PacSec 2016 Speakers
"The inner workings of the Microsoft Bounty Program"
Akila Srinivasan, Microsoft Security Response Center
Money and recognition are available to security professionals who identify and responsibly disclose security vulnerabilities and zero-day exploits to software developers. Bug bounties are incredibly useful and efficient to find security bugs in products. A program of this nature has become an integral part of a company's regular penetration testing effort. Here at Microsoft, we started running our own bug bounty program in November 2013 by initiating the Mitigation Bypass Bounty and the Bounty for Defense. Since then we have expanded our programs to pay out more than $1 Million. Our bounty programs now include our services offerings with Office 365 and Azure, and our software with Server, ASP.NET, Browsers and Mitigation Bypasses. In this talk, I will discuss the types of bugs that grab our attention and get high payouts. I'll discuss how Microsoft evaluates a bug for bounties and how security professionals can find high quality, high impact bugs to get higher bounties. I'll discuss the changes in the vulnerability reporting trends from Asia and how a researcher can make it to the MSRC top 100 list.
"Science Fiction Becomes Reality: Emerging Threats in our Connected World"
Mickey Shkatov + Jesse Michael, Intel Security Advanced Threat Research
In our modern world, smart devices with wireless network connectivity providing enhanced user experiences have become central parts of our lives, but with those new capabilities come new threats and vulnerabilities. Let us walk you through a day in the life in our connected world and along the way, we will discuss and demonstrate real vulnerabilities we've discovered in new and unexpected places.
Takeaways from this talk are that with our modern world of pervasive wireless network connectivity in devices we use every day, new threats are emerging and shifting the security landscape in unexpected ways, and we need to think outside of the box to defend ourselves and others. This talk includes a couple of "world's first" live and working demonstrations of dumping physical memory over the air and IVI ransomware; it also includes a smart home ransomware demo using a touch screen router and a Belkin WeMo.
"Attacking DSMx Spread Spectrum Frequency Hopping Drone Remote Control with SDR (Software Defined Radio)"
Jonathan Andersson, Trend Micro
"Smashing the Jars"
Anthony Kasza, Palo Alto Networks, @anthonykasza
Due to the cross compatible nature of Java applications, malware authors are able to write one implant which will execute on any system. The ability to control a Windows or a Macintosh system with a single malware family is an attractive capability making Java a viable choice for attackers targeting multisystem environments. This presentation will discuss the current threat landscape around Java based malware, analysis tools and techniques, as well as how to build detections organizations can use to better protect themselves.
Java based threats are used by threat actors of varying skill levels. Opportunistic, financially motivated, and targeted attacks have all made use of Java based malware. Considering historic and current trends in these types of threats can assist organizations in building more efficient detections.
"New wave of Cyber terror in the Korea Financial Sector"
Kyoung-Ju Kwak, Korea Financial Security Institute
Several years ago, the largest banks in South Korea were attacked by an APT (Advanced Persistent Threat), stopped service for several hours, and employees' PCs were entirely destroyed. In 2016, there was a new wave of cyber terror. It isn't attacking the banks or companies directly. They're trying to find vulnerabilities in the security solutions used by large-company employees or by most Koreans who use Internet banking services. As a result of the attack, a code-signing certificate used by a major security company was leaked, and malware signed with that certificate was spread to people and companies.
"ATM. How to make the fraud."
Olga Kochetova + Alexey Osipov, Kaspersky Lab
ATMs are a perfect target for criminals. A successful attack gives them real cash, instead of bytes and bits on accounts in Panama. When people spend thousands of dollars (not Zimbabwe dollars, US ones) in shopping malls, attackers get millions from ATMs at the same places. When bankers read financial ratings, hackers clean out their banks.
In our presentation we will cover topics on how to create a botnet from an ATM network that will gather all card data, network attacks specific to ATMs' connections to processing centers, and direct control of the ATM software. And all of that spiced up by attacks on ATMs of major vendors.
