99 Problems but a Microkernel ain't one!
- Alex Plaskett
Cars, safety-critical systems and consumer devices (phones) all run QNX; however, very little security research has been performed in this area. This talk will provide an overview of the QNX security architecture, with BlackBerry 10 used as the primary target. It will discuss research on a locked-down, highly secured embedded OS, the OS attack surface, and methods of identifying vulnerabilities from both a reverse engineering perspective and an automated fuzzing approach. This talk will also highlight some of the novel QNX weaknesses identified during this research and the challenges faced with exploit development on the platform.
An Adversarial View of SaaS Malware Sandboxes
Anyone attending this conference knows the usefulness of running malware in a sandbox to perform triage, speed up security analysts' workflow, extract indicators of compromise (IOCs), and gather useful information for detection and mitigation. When analysts do this, what are the OPSEC concerns regarding tipping off the adversary? Which sandbox providers are better than others in this regard? In this talk we will present some research on taking an adversarial view of the free and widely used SaaS malware sandboxes. When an adversary's malware is detonated in a sandbox, what network artifacts can they see? Can they determine which sandbox provider it is based on the network traffic? How do malware and related IOCs submitted to these sandboxes propagate to security companies and ultimately to threat intelligence feeds? In this talk, we will answer all these questions and more.
Beyond IDS: Practical Network Hunting
- Josh Liburdi (@jshlbrd)
Aimed at incident response and threat detection attendees, this talk highlights practical hunting techniques for identifying adversaries in network-based data. The talk will review general hunting techniques that can be applied to any dataset, discuss tools that make network-based hunting possible, and dive deep into practical ways to hunt adversaries in network-based data. Open source code for the Bro network security monitor tool will be released on the day of the talk to support some of the hunting techniques that will be discussed.
Change is the only constant: A day in the life of DNS changes
- Ben April (@bapril)
We took a one-day snapshot of Farsight's new DNS Changes channel and tore into it like an unsupervised 9-year-old with a screwdriver. Inside we found CDNs, DGAs, phone-home services, VPN tunnels, some RTFM moments, and some WTF moments. Catch this inside glimpse of what you can learn about your network or your adversary by monitoring DNS.
Defense at Scale
- Jan Schaumann (@jschauma)
An old infosec truism notes that companies are divided into those who have been hacked and those who don't know they've been hacked. As the industry evolves, systems grow more and more complex, simultaneously increasing the attack surface manifold. What's worse, the Internet of (Insecure) Things combines brand new attack vectors with decades old bugs. How can we keep up?
This talk delves into the idea of defending smarter, not harder; the techniques we need to apply to develop intelligent and automated defenses; the necessity of scaling your team beyond a reactive stance.
Docker Containers for Malware Analysis
There are wonderful malware analysis applications out there that run well on Linux; however, installing and configuring them can be quite challenging. A relatively new approach to using such tools involves running them as application containers. This session will discuss how you can use malware analysis tools that are already distributed as Docker images as part of the REMnux project. These tools include Thug, Viper, JSDetox, and others. It will also offer tips for packaging your favorite apps in a similar manner.
Attend this session to start learning about Docker containers, so you can not only use them when examining malicious software, but also so you better understand what application containers are and what role they might play alongside other infrastructure technologies.
How Hackers View Your Web Site
- Patrick Laverty (@plaverty9)
We know about web vulnerabilities. We know web sites have them. In this talk, we see them all together, maybe including some that you weren't thinking of or aware of. Let's see how a hacker sees your web site and all those vectors for attack.
Making & Breaking Machine Learning Anomaly Detectors in Real Life
- Clarence Chio (@cchio)
Machine learning (ML) techniques used in network intrusion detection are susceptible to adversarial 'model poisoning'. We demonstrate this attack & analyze some proposals for how to circumvent it, then consider specific use cases of ML and anomaly detection in a security context. We analyze how ML can be used in security and why it is not as straightforward as once thought.
Mobile implants in the age of cyber-espionage
- Dmitry Bestuzhev (@dimitribest)
This research is about mobile implants used in APT attacks. I will go through implants used ITW to spy on targets using iOS, Android and Windows Mobile. I'll present current APT threat actors' mobile capabilities based on the code analysis/reversing I did. None of the samples are PoCs; all are real in-the-wild samples.
No Silver Bullet. Multi-contextual threat detection via Machine Learning
Current threat detection technologies lack the ability to present an accurate and complete picture of how threats are executed, and fail to put together the multi-contextual relationships between exploit chain indicators. A combination of behavioral and machine learning technologies can provide a more effective and complete assessment and prevention of threats in organizations that currently rely on dispersed, static, single-indicator technologies. This approach also makes use of the output of existing static, single-indicator technologies, using Big Data computational models.
The Insecurity Of Things
- Stephen A. Ridley (@s7ephen)
There is a latent distrust of the growing "Internet Of Things" market. The data collected by them is becoming more personal all while proliferation of internet connected devices is continuing without regard to privacy or security. Recent news stories have consumers concerned not only with privacy but also surveillance and data handling. The enterprise, medtech, industrial control, and other verticals have plenty to worry about also. To compound the problem, "IoT" and internet connected consumer devices are each made from custom hardware and software. This lack of homogeneity in design makes traditional software based security (like "antivirus") virtually impossible. Since the traditional solutions aren't applicable to these new ubiquitous devices, new techniques and technologies are needed. We'll talk about how we've been approaching the problem with a new platform called "Senrio" (http://senr.io)
At Xipiter we've been working on the security of embedded systems and IoT devices. Xipiter has built several industry-unique trainings on mobile security and embedded device security, each of which has sold out at Black Hat (the largest security conference in the world) for three years in a row. We've helped numerous manufacturers secure their embedded devices, from Point of Sale and entertainment systems to the more esoteric vendors of gaming systems (lotto, casino, etc.) and Industrial Control Systems.
This talk is about our experiences over the last several years and how we're tackling the problem of visibility into the security of these "blackbox" systems, including how we've been approaching it with the Senrio platform.
The Pagentry of Lateral Movement
- Stuart Morgan (@ukstufus)
In order to meaningfully compromise a client, you need to take advantage of every opportunity to gather information and laterally move around the network. This talk will discuss ways of abusing Pageant (PuTTY's SSH agent) on a fully patched Windows host, including a demonstration of a meterpreter extension which can tunnel SSH agent traffic in a manner that is almost undetectable with default logging options, and the way that an existing reconnaissance tool from 2012 was improved to make its output easier to use during a simulated attack or penetration test.
The Ransomware Threat: Tracking the Digital Footprints
- Kevin Bottomley (@k3v_b0t)
The continuing evolution of ransomware is a constant threat to businesses of all types. Taking a stroll through the timeline of ransomware from its infancy to current variants, this session will walk through the methodologies for prevention, containment, and detection... both inside the system and by following the digital footprints to hunt it in the wild.
Warranty Void If Label Removed - Attacking MPLS Networks
- G. Geshev (@munmap)
This talk will be a walk-through of research findings from assessing multiple MPLS implementations and the various key weaknesses that were found to affect a number of leading vendors. General MPLS and MPLS related terms and concepts will be briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies. It should be noted that none of the examples and demonstrations require access to the MPLS backbone. This talk will be concluded with both general and, where applicable, vendor specific best practices and recommendations on reducing the attack surface of an MPLS network.