ULTIMATE HACKER SUMMER CAMP — Part Three: Black Hat USA

From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry.

Now in its 23rd year, Black Hat USA is the world’s leading information security event, providing attendees with the very latest security research, development and trends. Black Hat USA 2020 will be entirely virtual this year, held over the same dates, August 1–6 in Pacific Daylight Time (UTC−07:00).

This is the BIG coprorate convention of the Information Security world. Very suit and tie, bring your resume, talking about numbers and projections type of convention. Get use to hearing the words “cyber”, “mitigation”, “”deployment” “corporate”, “blockchain” and “pipeline” being thrown around like candy on Halloween without eye roll. Attendees will also introduce them selves with their job title and workplace as if they are their last names.

This year, because of virtualization due to the COVID-19 Pandemic, we feel this has been the most diverse and easily accessable Black Hat USA ever created. From the Business Pass being completely free, reduced (but still expensive for Blue Collar prices) and various way to interact these inclusive elements has put the convention back on our radar. If you want to network and rub shoulders with the InfoSec big leagues (or to land a job), this is the convention that will be on your priority list!

This year’s event will be fully virtual. We have provided information and resources below to make your experience at Black Hat a successful one. Please contact Black Hat Registration with any questions or for more information.

When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.

Please note that your event login information will come in an email from
Sender: “Black Hat USA <hello@swapcard.com>”

You should add hello@swapcard.com to your allowed email list to ensure receipt of your login details.

CREDENTIALS

You can access the Swapcard platform directly at login.swapcard.com.

There you can log in by entering the email you used to register for Black Hat USA and creating a password. If you’ve forgotten your password, click on “Send me a magic link” to receive an email to reset your password.

SETTING YOUR PROFILE VISIBILITY

Your profile will be automatically created in Swapcard using the information you supplied when you registered for the event.

You have the option to connect with other attendees and sponsors, just as you would at a live event.

Once you’ve logged into the platform, click on the “Attendee” tab. On the left side of the page, look for the “Visibility” setting to turn your Profile visibility on or off. You may change this setting at any time.

SESSIONS

Learn how to access sessions and content

NETWORKING

Learn how to network with other attendees:

INTERACTING

Learn how to find virtual exhibit booths

In addition to all of the chat and networking opportunities within GoToTrainings and Swapcard, you can stay up-to-date and join the conversations on social media by following and tweeting @BlackHatEvents, using the hashtags #BHUSA and #BHTrainings.

Sat, August 1 — Tues, August 4
Provides hands-on offensive and defensive skill-building opportunities. These courses are taught by some of the most sought-after international industry & subject matter experts, with the goal of defining and defending tomorrow’s InfoSec landscape.

View Trainings: https://www.blackhat.com/us-20/training/schedule/index.html

Wed, August 5 — Thurs, August 6
Network with InfoSec professionals and evaluate a broad range of security products, open-source tool solutions and more. The virtual Business Hall offers unique opportunities for community engagement between vendors and attendees.

During these uncertain times, Black Hat is providing some tools for the Community to connect and stay healthy. Keep checking back, as we will be regularly updating the information below and providing opportunities to engage with your fellow InfoSec professionals.

Feeling lonely or overwhelmed and not sure what resources are available — check out this list of resources from Mental Health Hackers.

NETWORK WITH FELLOW INFOSEC PROFESSIONALS

CSA — Join CSA’s global community Circle that facilitates resources and security discussions.

ISC2 — A platform from ISC2 to share your cybersecurity knowledge and experience with other pros.

WSC — Gain access to educational tools, study groups, workshops and networking opportunities, as well as special discounts on respected training, certifications and education programs.

WISP — Their mission is to advance, advocate for, and increase the participation of women in the Privacy and Information Security fields.

COVID-19 RESOURCES FROM THEIR PARTNERS

JOIN A VIRTUAL MEET-UP OR PARTICIPATE IN COMPETITION

More Info At: https://www.blackhat.com/html/community-connectedness.html

Here is a FREE bonus convention that is happening a day before BLACK HAT USA 2020 into the first day of BHUSA that we could not fit anywhere else. If you can’t get into the briefings, this is a great way to get your hacker talk fix!

h@cktivitycon is a HackerOne hosted hacker conference built by the community for the community. h@cktivitycon is a place for hackers to learn, share, and meet friends. Hear talks and panelists exploring offensive hacking techniques, recon skills, target selection and more.

Stay connected throughout the event and join the Hacker101 Discord.

TUESDAY, AUGUST 4, 2020

The Black Hat CISO Summit is an approval-only event during Black Hat USA which brings together top security executives from global corporations and government agencies for a full day of unique discussions. Offered the day before the main Black Hat USA Briefings sessions, the CISO Summit is intended to give CISOs and other InfoSec executives leading-edge insight into the latest security trends, technologies and enterprise best practices.

VIRTUAL BLACK HAT USA 2020
CISO SUMMIT APPLICATION

All applications will be reviewed by Black Hat management, and notifications will be sent to applicants by July 24. Attendee guidelines are located within the application form.

12:00–12:30 PM

Welcome and Introductions

12:30–1:00 PM

THE NEXT-GENERATION CISO: DEPLOYING A VALUE-BASED APPROACH TO CYBERSECURITY

1:00–1:15 AM

Networking Break

1:15–1:45 PM

SHADOW IT: ADVERSARY OR ALLY?

1:45–1:00 PM

Networking Break

1:00–1:30 PM

ZEROTRUST

1:30 PM — 2:15 PM

Networking Break/Lunch

2:15–2:45 PM

HIDE AND SEEK: A CISO’S GUIDE TO THE “NEW NORMAL” OF INSIDER THREAT

2:45–3:00 PM

Networking Break

3:00–3:30 PM

HOW MICROSOFT ENABLED A FULLY REMOTE WORKFORCE DURING A GLOBAL PANDEMIC

3:30–3:45 PM

Networking Break

3:45–4:15 PM

CYBERSECURITY FUTURES 2025

4:15–4:30 PM

Networking Break

4:30–5:00 PM

WHAT GOT US HERE (MAY) GET US THERE: TRENDS FROM OVER A DECADE OF DBIR REPORTING

5:00–6:00 PM

Closing Reception

Arsenal brings independent researchers to showcase their open-source tools with the Black Hat community. Tools cover a variety of tracks, from mobile hacking to network defense. Learn about the latest resources and developments for tool creators and developers.

ARSENAL HILIGHTS:

Taichi Kotake

Date: Wednesday, August 5 | 10:00am-11:00am

Track: Android, iOS and Mobile Hacking

Session Type: Arsenal

Apk-medit is a memory search and patch tool for debuggable APK without root & android NDK. It was created for mobile game security testing.

Memory modification is the easiest way to cheat in games, it is one of the items to be checked in the security test. There are also cheat tools that can be used casually like GameGuardian. However, there were no tools available for non-root devices and CUI, so apk-medit was created as a security testing tool.

Many mobile games have rooting detection, but apk-medit does not require root privileges, so memory modification can be done without bypassing the rooting detection.

GitHub: https://github.com/aktsk/apk-medit

Yu Wang

Date: Wednesday, August 5 | 10:00am-11:00am

Track: Vulnerability Assessment

Session Type: Arsenal

mBAS is a set of Bluetooth tools for macOS platforms, including Bluetooth HCI request sniffer, fuzzer and Broadcom firmware SoC tools, etc. Among them, the HCI fuzzer helped me discover many Bluetooth kernel vulnerabilities, such as CVE-2020–3892, CVE-2020–3893, CVE-2020–3905, CVE-2020–3907, CVE-2020–3908 and CVE-2020–3912. With these tools, we can better understand the design and implementation of Bluetooth subsystem of macOS and other platforms.

Justin Searle

Date: Wednesday, August 5 | 11:00am-12:00pm

Track: Smart Grid/Industrial Security

Session Type: Arsenal

For years we’ve had pen test distributions like BackTrack, Kali, and SamuraiWTF to help us perform penetration testing for most IT environments, however these distributions have been generic in nature to enable their use in a wide variety of different environments. One environment where these distributions have failed to meet the needs of their users is in Industrial Control Systems (ICS) like SCADA, DCS, Field Devices, and Field Buses. We are fixing this problem.

Taking our experience running SamuraiWTF and SamuraiSTFU over the last 15+ years, we have created an open source linux distribution specifically for ICS cyber security teams. ControlThings Platform takes the best-in-breed security assessment tools for traditional IT infrastructures and adds specialized tools for embedded electronics, proprietary wireless, and a healthy dose of ICS specific assessment tools, both from the greater community and custom created from our own teams.

But we don’t stop there. In addition to all the assessment tools, we’ve added additional resources to help our users better understand essential ICS context through a healthy dose of documentation (for defense and offense), sample captures of ICS network traffic, and other resources to help you when you are disconnected from the Internet, as you should be when in any ICS environment.

