Presentations
David DeCoster: Lies, Damn Lies, and Uncertainty
This presentation is about the manipulation of charts and infographics to make a dataset portray information in a way that tells the story that the presenter wants told.
Artem Dinaburg: Bit-squatting: DNS Hijacking Without Exploitation
Barring deliberate sabotage, we generally assume that computer hardware will work as described. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunction manifests in DRAM chips as flipped bits. Security researchers have known about the danger of such bit flips but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed.
This presentation will show that bit flips pose a real attack vector. First, the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data, the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party.
The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.
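As an added, defender-side illustration of the concept described above (this is not code from the talk or its author), the following Python script does two things an operator defending a domain would want: it enumerates every name that is exactly one bit away from a given domain and is still a syntactically valid hostname, so those names can be registered or watched, and it classifies an observed query name by which character and bit differ from the canonical name, which is a first step toward the kind of analysis the abstract mentions. The domain names are the talk's own example; the function names and the rule of skipping the TLD are my assumptions.

```python
# Added example, not part of the original abstract.
# Enumerates single-bit-flip "bit-squat" neighbours of a domain and classifies
# an observed name by the differing bit. Written from a defensive standpoint:
# the output is the list an operator would register or monitor.

# Characters allowed inside a DNS label (lowercase letters, digits, hyphen).
# Uppercase is deliberately excluded: DNS is case-insensitive, so flipping the
# 0x20 "case" bit yields the same name, not a squattable one.
VALID_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def _well_formed(domain):
    """Reject empty labels and labels with a leading or trailing hyphen."""
    for label in domain.split("."):
        if not label or label.startswith("-") or label.endswith("-"):
            return False
    return True


def bit_flip_variants(domain):
    """Return the sorted list of domains reachable from `domain` by flipping
    exactly one bit of one character. Assumption: only the registrable part
    (everything before the final label) is flipped, since a variant in a
    different TLD is not something the operator can register under the same
    zone. Dots are never flipped because that would merge or split labels."""
    domain = domain.lower()
    head, _, tld = domain.rpartition(".")
    results = set()
    for i, ch in enumerate(head):
        if ch == ".":
            continue
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped == ch or flipped not in VALID_LABEL_CHARS:
                continue
            candidate = head[:i] + flipped + head[i + 1:] + "." + tld
            if _well_formed(candidate):
                results.add(candidate)
    return sorted(results)


def classify_query(observed, canonical):
    """If `observed` is exactly one bit away from `canonical` (ignoring case),
    return (character_index, bit_position); otherwise return None.
    Useful for tagging logged queries before looking at which platform or
    resource was involved."""
    observed, canonical = observed.lower(), canonical.lower()
    if len(observed) != len(canonical):
        return None
    diffs = [(i, ord(a) ^ ord(b))
             for i, (a, b) in enumerate(zip(observed, canonical)) if a != b]
    if len(diffs) != 1:
        return None
    index, xor = diffs[0]
    if xor & (xor - 1):          # more than one bit set: not a single flip
        return None
    return (index, xor.bit_length() - 1)


if __name__ == "__main__":
    # The talk's example: 'r' (0x72) and '2' (0x32) differ only in bit 6.
    for name in bit_flip_variants("microsoft.com"):
        print(name)
    print(classify_query("mic2osoft.com", "microsoft.com"))
```

Running the script prints the registrable one-bit neighbours of microsoft.com, among them mic2osoft.com, and reports that name as character index 3, bit 6. Names whose flip would produce a character outside the hostname alphabet are dropped, which is why the list is much shorter than 8 flips per character.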
Marc Eisenbarth: Active Exploitation Detection and the Arrhythmia of the Threat Landscape
Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.
Martin Holste: Detection is the New Prevention: Using Open-Source Software on Big Data to Defend
The security industry must continually evolve to cope with the vast amount of data required to defend complex environments. Security is now a race in which defenders try to find and contain attackers before they capitalize on information stolen after trivial compromises. Learn how to create, analyze, and understand Big Data for security through IDS and basic log collection using Enterprise Log Search and Archive (ELSA) to contain adversaries before they leverage footholds. Then learn how to add tools like StreamDB and Cuckoo Sandbox to automate much of the security detection cycle to accelerate containment and hunting. Participants who have access to a server or VM can install the software during the talk and leave with a fully-functional appliance for use in their org when they return.
http://ossectools.blogspot.com/2012/03/detection-is-new-prevention.html
Khash Kiani: Identity X - Securing the Insecure
There are a number of existing and emerging open protocols designed to deliver mechanisms for enabling the Authentication and Authorization attributes of users to be shared between web sites. Technologies such as OAuth and OpenID are being adopted by small and large size organizations to share or consume user resources across the web. This session is a technical study of some of these emerging user-centric Identity technologies and their security implications. We will present scenarios of how insecure implementations of these protocols can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and focus on secure implementation and countermeasures.
John McNabb: Vulnerabilities of Wireless Water Meter Networks
Why research wireless water meters? Because they are a potential security hole in a critical infrastructure, which can lead to a potential leakage of private information, and create the potential to steal water by lowering water bills? It's a technology that's all around us but seems too mundane to think about. Because a hacker can't resist exploring technology to see how it works and how to break it… because they are there? In this talk the speaker, who managed a small water system for 13 years, will first present an overview of drinking water security, review reported water system security incidents and the state of drinking water security over the past year, and will then take a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks and how to sniff wireless water meter signals.
Tom Parker: Stuxnet Redux: Malware Attribution & Lessons Learned
Recent incidents commonly thought to be linked to state sponsored activities have given rise to much discussion over the reliability of technical analysis as a source for adversary attribution - specifically in regards to what is commonly termed as the Advanced Persistent Threat (or APT). We now live in a world where the reverse engineering of a malicious binary, or analysis of a compromised host may very well play into a world-changing decision, such as whether a country should declare war on another - or indeed, whether it is no longer viable for a large, multinational corporation to continue doing business in a given part of the globe.
Of perhaps most note - stuxnet has dominated much of the information security media since its public acknowledgment in June 2010. Multiple schools of thought have emerged, casting speculation over the identities of those responsible for the authorship and operation of what some suggest is the most advanced piece of malware observed in the public domain. Nation state? Organized crime? Disgruntled vendor employee? This talk will take a close look at what we really know about this mysterious culmination of bits, closely analyzing some of the popular hypotheses, and identifying others which have perhaps not drawn as much momentum.
As a basis for our analysis, we will discuss in depth the merits and demerits of technical analysis; demonstrating ways in which various techniques including static binary analysis and memory forensics may be utilized to build a granular profile of the adversary, and where the same techniques may fall short. The presentation will discuss a detailed characterization matrix that can be leveraged to assess and even automate assessment of multiple aspects of the adversary (such as motive, technical skill, technological research resources) that may all play into the way in which we respond to an incident, or reposition ourselves to handle a specific threat over the long term.
Finally, we will review what lessons we can learn from stuxnet - to further attribution related research efforts, and ways in which we might adjust our security posture when it comes to protecting our nation's most critical assets.
David Schuetz: Inside Apple's MDM Black Box
Mobile Device Management (MDM) has become a hot topic as organizations are pressured to bring iStuff into their organization, especially as BYOD (Bring Your Own Device) gains steam. Mobile devices are invading every level of corporate society, making the need to remotely manage and control them increasingly urgent. Apple has provided some enterprise management features, first via over-the-air configuration profiles, and beginning in 2010, full MDM support. Unfortunately, the exact features available through MDM are tightly controlled by Apple, as is the protocol itself.
This talk dissects how Apple MDM works. Starting with basic iOS configuration principles, the talk explores mobile config profiles generated by the iPhone Configuration Utility, over-the-air profile delivery, and the key features and mechanisms behind MDM. Then we explore how to implement your own MDM server, which allows you to manage iOS devices using official device management APIs. You can wipe your device, and perform many other actions, using these custom MDM services. Finally, some bugs and vulnerabilities, as well as one interesting attack, are discussed.
Originally presented at Black Hat, this talk has been updated to include changes from iOS 5.x and other more recent discoveries.
Richard Perlotto: Past, Present, and Future Threat Landscape
We will be talking about how the threat landscape has changed over the last several decades and how the rapid changes of today will have a severe effect on our ability to understand and defend in the future.
