu
Bio Coming Soon!

@hellowuzekai

Glitching RISC-V chips: MTVEC corruption for hardening ISA

45 minutes | Demo, Exploit

Adam 'pi3' Zabrocki Principal System Software Engineer (Offensive Security) at NVIDIA

Alex Matrosov

Speaker(s) will be at DEF CON!

RISC-V is an open standard instruction set architecture (ISA) provided under open-source licenses that do not require fees to use. The ISA is based on established reduced instruction set computer (RISC) principles. RISC-V has features to increase computer speed, while reducing cost and power use.

Many industry players like Google, IBM, NVIDIA, Qualcomm, and Samsung are members of the RISC-V Foundation and have long supported RISC-V development. In 2016, NVIDIA unveiled plans to replace the internal microcontrollers of their graphic cards with next-gen RISC-V-based controllers built for upcoming NVIDIA GPUs.

NVIDIA's Product Security undertook a detailed architectural analysis and research of the RISC-V IP, discovering a potential risk with the ambiguous specification of the Machine Trap Base Address (MTVEC) register. This ambiguity leads to potential fault injection vulnerabilities under physical attack models.

Adam 'pi3' Zabrocki
Adam 'pi3' Zabrocki is a computer security researcher, pentester and bughunter, currently working as a Principal Offensive Security Researcher at NVIDIA. He is the creator and a developer of Linux Kernel Runtime Guard (LKRG) - his moonlight project defended by Openwall. Among others, he used to work at Microsoft, European Organization for Nuclear Research (CERN), HISPASEC Sistemas (known for the virustotal.com project), Wroclaw Center for Networking and Supercomputing, and Cigital. The main area of his research interest is low-level security (CPU architecture, uCode, FW, hypervisor, kernel, OS).

As a hobby, he was a developer in The ERESI Reverse Engineering Software Interface project, a bughunter (discovered vulnerabilities in Hyper-V hypervisor, Intel/NVIDIA vGPU, Linux kernel, OpenSSH, gcc SSP/ProPolice, Apache, Adobe Acrobat Reader, Xpdf, Torque GRID server, FreeBSD, and more) and studied exploitation and mitigation techniques, publishing results of his research in Phrack Magazine.

@Adam_pi3
http://pi3.com.pl

Alex Matrosov
Alex Matrosov is a well-recognized offensive security researcher. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Alex served as Chief Offensive Security Researcher at Nvidia and at the Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers, and is a frequent speaker at security conferences, including REcon, Zeronights, Black Hat, DEF CON, and others. Additionally, he has been awarded by Hex-Rays for the open-source plugins efiXplorer and HexRaysCodeXplorer, which have been developed and supported since 2013 by REhint's team.

@matrosov
https://medium.com/firmware-threat-hunting