Oh, and I shouldn’t forget the inclusion of emulators to help you learn, and later calibrate your testing tools before using them against actual systems, thus providing you with a full test lab. So whether you work for an ICS company or are simply interested in gaining sufficient experience to do work in these environments, please check out our ControlThings Platform and our various ControlThings Tools.

Join us to see demonstrations of the first stable release of v1.0 of both the ControlThings Platform and the first batch of ControlThings Tools which have been completely re-written in Golang instead of the Python-based beta versions.

Pablo Gonzalez
Francisco Ramirez Vicente

Date: Wednesday, August 5 | 12:00pm-1:00pm

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

ATTPwn is a computer security tool designed to emulate adversaries. The tool aims to bring emulation of a real threat into closer contact with implementations based on the techniques and tactics from the MITRE ATT&CK framework. The goal is to simulate how a threat works in an intrusion scenario, where the threat has been successfully deployed. It is focused on Microsoft Windows systems through the use of the Powershell command line. This enables the different techniques based on MITRE ATT&CK to be applied. ATTPwn is designed to allow the emulation of adversaries as for a Red Team exercise and to verify the effectiveness and efficiency of the organization’s controls in the face of a real threat.

Dimitry Snezhkov

Date: Wednesday, August 5 | 1:00pm-2:00pm

Track: Malware Offense

Session Type: Arsenal

Introducing DeepSea, the phishing gear you will want to take with you on your next offensive expedition.

It is designed to help Red Team operators and teams with the tactical delivery of opsec-tight, flexible email phishing campaigns carried out in a portable manner on the outside as well as on the inside
of a perimeter.

Have you ever wanted to seamlessly operate with external and internal email providers; quickly re-target connectivity parameters per campaign; flexibly add headers, targets, attachments, correctly format and inline email templates, images and multipart messages; use content templates for personalization; clearly separate artifacts and content delivery for multiple (parallel or sequential) phishing campaigns; get actionable context help and deploy with minimal dependencies?

In this session, we will show how you can do this and more in a portable, one binary cross platform setup, with less than 50 lines in a configuration file.

With DeepSea, you will be able to keep campaign persistence with DNS tricks and an embedded email server used for running advanced two-way threaded campaigns you have always wanted. Catch and respond to those often missed inquiry emails, solidifying pretext and pacifying your marks.

Whether you plan on executing phishing campaigns deep on the inside of the perimeter, or bounce across multiple email providers for an external stealthy campaign delivery, DeepSea is very likely able to help.

KaiJern Lau
Bo Wen Sun
Yu Tong
Tian Zhe Ding

Date: Wednesday, August 5 | 1:00pm-2:00pm

Track: Hardware/Embedded

Session Type: Arsenal

With household appliances and wearable gadgets integrated with network capabilities, we are surrounded by an increasing number of IoT devices. Coming together with the popularity of IoT devices are two critical questions.

IoT devices normally come with a “call home” feature, through which users can interact with IoT devices through an App. As a result, users are typically curious about what kind of information they are sending back home.
Along with the facilitation from the “call home” feature, users are also curious about whether/how IoT devices could potentially allow hackers to gain unauthorized access and thus control the device remotely.

To answer the questions above, an analysis framework or tool is usually needed. Unfortunately, there has not yet been an effective, efficient analysis framework or tool available for answering such questions. Today, to analyze IoT devices and the corresponding applications, researchers still heavily rely upon qemu-usermode/qemu. However, it has already been demonstrated qemu-usermode/qemu is a very inefficient solution for IoT because it was designed for Linux and development boards.

In this talk, we will summarize and discuss some common IoT firmwares, which hurdle the analysis of security researchers. Followed by our analysis and discussion, we will then reveal the fundamental problems hidden behind the obstacle. As is specified in our presentation outline, these obstacles include (1) the difficulty of using primitive emulation methods to simulate IoT firmware, (2) the difficulty of using similar specification hardware and general purpose OS to emulate IoT firmware, (3) the difficulty imposed by device drivers and, (4) the concern of insufficient computation and memory resources.

Motivated by our analysis and discussion, we introduce Qiling — a fully sandboxed, controlled and highly customized framework designed for performing the emulation for IoT devices. In this talk, we will discuss how Qiling Framework empowers security researchers to perform IoT firmware reverse engineering. To be more specifically, we will talk about

- how to emulate various CPU such as ARM, ARM Big Endian, MIPS32, MIPS32 Big Endian, ARM64, X86 and X64;
- how to emulate various OS such as Linux, MacOS, Windows, FreeBSD;
- how to simulate all stdio input and output and thus reply expected results;
- how to build all the network requests through an auto responder in virtualized network
- how to utilize the instrumentation support to redirect code execution whenever is needed
- how to fully customize emulated OS, giving researchers the ability to replace syscall or APIs with their own
- how to enable full CPU control (e.g., updating CPU registers during execution)
- how to support full gdbserver for platform and multi architecture debugging and thus allow allow researchers to use their preferred debuggers for their debugging tasks
- how to enable cross-platform and multi-architecture fuzz testing by integrating it with AFL

Along with this talk, we will share all the firmware that we have tested and will provide a live demo showcasing how easily a researcher can build an isolated testing environment to analyze, instrument, and fuzz a IoT device. In November of 2019, we have already released the source code of our Qiling Framework.

Ryan Cobb

Date: Wednesday, August 5 | 2:00pm-3:00pm

Track: Malware Offense

Session Type: Arsenal

Covenant is a .NET command and control platform and web application that aims to highlight the attack surface of the .NET Framework and .NET Core, make the use of offensive .NET tradecraft easier, and serve as a collaborative platform for red teamers.

Covenant is multi-platform, multi-user, provides an intuitive web application interface, and is extendible through an API.

Covenant includes multiple built-in implants that utilize the traditional .NET Framework and .NET Core, which gives Covenant multi-platform implants that run on Windows, Linux, and MacOS. Additionally, Covenant allows operators to edit and add additional custom implants.

Covenant includes built-in support for custom and complex command and control routing. The platform includes built-in outbound listeners, including an HTTP and TCP listener, and peer-to-peer SMB communications over named pipes, which allows for complex implant networking. The platform also includes a protocol for adding new, custom communication protocols that gives the operator complete control over how the command and control traffic appears on the wire.

Covenant includes tons of built-in tasks based on libraries such as SharpSploit and GhostPack, and uses dynamic C# compilation and ConfuserEx obfuscation on tasks and payloads.

Covenant also has an emphasis on implant and network communication security to protect the data accessed by implants. Covenant implements an Encrypted Key Exchange protocol between implants and listeners to achieve forward secrecy for new implants and enforces SSL certificate pinning for implants.

In the age of EDR and threat hunting, red teamers need flexible, robust, and intuitive command and control platforms. Red teamers need the ability to collaborate with teammates, customize implant behavior and command and control traffic, track artifacts, and quickly adapt for defensive technologies. In this demo, you’ll be shown how to accomplish this with Covenant.

Cesare Pizzi

Date: Wednesday, August 5 | 2:00pm-3:00pm

Track: Network Defense

Session Type: Arsenal

A lots of words has been spent in the last years about IoT security: but instead of thinking to deploy a new device, let’s try to stay on what we already have: we have a TCP/IP stack. And what we don’t want to have? Complicated and cumbersome security configurations.

The aim of SYNwall is to build an easy to configure, no new hardware, low footprint, lightweight and multi-platform security layer on TCP/IP: with a one way OTP authentication, SYNwall can make every device more secure and resilient to the real world networking reconnaissance and attacks.

If we think at some of the IoT installations (may be directly internet exposed, in difficult environments, with no support infrastructure available), the possibility to have an on-board and integrated way to control access, can make a huge difference in terms of security.

The device will became virtually unaccessible to anyone who don’t have the proper OTP key, blocking all the communications at the very first level of it: the SYN packet. No prior knowledge of who need to access is required at this point, making configuration and deploy a lot easier.

Szymon Ziolkowski
Tyron Kemp

Date: Thursday, August 6 | 10:00am-11:00am

Track: Network Attacks

Session Type: Arsenal

Routopsy is a new network attack toolkit that leverages a “virtual router” in a Docker container to scan for and attack various networking protocols and misconfigurations. Vulnerabilities include overly broad configured network statements within routing protocols, unauthenticated or plaintext authentication for protocols such as OSPF and HSRP, and the lack of passive interface usage within routing protocols.

Routopsy was designed in a way that will allow users to trivially perform attacks without requiring extensive networking knowledge. Attacks include the injection of new routes, discovery of new networks and gateway takeover attacks which ultimately could lead to Person-in-the-Middle attacks. Additionally, a fully-fledged router interface is also available for more experienced users and for more advanced attacks.

Internally, Routopsy leverages a “virtual router” which has been around for a number of years, is well maintained and supports a variety of protocols. Once the scan phase of Routopsy is complete a simple configuration is loaded within the virtual router and used to attack the target protocol.

