Cortana has several components that could be exploited by attackers to compromise systems or retrieve sensitive information:
1. The Cortana agent on devices is powerful and can accept input even when screens are locked, allowing commands through the "Open Sesame" vulnerability.
2. Cortana's voice actions could be used to invoke unsafe browsing on locked screens through the "Voice of Esau" attack, potentially leading to remote code execution.
3. Third-party Cortana skills could be authorized on locked screens, allowing the invocation of skills with malicious payloads through the "Skill of Death" scenario.
Proper design is needed to secure new interfaces like Cortana, as adding capabilities to locked screens
Attacking and Defending Apple iOS DevicesTom Eston
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
Breaking in is easy, real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casino's have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier then walking directly into the Casino vault armed with guns and explosives.
In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team have conducted. These include breaking into Casinos, Banks, Energy companies and other high security facilities (with permission of course). Tom's stories not only show how attackers break in but also show important lessons on how businesses can better secure their physical as well as network assets.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Attacking and Defending Apple iOS DevicesTom Eston
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
Breaking in is easy, real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casino's have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier then walking directly into the Casino vault armed with guns and explosives.
In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team have conducted. These include breaking into Casinos, Banks, Energy companies and other high security facilities (with permission of course). Tom's stories not only show how attackers break in but also show important lessons on how businesses can better secure their physical as well as network assets.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
Tom Eston has spent quite a bit of time evaluating mobile applications. In this presentation he will provide the audience with a high level understanding of what the risks are, how to evaluate mobile applications and provide examples of how things have been done wrong. Tom has used a variety of the top 25 applications downloaded from the Apple App Store and Google Play to provide real world examples of the problems applications face. Tom has mapped out how these applications are vulnerable to the OWASP Mobile Top 10 security issues.
This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.
A workshop about the "dark side" of iOS, Objective-C and Xcode. Discussion about private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering including demos and showcases.
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
Our physical environments become increasingly packed with new, computerized, devices that increase our comfort and productivity and augment our everyday experience. These devices maintain a wealth of new and existing types of sensors into our surroundings and offer new channels of communications between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards) and between machines and their motherships in the cloud.
The coexistence of these new devices and interaction models with our "legacy" IT infrastructure have not escaped the eyes of the digital world's most early adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets.
As we researched the potential effect of this trend on enterprise cybersecurity we focused on one specific, much hyped, type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice activated assistance Cortana.
During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios:
Using voice as a gateway into enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close proximity attackers to take over an unattended locked Windows 10 computer.
Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network.
Systematically subverting information produced and used by sensorial systems: We will analyze, in technical details, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool that utilize this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just monitor it for security purposes.
We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
Chuck McAuley, Ixia Communications
The Mirai botnet has brought public awareness to the danger of poorly secured embedded devices. Its ability to propagate is fast and reliable. Its impact can be devastating and variants of it will be around for a long time. You need to identify it, stop it, and prevent its spread. I had the opportunity to become familiar with the structure, design, and weaknesses of Mirai and its variants. At this talk you'll learn how to detect members of the botnet, mess with them through various means and setup a safe live fire lab environment for your own amusement. I will demonstrate how to join a C2 server, how to collect new samples for study, and some changes that have occurred since release of the source code. By the end you'll be armed and ready to take the fight to these jerks. Unless you're a botnet operator. Then you'll learn about some of the mistakes you made.
The Hardcore Stuff I Hack:
This talk is going to give a run through of some of the technical challenges paul and his team have overcome over the years - in as much hardcore detail as possible
Recent trends in 2014-15 in the IT field. Big shots from the major companies, including rumours of shift in focus to car manufacturing. Seamless integration between devices etc.
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what are we doing well and how we can do better. Also, the Web 2.0 has sparked a “social revolution” of the Web, how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
Tom Eston has spent quite a bit of time evaluating mobile applications. In this presentation he will provide the audience with a high level understanding of what the risks are, how to evaluate mobile applications and provide examples of how things have been done wrong. Tom has used a variety of the top 25 applications downloaded from the Apple App Store and Google Play to provide real world examples of the problems applications face. Tom has mapped out how these applications are vulnerable to the OWASP Mobile Top 10 security issues.
This is a talk I gave in St. Louis in April 2018 about how businesses need to understand the Internet of Things and how they can better protect themselves.
A workshop about the "dark side" of iOS, Objective-C and Xcode. Discussion about private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering including demos and showcases.
THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES Tal Be'ery
Our physical environments become increasingly packed with new, computerized, devices that increase our comfort and productivity and augment our everyday experience. These devices maintain a wealth of new and existing types of sensors into our surroundings and offer new channels of communications between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards) and between machines and their motherships in the cloud.
The coexistence of these new devices and interaction models with our "legacy" IT infrastructure have not escaped the eyes of the digital world's most early adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets.
As we researched the potential effect of this trend on enterprise cybersecurity we focused on one specific, much hyped, type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice activated assistance Cortana.
During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios:
Using voice as a gateway into enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close proximity attackers to take over an unattended locked Windows 10 computer.
Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network.
Systematically subverting information produced and used by sensorial systems: We will analyze, in technical details, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool that utilize this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just monitor it for security purposes.
We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
Chuck McAuley, Ixia Communications
The Mirai botnet has brought public awareness to the danger of poorly secured embedded devices. Its ability to propagate is fast and reliable. Its impact can be devastating and variants of it will be around for a long time. You need to identify it, stop it, and prevent its spread. I had the opportunity to become familiar with the structure, design, and weaknesses of Mirai and its variants. At this talk you'll learn how to detect members of the botnet, mess with them through various means and setup a safe live fire lab environment for your own amusement. I will demonstrate how to join a C2 server, how to collect new samples for study, and some changes that have occurred since release of the source code. By the end you'll be armed and ready to take the fight to these jerks. Unless you're a botnet operator. Then you'll learn about some of the mistakes you made.
The Hardcore Stuff I Hack:
This talk is going to give a run through of some of the technical challenges paul and his team have overcome over the years - in as much hardcore detail as possible
Recent trends in 2014-15 in the IT field. Big shots from the major companies, including rumours of shift in focus to car manufacturing. Seamless integration between devices etc.
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what are we doing well and how we can do better. Also, the Web 2.0 has sparked a “social revolution” of the Web, how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
Alexa and Cortana in Windowsland - OWASP Global AppSec Tel-Aviv, May 2019Yuval Ron
“Alexa and Cortana in Windowsland”: Hacking an Innovative Partnership and Other Adventures
Recording can be found here: https://youtu.be/10Y5iYdti54
Abstract:
This is a presentation about the essence of Cyber Security – what happens when you take new and innovative concepts, spice them up with business partnerships and plug them into existing security mechanisms.
In our talk, we will demonstrate a variety of new “Evil Maid” attacks on locked Windows machines. We will show vulnerabilities that stem from the high-profile business partnership between Cortana and Alexa – the voice assistants of Microsoft and Amazon, as well as code execution vulnerabilities in Cortana’s internal integrations.
We will take our audience on an amusing journey of our discovery process and the fascinating battle of Microsoft to patch these vulnerabilities with minimum effort and public exposure. This journey demonstrates the difficulty of tying up together new usage concepts with older security assumptions, the catastrophic outcome of breaking these assumptions, and the importance of implementing the learned lessons in future integrations between AI technologies and IoT devices.
https://globalappsectelaviv2019.sched.com/event/NucT/alexa-and-cortana-in-windowsland-hacking-an-innovative-partnership-and-other-adventures
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts.
The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign.
To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation.
In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently.
We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings.
We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
Decentralized Finance (DeFi) is one of today’s most compelling crypto narratives and Compound is one of its most prominent examples. ZenGo research team has taken a deeper look into one of the most intriguing and novel aspects of the Compound protocol, the Liquidation process.
This whitepaper (originally published on early 2020) offers a step-by-step technological explanation and financial survey of Compound’s Liquidation process and thus offers a learning opportunity on a prominent DeFi project, relevant for both experts and beginners.
Web3 Security: The Blockchain is Your SIEMTal Be'ery
2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: A number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US Dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms.
First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.”
While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks.
Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for a post-mortem analysis can be analyzed in real-time (or even ante factum by “taking a peek” into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays. In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including Web Application Firewall (WAF) into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) which can greatly improve Web3 security and blockchain-based apps.
