  • windknown

    Pangu Team

    dm557

    Pangu Team

    TOPIC

    How Pangu Jailbreak Untethered on Your iOS Devices

    ABSTRACT

    The Pangu team released the Pangu untethered jailbreak for iOS 7.1.x last month, which supports all iOS 7 compatible devices. Even after they had gathered all the vulnerabilities needed for an untethered jailbreak, it still took them about two months to finish developing the tool. Since it was the first time they had developed an untethered jailbreak tool, they faced various problems, and they thank all the people who helped them.


    In this talk the authors will mainly discuss the vulnerabilities they found and used in the Pangu jailbreak to achieve untethering. They will give details of their code signing bypass, kernel information leak and kernel memory overwrite vulnerabilities. Then they will show how these bugs are exploited so that the Pangu jailbreak can survive on iOS devices.

    BIOGRAPHY

    windknown currently works on security research and app development for OS X/iOS, and he also has years of experience in Windows security. His major research fields cover OS X/iOS/Windows security, vulnerabilities, rootkits, virtualization technology, etc. He has presented his research at international security conferences including XCON, POC, SyScan and SyScan360.


    dm557 is a security researcher who focuses on advanced vulnerability exploitation research. He has worked in the network security field since 2000, has over 15 years of experience in the network security industry, and now mainly focuses on innovative research into software vulnerabilities and exploitation for Microsoft and Apple systems.

  • Rosario Valotta

    TOPIC

    Browser fuzzing in 2014 - David vs Goliath (a.k.a. learn where to throw your stones)

    ABSTRACT

    Fuzzing techniques have proved to be very effective for discovering vulnerabilities in web browsers. Over time several valuable fuzzing approaches and frameworks have been developed, and some of them have become a "de-facto" standard, being widely adopted by the security research community. With the introduction of bounty programs by browser vendors and the growth of 0-day marketplaces, a much wider audience has lately become involved in vulnerability research. Moreover, all major browser vendors have deployed fuzzing infrastructures running 24/7 on private clouds made up of thousands of CPUs. So the only chance for independent researchers to stand against this majestic bug-killing armada is to embrace smart fuzzing and take aim at specific browser APIs/behaviours.


    In this talk the author will give an overview of common memory corruption bugs and of current browser fuzzing techniques and their limitations. Finally, he will introduce a novel fuzzing algorithm targeting specific browser aspects, explain the rationale behind it and discuss a number of exploitable memory corruption bugs uncovered using this approach.

    BIOGRAPHY

    Rosario Valotta is an IT security professional with over 13 years of experience. He has been actively finding vulnerabilities and exploits since 2007 and has released a number of advisories and new attack techniques, including:
    - Abusing browser user interfaces (presented at HITB 2013, PHDays 2013, Nuit Du Hack 2013): research presenting a couple of effective tricks to fool users into running code in their browsers, leveraging some UI weaknesses
    - Nduja Fuzzer (presented at DeepSec 2012): an innovative fuzzer leveraging DOM Level 2 and 3 APIs that proved to be effective in discovering several 0-days in major browsers
    - Cookiejacking, a new attack technique to steal any cookie on Internet Explorer (presented at HITB 2011 AMS and Swiss Cyber Storm 2011)
    - Nduja connection, the first cross-webmail XSS worm
    - Memova exploit, affecting over 40 million users worldwide
    - Outlook Web Access for Exchange CSRF vulnerability
    - Information gathering through Windows Media Player vulnerabilities

  • pLL

    TOPIC

    Be cautious, there is an attack window in your android app

    ABSTRACT

    Although the security of broadcast receivers has been studied by academics, real attacks against this kind of vulnerability have not been made explicit, which leads app vendors to actively avoid addressing this kind of problem. Abuse of unsafe broadcast receivers breaks the security mechanism provided by Android, which allows a large variety of apps to be hijacked.


    In this talk, the authors first analyze the principle of this vulnerability. Then they study the attack model for this stealthy vulnerability and the trick for performing the attack. To facilitate analysis, the Vulnerable Window of an app is defined. Second, a static data flow analysis tool, aDFAer, which is Dalvik-specific, flow-sensitive, interprocedural and context-sensitive, is used to find the vulnerabilities and to generate a simple attack vector automatically to prove the findings. Finally, a dynamic message interceptor and an elaborately designed re-player are used to confirm the findings. The dynamic verification system can catch the Vulnerable Window and play the attack vector.


