PACific SECurity - applied security conferences and training in Pacific Asia: CanSecWest | PacSec |

PacSec2013 Speakers and Slides

Speakers for PacSec2013

PacSec2013 Speakers and Slides

Day 1

"Public-Private Partnership in Proactive Online Security"
Jeff Williams, DellSecureWorks CTU,
English Slides / Japanese Slides

Microsoft has received criticism in the security researcher community regarding certain tactics used in the takedown of botnets. Yet at the same time, the considerable impact of that work demonstrates that internet-based crime can be defeated, dramatically impaired or suffer substantial economic and operational impact. Law enforcement, including the FBI in the US and the National High Tech Crime Unit in the Netherlands as well as others, also work to dismantle botnets. While there are elements in these approaches which are similar, (the eradication/disruption/impairment of specific botnets) there are also two very specific goals. One goal is to protect the customer, while the other is to take legal action against threat actors. This presentation will not only highlight these differences and similarities but offer a proposed model which should maximize the effectiveness of future disruption in operations while preserving the opportunity for law enforcement to pursue attribution and file criminal charges against the actors responsible.

"Compromising Industrial Facilities From 40 Miles Away"
Lucas Apa & Carlos Mario Penagos, IOActive,
English Slides / Japanese Slides

The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities. When sensores and transmitters are attacked, remote sensor measurements on which critical decisions are made might be modified, this could lead to unexpected, harmful, and dangerous consequences. This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made by three leading industrial wireless automation solution providers. We will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions. The audience will learn the weaknesses in current wireless sensor network key distribution systems and where vendors can fail at implementing them. The audience will experience the process and methodologies used to discover these vulnerabilities by reverse engineering the deviceʼs embedded firmware and how we implemented an attack using thalso point out future research directions in this area.

"Pivoting in the Amazon Clouds"
Andres Riancho, Bonsai, @w3af
English Slides / Japanese Slides

From no access at all, to the company Amazon's root account, this talk will teach attendees about the components used in cloud applications like: EC2, SQS, IAM, RDS, meta-data, user-data, Celery; and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code and Amazon's services through it's API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user. Except from the initial vulnerability, a classic remote file include in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.

"Android games + free Wi-Fi = Privacy leak"
Takayuki Sugiura & Yosuke Hasegawa, NetAgent, @hasegawayosuke
English Slides / Japanese Slides

Most free Android apps include ads that use the webview interface. With the right permissions, this exploit can be used to steal an Android user's information (phone number, contacts list, SIM serial number, IMEI) and send SMS messages over snare Wi-Fi AP without installing any malicious binary apps. This is not about Ad SDK. Victims just use FREE apps and FREE games. This exploit is very effective (more than 500 million users) but not easy to fix on all devices. And this vulnerability must be known by all security specialists.

"Breaking MetaTrader"
Boris Petrov & Alex Behar, ECL-Labs,
English Slides

To our knowledge, we are the first to disclose any security issues within MT4, the most widely used platform for FOREX trading on the planet. During preliminary research, we discovered that the MetaTrader 4 protocol contains significant design flaws that have been addressed and widely discussed in alternative open protocols in circulation. Given the fact that MT4 alone is responsible for 60% of retail trading (or about $3 trillion/month), we figured this has to be put out infront of the security community. We uncovered vulnerabilities allowing attackers to recover passwords, bruteforce accounts, MitM sessions, DoS the liquidity bridges connecting brokers to banks, DDoS banks through multiple brokers and overall cause serious trouble in the FOREX world. Nothing is known about the MT4 protocol to date, and with this talk, we will release a tool that parses the "custom encrypted" protocol and paves the way to further research in a space otherwise clouded by proprietary protocols, expensive lawyers and caffeinated MBAs.

"Defeating Signed BIOS Enforcement"
Corey Kallenberg, John Butterworth, Xeno Kovah, MITRE,
English Slides / Japanese Slides

The integrity of the BIOS is paramount to the security of the platform.Research such as "BIOS Chronomancy" shows that an attacker who exists inthe BIOS can evade detection by the Trusted Platform Module and evensurvive BIOS reflashing attempts. Furthermore, Invisible Things Labsshowed in "Attacking Intel Trusted Execution Technology" that a SystemManagement Mode (SMM) present malware can interfere with TXT execution.As it is the BIOS that initially configures SMM, it follows that BIOScontrol implies SMM control. However, as we will see, SMM control *can*also imply BIOS control. The central role of the BIOS in the platform'ssecurity, as well as the need to patch the BIOS with legitimate vendorupdates poses an interesting problem. The most common solution thatvendors adopt to solve this problem is to utilize Intel architectureflash-chip protection mechanisms to provide a BIOS update routine thatverifies the signature on an incoming update before writing the updateto the BIOS. In this secure BIOS update scheme, there are two primaryattack surfaces that can be targeted in an attempt to break the signedBIOS requirement: the Intel architecture protection mechanisms, and thevendor's implementation of the signature enforcement and update routine.This presentation demonstrates two attacks; one against each of thesetargets. Both of these attacks allow an attacker to arbitrarily reflashthe BIOS on a number of systems despite the presence of signed BIOSenforcement. We will also provide some bonus content discussing attacks against our Copernicus BIOS checking tool, as well as Copernicus 2's use of Intel TXT in order to provide more trustworthy BIOS integrity checking.