Mauricio Velazco

Date: Thursday, August 6 | 11:00am-12:00pm

Track: Network Defense

Session Type: Arsenal

Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task. Executing adversary simulations in monitored environments produces the telemetry that allows security teams to identify gaps in visibility as well as build, test and enhance detection analytics

PurpleSharp is an open source adversary simulation tool written in C# that executes adversary techniques against Windows Active Directory environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection engineering program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.

PurpleSharp executes simulations on remote hosts by leveraging administrative credentials and native Windows services/features such as Server Message Block (SMB), Windows Management Instrumentation (WMI), Remote Procedure Call (RPC) and Named Pipes.

PurpleSharp can assist blue teams in the following use cases:

- Verify prevention controls ( are Lsass dumps being blocked ? )
- Build new detection controls ( build a detection rule for T1117)
- Test/verify existing detection controls (are we really detecting process injection ?)
- dentify gaps with existing detection analytics ( broken logic, lack of coverage, etc. )
- Identify gaps in visibility ( broken agents, broken event pipelines, etc. )
- Train the SOC with credible simulations

Tim Frazier
Dave Herrald
Kyle Champlin

Date: Thursday, August 6 | 12:00pm-1:00pm

Track: Network Defense

Session Type: Arsenal

This project provides a set of tooling for repeatedly executing and detecting adversary techniques in order to improve detection engineering. This project uses the MITRE ATT&CK Enterprise techniques taxonomy and the MITRE ATT&CK navigator web app. Once set up, you will be able to repeatedly execute specific techniques, observe the resulting events, and refine your detection rules and methodology.

Greg Johnson

Date: Thursday, August 6 | 1:00pm-2:00pm

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

Secrets like API tokens, encryption keys, and passwords are a keystone in the development world. They facilitate important functionality not only in the software that developers build, but also in the deployment, maintenance, integration, and security of both closed and open-source projects. Many companies providing services on the internet offer API tokens in multiple flavors that allow interaction with their systems, as does GitLab. Token-Hunter and Gitrob are complementary tools developed, augmented, and heavily used by GitLab’s red team to support their engagements and, most importantly, find those exposed secrets and demonstrate their abuse!

Bahman Rashidi

Date: Thursday, August 6 | 2:00pm-3:00pm

Track: AppSec

Session Type: Arsenal

Public GitHub is the most common place where developers share their code and tools that they develop (i.e., developed for an organization or themselves). Most developers and repository contributors do their best to remove sensitive information before they push their code into the GitHub. However, there are developers who often unknowingly/inadvertently neglect to remove sensitive information such as API tokens and user credentials (username & passwords) from their code prior to posting it. As a result, an organization’s internal secrets and token are exposed publicly. Therefore, an unauthorized access to the secrets GitHub by bad actors can have significant consequences for organizations. In order to address the issue, we offer xGitGuard, a full-fledge AI-based tool that detects organizations’ secrets and user credentials posted on the public GitHub in a scalable and timely-manner fashion. xGitGuard, takes advantage of a new text processing algorithm that can find secrets within files with a high level of accuracy. This can significantly help operations to take proper actions in timely manner.

Michihiro Imaoka

Date: Thursday, August 6 | 2:00pm-3:00pm

Track: Internet of Things

Session Type: Arsenal

Introduces a method of embedding information in the padding part of ARP and performing secret communication with only one small 8-bit microcomputer. The transmitter uses an 8-bit microcomputer called Atmega328P. A 10BASE-T Ethernet frame is generated using only the GPIO of the microcomputer without using a dedicated chip such as an Ethernet controller. By using this method, it is possible to perform a covert channel attack with a smaller and cheaper method than the conventional method.

Since this attack can be performed with a single inexpensive and small microcomputer, it can be hidden and operated inside devices that can be connected to various networks. This lecture introduces some attack scenarios, discusses various attack methods that use this attack method, and discusses their defense methods.

Expert led 50-minute sessions and workshops offer presentations on a number of security strategies and themes. From application security to security consulting and implementation, these sessions & workshops will present a broad range of the latest industry developments and resources.

SPONSORED SESSIONS & WORKSHOPS HILIGHTS (PST)

Nir Zuk | Founder and CTO, Palo Alto Networks

Date: Wednesday, August 5 | 8:00am-8:15am

Format: 15-Minute On Demand Zone Sponsored Session

Tracks: Cloud Security, Infrastructure Protection

The COVID-19 pandemic has pushed traditional remote access security solutions past their breaking point. Hear from Nir Zuk, founder and CTO of Palo Alto Networks, as he discusses why traditional approaches are failing, and what you can do about it.

Date: Wednesday, August 5 | 8:00am-8:15am

Format: 15-Minute On Demand Zone Sponsored Session

Tracks: Endpoint Security, Risk, Compliance and Security Management

Finally, a network-quality video series that will have your users asking for MORE security training!

‘The Inside Man’ is an award-winning KnowBe4 Original Series that delivers security awareness principles embedded in each episode that teach your users key cybersecurity best practices and makes learning how to make smarter security decisions fun and engaging.

From social engineering, insider threats and passwords, to third-party apps and AI, ‘The Inside Man’ reveals how easy it can be for an outsider to penetrate your organization’s security controls and network.

See it for yourself, get your sneak peek of ‘The Inside Man’ Season 2 now!

Maya Horowitz | Director, Threat Intelligence & Research, Check Point Software Technologies

Date: Wednesday, August 5 | 8:10am-8:25am

Format: 15-Minute On Demand Zone Sponsored Session

Tracks: Security Operations & Incident Response, Application Security

If there was a hack, then there was a hacker — cyber threat analysis is a detective’s job, like an Agatha Christie novel. See how Check Point Research unravels cyber mysteries, what clues they look for and what tools they use to solve cases such as “Cyber on the Orient Express” and “Eye on the Nile”.

Marcus Carey | Enterprise Architect, ReliaQuest
Jayson Street | VP of InfoSec, SphereNY
Jeffery Man | Information Security Evangelist, Online Business Systems

Date: Wednesday, August 5 | 8:10am-8:25am

Format: 15-Minute On Demand Zone Sponsored Session

Track: Security Operations & Incident Response

Cybersecurity leaders featured in the Tribe of Hackers book series join us as we talk tech, trends, what they did on their COVID “vacation” and more.

Featuring: Jayson E. Street, SphereNY, Jeff E. Man, Online Businsess Systems, Marcus J. Carey, ReliaQuest

Find out why these leaders deem the following to be the new reality:

Kody Kinzie | Field Security Researcher, Varonis

Date: Wednesday, August 5 | 8:10am-8:25am

Format: 15-Minute On Demand Zone Sponsored Session

Tracks: Data & Collaboration Security, Endpoint Security

Wi-Fi is ubiquitous, but the ease and convenience make it ripe for attack. In this session, we dive into tips & tricks for hacking Wi-Fi passwords. First, we explore how a Wi-Fi Duck & brief access to a machine can allow attackers to establish control from a distance. Next, we’ll demonstrate how an attacker in close proximity to a Wi-Fi router can phish victims into divulging the network password while posing as a router update. Last, we’ll go on the defense, and examine a novel approach to “war driving” designed to detect Wi-Fi devices following you.

Tarik Saleh | Sr. Malware Researcher, DomainTools
Chad Anderson | Sr. Security Researcher, DomainTools

Date: Wednesday, August 5 | 8:15am-8:30am

Format: 15-Minute On Demand Zone Sponsored Session

Track: Security Operations & Incident Response

Since the initial outbreak of COVID-19, cybercriminals have since found many ways to take advantage of anxious and fearful users. There have been reports of TrickBot campaigns, Ryuk ransomware targeting hospitals, and hackers hijacking routers’ DNS to spread malicious COVID-19 Apps. The DomainTools Security Research Team recently discovered a website luring users into downloading an Android application under the guise of a COVID-19 heat map.

Join Senior Security Researcher, Chad Anderson and Senior Security Malware Researcher, Tarik Saleh as they walk through the entire process of identifying a nefarious domain, mapping connected infrastructure, and reverse-engineering a ransomware attack.

David Grady | Chief Security Evangelist, Verizon
Terrance Robinson | Head of Enterprise Security Solutions, Verizon

Date: Wednesday, August 5 | 8:15am-8:30am

Format: 15-Minute On Demand Zone Sponsored Session

Tracks: Cloud Security, Risk, Compliance and Security Management

Two recent research reports from Verizon — the 2020 Data Breach Investigations Report (DBIR) and the 2020 Mobile Security Index (MSI) — can help you optimize your security efforts and better mitigate mobile risks. Verizon’s Dave Grady and Terrance Robinson share key report findings and introduce several free risk assessment tools in this short video.

