Talks

Behind LockerGoga – A walk through a ransomware attack worth 40m$

by: Magda Lilia Chelly, CISSP, PhD

This speech technically describes the attack vectors of LockerGoga and how the ransomware could have penetrated the network of the Norwegian aluminium manufacturer Norsk Hydro. With 31 variations and continuous improvements, LockerGoga has powerful characteristics to ensure evasion from traditional security tools. Unlike NotPetya and WannaCry, LockerGoga doesn’t follow the same propagation method, but rather is being copied manually. Researchers are publicly discussing stolen RDP credentials or brute-force attacks as the initial attack for the ransomware to get onto the network. The speech will describe the LockerGoga technical variants and will focus on the latest attack, including the possible scenarios, as per the use of tools for red teaming and standard penetration testing operations. The speech will also practically demonstrate how variants of ransomware can evade traditional anti-malware solutions and attack the systems. It will showcase processes like Doppelgänging and hollowing, with a focus on the code injection and heavy binary obfuscation methods that take advantage of NTFS transactions used in Windows to run malicious executable code hidden under a legitimate process. The goals of the speech are understanding ransomware variations and evasion methodologies.

Breaking and Entering with SDR: Hacking Physical Access Control Systems and Garage Door Openers, or How I Beat Up Wiegand Over VHF/UHF

by: Tim Shelton aka redsand

In this presentation, we will explore how physical access systems work. Specifically aimed at Wiegand RF attacks over UHF/VHF, this process demonstrates how KeyFob security systems can be reverse engineered, understood, and then re-engineered to gain access, clone keyfobs, enumerate data sets and disrupt service.

What we will learn:
1. Basics of Software Defined Radios
2. Basics of Radio Waves
3. Demodulating data from RF by hand, learning Pulse Position Modulation (AM/PPM)
4. Writing Gnu Radio plugins to automate demodulation (Reading the data, now let's record our entire complex's keyfobs)
5. Learning Modulation (AM/PPM) (We have lots of data, but can we send/replay/write it?)
6. Writing Gnu Radio plugins to automate the modulation (Writing the data in style...)
7. Brute forcing new keyfobs (Steroid use only!)

What we will touch on:
1. Cloning/debugging keyfobs (snicker)
2. Concepts of Keyspace and how it relates to Business Risk
3. How this actually isn't really security when we look at it through an application developer's goggles.
4. Is safety and security a reasonable expectation for these types of physical "security" access systems?

What does this mean? We can copy and clone keyfobs from 500m+ away!

If you would like to participate, you can purchase an RTL-SDR (Software Defined Radio) for $30 at the following link: https://www.amazon.com/RTL-SDR-Blog-RTL2832U-Software-Telescopic/dp/B011HVUEME/ref=sr_1_3?keywords=RTL-SDR&qid=1551306572&s=gateway&sr=8-3

Detecting and Fighting Identity Frauds With Cognitive and Behavioral Biometrics

by: Tamaghna Basu

As fraudsters continually refine their techniques to steal customers' credentials, organizations have found new ways to fight back with new tools that use behavioral biometrics and cognitive fraud detection. It is critical to know how cognitive abilities would help in managing risks, compliance and governance, as well as help in maximizing detection, reducing false positives and optimizing strong authentication. The session will describe various models used for behavior pattern analysis and demonstrate how this may be integrated into a real-world SOC to achieve a proactive posture. It will address:

1. Developing a risk framework with cognitive security
2. The technological expertise available to detect these anomalies and patterns

Hacking Airplane Air to Ground System

by: Ali Abdollahi

One of the most important parts of avionic systems is the communication. Airplanes use mobile communication to connect to stations on the ground. In many cases the connection is based on LTE-Advanced technology, and in some cases, when an airplane is over the sea or somewhere else where there is no base station on the ground, it uses a satellite as a hub. In this presentation I will explain the architecture of the communication between an airplane and a ground station, and after that review the technology used, like mobile communications. In the next part I will review the vulnerabilities around mobile communications, particularly in the radio segment used by both the airplane and the ground base station. In the last part of the presentation I will cover and show how a hacker or criminal can take advantage of the communication line between the airplane and the base station for passive sniffing, data manipulation, active sniffing, disruption of airplane functions, and privilege escalation to other avionic systems, which threatens both the airplane and its passengers.

Hacking LTE Radio Tower

by: Ali Abdollahi

The most accessible part of mobile telecommunication is the radio waves and equipment. When you are walking or driving, you may see a radio tower that enables you to make a call, send SMS or use data. In this presentation, I will show you how you can perform both physical and logical attacks against an LTE radio cell tower to initiate attacks against subscribers and the telecom core network.

The main objectives of the presentation are to show all the techniques, demos and security solutions relating to passive sniffing, active sniffing, mobile subscriber data manipulation, fraud and pivoting into the core.

Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fallen into them

by: Samit Anwer

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a seamless and secure SSO experience between unrelated servers/services. OAuth is an open protocol to allow secure authorization in a standard method from web, mobile and desktop applications. The OAuth 2.0 authorization framework enables third-party applications to obtain discretionary access to a web service. Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients.

In this race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.

The key to adding authorization or SSO measures to your app is to ensure you are balancing security with usability. Developers likely make trade-offs when making decisions about specific implementations, and there are a lot of decisions to make. Developers still want to double down on security to avoid flaws in 2.0, paying attention to things like session management, encryption/obfuscation of stored data and IDs, and securing the source code of an app.

In this work we will discuss common malpractices that relying party devs perform when implementing OAuth/OpenID based relying party solutions. However, not all is in the hands of relying party developers; the authorization service providers have a big role to play as well.

There are mainly 4 entities involved in a typical OAuth setup: relying party/client, user/resource owner, resource provider, and authorization server. In this work, we discuss the goof-ups that each of these entities can introduce, with special focus on vulnerabilities that the authorization server can introduce.

The highlight: we present our case study on OAuth authorization providers and detail the issues we found in their solutions. This includes a vulnerability in Microsoft's authorization server, login.windows.net. As can be seen in the PoC video (https://drive.google.com/file/d/1ZFratBPO6qP0hWiCsQH6qJ5fbbx7ghSn/view?usp=sharing), the auth code can be replayed to generate fresh access tokens and ID tokens. Moreover, the code verifier is not being validated, which can lead to a compromise of the access/ID tokens on native apps that use Microsoft's identity provider, login.windows.net.

The Man-In-The-Middle attack against a certain password manager

by: Soya Aoyama

How many sites do you use? Is the password long enough and secure? Do not tell me you reused it. Unfortunately, we do not have a memory good enough to remember so many long and secure passwords. For this reason, there are several companies providing password management applications. However, are they really secure?

I have executed a man-in-the-middle attack against a certain password management application. Surprisingly, the password was exchanged in plain text between the .exe and the .dll, and it was very easy to steal it. The program I created is generic and, under certain conditions, can steal information between any .exe and .dll in Windows. In this talk, I will demonstrate the actual attack and provide the technical explanations that enable this attack. And finally, I suggest ways to protect other apps from this attack.