    Statistical data show that this kind of vulnerability is widespread. They discovered such vulnerabilities in pre-installed apps of the MIUI ROM, the Samsung ROM and even the Google Services Framework. Experiments on Android antivirus software show that over 50% of antivirus vendors ship vulnerable products which use broadcast receivers in an unsafe manner.

    BIOGRAPHY

    As a PhD student at Shanghai Jiao Tong University, pLL focuses on program analysis theory and algorithms, including fuzz testing, security checking, reliability verification and automated vulnerability analysis of programs.

  • The Grugq

    TOPIC

    Click and Dagger: Denial and Deception on Android Smartphones

    ABSTRACT

    This presentation will cover techniques used to secure the phone against forensic analysis when the adversary has physical possession of the device. The Grugq developed a hardened Android ROM which is resistant against analysis and monitoring. There are a few novel techniques to allow for a convenient duress system, and for robust anti-forensic properties. The ROM is supported on a few devices.

    BIOGRAPHY

    The Grugq is a pioneering information security researcher with over a decade of professional experience. He has worked extensively with digital forensic analysis, binary reverse engineering, rootkits, Voice over IP, telecommunications and financial security. The Grugq's professional career has included Fortune 100 companies, leading information security firms and innovative start-ups.
    Claims to fame:
    - pioneered anti-forensics
    - developed "userland exec"
    - released voip attack software
    - decade of experience in info sec
    - long term liaison w/ digital underground
    - described as "extremely handsome" [by his mom]
    - 1992 sussex County 3-legged race, 2nd place
    The Grugq has spoken at dozens of conferences over the last 7 years; has provided expert training courses to .gov, .mil, police and businesses; and has domain expertise in forensics, VoIP, telecommunications and financial systems.

  • Jon Erickson

    iSIGHT

    TOPIC

    Using and Abusing Microsoft’s Fix It Patches

    ABSTRACT

    Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes, as a way to stop newly identified active exploitation methods against its products. A common Fix It patch type used to prevent exploitation is the previously undocumented In Memory Fix It. This research first focuses on analyzing these in-memory patches. By extracting information from them, researchers are able to better understand the vulnerabilities that Microsoft intended to patch. The research then focuses on reverse engineering the patches and using this information to provide the ability to create patches which can be used to maintain persistence on a system.

    BIOGRAPHY

    Jon Erickson is an engineer within the research lab at iSIGHT Partners. Before joining iSIGHT he made the rounds with various government contractors, and before that he was in the United States Air Force. He has a short list of CVEs and other hackery-ish accomplishments to his name. His most notable recent accomplishment is the two-month-old he’ll have at the time of this talk.

  • Rob Ragan

    Bishop Fox

    Oscar Salazar

    Bishop Fox

    TOPIC

    CloudBots: Harvesting Crypto Coins like a Botnet Farmer

    ABSTRACT

    What happens when computer criminals start using friendly cloud services for malicious activities? In this presentation the authors explore how to (ab)use free trials to get access to vast amounts of computing power, storage, and premade hacking environments. Oh! Also we violate the hell out of some terms of service.


    The authors explore just how easy it is to generate massive numbers of unique email addresses in order to register free trial accounts, deploy code, and distribute commands (C2). They managed to build this cloud-based botnet for the low cost of $0 and semi-legally. This botnet doesn’t get flagged as malware, blocked by web filters, or taken over. This is the stuff of nightmares!


    While riding on the fluffy Kumobot (kumo means cloud in Japanese), it was discovered that they were not the only ones doing this! With the rise of crypto currency we now face the impending rise of botnets that mine for digital gold on someone else’s systems, with someone else's dime footing the electric bill. Through their efforts in building a cloud-based botnet, the authors built enough tools to share a framework for penetration testers and security researchers. The anti-anti-automation framework will show those tasked with defense exactly what it looks like when their free trial gets assaulted.

    BIOGRAPHY

    Rob Ragan is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. Rob’s primary areas of expertise are application security assessment, source code review, and secure software design. Rob actively conducts web application security research and has repeatedly presented at Black Hat, DEF CON, RSA, B-Sides, InfoSec World, Hacker Halted, and Adobe’s annual private Security Summit conference. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition.