Roger Grimes | Data-Driven Defense Evangelist, KnowBe4

Date: Wednesday, August 5 | 11:00am-11:40am

Format: 40-Minute Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

The bad guys constantly evolve their attacks while you, the vigilant defender, must expand your know-how to prevent intrusions into your network. Staying a step ahead may involve forensically examining phishing emails to determine the who, the where, and the how of an attack.

Become your own digital private investigator by learning:

May Wang | Sr. Distinguished Engineer, Palo Alto Networks
Mark Baik | Healthcare Security Architect, Palo Alto Networks

Date: Wednesday, August 5 | 11:40am-12:30pm

Format: 50-Minute Lunch & Learn

Track:

Gartner predicts that the number of connected devices that the internet of things (IoT) will hit 25 billion by 2021. While IoT opens the door for innovative new approaches and services, it also presents new cybersecurity risks. This is particularly true in healthcare, where a vast array of connected devices and instruments are being deployed to deliver on the promise of improved patient care. From our analysis of 1.2 million IoT devices over two years, however, we discovered that 98% of IoT traffic is unencrypted and 83% of medical imaging systems are using out of support OS. IoT security in hospitals not only impacts data security but it also impacts patient safety. We will discuss the current state of IoT security in Healthcare, explore the top threats from our recent publication of IoT Threat Report and best practices that you can adopt to secure your organization.

Matthew Olney | Director, Threat Intelligence and Interdiction, Cisco Talos

Date: Wednesday, August 5 | 12:30pm-1:10pm

Format: 40-Minute Sponsored Session

Tracks: Government & Nonprofit, Infrastructure Protection

Shortly after the June 14, 2016 Washington Post report that first detailed how adversaries breached servers for one of America’s two major national political parties, monitored staff chats and exfiltrated thousands of emails and documents, Talos initiated what would become a long-running investigation into election security issues. This talk shares four years of lessons learned by Talos and four years of progress made in defending elections and defending the faith the electorate has in American democracy.

Oded Vanunu | Head of Products Vulnerability Research , Check Point Software Technologies
Roman Zaikin | Security Researcher , Check Point Software Technologies

Date: Wednesday, August 5 | 12:50pm-1:10pm

Format: 20-Minute Sponsored Session

Track: Application Security

TikTok used in 75 languages globally, and with over 1.5 billion users, TikTok has definitely cracked the code to the term “popularity” across the globe. So far so good BUT In the last year we have seen evidence of the potential risks embedded within the TikTok application. Following our research, we discovered multiple vulnerabilities within the TikTok application. In our session we share first time behind the scene stories and detailed of how chaining multiple vulnerabilities could allowed hackers to take full control over TikTok users! sharing how a mix of web and mobile vulnerabilities together in one exploit chain

Tim Wilson | Editor-in-Chief, Dark Reading
Owanate Bestman | Founder, Bestman Solutions

Date: Wednesday, August 5 | 2:30pm-2:50pm

Format: 20-Minute Sponsored Session

Track: Security Operations & Incident Response

How has the Covid-19 pandemic affected the employment prospects of cybersecurity professionals? While some organizations are cutting back on cyber staff, others are expanding their teams to address the new threats and vulnerabilities posed by an instantly-remote workforce. What types of positions are most needed in today’s cyber job market, and where can security professionals find those positions? In this discussion with Dark Reading editor Tim Wilson, one of the globe’s top experts on cybersecurity hiring and recruiting will offer insights on how the job market is evolving — and how you can find your next position.

Jordan Wright | Sr. Security Architect, Duo Security
Olabode Anise | Data Scientist, Duo Security
Nick Steele | Lead Security Researcher, Duo Security

Date: Thursday, August 6 | 10:00am-10:20am

Format: 20-Minute Sponsored Session

Tracks: Data & Collaboration Security, Risk, Compliance and Security Management

Location data collected from mobile devices can be the most personal in nature, showing where we live, where we travel, and where we spend our day. A multi-billion dollar industry thrives on silently collecting this data from millions of unsuspecting users and selling it to companies and governments to use as they see fit. In this talk, we explore how this economy functions, what data is collected, and how location data makes its way from users to those who purchase and consume it. By shining a light on this industry, we open the door to a larger discussion around the state of consumer privacy and consent.

Kevin Mitnick | Chief Hacking Officer, KnowBe4
Perry Carpenter | Chief Evangelist & Strategy Officer, KnowBe4

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

Ever want to pick the brain of The World’s Most Famous Hacker? This is your chance! Kevin Mitnick will share stories from trenches and answer questions in this unique and informative “Ask Me Anything” session.

Plus, he’ll share an eye-opening hacking demo. You don’t want to miss this one-of-a-kind session!

Brian Vecci | Field CTO, Varonis

Date: Thursday, August 6 | 12:50pm-1:10pm

Format: 20-Minute Sponsored Session

Track: Security Operations & Incident Response

In this session, we see how some clever social engineering results in a complete account takeover in Microsoft Office 365 — even bypassing standard security controls like Multi-Factor Authentication — which can lead to access and exfiltration of data on prem as well. You will experience an O365 attack both as the victim, as well as from the attacker’s perspective. Join us for a technical dive as we set up a social engineering scenario, hijack a user’s account through a man-in-the-middle attack that bypasses MFA, and use that account to get access to data in Office 365 and on servers behind the firewall.

Tim Wilson | Editor-in-Chief, Dark Reading

Date: Thursday, August 6 | 2:50pm-3:10pm

Format: 20-Minute Sponsored Session

Track: Security Operations & Incident Response

Every year, Black Hat surveys its most recent conference attendees to find out what they’re worried about, what their challenges are, and what their plans might be for the coming year. In 2020, security pros are more concerned than ever about the safety of their data and critical infrastructure, particularly in light of the massive changes spurred by the Covid-19 pandemic. In this informative session, Dark Reading editor Tim Wilson will offer a look at the results of the 2020 Black Hat Attendee Survey. You’ll learn what the nation’s top security pros think about potential data breaches, the effectiveness of current security technology, future spending/staffing plans, and even the integrity of the U.S. presidential elections.

PANOPLY

Panoply is a free capture the flag competition conducted by the CIAS — founders of Panoply and the US National Collegiate Cyber Defense Competition. Open to all Black Hat USA attendees, the contestant with the highest score will be awarded a Black Hat Black Card valid for a full Briefing pass to a Black Hat 2021 core event (Asia, Europe or USA).

Competition will run on Tuesday, August 4 from
4:00 PM — 8:00 PM PDT.

Think you can outsmart a hacker? Join the Trend Micro Threat Defense Challenge and prove it. Compete in the race to stop a cyberattack in real time. Save your spot.

SPIDERLABS CTF

Demonstrate your technical expertise in sophisticated challenges specifically crafted based on field experiences from elite global threat intelligence teams at Palo Alto Networks and Trustwave SpiderLabs. During the 48-hour competition, participants will work to solve a variety of different exploit challenges for the chance at various prizes.

https://spiderlabsctf.com/

DEFCON 201 TALK HILIGHTS FOR BLACK HAT USA 2020 (PST)

This is the section where we have comb through the entire list of talks on both days and list our hilights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list, in fact, we highly recommend you take a look at the full convention scheduel beforehand and make up your own talk hilight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizzare. (Sometimes, all three!)

Matt Blaze | McDevitt Chair in Computer Science and Law, Georgetown University

Date: Wednesday, August 5 | 9:00am-10:00am

Format: 60-Minute Briefings

Track: Keynote

Technologists have long warned that much of the technology and infrastructure we depend on for voting suffers from exploitable vulnerabilities that could be used to cast doubt on the integrity of elections. Those problems are extremely challenging under normal circumstances, but a global pandemic adds a new dimension to the mix: protecting the health of voters and election workers. How do we securely and robustly scale up safer, broadly accessible voting mechanisms between now and November? This talk will explore the challenges — technological, logistical, and political — of keeping our elections running during a crisis.

Renée DiResta | Research Manager, Stanford Internet Observatory

Date: Thursday, August 6 | 9:00am-10:00am

Format: 60-Minute Briefings

Track: Keynote

Online disinformation has reached fever pitch: grifters pushing fake cures for COVID-19, nation states spinning pandemic conspiracies, domestic ideologues coordinating to push manipulative videos about presidential candidates. Malign actors are finding and exploiting divisions in our society using vulnerabilities in our information ecosystem. The flood of conflicting messages is overwhelming individuals and manipulating communities — and social networks are struggling to keep up.

Information operations aren’t new; they are conducted within the confines of the information environment at the actor’s disposal and evolve along with technology and media infrastructure. The rules are determined by the infrastructure — in this case, the features and algorithms of social platforms. The most sophisticated players — nation states — leverage not only social networks but network infiltration to influence, distract, and manipulate large communities of people.

This talk offers an overview of the mechanics of modern-day information operations. Using a deep dive into the tactics behind some of the most impactful recent operations, the speaker will demonstrate the ways in which hacking the information environment is similar and different from the kind of intrusions the audience normally deals with. We will conclude with a look ahead to the 2020 elections and a call-to-action for the audience to deploy their skills in the defense of democracy.

