Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
This presentation from ShmooCon 2016 elaborates on a trivial bypass of Apple’s Gatekeeper, a core OS X security mechanism, which still remains flawed following Apple’s patch efforts to the vulnerabilities previously reported and presented by Patrick Wardle at Virus Bulletin 2015.
This presentation from Virus Bulletin 2015 will provide a solid technical overview of Gatekeeper's design and implementation, and will discuss both patched and currently unpatched vulnerabilities or weaknesses, in this core OS X security mechanism.
DEF CON 23: Stick That In Your (root)Pipe & Smoke It - Synack
DEF CON 23
You may ask: "why would Apple add an XPC service that can create setuid files anywhere on the system - and then blindly allow any local user to leverage this service?" Honestly, I have no idea!
The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed 'rootpipe,' this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X un-patched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple's response, a second patch, that appears to squash 'rootpipe'…for now.
Black Hat '15: Writing Bad @$$ Malware for OS X - Synack
In comparison to Windows malware, known OS X threats are really quite lame. As an Apple user that has drunk the 'Apple Juice,' I didn't think that was fair!
From novel persistence techniques, to native OS X components that can be abused to thwart analysis, this talk will detail exactly how to create elegant, bad@ss OS X malware. And since detection is often a death knell for malware, the talk will also show how OS X's native malware mitigations and 3rd-party security tools were bypassed. For example, I'll detail how Gatekeeper was remotely bypassed to allow unsigned downloaded code to be executed, how Apple's 'rootpipe' patch was side-stepped to gain root on a fully patched system, and how all popular 3rd-party AV and personal firewall products were generically bypassed by my simple proof-of-concept malware.
However, don't throw out your Macs just yet! The talk will conclude by presenting several free security tools that can generically detect or even prevent advanced OS X threats. Armed with such tools, we'll ensure that our computers are better protected against both current and future OS X malware.
So unless you work for Apple, come learn how to take your OS X malware skills to the next level and better secure your Mac at the same time!
DEF CON 23: 'DLL Hijacking' on OS X? #@%& Yeah! - Synack
DEF CON 23
Remember DLL hijacking on Windows? Well, turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment).
By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring" leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijacker libraries, or detect if you've been hijacked.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware.
DEF CON 23: Internet of Things: Hacking 14 Devices - Synack
DEF CON 23
Internet of Things: Hacking 14 Devices
It is easy to find poorly designed devices with poor security, but how do the market leading devices stack up? Are they more secure than a Linux-powered rifle? This presentation documents our effort to assess the state of security of top selling Internet of Things Devices.
We procured 14 of the leading “connected home” IoT devices and tore them down, all the way from software to hardware and compared their relative security. This talk will demonstrate techniques useful for assessing any IoT device, while showing how they were applied across a wide range of devices.
Attend for stories of device rooting, SSL interception, firmware unpacking, mobile app vulnerabilities and more. Stay to find out why your favorite new gadget might just be a backdoor into your home. If you own (or are considering buying) one of the following devices, come and find out how secure it actually is!
Devices:
Dlink DCS-2132L
Dropcam Pro
Foscam FI9826W
Simplicam
Withings Baby Monitor
Ecobee
Hive
Honeywell Lyric
Nest Thermostat
Nest Protect
Control4 HC-250
Lowes Iris
Revolv
SmartThings
Samsung Smart Refrigerator (model RF28HMELBSR)
Samsung LED Smart TV (model UN32J5205AFXZA)
REASON:
The best thing about this talk is that it covers a large number of devices, all devices which are among the industry leaders for their category.
While we have published the high level findings from assessing these devices, this talk will include full technical details on how to attack each of these devices, and full tech details on any of the vulns which we found. Those details have not yet been released, and will be of interest to anyone who owns or wants to hack any of these devices.
"In today's digital world the mouse, not the pen is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.
In this talk we'll discuss a vulnerability (CVE-2017-7150) found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!
And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!"
PoC 2015: OS X Kernel Is As Strong As Its Weakest Part (Liang Shuaitian) - Liang Chen
With the popularity of Apple's systems, many OS X kernel vulnerabilities have been discovered by fuzzing IOKit. OS X kernel exploitation techniques have developed over the past few years, yet recent Apple patches have mitigated most of them, blocking generic address leaks as well as zone Feng Shui approaches, which as a result makes OS X kernel vulnerabilities harder to exploit.
In the first part of this talk, we will show several vulnerabilities discovered by KeenTeam whose details have never been published before. We then summarize several root causes of weaknesses in Apple's IOKit drivers, and how to take advantage of those weaknesses to find bugs more efficiently.
The second part will cover how to exploit a vulnerability in such a case, and how to pave a road from crash to root in the presence of Apple's new mitigations.
Discussing Errors in Unity3D's Open-Source Components - PVS-Studio
Unity3D is one of the most promising and rapidly developing game engines to date. Every now and then, the developers upload new libraries and components to the official repository, many of which weren't available as open-source projects until recently. Unfortunately, the Unity3D developer team allowed the public to dissect only some of the components, libraries, and demos employed by the project, while keeping the bulk of its code closed. In this article, we will try to find bugs and typos in those components with the help of the PVS-Studio static analyzer.
Fire & Ice: Making and Breaking macOS Firewalls - Priyanka Aash
"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However, on macOS, firewalls are rather poorly understood. Apple's documentation surrounding its network filter interfaces is rather lacking, and all commercial macOS firewalls are closed source.
This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
How to Install & Configure Your Own Identity Manager GE - FIWARE
How to Install & Configure Your Own Identity Manager GE, by Alvaro Alonso & Federico Fernández (UPM)
Security Team. How-to session. 1st FIWARE Summit, Málaga, Dec. 13-15, 2016.
Speaking from experience building MyGet.org: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
Exploring Thermal Related Stuff in iDevices using Open-Source Tools - Koan-Sin Tan
This is the era of so-called "dark silicon." Thermal control is an important but seldom-talked-about topic. I could not find public information on how iOS does it. The recent checkm8 and follow-on checkra1n enable jailbreaking of iPhone 5s – iPhone X running iOS 12.3 and up, so we can explore these devices with open-source tools.
Kernel Recipes 2015 - Porting Linux to a new processor architecture - Anne Nicolas
Getting the Linux kernel running on a new processor architecture is a difficult process. Worse still, there is not much documentation available describing the porting process.
After spending countless hours becoming almost fluent in many of the supported architectures, I discovered that a well-defined skeleton shared by the majority of ports exists. Such a skeleton can logically be split into two parts that intersect a great deal.
The first part is the boot code, meaning the architecture-specific code that is executed from the moment the kernel takes over from the bootloader until init is finally executed. The second part concerns the architecture-specific code that is regularly executed once the booting phase has been completed and the kernel is running normally. This second part includes starting new threads, dealing with hardware interrupts or software exceptions, copying data from/to user applications, serving system calls, and so on.
In this talk I will provide an overview of the procedure, or at least one possible procedure, that can be followed when porting the Linux kernel to a new processor architecture.
Joël Porquet – Joël was a post-doc at Pierre and Marie Curie University (UPMC) where he ported Linux to TSAR, an academic processor. He is now looking for new adventures.
VISUG - Approaches for application request throttling - Maarten Balliauw
Speaking from experience building a SaaS: users are insane. If you are lucky, they use your service, but in reality, they probably abuse. Crazy usage patterns resulting in more requests than expected, request bursts when users come back to the office after the weekend, and more! These all pose a potential threat to the health of our web application and may impact other users or the service as a whole. Ideally, we can apply some filtering at the front door: limit the number of requests over a given timespan, limiting bandwidth, ...
In this talk, we’ll explore the simple yet complex realm of rate limiting. We’ll go over how to decide on which resources to limit, what the limits should be and where to enforce these limits – in our app, on the server, using a reverse proxy like Nginx or even an external service like CloudFlare or Azure API management. The takeaway? Know when and where to enforce rate limits so you can have both a happy application as well as happy customers.
Ever wondered how to make your code physically interact with things in the real world? Got a home automation project in mind? In this presentation we will cover:
o) How to get started with Raspberry Pi and C#
o) The numerous sensors and actuators you can control
o) How to navigate basic electronics
o) Different interfaces and how to program them
o) Demonstrations of devices at work
o) Azure IoT Hub to control your code from the cloud
An overview of the Mach-O format, in particular where constant strings are located and where ObjC 1.0/2.0 classes and methods are defined. All of this is driven by a concrete need actually encountered in practice: being able to refactor code after it has been compiled.
Real-time Computer Vision With Ruby - OSCON 2008 - Jan Wedekind
Computer vision software requires image- and video-file-I/O as well as camera access and fast video display. Ruby and existing open source software allowed us to develop a machine vision library combining performance and flexibility in an unprecedented way. Native array operations are used to implement a variety of machine vision algorithms. This research was funded by the Nanorobotics grant.
Eclipse Edje: A Java API for Microcontrollers - MicroEJ
The Eclipse Edje project, initiated by MicroEJ, defines a standard high-level Java API for accessing hardware features delivered by 32-bit microcontrollers for using serial links, general purpose inputs/outputs, or digital/analog converters. MCUs are small, low-cost, low-power processors designed to run software in resource-constrained environments: low memory (typically KB), flash (typically MB) and frequency (typically MHz). MCUs are provided by silicon vendors along with evaluation kits and are typically the ideal vectors for large scale deployments of low-power and cost-effective IoT, embedded or wearable devices. Edje aims at unifying and easing the programming of apps for MCUs with the largely adopted Java language.
What really happens when your Java program runs? After the transformation from Java source through bytecode and machine code to microcode, and the various optimizations that take place along the way, the instructions that are actually executed may be very different from what you imagined when you wrote the program. This session shows what a simple program actually looks like when it really hits the hardware.
Cisco Malware: A new risk to consider in perimeter security designs - Manuel Santander
Networking equipment like switches and routers has historically been considered a passive element in implementations of the security architecture. However, the new programming capabilities of these devices bring the risk of malicious software. If this risk materializes, imagine the consequences for the company's information. This presentation shows a proof of concept of what features could support malware inside IOS devices, how to detect it, how to remediate it, and how to minimize the risk of occurrence within a security architecture.
Similar to: [DefCon 2016] I got 99 Problems, but Little Snitch ain't one!
As presented at this year's RSA Conference, a 2016 survey of critical infrastructure companies and officials demonstrates that this scenario could be reality. Jay and Julia will take you through the spine-chilling specifics of why the nation's critical infrastructure is at an ever increased risk of cyber attacks as hackers make them their prime target.
DEF CON 23: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simplex ... - Synack
DEF CON 23
Recently there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before - take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.
In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I’ll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.
Colby Moore is Synack's Manager of Special Activities. He works on the oddball and difficult problems that no one else knows how to tackle and strives to embrace the attacker mindset during all engagements. He is a former employee of VRL and has identified countless 0day vulnerabilities in embedded systems and major applications. In his spare time you will find him focusing on that sweet spot where hardware and software meet, usually resulting in very interesting consequences.
Black Hat '15: Spread Spectrum Satcom Hacking: Attacking The GlobalStar Simpl... (Synack)
Black Hat 2015 (same abstract as the DEF CON 23 talk above)
Presentation by Wesley Wineberg at B-Sides Vancouver 2015. It includes an analysis of the EMU-2, an introduction to hardware security, and a look at the ZigBee Smart Energy device.
Synack completed a benchmarking test across a range of home automation devices, from cameras to home automation controllers to thermostats. The devices were examined head to head to draw conclusions about the relative state of security across the board. Interested in what we found?
2. WHOIS
"leverages the best combination of humans and technology to discover security vulnerabilities in our customers' web apps, mobile apps, IoT devices and infrastructure endpoints"
@patrickwardle
security for the 21st century
career
hobby
3. making little snitch our b!tch
OUTLINE
understanding / bypassing / reversing / owning
note: little snitch versions < 3.6.2, apple os x 10.11
5. the de-facto host firewall for macOS
LITTLE SNITCH
"Little Snitch intercepts connection attempts, and lets you decide how to proceed." -www.obdev.at
little snitch alert
in the news (red team vs. palantir)
6. the puzzle pieces
LITTLE SNITCH COMPONENTS
ring-0:
  LittleSnitch.kext › network, process monitoring; 'authentication' of its clients (this is where the ring-0 bug lives)
ring-3 (root session):
  Little Snitch Daemon › rules management
ring-3 (user/UI session):
  Little Snitch Configuration › rules management, preferences
  Little Snitch Agent › ui alerts
8. abusing system rules to talk to iCloud
LITTLE SNITCH BYPASS 0X1
little snitch's iCloud rule: an un-deletable system rule, "anybody can talk to iCloud"
o rly!?...yes!
9. abusing 'proc-level' trust
LITTLE SNITCH BYPASS 0X2
"Using Process Infection to Bypass Windows Software Firewalls" -Phrack, '04
gpg keychain; allow all -> dylib hijack 'injection' -> undetected exfil/C&C

$ python dylibHijackScanner.py
GPG Keychain is vulnerable (weak/rpath'd dylib)
'weak dylib': '/Libmacgpg.framework/Versions/B/Libmacgpg'
'LC_RPATH': '/Applications/GPG Keychain.app/Contents/Frameworks'
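What a scanner like dylibHijackScanner.py is looking for, as an added example in C (this is not Wardle's scanner and not Little Snitch code): walk a 64-bit Mach-O's load commands, collect the LC_RPATH entries in order, and flag the two conditions the slide names, a weak import whose path is absent, and an @rpath import that only resolves in a later rpath directory (so the first directory is an empty slot dyld tries first). The Mach-O image and the table of paths that "exist" are constructed inline for the demo; the paths are illustrative, not the ones from the slide's scan. On a real binary you would map the file and use access(path, F_OK) instead of the demo's lookup table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mach-O constants as in <mach-o/loader.h>, redefined so this builds on any host. */
#define MH_MAGIC_64        0xfeedfacfu
#define LC_REQ_DYLD        0x80000000u
#define LC_LOAD_DYLIB      0x0cu
#define LC_LOAD_WEAK_DYLIB (0x18u | LC_REQ_DYLD)
#define LC_RPATH           (0x1cu | LC_REQ_DYLD)
#define MAX_RPATHS 8
#define MAX_HITS   8
#define HIT_LEN    512

typedef int (*exists_fn)(const char *path);   /* access(path, F_OK) == 0 on a real box */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Bounds-check one load command; returns its cmdsize, or 0 if malformed. */
static uint32_t cmd_size(const uint8_t *lc, const uint8_t *end)
{
    if (lc + 8 > end) return 0;
    uint32_t sz = rd32(lc + 4);
    return (sz < 8 || lc + sz > end) ? 0 : sz;
}

/* The lc_str that opens an rpath_command / dylib_command payload, or NULL. */
static const char *lc_string(const uint8_t *lc, uint32_t sz)
{
    uint32_t off = rd32(lc + 8);
    if (sz < 12 || off >= sz || !memchr(lc + off, 0, sz - off)) return NULL;
    return (const char *)lc + off;
}

/* Report import slots an attacker could satisfy with a planted dylib. Returns the hit count or -1. */
int scan_hijackable(const uint8_t *img, size_t len, exists_fn exists, char hits[][HIT_LEN], int max_hits)
{
    if (len < 32 || rd32(img) != MH_MAGIC_64) return -1;
    uint32_t ncmds = rd32(img + 16), sizeofcmds = rd32(img + 20), i, sz;
    if (sizeofcmds > len - 32) return -1;
    const uint8_t *end = img + 32 + sizeofcmds, *lc;
    const char *rpaths[MAX_RPATHS], *s;
    int nrpaths = 0, nhits = 0;

    /* Pass 1: LC_RPATH entries, kept in order (dyld searches them in order). */
    for (lc = img + 32, i = 0; i < ncmds; i++, lc += sz) {
        if (!(sz = cmd_size(lc, end))) return -1;
        if (rd32(lc) == LC_RPATH && nrpaths < MAX_RPATHS && (s = lc_string(lc, sz)))
            rpaths[nrpaths++] = s;
    }
    /* Pass 2: dylib imports. */
    for (lc = img + 32, i = 0; i < ncmds; i++, lc += sz) {
        sz = cmd_size(lc, end);
        uint32_t cmd = rd32(lc);
        if (cmd != LC_LOAD_DYLIB && cmd != LC_LOAD_WEAK_DYLIB) continue;
        int weak = (cmd == LC_LOAD_WEAK_DYLIB);
        const char *name = lc_string(lc, sz);
        if (!name || nhits >= max_hits) continue;
        if (strncmp(name, "@rpath/", 7) == 0) {
            /* Library found only in a later rpath dir (or nowhere, if weak): rpath[0] is an open slot. */
            int found = -1;
            char cand[HIT_LEN];
            for (int r = 0; r < nrpaths && found < 0; r++) {
                snprintf(cand, sizeof cand, "%s/%s", rpaths[r], name + 7);
                if (exists(cand)) found = r;
            }
            if (nrpaths > 0 && (found > 0 || (found < 0 && weak)))
                snprintf(hits[nhits++], HIT_LEN, "%s/%s", rpaths[0], name + 7);
        } else if (weak && !exists(name)) {
            /* Absent weak import: dyld carries on silently, so a dylib planted here gets loaded. */
            snprintf(hits[nhits++], HIT_LEN, "%s", name);
        }
    }
    return nhits;
}

/* Append one load command holding a single lc_str (offset 12 for rpath, 24 for dylib). */
static size_t put_cmd(uint8_t *img, size_t off, uint32_t cmd, uint32_t str_off, const char *s)
{
    uint32_t size = (uint32_t)((str_off + strlen(s) + 1 + 7) & ~(size_t)7);  /* 8-byte aligned */
    memset(img + off, 0, size);
    memcpy(img + off, &cmd, 4);
    memcpy(img + off + 4, &size, 4);
    memcpy(img + off + 8, &str_off, 4);
    strcpy((char *)img + off + str_off, s);
    return off + size;
}

static uint8_t g_img[512];
static char    g_hits[MAX_HITS][HIT_LEN];

/* Constructed demo image (paths are illustrative, not from the slide's scan output). */
static size_t build_demo_image(void)
{
    uint32_t magic = MH_MAGIC_64, ncmds = 5, sizeofcmds;
    size_t off = 32;
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img, &magic, 4);
    off = put_cmd(g_img, off, LC_RPATH, 12, "/Applications/GPG Keychain.app/Contents/Frameworks");
    off = put_cmd(g_img, off, LC_RPATH, 12, "/Library/Frameworks");
    off = put_cmd(g_img, off, LC_LOAD_DYLIB, 24, "@rpath/Libmacgpg.framework/Versions/B/Libmacgpg");
    off = put_cmd(g_img, off, LC_LOAD_WEAK_DYLIB, 24, "/usr/lib/libMissing.dylib");
    off = put_cmd(g_img, off, LC_LOAD_DYLIB, 24, "/usr/lib/libSystem.B.dylib");
    sizeofcmds = (uint32_t)(off - 32);
    memcpy(g_img + 16, &ncmds, 4);
    memcpy(g_img + 20, &sizeofcmds, 4);
    return off;
}

/* Stand-in for access(): the only two paths that "exist" on the demo box. */
static int demo_exists(const char *p)
{
    return !strcmp(p, "/Library/Frameworks/Libmacgpg.framework/Versions/B/Libmacgpg")
        || !strcmp(p, "/usr/lib/libSystem.B.dylib");
}

int demo_scan(void)
{
    int n = scan_hijackable(g_img, build_demo_image(), demo_exists, g_hits, MAX_HITS);
    for (int i = 0; i < n; i++) printf("hijackable: %s\n", g_hits[i]);
    return n;
}
```

For the demo image the scan reports two slots: the @rpath import resolves only under /Library/Frameworks, so the GPG Keychain Frameworks directory ahead of it in the rpath list is open, and the weak import is simply missing. Either one is enough for the process to load attacker code while keeping its own "allow all" rule.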
10. stop the network filter
LITTLE SNITCH BYPASS 0X3
ring-3 -> ring-0 (LittleSnitch.kext): external method 0xB, scalar input 0x0 = disable

    //connect & authenticate to kext
    // ->see later slides for details :)

    //input
    // ->set to 0x0 to disable
    uint64_t input = 0x0;

    //stop network filter
    IOConnectCallScalarMethod(connectPort, 0xB, &input, 0x1, NULL, NULL);

kext side ('stop network filter'):

    //input
    // ->disable is 0x0
    if( (0xB == method) && (0x0 == scalarInput) )
    {
        //disable filter!
    }

'invisible' to UI
14. 'inter-ring' comms
I/O KIT
"The user-space API through which a process communicates with a kernel driver is provided by a framework known as 'IOKit.framework'" -OS X and iOS Kernel Programming
serial port driver: open(/dev/xxx), then read() / write()
other i/o kit drivers (today's focus): find driver; then, via the I/O Kit Framework, read/write 'properties' or send control requests
26. reliably exploiting a macOS heap overflow
WEAPONIZING
controlling heap layout
bypassing kASLR
bypassing smap/smep
payloads (!SIP, etc)
see: "Attacking the XNU Kernel in El Capitan" -luca todesco; "Hacking from iOS 8 to iOS 9" -team pangu; "Shooting the OS X El Capitan Kernel Like a Sniper" -liang chen/qidan he

SIP/code-sign 'bypass':
get root -> 'bring' & load buggy kext (the (buggy) kext is still validly signed!) -> exploit & disable SIP -> run unsigned kernel code, etc
28. at least they fixed it...
VENDOR RESPONSE:
fixed the bug (consistent size):

    mov rbx, rdi        ; user struct
    mov edi, [rbx+8]    ; size
    call _OSMalloc
    mov rdi, [rbx]      ; in buffer
    mov edx, [rbx+8]    ; size
    mov rsi, rax        ; out buffer
    call _copyin

downplayed the bug
maybe talking about my exploit!?
didn't assign a CVE
no credit (i'm ok with that)
users won't patch
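The point of the patched disassembly is that one length, [rbx+8], now feeds both OSMalloc and copyin. As an added example (not Little Snitch's code, and the vulnerable variant is an assumed reconstruction of the pattern the fix rules out, not the actual bug), here is that pattern in user-space C: a handler that sizes the allocation from one user-controlled value but copies with another, beside the fixed handler that validates one size and uses it for both. The request layout, the MAX_REQ bound, copyin_sim and the two-chunk "zone" are all stand-ins so the overrun lands in a neighbouring object we can inspect instead of in undefined memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout, following the loads in the fixed code:
 * [rbx] = user input buffer, [rbx+8] = size. */
struct user_req {
    const uint8_t *in_buffer;
    uint32_t       size;
};

#define MAX_REQ 256           /* assumed upper bound a kext would enforce */
#define EINVAL_ 22
#define EFAULT_ 14

/* Stand-in for the kernel's copyin(uaddr, kaddr, len). */
static int copyin_sim(const void *uaddr, void *kaddr, size_t len)
{
    if (!uaddr || !kaddr) return EFAULT_;
    memcpy(kaddr, uaddr, len);
    return 0;
}

/* Simulated kalloc zone: the request buffer sits directly in front of a
 * neighbouring kernel object, so an overrun lands there. */
struct zone {
    uint8_t chunk[MAX_REQ];
    struct { uint32_t magic; void (*callback)(void); } neighbor;
};
#define NEIGHBOR_MAGIC 0xCAFEBABEu
static void benign_cb(void) {}

/* Assumed vulnerable pattern: the allocation is sized from req->size, but the
 * copy length is a second user-controlled value read out of the buffer itself. */
int handle_vuln(struct zone *z, const struct user_req *req)
{
    uint32_t copy_len;
    if (req->size > MAX_REQ) return EINVAL_;            /* the allocation size IS checked... */
    memcpy(&copy_len, req->in_buffer, sizeof copy_len);
    if (copy_len > sizeof *z) return EINVAL_;           /* demo guard only: stay inside the zone */
    uint8_t *buf = z->chunk;                            /* OSMalloc(req->size) */
    return copyin_sim(req->in_buffer, buf, copy_len);   /* ...but the copy uses a different length */
}

/* Fixed: the one validated length drives both OSMalloc and copyin, as in the
 * patched disassembly where [rbx+8] is loaded for both calls. */
int handle_fixed(struct zone *z, const struct user_req *req)
{
    if (req->size == 0 || req->size > MAX_REQ) return EINVAL_;
    uint8_t *buf = z->chunk;                            /* OSMalloc(req->size) */
    return copyin_sim(req->in_buffer, buf, req->size);
}

/* Feed a constructed attacker request to a handler; returns 1 if the
 * neighbouring object survived untouched, 0 if it was overwritten. */
int neighbor_intact(int (*handler)(struct zone *, const struct user_req *))
{
    static struct zone z;
    static uint8_t ubuf[sizeof(struct zone)];
    uint32_t evil_len = sizeof ubuf;
    struct user_req req = { ubuf, 16 };

    memset(&z, 0, sizeof z);
    z.neighbor.magic = NEIGHBOR_MAGIC;
    z.neighbor.callback = benign_cb;

    /* Constructed input: tells the kext size=16, but embeds a copy length of
     * the whole zone at offset 0 and fills the rest with 0x41. */
    memset(ubuf, 0x41, sizeof ubuf);
    memcpy(ubuf, &evil_len, sizeof evil_len);

    int rc = handler(&z, &req);
    printf("rc=%d neighbor.magic=%08x\n", rc, z.neighbor.magic);
    return z.neighbor.magic == NEIGHBOR_MAGIC && z.neighbor.callback == benign_cb;
}
```

With the same input, handle_vuln returns 0 (success) and leaves the neighbour's magic and function pointer full of 0x41s, which is exactly the primitive the weaponizing slide builds on; handle_fixed copies the 16 bytes it allocated and nothing else.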
30. contact me any time :)
QUESTIONS & ANSWERS
patrick@synack.com
@patrickwardle
final thought ;)
"Is it crazy how saying sentences backwards creates backwards sentences saying how crazy it is?" -Have_One, reddit.com
31. mahalo :)
CREDITS
images:
- FLATICON.COM
- THEZOOOM.COM
- ICONMONSTR.COM
- HTTP://WIRDOU.COM/2012/02/04/IS-THAT-BAD-DOCTOR/
- HTTP://TH07.DEVIANTART.NET/FS70/PRE/F/2010/206/4/4/441488BCC359B59BE409CA02F863E843.JPG
resources:
- "iOS Kernel Exploitation --- IOKit Edition ---" -Stefan Esser
- "Revisiting Mac OS X Kernel Rootkits!" -Pedro Vilaça
- "Find Your Own iOS Kernel Bug" -Xu Hao/Xiaobo Chen
- "Attacking the XNU Kernel in El Capitan" -Luca Todesco
- "Hacking from iOS 8 to iOS 9" -Team Pangu
- "Shooting the OS X El Capitan Kernel Like a Sniper" -Liang Chen/Qidan He
- "Optimized Fuzzing IOKit in iOS" -Lei Long
- "Mac OS X and iOS Internals" -Jonathan Levin
- "OS X and iOS Kernel Programming" -Ole Halvorsen/Douglas Clarke