by: Magda Lilia Chelly, CISSP, PhD
This talk describes the attack vectors of LockerGoga and how the ransomware could have penetrated the network of the Norwegian aluminium manufacturer Norsk Hydro.
With 31 variations and continuous improvements, LockerGoga has powerful characteristics to ensure evasion from traditional security tools. Unlike NotPetya and WannaCry, LockerGoga does not follow the same propagation method; instead it is copied manually. Researchers are publicly discussing stolen RDP credentials or brute-force attacks as the initial vector by which the ransomware got onto the network.
The talk will describe the LockerGoga technical variants and focus on the latest attack, including the possible scenarios, based on the use of tools from red teaming and standard penetration testing operations.
The talk will also practically demonstrate how variants of ransomware can evade traditional anti-malware solutions and attack systems, showcasing techniques such as process Doppelgänging and process hollowing, with a focus on code injection and heavy binary obfuscation methods that take advantage of NTFS transactions in Windows to run malicious executable code hidden under a legitimate process.
The goals of the talk are to understand ransomware variations and evasion methodologies.
by: Tim Shelton aka redsand
In this presentation, we will explore how physical access systems work. Specifically aimed at Wiegand RF attacks over UHF/VHF, this process demonstrates how keyfob security systems can be reverse engineered, understood, and then re-engineered to gain access, clone keyfobs, enumerate data sets and disrupt service.
What we will learn:
1. Basics of Software Defined Radios
2. Basics of Radio Waves
3. Demodulating data from RF by hand, learning Pulse Position Modulation (AM/PPM)
4. Writing Gnu Radio plugins to automate demodulation (Reading the data, now lets record our entire complex's keyfobs)
5. Learning Modulation (AM/PPM) (We have lots of data, but can we send/replay/write it?)
6. Writing Gnu Radio plugins to automate the modulation (Writing the data in style...)
7. Brute forcing new keyfobs (Steriod use only!)
What we will touch on:
1. Cloning/debugging keyfobs (snicker)
2. Concepts of Keyspace and how it relates to Business Risk
3. How this actually isn't really security when we look at it through an application developer's goggles.
4. Is safety and security a reasonable expectation for these types of physical "security" access systems?
What does this mean? We can copy and clone keyfobs from 500m+ away!
If you would like to participate, you can purchase an RTL-SDR (Software Defined Radio) for $30 at the following link: https://www.amazon.com/RTL-SDR-Blog-RTL2832U-Software-Telescopic/dp/B011HVUEME/ref=sr_1_3?keywords=RTL-SDR&qid=1551306572&s=gateway&sr=8-3
by: Tamaghna Basu
As fraudsters continually refine their techniques to steal customers' credentials, organizations have found new ways to fight back with new tools that use behavioral biometrics and cognitive fraud detection.
It is critical to know how cognitive abilities would help in managing risks, compliance and governance as well as help in maximizing detection, reducing false positives and optimizing strong authentication.
The session will describe various models used for behavior pattern analysis and demonstrate how this may be integrated into a real-world SOC to achieve a proactive posture. It will address:
Developing a risk framework with cognitive security;
The technological expertise available to detect these anomalies and patterns.
by: Ali Abdollahi
One of the most important parts of avionic systems is communication. Airplanes use mobile communication to connect to stations on the ground. In many cases the connection is based on LTE-Advanced technology, and in some cases, when an airplane is over the sea or somewhere else with no base station on the ground, it uses a satellite as a hub. In this presentation I will explain the architecture of the communication between an airplane and a ground station, and then review the technology used, such as mobile communications. In the next part I will review the vulnerabilities in mobile communications, particularly in the radio segment used by both the airplane and the ground base station. In the last part of the presentation I will cover and show how a hacker or criminal can take advantage of the communication line between the airplane and the base station for passive sniffing, data manipulation, active sniffing, disruption of airplane functions, and privilege escalation into other avionic systems, which threatens both the airplane and its passengers.
by: Ali Abdollahi
The most accessible part of mobile telecommunication is the radio waves and equipment. When you are walking or driving, you may see the radio towers that let you make a call, send SMS or use data. In this presentation, I will show how both physical and logical attacks can be performed against an LTE radio cell tower to initiate attacks against subscribers and the telecom core network.
The main objective of the presentation is to show all the techniques, demos and security solutions relating to passive sniffing, active sniffing, mobile subscriber data manipulation, fraud and pivoting into the core.
by: Samit Anwer
In this race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions into the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.
The key to adding authorization or SSO measures to your app is to ensure you are balancing security with usability. Developers likely make trade-offs when making decisions about specific implementations, and there are a lot of decisions to make. Developers still want to double down on security to avoid flaws in OAuth 2.0, paying attention to things like session management, encryption/obfuscation of stored data and IDs, and securing the source code of an app.
In this work we will discuss common malpractices that relying party developers commit when implementing OAuth/OpenID based relying party solutions. However, not everything is in the hands of relying party developers: the authorization service providers have a big role to play as well.
There are mainly 4 entities involved in a typical OAuth setup: relying party/client, user/resource owner, resource provider, and authorization server. In this work, we discuss the goof-ups that each of these entities can introduce, with special focus on vulnerabilities that the authorization server can introduce.
The highlight: we present our case study on OAuth authorization providers and detail the issues we found in their solutions. This includes a vulnerability in Microsoft's authorization server, login.windows.net. As can be seen in the PoC video (https://drive.google.com/file/d/1ZFratBPO6qP0hWiCsQH6qJ5fbbx7ghSn/view?usp=sharing), the auth code can be replayed to generate fresh access tokens and ID tokens. Moreover, the code verifier is not being validated, which can lead to a compromise of the access/ID tokens on native apps that use Microsoft's identity provider, login.windows.net.
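The two authorization-server defects the abstract names, authorization-code replay and an unchecked PKCE code verifier, are easiest to understand from the token endpoint's side. The following is an added example written for this page, not code from the talk or from any identity provider; the code store, `issue_code` and `exchange_code` are hypothetical names, and the S256 derivation follows RFC 7636.

```python
# Minimal hardened token-endpoint logic (added example, not a provider's code):
# every authorization code is single-use, and the PKCE code_verifier is
# checked against the stored code_challenge before any token is minted.
import base64
import hashlib
import secrets

# Constructed in-memory store of issued authorization codes (hypothetical).
ISSUED_CODES: dict = {}


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, code_challenge: str) -> str:
    """Authorization endpoint: bind a fresh one-time code to the challenge."""
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id,
                          "code_challenge": code_challenge,
                          "used": False}
    return code


def exchange_code(code: str, code_verifier: str, client_id: str) -> dict:
    """Token endpoint: reject unknown, replayed, or mis-verified codes."""
    entry = ISSUED_CODES.get(code)
    if entry is None or entry["client_id"] != client_id:
        return {"error": "invalid_grant"}
    if entry["used"]:
        # Replay of an already-redeemed code: RFC 6749 requires rejection
        # (and recommends revoking tokens previously issued from it).
        return {"error": "invalid_grant", "reason": "code_replayed"}
    # Burn the code on the first attempt, whether or not PKCE succeeds,
    # so a stolen code cannot be retried with guessed verifiers.
    entry["used"] = True
    if not secrets.compare_digest(s256_challenge(code_verifier),
                                  entry["code_challenge"]):
        return {"error": "invalid_grant", "reason": "pkce_failed"}
    return {"access_token": secrets.token_urlsafe(32),
            "id_token": "<constructed placeholder>",
            "token_type": "Bearer"}
```

A server that skips the `used` check reproduces the replay behaviour described above, and one that skips the `compare_digest` check reproduces the unvalidated verifier.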
by: Soya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it.
Unfortunately, we do not have a memory good enough to remember so many long and secure passwords.
For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password
Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it.
The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows.
In this talk, I will demonstrate the actual attack and provide the technical explanations that enable this attack. Finally, I suggest ways to protect other apps from this attack.