Robert Buhren | Security Researcher, Technische Universität Berlin — Security in Telecommunications
Alexander Eichner | Mr, Technische Universität Berlin — Security in Telecommunications

Date: Wednesday, August 5 | 10:00am-10:40am

Format: 40-Minute Briefings

Tracks: Reverse Engineering, Cloud & Platform Security

AMDs Zen (and later) CPUs contain the “(Platform) Secure Processor” (PSP) which is an embedded ARM core inside your x86 CPU responsible for initial system bootstrapping. The PSP is running even before the main x86 cores and has full access to the main memory. During system runtime it serves as a trust anchor for features like AMDs “Secure Encrypted Virtualization” feature and recently a generic TEE interface for which there are Linux kernel patches pending currently. The firmware running on the PSP is completely proprietary and there is almost no public documentation available. These are more than enough reasons for us to have a closer look at this system.

During the last two years, we reverse engineered several components of the PSP firmware and hardware in order to gain an understanding of the capabilities of this critical component looking for possible security issues. We found multiple security issues that allow us to gain code execution on the PSP.

Lately, we developed an emulator for the PSP which enables us to trace the execution of the firmware and to make it easier to develop and test our own code which will later run on the PSP by exploiting found security issues. The emulator is able to run the on-chip and off-chip bootloader that are used to bootstrap the systems. In the emulated setup, it is also possible to put the firmware into a debug mode where signature verifications are disabled, and additional debug output is generated.

We’ll also present a mode where a stub is running on the physical PSP and takes commands from the emulator to forward hardware accesses from the firmware in order to bootstrap the real system using the firmware running inside the emulator.

The emulator and all other developed tools are open source and available on github: https://github.com/PSPReverse

Kevin Livelli | Director of Threat Intelligence, BlackBerry

Date: Wednesday, August 5 | 11:00am-11:40am

Format: 40-Minute Briefings

Track: Malware

While 2020 is the Year of the Rat for the Chinese, it’s felt more like the Decade of the RATs. In this talk, I reveal a nearly decade-long, undetected, state-sponsored effort to strategically target the Linux servers that comprise the backbone of modern-day government and industry. Having discovered a full stack of handcrafted, tailored, Linux malware, from interactive installation script to kernel rootkits to the attacker’s control panel, I was able to construct a rare and uniquely detailed narrative of a concerted espionage effort.

The talk reveals how five Chinese APT groups that originally stemmed from the notorious WINNTI collective formed a Linux splinter cell. Set against the backdrop of recent, renewed efforts by the US Department of Justice to expose and prosecute Chinese espionage, the talk sheds light on a new and troubling chapter in an otherwise old story of Chinese IP theft — one that crosses into the Android and Windows platforms as well. The talk demonstrates how the attackers successfully preyed upon defender assumptions regarding the security of Linux, the treatment of Windows adware, and the overall deployment of security products and services.

Finally, attendees will also encounter new and intriguing questions, including:

Cooper Quintin | Senior Staff Technologist, Electronic Frontier Foundation

ALSO AT DEF CON SAFE MODE

Date: Wednesday, August 5 | 11:00am-11:40am

Format: 40-Minute Briefings

Tracks: Mobile, Applied Security

4G/LTE IMSI-catchers (such as the Hailstorm) are becoming more popular with governments and law enforcement around the world, as well as spies, and even criminals. Until now, IMSI-catcher detection has focused on 2G IMSI-catchers (such as the Stingray), despite the fact that 2G IMSI-catchers are quickly falling out of favor.

In this talk, we hope to clear up myths about what modern IMSI-catchers can and can’t do, based on results from recent cell network security research. We will also demonstrate software and heuristics to detect fake 4G/LTE base stations that anyone can build. We will also present an outline for the path towards fixing some of the fundamental issues in cell network security, so that hopefully IMSI-catchers are one day a thing of the past.

Patrick Kiley | Principal Security Consultant, Rapid7

ALSO AT DEF CON SAFE MODE

Date: Wednesday, August 5 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Reverse Engineering, Hardware/Embedded

Tesla released the dual motor performance Model S in late 2014. At that time the vehicle came with “insane mode” acceleration and an advertised 0–60 time of 3.2 seconds. Later, in July of 2015, Tesla announced “Ludicrous mode” that cut the 0–60 time down to 2.8 seconds. This upgrade was offered as a hardware and firmware change to the existing fleet of P85D vehicles and was offered for new purchases as well. Since then, Tesla has released the P90D and P100D that also have incremental performance improvements. What makes the P85D upgrade unique was how the process offered a unique insight into how the vehicle’s Battery Management System(BMS) handles power requests from the front and rear drive units of the car. I was able to reverse engineer this upgrade process by examining the CAN bus messages, CAN bus UDS routines, and various firmware files that can be extracted from any rooted Tesla Model S or X. I also decrypted and decompiled Python source code used for diagnostics to determine that the process involved removing the battery pack and replacing the fuse and high voltage contactors with units that could handle higher amperage levels as well as modifying the current sensing high voltage “shunt” inside the battery pack so that it would properly respond to the higher Amperage. I then performed this process on an actual donor P85D. I then modified the firmware of the Battery Management System and the appropriate files on the security gateway to accept the modified battery pack, bricking the car in the process and forcing me to pay to have it towed to another state so I could troubleshoot. I came to understand that the BMS is the deciding module that allows the drive units to have only as much power as the BMS allows.

Xinyu Xing | Assistant Professor, The Pennsylvania State University
Wenbo Guo | PhD Student, Pennsylvania State University
Xian Wu | PhD Student, Pennsylvania State University
Jimmy Su | Senior Director, JD Security Research Center

Date: Wednesday, August 5 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Track: AI, ML, & Data Science

With recent breakthroughs of deep neural networks in problems like computer vision, machine translation, and time series prediction, we have witnessed a great advance in the area of reinforcement learning. By integrating deep neural networks into reinforcement learning algorithms, the machine learning community designs various deep reinforcement learning algorithms and demonstrates their great success in a variety of games, ranging from defeating world champions of Go to mastering the most challenging real-time strategy game — StarCraft.

Different from conventional deep learning, deep reinforcement learning refers to goal-oriented algorithms, through which one could train an agent to learn how to attain a complex objective (e.g., in StarCraft game, balancing big-picture management of the economy and at the same time managing low-level control of individual worker units). Like a kid incentivized by spankings and candy, reinforcement learning algorithms penalize a game agent when it takes the wrong action and reward when the agent takes the right ones.

In light of the success in many reinforcement-learning-powered games, we recently devoted energies to investigating the security risk of reinforcement learning algorithms in the context of video games. More specifically, we explore how to design an effective learning algorithm to learn an adversarial agent (or in other words an adversarial bot), which could automatically discover and exploit the weakness of master game bots driven by a reinforcement learning algorithm. In this talk, we will introduce how we design and develop such a learning algorithm. Then, we will demonstrate how we use this algorithm to train an adversarial agent to beat a world-class AI bot in one of the longest-played video games — StarCraft. In addition to the game of StarCraft, we explore the effectiveness of our adversarial learning algorithm in the context of other games powered by AI, such as RobotSchool’s Pong and MuJoCo’s games. Along with the talk, we will publicly release our code and a variety of adversarial AI bots. By using our code, researchers and white-hat hackers could train their own adversarial agents to master many — if not all — multi-party video games. To help the BlackHat technical board to assess our work, we release some demo videos at https://tinyurl.com/ugun2m3, showing how our adversarial agents play with world-class AI bots.

Justin Wynn | Senior Security Consultant, Coalfire Systems
Gary Demercurio | Senior Manager, Coalfire Systems

Date: Wednesday, August 5 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Policy, Community

In-depth discussion and review of the red team engagement of Iowa courthouses which resulted in an unprecedented outcome. Gary and Justin will take you through the engagement, arrest, and ensuing legal battle, and wrap up with lessons learned and how the community can benefit.

Cheng-Yu Chao | Senior Researcher, TeamT5
Hung Chi Su | Senior Researcher, TeamT5
Che-Yang Wu | Senior Researcher, TeamT5

Date: Wednesday, August 5 | 1:30pm-2:10pm

Format: 40-Minute Briefings

Tracks: Mobile, Exploit Development

Being the highest market share smartphone manufacturer, Samsung conducts a series of protection on Android called Knox Platform to ensure the security of its smartphones. During the booting process, Samsung uses S-boot (Secure Boot) to make sure it can only boot a stocked image. If the device tries to boot a custom image, it will trip a one-time programmable bit e-fuse (a.k.a Knox bit). Once a trustzone app (trustlet) detects the Knox bit tripped, it will delete the encryption key for the sensitive data to prevent unauthorized data access to the locked phone.