    Oscar Salazar is a Senior Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing, source code review, and secure software design. Oscar has presented at RSA, Hacker Halted, B-Sides, and Adobe’s annual private Security Summit conference.

  • Pk001

    Wayne Yan

    VisualThreat

    TOPIC

    Hack Your Car and I’ll Drive You Crazy: the Design of Hack-proof CAN-based Automotive System

    ABSTRACT

    “I can see you've got your motor running. But don't you feel I am just behind the wheels and control your car without your awareness?”


    This scene sounds scary. More and more people are talking about car hacking, e.g. at Blackhat 2013 and Syscan 2014, you name it. CAN (Controller Area Network) is the most widely used protocol in the auto industry. It is based on a broadcast bus, which means all message packets are sent to all ECUs. Long ago, CAN-based automotive systems were isolated and safe. Nowadays, advanced diagnostics enable cars to generate lots of profile data about engines and drivers and submit it to the connected vehicle cloud. Meanwhile, with the rapid evolution of mobile technology, the number of mobile devices grows exponentially. When a mobile device connects to both the car and the vehicle cloud via mobile apps, the car becomes a new threat target.


    In this talk, the authors will show how to build a hack-proof security system for a CAN-based automotive network. They will first go through how to reverse engineer a car by sharing their hands-on experience with ECUs, OBD2 and the CAN bus, how to build a testing platform from either a real car or a simulator, and how data transmitted on the CAN bus among ECUs is monitored. They will also build a database of car-hacking attack scenarios and explain how to defend against each type of attack, including the attack scenarios described by other car-hacking researchers. Besides, each car model has its own ECU language, so a hack-proof system should take this into account. The presentation will explain in detail the differences in ECU languages among various auto manufacturers.


    Last but not least, they also share new research findings on security vulnerabilities in current commercial vehicle-related mobile products. Many vendors are offering vehicle cloud services and products, and they are actually selling well. Unfortunately, the security vulnerabilities inside their products put users at high risk of having their cars controlled and their personal information leaked.

    BIOGRAPHY

    Pk001 has years of experience in reverse engineering embedded automotive networks and systems. He has extensive expertise in CAN messaging, ECU and OBD protocol analysis. Pk001 also has thorough knowledge of car engines and their architecture. He is still young and has a passion for cutting-edge technology to address the security problems of car hacking.


    Dr. Yan is the CEO of VisualThreat, a leading mobile security vendor. He previously worked at McAfee, Trend Micro and a Symantec joint venture, and has a deep understanding of security services. Dr. Yan is also an active referee, serves as an editorial board member of peer-reviewed professional journals, and is a technical committee member of many international security conferences. He has authored papers at leading industry and academic conferences such as Virus Bulletin, AVAR and SyScan.

  • Chen Zhangqi

    Qihoo360

    Shen Di

    Qihoo360

    TOPIC

    Advanced Bootkit Techniques on Android

    ABSTRACT

    Oldboot, a stealthy malware discovered by Qihoo in 2013, is recognized as the first Android-based Bootkit. While not surprising, its very appearance on Android still poses serious challenges for detection.


    In this talk, the authors will examine the nature of such malware and aim to better understand and defend against it. In particular, they will explore a variety of advanced Bootkit techniques, such as surreptitiously infecting boot partitions, bypassing built-in kernel-level security restrictions, and launching a kernel-mode Rootkit (earlier than the rest of the system) while remaining completely invisible to COTS anti-virus software. Finally, if time allows, the authors will give a live demo to show all the above-mentioned techniques.

    BIOGRAPHY

    Chen Zhangqi is a security researcher at Qihoo360. He has years of experience in embedded Linux development and a deep understanding of the Linux kernel and the ARM architecture.


    Shen Di is a security researcher at Qihoo360. His research ranges from Android malware and system security to reverse engineering.

  • Łukasz Pilorz

    Paweł Wyleciał

    TOPIC

    Mobile Browsers Security: iOS

    ABSTRACT

    This year, mobile and tablet browsers reached a 30% share of web traffic, according to data provided by StatCounter. Both Android and iOS surpassed e.g. OS X and Windows 8 in these statistics. It is not surprising that many companies are trying to introduce their own browsers on Apple’s mobile platform. While some of them use proxy-rendering solutions, others try to bypass the limitations of the native UIWebView component to deliver a full, flexible user experience.