Elliptic Curve Cryptography (ECC) protects many relevant everyday technologies, including the SSL/TLS protocol that protects our Internet communications and ECDSA signatures that protect Bitcoin and Ethereum transactions against modifications. In this talk we will learn about ECC cryptography, using the Billiards game analogy which make ECC understandable even for non-experts. We will describe some attacks against flawed ECC and signatures implementations, including the recent BlueTooth pairing vulnerability discovered by Technion researchers recently
Automate or Die: How Automation Reshapes CybersecurityTal Be'ery
how automation changes both offensive side and defensive side, focusing on the full automation of targeted attacks. Technical analysis of the orchestration and automation of the Lateral Movement phase with BloodHound and GoFetch tools
The Industrial Revolution of Lateral MovementTal Be'ery
Tal Maor & Tal Be'ery Blackhat USA 2017 talk
Recent advancements in the Targeted Attacks technology, and specifically to the Lateral Movement phase of it, are about to ignite an Industrial Revolution in this field.
The original Industrial Revolution and its use of modern methods of mass production is said to had brought "improvements in the cost, quality, quantity, and variety of goods available". The Lateral Movement Industrial Revolution will have similar effects on the attack side.
Consequently, it will have grave repercussions on the defensive side. As always when facing a stressful situation, defenders can respond either by: Fight, Flight, or Freeze.
In this talk, we will describe these recent advancements in the field of automated Lateral, followed by a demo and the release of 'GoFetch', a new open-source lateral movement automation tool. We will conclude with a discussion on the implications of Lateral Movement industrialization on both attackers and defenders.
The Enemy Within: Stopping Advanced Attacks Against Local UsersTal Be'ery
Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer).
In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks.
Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.
In this report, we breakdown the Target attack to 11 detailed steps, beginning with the initial credential theft of Target’s HVAC contractor to the theft of PII and credit cards. Particular attention is given to those steps, unknown until now, such as how the attackers were able to propagate within the network. Throughout this report we highlight pertinent insights into the Tactics, Techniques and Procedures (TTPs4) of the attackers. Finally, we provide recommendations on the needed security measures for mitigating similar advanced targeted attacks.
I wrote this paper on 2014 as the VP of Research for Aorato
Today, the topic of cybersecurity has moved from IT and the datacenter to the highest levels of the boardroom. Attacks and threats have grown substantially more sophisticated in frequency and severity. Attackers reside within an internal network an average of eight months before they are even detected. In the vast majority of attacks, they compromise user credentials and they are increasingly using legitimate IT tools rather than malware.
You are now working under the assumption of a breach. How do you find the attackers--before they cause damage?
In this Blackhat talk we will discuss the TTPs (Tactics Techniques & Procedures) of advanced attackers and how they manifest themselves over the network. We will give a special attention to the Reconnaissance and Lateral Movement phases of the Cyber Kill Chain and discuss how network monitoring can be employed to mitigate these risks.
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 1 out of 3
Intro to relevant technologies: HTTP, HTML, HTML5, javascript, same origin policy
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 3 out of 3
Non javascript attacks: including CSRF, attacks on SSL, CSS history, clickjacking
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including Cross side scripting, Malvertizing, MITM
One Key to Rule Them All: Detecting the Skeleton Key MalwareTal Be'ery
Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC.
Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior.
On this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol; We will put a special emphasis on its manifestation over the network traffic. We will also share a script that implements the remotes detection of the skeleton key malware functionality.
The talk was given on TCE2015 summer school, Technion, Israel
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Hand Rolled Applicative User ValidationCode KataPhilip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather, to provide a small, rough-and ready exercise to reinforce your muscle-memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
1. Open Sesame: Picking Locks with Cortana
Ron Marcovich, Yuval Ron, Amichai Shulman, Tal Be'ery
1
2. Amichai Shulman
• Independent Security Researcher
• Advisor for multiple cyber security start up
companies
• Former CTO and Co-Founder of Imperva
• Blackhat, RSA, Infosec speaker
• @amichaishulman
Tal Be’ery
• Co-Founder @ Kzen Networks
• Formerly VP Research @Aorato (Acquired by
Microsoft), Imperva, Singtel Innov8 VC
• Blackhat, RSA, SAS speaker
• @talbeerysec
2
Who are we?
3. Also Featuring…
Yuval Ron
Twitter: @RonYuval
LinkedIn: ronyuval
Ron Marcovich
Twitter: @RonMarcovich
LinkedIn: ronmarcovich
B.Sc. Software Engineering students at the Technion,
Israel Institute of Technology. Both will start their M.Sc.
In Computer Science this year.