"How FIRST will save you time reverse engineering"
Angel Villegas, Cisco Systems
Reverse engineering benign or malicious samples can take a considerable amount of time. Leveraging disassemblers, like IDA Pro, a reverse engineer can analyze the same routines across several samples over the lifetime of their career. In particular, the effect that code reuse has on reversing efforts, whether it is via statically linked libraries or integrating existing software, can slow efforts. In this presentation we want to provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, named FIRST (Function Identification and Recovery Signature Tool), to reduce analysis time and enable information sharing.
"Demystifying the Secure Enclave Processor"
Mathew Solnik, OffCell Research, @msolnik
The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with no direct access from the main processor. In fact, the secure enclave processor runs its own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Although almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.
"In the Zone: OSX Heap Exploitation"
Tyler Bohan, Cisco Talos, @1blankwall1
The most recent literature on exploiting the OS X heap was written in Phrack in 2005. Though the same region allocation scheme is still in use, the implementation has changed significantly. I am going to dive into how the OS X heap is laid out in memory, what is unique about its region-based allocator, and how this changes common exploitation techniques. We will also be releasing tooling that works with LLDB to further enhance the user's ability to look into the current state of the heap and query the various zones for information. We will also be releasing the most advanced LLDB init available and truly push LLDB to be much more user friendly and functional. After an overview of the heap and how it is laid out we will present a case study of real world heap exploitation based on vulnerabilities found at Cisco Talos.
"Active fuzzing as complementary for passive fuzzing"
Moony Li + Jack Tang, TrendMicro, @Flyic + @jacktang310
In the practice of passive fuzzing, we have encountered many problems; hence we have found many complementary tricks (e.g. active fuzzing) to enhance the fuzzing effect. Active fuzzing would be a good complement to PFACE. We would like to introduce the best practices and detailed tricks we have encountered.
For the first time, we will introduce a new root example using vulnerabilities (i.e. in AppleHDAEngineUserClient) that we found with this approach.
Actually, the PFACE framework can currently generate new vulnerabilities on the latest 10.11.6. We hope more and more researchers will contribute to the security defense of Apple systems. For the first time, we will open source our PFACE fuzzing framework and the two root example source codes after the conference.
"Finding Vulnerabilities in Firefox for iOS"
Muneaki Nishimura, Recruit Technologies
Firefox for iOS is a new mobile browser that rolled out last November. This browser is written in Swift and uses Apple's WKWebView for rendering web contents. I have found 10+ bugs in the browser and received a total reward of $19,000 so far. Most of the bugs I reported were discovered using keyword searches in the source code. In this talk, let me introduce useful keywords to find bugs easily and show you what sort of bugs can be found from my experience.
WKWebView is commonly used in iOS applications, but there has never been any information on how to use it securely. In this talk I will introduce a few ways to find a bug. These are NOT Firefox specific and are applicable in many iOS applications that use WKWebView. I think this information would be valuable for many iOS developers to make their applications secure.
"Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles"
Wenyuan Xu + Chen Yan + Jianhao Liu + MinRui Yan, Zhejiang University, Qihoo360
To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their surroundings and navigate without human inputs. Although promising and providing safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their ability to sense their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.
"Windows Metafiles: an analysis of the EMF attack surface and recent vulnerabilities."
Mateusz Jurczyk, Google
The old 16-bit Windows Metafile (WMF) image format and its successors (EMF, EMF+) are little known today, but it would be wrong to believe that they went away into oblivion and are no longer a valid attack vector. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. Internally, metafiles are collections of records instructing the parser which GDI functions to call, and what parameters to pass to them. For any bug hunter aware of the complexities of the interface, this sounds like a dream: so many corner cases to validate against that it's very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered in 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in reliable arbitrary code execution.
Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws.
*note: Due to various circumstances, speakers, topics, dates and stage order may be changed without notice.