In this presentation, we’ll present several vulnerabilities we found in S-Boot that are related to USB request handling. By exploiting these vulnerabilities, we’re allowed to bypass the mitigation of S-boot through the USB device and obtain code execution in early boot stage. In other words, as long as we have the phone (whether locked or not) and an USB-C connector, we’ll be able to boot a custom image without tripping the Knox bit, allowing us to retrieve sensitive data from a locked device.

We will also describe how we discover and exploit the vulnerabilities in detail, demonstrate the exploit on a Samsung Galaxy S10 smartphone, and discuss the possible impact of these vulnerabilities.

Chris Wlaschin | VP, Systems Security and CISO, ES&S
Mark Kuhr | CTO, Synack

Date: Wednesday, August 5 | 1:30pm-2:10pm

Format: 40-Minute Briefings

Track: Policy

Election vendors are an integral part of American democracy. Because voting machines and the companies that manufacture them are so vital to our nation, their security practices and protections are under intense scrutiny, especially since the 2016 presidential election when Russian hackers attempted to disrupt American elections. This talk will explore the perspectives of voting vendors as well as security researchers.

Ensuring that critical vulnerabilities are found and fixed is a complicated and sensitive process — and urgently requires a comprehensive solution. There are challenges such as privacy, communication, the certification processes, and remediation. The voting industry and the security researchers who are examining their products need a Vulnerability Disclosure Program so both communities can effectively work together to fix problems in election systems and ultimately make America’s democracy stronger and more resilient.

The companies that make voting equipment and election systems are innovating to improve security, and looking for new ways to harden their systems against attacks. This presentation will explore those efforts as well as examine new models for researcher and election vendor collaboration including Coordinated Vulnerability Disclosure (CVD) programs, collaboration at the Voting Village at DEF CON and similar efforts, and Crowdsourced Penetration Testing. It will also look at ideas for improving the relationship between researchers and voting vendors. Additionally, the election industry has many lessons to share that leaders across the manufacturing space can learn from to better protect their own critical assets, information and customer base.

Nate Beach-Westmoreland | Head of Strategic Cyber Threat Intelligence, Booz Allen Hamilton

Date: Wednesday, August 5 | 2:30pm-3:10pm

Format: 40-Minute Briefings

Track: Policy

Election security faces a persistent problem: defenders are often thinking tactically, while the most capable, deliberate adversaries are thinking strategically. Getting ahead of ever evolving election interference operations will require understanding adversaries’ long-term goals and how they are shaping their election interference activities to outmaneuver tactical defenses.

In this talk, we will look at lessons learned from nearly a decade of election interference activities linked to the Russian military’s espionage and special forces agency, the GRU. We will examine how Russia’s policy elites believe information has a fundamental role in international relations and how this perspective shapes GRU strategies and tactics. This perspective reframes historic GRU operations and suggests how different GRU tactics could be brought to bear in future instances of election interference. The analysis will be used to provide a framework and guidance for organizations — both obvious targets and those that may have a more subtle strategic value — that may need to prepare for these operations.

As defenders, it is not enough for us to know that attacks occur or that vulnerabilities exist without considering the attackers and their motivations. By understanding why adversaries act, we can better anticipate when, where, and in what form those actions may occur and take deliberate action to mitigate risk based on that insight.

Patrick Wardle | Principal Security Researcher, Jamf

ALSO AT DEF CON SAFE MODE

Date: Wednesday, August 5 | 2:30pm-3:10pm

Format: 40-Minute Briefings

Tracks: Malware, Exploit Development

In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). However on macOS though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.

In this talk, we will begin by analyzing recent macro-laden documents targeting Apple’s desktop OS, highlighting the macOS-specific exploit code and payloads. Though sophisticated APT groups are behind several of these attacks, these malicious documents and their payloads remain severely constrained by recent application and OS-level security mechanisms.

However, things could be far worse! Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019–1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!

To conclude, we’ll explore Apple’s new Endpoint Security Framework illustrating how it can beleveraged to thwart each stage of our exploit chain, as well as generically detect advanced “document-delivered” payloads and even persistent nation-state malware!

Sourcell Xu | Security Researcher, DBAPPSecurity
Xin Xin | Security Researcher, DBAPPSecurity

Date: Wednesday, August 5 | 2:30pm-3:10pm

Format: 40-Minute Briefings

Track: Mobile

Every Android phone loves Bluetooth, a short-range wireless communication technology. We can find a large number of Bluetooth devices in any public place. Many of their security issues have been exposed before, such as BlueBorne, KNOB, and BadBluetooth. Today, due to the security risks in AOSP (Android Open Source Project) and the negligence of some well-known mobile phone manufacturers, we have another 0day vulnerability that can be played. And it was named BlueRepli (Bluetooth Replicant).

At the application layer, Bluetooth is like a parent who over-disciplined. It defines various implementation standards for a variety of complex application scenarios. These standards are called profiles. Some of these profiles will access extremely sensitive user data, such as PBAP (Phone Book Access Profile) for synchronizing phonebook, MAP (Message Access Profile) that can access SMS data, SAP (SIM Access Profile) that serves remote devices using local SIM cards and so on. Of course, the use of these profiles by remote devices requires authorization from local users and strict authentication from local Android phones.

However, this study found two new ways to bypass these authentications and gain profile access. The first method is a new attack idea. It can obtain permissions when the target has only one interaction, and attackers can make this interaction very deceptive. The second method will use the undisclosed 0day vulnerability BlueRepli, which can get profile access without any sense. We also prepared rich video demos to show the exploits we implemented, such as stealing mobile phone contact information, call history, stealing SMS verification codes, and sending fake text messages using the vulnerable phone.

Joshua Maddux | Security Engineer, Latacora

ALSO AT DEF CON SAFE MODE

Date: Wednesday, August 5 | 2:30pm-3:10pm

Format: 40-Minute Briefings

Track: AppSec

Lots of people try to attack the security of TLS. But, what if we use TLS to attack other things? It’s a huge standard, and it turns out that features intended to make TLS fast have also made it useful as an attack vector.

Among other things, these features provide a lot of flexibility for Server-Side Request Forgery (SSRF). While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further. In this talk, I present a novel, cross-platform way of leveraging TLS to target internal services.

Uniquely, these attacks are more effective the more comprehensively a platform supports modern TLS, so won’t go away with library upgrades. It is also unlikely that the TLS spec will change overnight at the whim of a random security researcher. Instead, we need to walk through scenarios and dispel common assumptions so the audience can make informed code and infrastructure decisions. Of course, the best way to do so is with demos!

Yuval Avrahami | Senior Security Researcher, Palo Alto Networks

Date: Thursday, August 6 | 10:00am-10:40am

Format: 40-Minute Briefings

Tracks: Cloud & Platform Security, AppSec

Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container’s OS.

One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata’s virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM.

Several Cloud Service Providers are deploying Kata in production to support customer multitenancy in their Serverless and CaaS offerings. With its focus on isolation, does Kata Containers actually contain?

In this talk, we’ll put Kata’s isolation to the test, and attempt to escape the container, break out of the encapsulating VM, and finally, compromise the host.

Tamaghna Basu | CTO, neoEYED

Date: Thursday, August 6 | 10:00am-10:40am

Format: 40-Minute Briefings

Tracks: Human Factors, AI, ML, & Data Science

This talk is inspired by an episode of Black Mirror. I will be demonstrating a live demo creating a bot who talks like me and can be used to impersonate me online and do social engineering. I will be showing a live demo of how to a create such bots over text, voice or video and walk through various techniques which the attendees can use to create such smart social engineering attacks.

I will also release my github of the AI notebooks as open source for the attendees to try out and experiment.

Ben Nassi | PhD Student & Cyber Security Researcher, Ben-Gurion University of the Negev

Date: Thursday, August 6 | 10:00am-10:40am

Format: 40-Minute Briefings

Tracks: Applied Security, Hardware/Embedded

Recent studies have suggested various side-channel attacks for eavesdropping sound by analyzing the side effects of sound waves on nearby objects (e.g., a bag of chips and window) and devices (e.g., motion sensors). These methods pose a great threat to privacy, however they are limited in one of the following ways: they (1) cannot be applied in real time (e.g., Visual Microphone), (2) are not external, requiring the attacker to compromise a device with malware (e.g., Gyrophone), or (3) are not passive, requiring the attacker to direct a laser beam at an object (e.g., laser microphone).