3
4. Agenda
• Understanding Cortana
• What is it, how does it work and key elements
• Attacking Cortana on all fronts
• Cortana agent: Open Sesame (CVE-2018-8140)
• Cortana actions: The voice of Esau
• Cortana cloud: Malicious skills
• Protecting against Cortana attacks
• Voice Firewalls: NewSpeak
• Summary and Conclusions
4
6. What is Cortana?
• "Your intelligent assistant across
your life."
• Translate human intent into
computer actions
• Retrieve data
• Browse the web
• Launch programs
6
7. What is Cortana?
• Multi-platform: Mobile, PC,
devices
• Multi inputs (“intents”):
keyboard, mouse, voice, touch,
…
7
8. Cortana Architecture
8
Cortana
Service
Speech to
Text
Text to Intent
(Action)
Cortana
Skill
Internet
3rd party
web
service
Cortana
Client
Speech
Text
Text
Intent + p
Intent + p
Card data
Speech
Text
Resolve!
Card
Action
Provider
(Azure
Bot)
Intent to
Card
(Azure
Bot)
9. Cortana Architecture - Example
9
Cortana
Service
Speech to
Text
Text to Intent
(Action)
Action
Provider
(Azure
Bot)
Internet
3rd party
web
service
Cortana
Client
Speech
Who is George Washington
Who is George Washington
Search
Query = “George Washington”
Card data
Speech
Who is George Washington
Resolve!
Action
Provider
(Azure
Bot)
Intent to
Card
(Azure
Bot)
Search
Query = “George Washington”
10. Cortana Agent
• Very fat Client
• Can do a lot of stuff!
• Merely an execution engine
• Exposes a powerful Javascript API
• Works on a locked devices
• By Default!
• SpeechRuntime.exe listens for
“Hey Cortana”
• SearchUI.exe has the “Cortana
Logic”
10
11. Cortana Cloud Service
• Processing and decision making is done in the cloud
• Two phases
• Audio processing – Speech to Text
• wss://websockets.platform.bing.com/ws/cu/v3
• Binary + JSON
• Semantic processing – Text to Intent & Intent to Card
• https://www.bing.com/speech_render - GET request, HTML response
• https://www.bing.com/DialogPolicy - GET / POST request, Javascript response
• Machine Learning
• Improve speech recognition
• Extend intent resolution capabilities
11
14. Cortana Skills
• Cortana can be extended with
cloud based “skills”
• A Skill is an Azure bot registered
to the Cortana channel
• Receive all user input after an
invocation name
• Interacts with the Cortana client
using Cards that include voice,
text and LIMITED COMMANDS
14
16. • Fat client executes on locked screen
• Many possible actions
• Action choice by cloud logic
• Can be changed without any apparent sign on the device
• Might depend on Machine Learning
• Choice of action can be affected by unknown 3rd parties
Summary
16
18. Putting Murphy to Work
• Set up a research project with the
Technion
• Undergraduate students exploring
different aspects of the system
• Some avenues we explored
• Local input to Cortana
• Intents that invoke exploitable actions
• Intents that retrieve malicious
content
• Capabilities of 3rd party Cortana skills
18
19. Attacking Cortana
19
Cortana
Service
Speech to
Text
Text to Intent
(Action)
Cortana
Skill
Internet
3rd party
web
service
Cortana
Client
Speech
Text
Text
Intent + p
Intent + p
Card data
Speech
Text
Resolve!
Card
Action
Provider
(Azure
Bot)
Intent to
Card
(Azure
Bot)
Expressing bad
intents
Local commands
through lock screen
Malicious
skills
Bad content
provider
23. Open Sesame: Attack Model
• Impact:
• by Abusing The “Open Sesame” vulnerability, “Evil Maid” attackers can gain
full control over a locked machine
• Evil Maid attack model:
• Attackers have physical access for a limited time, but the Computer is locked
• Why it’s called Evil Maid?
• Think of the laptop you left in your room last night when you went out…
• But also borders control, computers in the office during breaks and night, …
• But isn’t that exactly what Locked Screen suppose to stop?
23
24. Lock Screen: You Had One Job
• Lock Screen is not magic!
• Lock Screen is merely another
“Desktop” ( Winlogon desktop )
with very limited access
• The security stems from the
reduced attack surface
• If Microsoft adds more apps on
Lock Screen: The attack surface
expands → security is reduced
24
27. “Open Sesame” Root Cause
• Lock screen restricts keyboard, but allows Cortana invocation through
voice
• Once Cortana is invoked, the Lock Screen no longer restricts it
• Cortana is free to accept input from the keyboard too
• The fix: Make Cortana Search UI state aware. Different behavior when
the UI is locked
• Shift of responsibility:
• In the past, the OS made sure the UI is not accessible when computer is
locked, therefore developers do not need to think about it.
