3. whoami
• Positive Technologies (from 2009)
• Application security researcher (from 2009)
• Banking systems security senior expert (from 2012)
• Big fan of #nullcon
• Always in search/research ;)
• 10+ ATMs in the last year
24. App control software bypass
Story so far…
• https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
• https://cansecwest.com/slides/2016/CSW2016_Freingruber_Bypassing_Application_Whitelisting.pdf
25. Security software bypass
• McAfee Solidcore - https://www.ptsecurity.com/ww-en/about/news/131496/
• MS AppLocker - http://www.blackhillsinfosec.com/?p=5257 – state of the art!
• etc. (6 different products in total) – stay tuned!
• 0days (5 in total, fixes in progress): network, local, logical
• Misconfiguration
• Whitelist Memory Execution: IE, rundll32, powershell, java, etc
41. Summary
Attack class           Windows 7 SP1 ATM            Windows XP SP3 ATM
Kiosk bypass           Hotkeys/Safe mode            KeyboardDisabler bypass
App control bypass     0day/Trusted soft            Untrusted booting
Privilege escalation   0day/MS15-051                Untrusted booting
VPN/TLS disabling      Misconfiguration/FS          Untrusted booting
Social Engineering     Misconfiguration/FS          -
Untrusted boot         BIOS accessing from OS       No password
Network attacks        MAC/TLS/VPN/App service      MAC/TLS/VPN/OS services
42. How does all that happen?
• Security through obscurity is not an option!
• You should know your landscape and your threat model
• Use compliance management tools instead of paper
• Where a vuln cannot be fixed, use mitigation measures such as SIEM monitoring
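Slide 25 names the binaries used for in-memory execution under whitelisting (IE, rundll32, powershell, java) and slide 42 recommends SIEM mitigation where a vuln cannot be fixed. The block below is an added example, not code from the talk or from Positive Technologies: a toy SIEM correlation over constructed ATM host log lines that raises an alert when a kiosk host spawns one of those binaries, boots into safe mode, or boots from a non-default device. The log format, host names and event names are assumptions; a real deployment would ingest Sysmon or Windows Security events and map the same rules onto them.

```python
"""Toy SIEM correlation over ATM host logs (added example, not from the talk).

Rules covered, each tied to a row of the summary table:
  * whitelist-memory-execution: rundll32/powershell/IE/java spawned on an ATM
  * safe-mode-boot: kiosk bypass via Safe mode
  * untrusted-boot: boot from a device other than the fixed disk
Log format, host names and field names are constructed for this example.
"""
import re
from dataclasses import dataclass

# Binaries the slide lists as carriers for in-memory execution under
# application whitelisting. A kiosk image should never spawn them.
LOLBINS = {"rundll32.exe", "powershell.exe", "iexplore.exe", "java.exe", "javaw.exe"}

# Hosts that are ATMs (assumed inventory); workstation noise is ignored.
ATM_HOSTS = {"ATM-0042", "ATM-0043"}

# Constructed key=value log lines; values containing spaces are double-quoted.
SAMPLE_LOG = [
    'ts=2016-03-05T10:12:33Z host=ATM-0042 event=ProcessCreate image="C:\\Program Files\\ATMApp\\atm.exe" parent="C:\\Windows\\explorer.exe" user=ATM\\svc',
    'ts=2016-03-05T10:12:40Z host=ATM-0042 event=ProcessCreate image="C:\\Windows\\System32\\rundll32.exe" parent="C:\\Windows\\explorer.exe" user=ATM\\svc',
    'ts=2016-03-05T10:13:01Z host=ATM-0042 event=Boot mode=SafeMode device=HDD',
    'ts=2016-03-05T10:14:10Z host=ATM-0043 event=Boot mode=Normal device=USB',
    'ts=2016-03-05T10:15:00Z host=WKS-OPS-01 event=ProcessCreate image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent="C:\\Windows\\explorer.exe" user=CORP\\admin',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Split one constructed log line into a dict, stripping quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased file name of a Windows path (handles / and \\)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines, atm_hosts):
    """Apply the three rules to every line and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "")
        if host not in atm_hosts:
            continue  # only kiosk hosts are in scope for these rules
        if ev.get("event") == "ProcessCreate":
            image = basename(ev.get("image", ""))
            if image in LOLBINS:
                parent = basename(ev.get("parent", ""))
                alerts.append(Alert(host, "whitelist-memory-execution",
                                    f"{image} spawned by {parent}"))
        elif ev.get("event") == "Boot":
            if ev.get("mode", "Normal") != "Normal":
                alerts.append(Alert(host, "safe-mode-boot",
                                    f"boot mode {ev['mode']}"))
            if ev.get("device", "HDD") != "HDD":
                alerts.append(Alert(host, "untrusted-boot",
                                    f"boot device {ev['device']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, ATM_HOSTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

On the constructed sample this yields three alerts: rundll32 on ATM-0042, a Safe mode boot on ATM-0042, and a USB boot on ATM-0043; the PowerShell launch on the operations workstation is out of scope and produces nothing. The host allow-list is the part that makes the rules cheap to run: on an ATM the list of expected images is tiny, so anything outside it is worth a ticket even before an AppLocker bypass is confirmed.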