CanSecWest 2013 Speakers and Talk Information
Keynote Talk - DARPA's Peiter "mudge" Zatko
The Most Unusual APT - Ryan McGeehan and Chad Greene, Facebook
We will be discussing the strangest incident Facebook Security has had to respond to so far, which occurred very early in 2012. This incident changed how our team operates forever, and we'll be sharing the details why.
Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document Storage. - Vladimir Katalov (@vkatalov), ElcomSoft
Apple iCloud was meant to improve flexibility and comfort when using your iDevices, however it also provides opportunities to extract as much as everything about the user.
Backups: iCloud suggests backing up iMessage, SMS, photos and videos, device settings, documents, music and other things on-the-fly which is useful for syncing or restoring in case your iDevice is lost or damaged, however there is only one way to access iCloud backup data by organic means - you can only restore the backup onto any of your devices (linked to the same account) and, thus, only via Wi-Fi connection. This technical limitation is presupposed by design. But now we can show you a method to simply download everything onto any desired computer at hand, provided we have Apple ID and password.
Find My iPhone: this application was also meant to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account, however there is a way to get geo-location data having neither Apple device tethered to that account readily available nor access to iCloud website. If location services are switched on, geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the right upper corner of the target device screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other), which I'm also ready to demonstrate.
Storage: apart from backup iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from iCloud webpage, for example, some application files (e.g. data generated by SoundHound) you may have on your iPad or whatever won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files on-the-fly and even without launching a work session in iCloud.
Conclusion: iCloud stores large amounts of information and before now access to this info was restricted either by the necessity to have iDevice available or by using Internet and web-browser (knowing Apple ID and password is required). Now, that we have reverse-engineered Apple iCloud communication protocols we can suggest an alternative technology to reach and download iCloud data and its changes in standalone mode.
iOS6.1 - Exploitation 280 Days Later - Stephan Esser (@i0n1c)
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
An Android Hacker's Journey: Challenges in Android Security Research - Joshua J. Drake (@jduck1337)
Android is currently the world's most popular smartphone operating system. This kind of popularity traditionally draws the eye of security researchers and attackers alike. However, Android presents a number of challenges to security practioners. Several of these challenges will be discussed in detail during this presentation. Specific topics covered range from business relationships to deeply technical design and implementation weaknesses. Finally, methods and processes for dealing with these challenges will be offered.
Physical Privilege Escalation and Mitigation in the x86 World - Oded Horovitz and Steve Weis (@sweis)
In light of the the growing trend of cloud computing, being private cloud outsourcing all the way to multi-tenant public cloud computing infrastructure, organizations lose physical control over their compute environment, exposing their application and data to a wide range of physical attacks. In this talk we will educate about the risk of physical access and suggest a software architecture to defend against such attacks that can operate on commodity x86 systems.
Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington (@sockstail)
Godel's Gourd builds on the Peach framework to create a new class of fuzzing tool. Current fuzzers are limited to identifying memory corruption and related issues due to an overreliance on debuggers for fault detection. Typical fuzzer design creates mutated data and loads it into a target program. A debugger or simple script is responsible for detecting if something has gone awry. This severely limits the ability of most fuzzers to detect faults outside of memory corruption. Godel's Gourd is a fuzzer capable of identifying logic errors and invalid state transitions in a target program. This presentation will cover the design, theory, and implementation of creating such a fuzzer. Godel's Gourd was created by Deja vu Security as part of the DARPA CFT program.
DEP/ASLR bypass without ROP/JIT - Yu Yang "tombkeeper"
This presentation will share a new exploit technology which can almost perfectly bypass DEP/ASLR in 32-bit process in x64 Windows 7 or Vista. It work well with almost all use-after-free/vtable-overflow. This technology is different from previous public technology, it does not depend on ROP, JIT or any third-party plug-ins. It even does not depend on shellcode
This technology is never published
Sandbox Escapes: When the Broker is Broken - Peter Vreugdenhil (@WTFuzz)
This talk will examine the Adobe Reader XI sandbox. Following a quick high level overview, the focus of this talk will move to cover the communications between the client (LOW integrity Process) and the Broker (MED Integrity process). A brief recap on previously published research will be given, to build upon and expand with a vast set of information on the internal workings of the Broker Client communication. Topics covered include how to enumerate all of the 268 Broker Endpoint functions, and the intercepted Windows API functions (roughly 224). Presented are most of the calls the client can perform, showing which ones are secured and which ones involve minimal or no security checks. This talk also covers the specifics of a (currently 0day) sandbox escape using client broker calls to demonstrate the concepts discussed.