    During the talk, the authors will discuss how iOS third-party web browsers are built. They will go through the main properties and limitations of UIWebView, common features added by browser developers, and common design or programming flaws that result in security vulnerabilities.

    They will also present some of the security weaknesses of Mobile Safari and UIWebView itself, and discuss the new WebKit API of iOS 8: WKWebView.

    BIOGRAPHY

    Lukasz Pilorz – previously an application security specialist at an international e-commerce platform, he now works as a penetration tester at a large British bank. He is a regular speaker at OWASP Poland meetings and initiator of their branch in Poznan. His career in web security started in 2006 on sla.ckers.org.

    Pawel is a penetration tester and a bug hunter. His main areas of interest include fuzzing, exploitation techniques, static analysis and mobile security. He has recently focused on testing browsers and mobile applications. He is currently working as a penetration testing specialist at a large British bank.

  • Edgar Barbosa

    COSEINC

    TOPIC

    Program analysis and constraint solvers

    ABSTRACT

    The objective of the presentation is to show how to use constraint solvers, including SMT solvers, for program analysis applications such as reverse engineering and bug finding. It will give details of the translation of x86 assembly code to intermediate languages and to SMT formulas. It will also discuss the pros and cons of using solvers for program analysis and the relationship between solvers and taint analysis, and finally it will include some live demonstrations.

    BIOGRAPHY

    Edgar Barbosa is a senior security researcher working at COSEINC. He was a member of the team that developed “Blue Pill”, a virtual machine rootkit, and has published several papers. Edgar is an expert in kernel development, rootkit research, reverse engineering, hardware virtualization and program analysis.

  • Joxean Koret

    COSEINC

    TOPIC

    Breaking Antivirus Software

    ABSTRACT

    This talk shows how to find vulnerabilities in AV products, presents typical problems, and drops some 0days in AV products.

    BIOGRAPHY

    Joxean Koret has been working for the past 14 years in many different computing areas. He started working as a database software developer and DBA for a number of different RDBMSs. Afterwards he got interested in reverse engineering and applied this knowledge to the DBs he was working with, discovering dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He also worked in other security areas, such as malware analysis and anti-malware software development for an antivirus company, and developing IDA Pro at Hex-Rays. He is currently a security researcher at COSEINC.

  • Pedro Vilaça

    TOPIC

    F**k you Hacking Team! From Portugal, with Love.

    ABSTRACT

    This presentation will be dedicated to reversing HackingTeam’s OS X commercial spyware software known as Crisis. It starts by describing the dropper implementation and tricks, and also gives a hint or two on how to improve it. Next is the backdoor module, because the latest samples found in the wild have it packed with MPRESS to “avoid” easy reverse engineering. My goal is to spend some time talking about the packer, how to unpack it, how to build an automatic unpacker, and some debugging tips & tricks. This is followed by an overview of encryption usage, configuration and available features, and how most features are implemented, which means talking about bundle injection. It closes with a brief overview of the C&C communications and the kernel rootkit. The presentation goal is to show how Crisis is implemented, but also how OS X malware can be implemented.

    BIOGRAPHY

    Professional troublemaker in the OS X scene. I love rootkits, cracking software protections, and pissing off Hacking Team (until I find a Gamma/FinFisher OS X malware/rootkit in the wild). Recently converted to whitehat and trying to build the best enterprise endpoint solution for OS X.

  • Nguyen Anh Quynh

    TOPIC

    Capstone disassembly engine

    ABSTRACT

    Disassembling is a fundamental part of all reversing, binary analysis & exploitation tools. This talk presents Capstone, a disassembly framework aiming to be the ultimate choice for the security community. Capstone offers a superior set of features compared to all other publicly available engines: multiple architectures, multiple platforms, semantic details of disassembled instructions, bindings for all important programming languages, a friendly license and much more.


    This talk will present the internals of Capstone, focusing on why we chose the current design, which allows Capstone to have full support for 8 hardware architectures in record time. We will explain why these design decisions ensure that Capstone will get bugs fixed frequently and quickly and will always be kept up to date in the future.


    The talk will go into the details of Capstone’s implementation, and tell some stories about our efforts to make Capstone more stable and robust against malware. A quick introduction to writing security tools on top of Capstone will also be given. Capstone has a website at http://www.capstone-engine.org

    BIOGRAPHY

    Researcher & coder: http://www.capstone-engine.org