In this talk, I introduce “Lamphone,” a novel side-channel attack for eavesdropping sound; this attack is performed by using a remote electro-optical sensor to analyze a hanging light bulb’s frequency response to sound. I show how fluctuations in the air pressure on the surface of the hanging bulb (in response to sound), which cause the bulb to vibrate very slightly (a millidegree vibration), can be exploited by eavesdroppers to recover speech and singing, passively, externally, and in real time. I analyze a hanging bulb’s response to sound via an electro-optical sensor and learn how to isolate the audio signal from the optical signal. Based on our analysis, I develop an algorithm to recover sound from the optical measurements obtained from the vibrations of a light bulb and captured by the electro-optical sensor. I evaluate Lamphone’s performance in a realistic setup and show that Lamphone can be used by eavesdroppers to recover human speech (which can be accurately identified by the Google Cloud Speech API) and singing (which can be accurately identified by Shazam and SoundHound) from a bridge located 25 meters away from the target room containing the hanging light bulb.

Vandana Verma Sehgal | Security Architect, IBM

Date: Thursday, August 6 | 10:00am-10:40am

Format: 40-Minute Briefings

Track: Community

India is one of the most diverse and fastest growing countries in the world and due to the fast growth, women often are left behind. The world average female literacy rate is 79.7%, while in India the average rate is just 65.46, and for women that enter the technology workforce it is even lower and for those entering into cyber security it is even less. The talk is about the journey of Infosecgirls community which started in India with the goal of bringing more women into the cyber security workforce and integrating them with the larger community and is now reaching a global audience. The Initiative was conceptualized because of a need to have a warm and nurturing environment for women where they can easily discuss information security and over a period of time moulded to help women, students, kids, and underprivileged communities to come forward and be part of cyber security ecosystem.

In the talk, I will share how we started, the challenges encountered on the way, what we have achieved so far, and the learnings from our journey. I will also talk about the free technical training we provide at conferences or colleges and how these trainings have enabled individuals start their InfoSec journey or make themselves better and more confident in their roles.

Laura Tich | Cyber security consultant, Shehacks_KE
Evelyn Kilel | Security Researcher, Shehacks_KE

Date: Thursday, August 6 | 11:00am-11:40am

Format: 40-Minute Briefings

Track: Community

The increase in cyber attacks in sub-Saharan Africa has become an issue of major concern for the region and its people. With the increase in use of digital technology, cyber security is becoming a critical aspect of the day-to-day lives of individuals and organisations. A 2019 report by The World Economic Forum placed cybercrime as one of the three greatest threats in Africa.

Sub-Saharan Africa is well connected to the global economy with regard to commerce and finance. This means that the cyber threats affecting the regions with both local and international origins should be put into consideration with the onset of every new technology. Globally, Africa has been geographically segmented with the Middle East in the cyber security market. However, there is a big divide in the adaptation of technology and cyber security between sub-Saharan Africa and North Africa/The Middle East.

A report based on IDC’s Sub-Saharan Africa CIO survey of 2019 estimates the total sub-Saharan ICT market to grow from $95.4bn in 2020 to $104.2bn by 2023. According to the same report, technologies such as cloud, social media and big data are some of the key areas of growth in 2020.

As the use of technology has become widespread across the region, Sub-Saharan Africa experiences a great many cyber attacks annually, both attacks that are seen in other parts of the world but also attacks that are specific to the region.

A study conducted by the International Data Group connect shows that sub-Saharan Africa’s economy has been hard hit by cybercrime. The data shows that cybercrime costs South Africa an estimated $573m annually with Nigeria and Kenya losing $500m and $36m respectively. Seen in proportion to GDP of the countries, this represents tremendous sums lost to cybercrime. While these figures show the size of the problem in this part of the world, 96% of African organizations set an average annual budget of $5,000 for cyber security. Pan-African Cybersecurity and Business consulting firm Serianu ranked banking sectors and government as the most targeted by cyber criminals.

Cyber crime in Africa has been on a rapid increase compared to the rest of the world with an estimate of 80% of personal computers being infected with some kind of malicious software. One of the most affected industries in sub-Saharan Africa is the financial sector. Globally, Africa leads in the use of mobile money transfers with an estimated 14% citizens receiving money through mobile money transfer like Kenya’s MPesa. With sub-Saharan Africa hosting some of the biggest mobile money transfer services, mobile money has over the years been a primary target for criminals. Some of the threats that have affected the mobile banking industry are social engineering and reverse engineering of mobile money apps for malicious purposes. A lot of mobile money users and providers have been immensely affected by criminal activities targeting the platform.

With cybercrime on the rise, Sub-Saharan countries lack proper legislation, such as cyber laws, to govern the cyber space thus creating a permissive environment for cyber criminals. Most countries in the region struggle to implement cyber security measures due to budgetary concerns and the small number of skilled cyber security practitioners.

Some of the common challenges faced in the cyber security industry in sub-Saharan Africa include:

In order for sub-Saharan Africa to realize its full potential in cyber security, effective policies have to be implemented. Solutions designed must be geared toward the distinct operating environment of the sub-Saharan region. The question of cost is an inescapable facet of any technology implementation, even more so in the African context. Local currency values tend to be volatile thus depending on foreign solutions might be costly compared to the amount local companies can afford to budget for cyber security.

Encouraging local security practitioners to develop open source or affordable tools that will work for the local market. Tools such as the mth3l3m3nt for web app pentesting and MARA framework for reverse engineering which were both designed by Kenyan cyber security practitioners can strengthen the security stature of the sub-Saharan region.

As the technology grows complex and diverse by the day, so does the surface for malevolent exploitation. Sub-Saharan countries however, continue to emulate technologies, policies and strategies implemented by more developed countries. These fall short in addressing needs specific to the threat landscape in the region thus creating a need to adapt available resources and formulate comprehensive regulatory policies that would better govern the cyber security ecosystem in the region. A more sophisticated and organized cybersecurity system is required in order to curb existing and emerging threats. Our goal is to examine how sub-Saharan Africa can exploit existing skill sets and resources to create a system that works for the region.

Nicolas Joly | Security Engineer, Microsoft

Date: Thursday, August 6 | 11:00am-11:40am

Format: 40-Minute Briefings

Track: Exploit Development

The Microsoft Security Response Center has a unique position in monitoring exploits in the wild. While we have seen several cases in the past years of exploits targeting Office applications, often PowerPoint or Word, exploits targeting online applications are less common. Are they only possible? And in which case, how would one attack the Office Web Application server (WAC)? Can a malicious document be used? How hard would that be, how much time would it take?

This is the story of a project realized during summer 2018 to try to answer these questions with Excel Online. This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018–8331) and how one could chain Excel formulas together to get RCE on the server. This talk will detail the research from scratch up to showing a demo of the exploit against Excel OnPrem.

Matt Wixey | Research Lead, PwC UK

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Human Factors, Community

Many of us got into security because we like solving hard problems, and problem-solving is often listed as a specific requirement in security job descriptions. You might need problem-solving skills to crack niche technical issues in exploit development or mitigation, or when investigating threats and compromises. Or it might be more general, like developing strategies and policies. But what does it mean to be ‘good’ at problem-solving? How do our minds work when solving problems? More importantly, how do we get better at it?

In this talk, I’ll present findings from over two years of creating and setting puzzles and riddles designed specifically for a team of 300 cyber security professionals as part of a dedicated program. Some were technical challenges, similar to CTFs; others focused on linguistics, lateral-thinking, probability, mathematics, and logic.

I’ll cover the program’s inception; how its puzzles were designed and solved; and the findings — including an analysis of improvements over time, which types of puzzles were most popular/solved and why, and case studies of where improvements in problem-solving actively helped with day-to-day work. I’ll set all this against a background of academic research on problem-solving, discussing the mental processes which take place and how they can be strengthened with practice and exposure to different types of challenges.

I’ll also share some observations on how the program fostered collaboration and cooperation between staff from different teams, technical abilities, and backgrounds — sometimes deliberately, sometimes completely accidentally.

Finally, I’ll conclude by sharing some resources which have helped me, give you tips on starting your own puzzle program, and suggest ways in which the community can work together to build and maintain a repository of puzzles and findings. I’ll also set a puzzle during the talk — first to message me with the correct answer wins a prize!

Yonghwi Jin | PhD Student, Georgia Institute of Technology
Jungwon Lim | PhD Student, Georgia Institute of Technology
Insu Yun | PhD Student, Georgia Institute of Technology
Taesoo Kim | Associate Professor, Georgia Institute of Technology

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Exploit Development, Reverse Engineering

Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser becomes extremely difficult, seemingly impossible.

In this talk, we will share our Safari exploit submitted to Pwn2Own 2020. Combining six different vulnerabilities, our exploit successfully compromises the macOS kernel starting from the Safari browser. It breaks every mitigation in macOS including ASLR, DEP, sandbox, and even System Integrity Protection (SIP). Inspecting every vulnerability used in this exploit, we will show not only state-of-the-art hacking techniques but also challenges in protecting complicated systems (i.e., browsers and operating systems) and in introducing their mitigations. Moreover, we will introduce a new technique that reliably exploits a TOCTOU vulnerability in macOS.