This is a complete breakdown of the available Client -> Broker calls in the Adobe sandbox including a sandbox escape.
Smart TV Security - SeungJin Lee (@beist)
Smart TV sold over 80,000,000 around the world in 2012. The next generation "smart" platform is becoming more and more popular. On the other hand, we hardly see security researches on Smart TV. This presentation will talk about what we've found on the platform.
You can picture that Smart TV has almost all attack vectors that PC and Smart Phone have. Also, Smart TV has its own attack vectors such as remote controller. We'll talk about attack points of Smart TV platform and discover security bugs we found. Moreover, what attackers can do on a hacked Smart TV. For example, fancy Smart TVs have many hardware modules like Camera or Mic which means bad guys could watch you in a way that users never notice about it. Even more, they possibly make Smart TV working 24/7 even though users turn off their TV that means #1984 could be done.
In addition, we'll point out a difference of viewpoint of leaked information type among on PC, Smart Phone and Smart TV. Lastly, we'll give demo of capturing photos lively taken and sending to attacker's server at this talk.
SMS to Meterpreter - Fuzzing USB Modems - Rahul Sasi (@fb1h2s)
Offensively focused research is of high importance mainly because of the increase in no of targeted attacks. This paper focus on an innovative new attacks surface [USB Data Modems] that could possibly be a potential target to attacks in the future. The paper demonstrates fuzzing approaches and code execution on computers via USB modems.
Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw (@tiraniddo)
The paper will present how reflection is implemented in the two biggest platforms which have this capability, Java and Microsoft's .NET, how these can be abused to circumvent sandboxing and how to go about finding similar vulnerabilities. It will also compare the two against each other and will demonstrate why the model used in Java is potentially more susceptible to security vulnerabilities. Some example security vulnerabilities I found will be presented in detail to show how they worked to circumvent the security mechanisms in the platforms.
Evil Maid Just Got Angrier: Why Full-Disk Encryption With TPM is Insecure on Many Systems - Yuriy Bulygin, McAfee
Talk description to be announced
MS SQL Post Exploitation Shenanigans: You're In, Now What? - Rob Beck
This presentation focuses on MS-SQL post-exploitation techniques not commonly employed or even known by most professional pen-testers and attackers. The talk focuses on the expanded functionality afforded to attackers through the MS-SQL architecture and underlining extended stored procedure API and CLR integration. Using these facilities it is possible to perform many of the functions of a typical penetration test from with in the confines of the MS-SQL environment.
This material will present new and interesting tactics that may be incorporated into an MS-SQL post-exploitation scenario. These techniques can permit an attacker to operate with minimal monitoring of their actions and communications, as well as manipulation of the database and data-sets housed inside. This talk will also present methods for creating and deploying persistent MS-SQL rootkits and trojans for persistence.
Shining Some Light on the Evolution of BlackHole - Chris Astacio, Websense
BlackHole is hugely successful - arguably the most successful exploit kit in history. In this session, Chris will discuss how the BlackHole Exploit kit has evolved since its identification and explore why the developers have been so successful. He will also track the innovations that have enhanced this kit throughout the years that have contributed to its success.
Analysis of a Windows Kernel Vulnerability; From Espionage to Criminal Use - Julia Wolf (@foxgrrl)
A series of targeted attacks, now known as "Duqu", was discovered in 2011. The initial vector for these attacks was a Windows TrueType Font 0-day vulnerability [CVE-2011-3402]. A year later, this exploit begins to appear in Russian exploit kits. These exploit kits use the *exact* same exploit code as "Duqu". (Right down to the metadata.)
This presentation explains the technical details of this exploit. It is not about "Duqu" nor Russian exploit kits.
The vulnerability itself only allows the attacker to perform an "OR" operation on a value of their choice, at a memory location of their choice. This exploit leverages the functionality of the TrueType Font Finite State Machine itself to manipulate memory to provide for a reliable execution of the shellcode.