Day 2

"Fighting advanced malware using machine learning"
Junichi Murakami, FFRI, @junichi_m
English Slides / Japanese Slides

In this paper, behavioral-based detection powered by machine learning is introduced. As the result, detection ratio is dramatically improved by comparison with traditional detection. Needless to say that malware detection is getting harder today. Everybody knows signature-based detection reaches its limit, so that most anti-virus vendors use heuristic, behavioral and reputation-based detections altogether. About targeted attack, basically attackers use undetectable malware, so that reputation-based detection doesn't work well because it needs other victims beforehand. And it is a fact that detection ratio is not enough though we use heuristic and behavioral-based detections. In our research using the Metascan, average detection ratio of newest malware by most anti-virus scanner is about 30 %( the best is about 60 %).

"Defeating the protection mechanism on Android platform"
Tim Xia, Baidu,
English Slides / Japanese Slides

It is very easy to repackage android Apps with your own code and republish it as a brand new one, and it hurts Apps developers very much since their work of months even years could be stolen in few minutes. Now developers have ways to protect their Apps from being hacked by loading their Apps dynamically, of course with anti-debug tricks. However, hackers still have ways to bypass the protection and get the original App code. The war still continues... this presentation will introduce the current status and give some predictions how the war develops.

"Bypassing DDoS Mitigation "
Tony Miu, Albert Hui, Wai Leng Lee, Alan Chung, Bloodspear Laboratories,
English Slides / Japanese Slides

Over the years, the DDoS landscape is changing, becoming so advanced that attacks are hard to detect and hard to mitigate. They nowadays are no longer concerned with how much volume to bombard with, but rather, how much volume actually reaches the backend servers. In order to gain access to the backend, we have developed a proof-of- concept attack tool, giving it near-perfect DDoS mitigation bypass capability against almost every existing commercial DDoS mitigation solutions. The ramifications are huge. For the vast majority of web sites, these mitigation solutions stand as the last line of defense. Breaching this defense can expose these web sites' backend to devastating damages. The effectiveness of this tool is illustrated via testing results against specific DDoS mitigation products and popular web sites known to be protected by specific technologies. To conclude our research, a next-gen mitigation technique is also proposed as a countermeasure against our attack methodology.

"How to win Pwnium - You've got 4 months, this is where to start"
Ian Beer, Google,
English Slides / Japanese Slides

in-depth technical exposé of the attack surface of the google chrome browser from the inside. * What were the root causes of some of the most critical bugs we've seen over the last year? * How you can exploit them (with some obligatory calculator popping) * What we're doing to make it harder. * Just how much code can you reach from the web and what areas will your fuzzer struggle to hit? * The attack surface of the sandbox across multiple platforms.

"Mobile Phone Baseband Exploitation in 2013: Hexagon challenges"
Dr. Ralf-Philipp Weinmann, , @esizkur
English Slides

Exploitation of baseband vulnerabilities has become significantly harder on average. With Qualcomm having grabbed 86% of the market share of shipped LTE chipsets, you see their chipset in every single top-of-the-line smartphone, whether it is an Android, an iPhone, a Windows Phone or a Blackberry. While almost all other current baseband CPUs are ARM-based, Qualcomm has transitioned their entire modem software stack to their own DSP-based architecture, the Hexagon architecture. The architecture switch together with recent hardening of the baseband stack introduces significant challenges for exploit development which we will explore in this talk.

"attacking microchips through the backside"
Starbug & Dmitry Nedospasov T-Labs, Chaos Computer Club,
English Slides / Japanese Slides

Most high security microchips are heavily secured against attacks through the frontside of the chip. But when it comes to the backside there are no security measurements at all. Nearly all chips on the marketare vulnerable to thattacks. Also in the future it will be hard to harden chips against them, optical fault injection in particular.

"Deeper than ever before: Exploring, Subverting, Breaking and Pivoting with NAND Flash Memory"
Josh m0nk Thomas, ,
English Slides / Japanese Slides

Almost every device we use or rely upon during our daily lives uses NAND Flash for embedded storage. The technology has a handful of inherent weaknesses that can be taken advantage of to exploit devices and subvert securty architectures. These weaknesses can also be exploited to break the current generation of forensic analysis tools. This talk will be a highly technical deep dive into those issues.

"UEFI and PCI BootKits"
Pierre Chifflier, ANSSI,
English Slides / Japanese Slides

The purpose of this paper is to describe how the hardware (in this case, a PCI graphics card) can be used to compromise the operating systems, using the new interfaces provided by UEFI firmwares. It also illustrates how this can be used to implement a persistent, stealth and platform-independent rootkit. Finally, it explains the possible countermeasures and discusses their applicability and effectiveness.