Paul Grubbs | Researcher, Cornell University

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Cryptography, Defense

Deploying new cryptography often means using existing building blocks in new ways. A prime example is authenticated encryption (AE). Until recently, AE schemes like Galois/Counter Mode (GCM) were mostly used in settings where key exchange first established a hidden, random encryption key (think TLS or IPSec). Increasingly, though, schemes like GCM are also being used in settings where the attacker knows, or can guess, the key. This attack setting is the subject of my talk. It is aimed at security professionals who design, implement, and deploy cryptography, but will be accessible to a general security audience.

My talk will have three main parts. First, I will explain our attack setting, specifically where, why, and how a real attacker could know (or just have a good guess about) an AE encryption key. I’ll go over a few examples, including password-based AE, and discuss the committing security property AE must have in this setting. Intuitively, if an AE is committing, it is hard to find a ciphertext that decrypts correctly under more than one key.

Next, I will show that, surprisingly, modern AE schemes lack this committing property (they are non-committing) and are insecure in our setting. For GCM, GCM-SIV, or any Poly1305-based scheme, it is easy to find ciphertexts that decrypt correctly under multiple keys. I will walk through a simple two-key example with GCM and outline how to go from two to hundreds of thousands of keys with a little bit of math.

Finally, I will demonstrate attacks that result from improper use of non-committing AE. I’ll first show that with the two-key GCM example above, any Facebook user could have bypassed the “message franking” protocol for reporting abusive content in Secret Conversations and sent unreportable abusive messages. Then I will introduce partitioning oracles, a new class of decryption error oracle (akin to padding oracles) on non-committing AE that can recover keys (instead of plaintext). Partitioning oracle attacks can lead to exponential speedups over online brute-force attacks when low-entropy secrets like passwords are used to derive AE keys. They arise in many places: for example, I will show that when the OPAQUE password-authenticated key exchange protocol is implemented incorrectly, partitioning oracle attacks result. I’ll conclude with guidance on how to recognize when committing AE is needed. I’ll also recommend committing AE schemes that can be used today.

Robert Lipovsky | Senior Malware Researcher, ESET
Stefan Svorencik | Senior Detection Engineer, ESET

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Network Security, Hardware/Embedded

We identified Kr00k (CVE-2019–15126) — a previously unknown vulnerability in chips used by a significant proportion of all Wi-Fi capable devices. Specifically, we discovered that Wi-Fi chips by Broadcom and Cypress — and possibly other manufacturers — could be forced to encrypt some packets in a WPA2-protected network with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt some wireless network packets. The number of affected devices was likely over a billion as the vulnerable chips are used in devices from Apple, Samsung, Google, Amazon, and many others.

The presentation will include technical details and a demonstration, where we will show how we were able to trigger Wi-Fi reassociations on the targeted device, force setting the all-zero encryption key and decrypt intercepted packets. We will also discuss the potential impact of these vulnerabilities, along with the limitations of exploiting them.

This new research follows our earlier discovery that some versions of the popular Amazon Echo and Kindle devices were vulnerable to Key Reinstallation Attacks (KRACK), which were discovered by Mathy Vanhoef in 2017. We will explain how Kr00k is related to the previously known research — and how it differs.

Exclusively for Black Hat USA, we will also cover our most recently discovered Wi-Fi encryption vulnerabilities affecting other chip manufacturers, including Qualcomm.

Finally, we will discuss and release our proof-of-concept testing script designed trigger and detect the Kr00k vulnerability on unpatched devices.

Björn Ruytenberg | MSc Student, Eindhoven University of Technology

Date: Thursday, August 6 | 12:30pm-1:10pm

Format: 40-Minute Briefings

Tracks: Hardware/Embedded, Cloud & Platform Security

Thunderbolt is a high-bandwidth interconnect promoted by Intel and included in laptops, desktops, and other systems. Being PCIe-based, Thunderbolt devices possess Direct Memory Access (DMA)-enabled I/O. In an “evil maid” DMA attack, where adversaries obtain brief physical access to the victim system, Maartmann-Moe (Inception), Frisk (PCILeech) and others have shown Thunderbolt to be a viable entry point in stealing data from encrypted drives and reading and writing all of system memory. In response, Intel introduced “Security Levels”, a security architecture designed to enable users to authorize trusted Thunderbolt devices only. To further strengthen device authentication, the system is said to provide “cryptographic authentication of connections” to prevent devices from spoofing user-authorized devices.

We present Thunderspy, a series of attacks that break all primary security claims for Thunderbolt 1, 2 and 3. So far, our research has found seven vulnerabilities: inadequate firmware verification schemes, weak device authentication scheme, use of unauthenticated device metadata, downgrade attack using backwards compatibility, use of unauthenticated controller configurations, SPI flash interface deficiencies, and no Thunderbolt security on Boot Camp. Finally, we present nine practical exploitation scenarios. In an “evil maid” threat model and varying Security Levels, we demonstrate the ability to create arbitrary Thunderbolt device identities, clone user-authorized Thunderbolt devices, and finally obtain PCIe connectivity to perform DMA attacks. In addition, we show unauthenticated overriding of Security Level configurations, including the ability to disable Thunderbolt security entirely, and restoring Thunderbolt connectivity if the system is restricted to exclusively passing through USB and/or DisplayPort. We conclude with demonstrating the ability to permanently disable Thunderbolt security and block all future firmware updates.

All Thunderbolt-equipped systems shipped between 2011–2020 are vulnerable. Some systems providing Kernel DMA Protection, shipping since 2019, are partially vulnerable. The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB4 and Thunderbolt 4, and will require a silicon redesign.

Mitchell Parker | CISO, Indiana University Health

Date: Thursday, August 6 | 1:30pm-2:10pm

Format: 40-Minute Briefings

Tracks: Community, Applied Security

The Opioid crisis has caused mass addiction of prescription painkillers. Tens of thousands have died from this. Families have been broken apart. Children have been born addicted. It has stretched the social support network we have to its breaking point.

A major reason for this was the manipulation of a popular Electronic Health Records (EHR) system, Practice Fusion, on behalf of a pharmaceutical company. The US Department of Justice singled out the marketing department of an Opioid manufacturer for paying approximately $1M to change a decision support tool used by physicians, a Clinical Decision Support alert, to recommend their opioid products as part of treatment plans. This led to the unnecessary prescription of opioids to tens of thousands of patients and helped fuel a major crisis.

The Electronic Health Record system utilized is targeted at smaller physician practices that do not have the resources of larger health systems to examine Clinical Decision Support alerts. In this case, Practice Fusion was utilized by over 100,000 small to medium-sized medical practices.

Most medical practices, according to the American Medical Association, have 10 or fewer physicians. Approximately one third of hospitals, according to the American Hospital Association, have negative operating budgets and lose money. These are organizations that care about keeping the lights on.

However, the HITECH Act and associated incentive programs have encouraged medical providers to get on board with Electronic Medical Records.

This presentation will show evidence of how the Opioid Crisis exposed an operational security weakness with EHR systems, and why just patching those alerts doesn’t address it. We will also discuss how to address it as part of a larger operational framework in partnership with larger health systems. With the current lack of support for smaller practices, we expect this attack type to continually occur unless resolved.

Charl van der Walt | Global Head of Security Research, Orange Cyberdefense
Wicus Ross | Senior Security Researcher, Orange Cyberdefense

Date: Thursday, August 6 | 2:30pm-3:10pm

Format: 40-Minute Briefings

Tracks: Network Security, Defense

Enterprise businesses equip staff with mobile devices such as laptops and smart phones to perform daily tasks. This makes the workforce much more mobile but places an implicit burden on the staff to ensure that they are always on-line. Security is handled by the underlying operating system and supporting solutions, for example a Virtual Private Network (VPN).

Commercial VPN technology has been around since at least 1996 when Microsoft created the Peer to Peer Tunneling Protocol (PPTP). OpenVPN and similar open source VPN technologies have advanced this tech from highly specialized to near commodity.

However, enterprise VPN solutions can be complicated and nuanced. One case involves remote workers that connect to complimentary Internet hotspots typically offered by coffee shops, airports, hotels, etc. Hotspots are Wi-Fi access points that offer free Internet bandwidth. Most hotspots today feature a captive portal that require either a password, voucher code, or some form of consent that involves agreeing to terms of use.

A robust VPN implementation should not allow a user to interact with a network resource that bypasses the VPN tunnel. What then happens in the time between connecting to the Wi-Fi hotspot and activating the VPN? How vulnerable is the user during this time? Surely the Wi-Fi hotspot securely isolates guests and surely the local firewall on the laptop will protect the user from any attacker, but does this assumption hold even if the hotspot is fully under the control of an attacker?

In this presentation, we will reveal research we conducted into the efficacy of modern commercial and open source VPN solutions in the face of modern mobile worker use cases, typical endpoint technologies, and contemporary threat models.

In short: VPNs — are they enough?

CONTINUE TO: ULTIMATE HACKER SUMMER CAMP — Part Four: RingZer0