• Now, it’s the developers’ responsibility
27
28. Disclosure Timeline
16 APR 18:
We report
CVE-2018-
8140 to MS
23 APR 18:
McAfee
reports
CVE-2018-
8140 to MS
12 JUN 18:
MS patch
(Very quick
+ Bug
Bounty!)
26 JUN 18:
We report
CVE-2018-
8369 to MS
28
29. “Open Sesame” Summary
• Impact: Evil Maid Attackers can gain full control on a locked machine
• The fix is
• Tactical: making Cortana Search aware of UI state
• Not Strategical: Cortana still gets keyboard input and launches processes from
a locked screen in some other scenarios
• There are more where it came from: CVE-2018-8369
• Design lessons: Adding more capabilities to Lock Screen is very
tempting, but dangerous
29
31. Attacking Cortana: Cruel Intentions
31
Cortana
Service
Speech to
Text
Text to Intent
(Action)
Cortana
Skill
Internet
3rd party
web
service
Cortana
Client
Speech
Text
Text
Intent + p
Intent + p
Card data
Speech
Text
Resolve!
Card
Action
Provider
(Azure
Bot)
Intent to
Card
(Azure
Bot)
Expressing bad
intents
Local commands
through Lock Screen
32. Voice of Esau Attack
• Evil Maid Attack (First presented in Kaspersky SAS 2018)
• Attackers:
1. Achieve Man-in-the-Middle position: Plug into the network interface
2. Use Cortana on locked screen to invoke insecure (Non-HTTPS) browsing
3. Intercept request, respond with malicious payload
• Exploit browser vulnerabilities
• Capture domain credentials
32
33. The VOE Attack - Evil Maid (Local)
I’m in! but the
computer is locked!
Hi Cortana!
Go to bbc.com
Browse http://www.bbc.com
I’m BBC and here’s my
malicious payload!
http://www.bbc.com
33
35. VOE Attack – Lateral movement
• Use initial compromise to install agent on compromised machine
• Achieve Man-in-the-Middle position
• Some local routing attack: e.g. ARP spoofing
• Invoke Cortana insecure browsing
• Play sound file – “GOTO BBC DOT COM”
• RDP (Remote Desktop Protocol) sound file to target
• NLA must be disabled for it to work
• Intercept traffic of targeted machines and compromise, as in before.
35
38. VOE Disclosure Timeline
16 JUN 17:
We report
VOE to MS
29 JUN 17:
MS Cloud
patch (no
CVE)
8 MAR 18:
Our talk @
Kaspersky
SAS
25 JUN 18:
We report
CVE-2018-
8271 (and
more) to MS
38
39. The Voice of Esau
• Impact: Evil Maid or even remote attacker can invoke unsafe
browsing on a locked machine. Using additional vulns attacker can
gain full control
• The fix is
• Tactical: making Cortana cloud aware of UI state and safely Bing instead of
direct browse in certain scenarios
• Not Strategical: Cortana may still allow unsafe browsing in some other
scenarios
• There are more where it came from: CVE-2018-8271 (and more)
• Design lessons: Adding more capabilities to Lock Screen is tempting
but dangerous
39
41. Skill of Death
• VOE attack took advantage of
existing intent resolution
mechanisms
• What about adding our own
interpretation mechanism?
• Skills interact with client through
cards
• Cards have “limited
functionality”
41
42. Navigate to an attacker controlled
server
Open malicious MS Office document
Skill of Death – Limited Functionality
42
44. Skill of Death
• How can attacker invoke a
“malicious” skill?
• Invoking a new skill on a machine
requires user consent
• Cortana Skill can be invoked and
granted consent from locked
screen!
44
46. Skill of Death
• Timeline
• Authorization of skills in locked screen detected March 2018
• Guy Feferman and Afik Friedberg of The Technion, Israel
• Takeover methods detected June 2018
• Natanela Brod and Matan Pugach of the Technion, Israel
• Fixed on June 25th 2018
• Fixed in the cloud
• No formal announcement of fix
• Skills can no longer be INVOKED (authorized or not) from locked screen
• Adding functionality on locked screen is a slippery slope
• Soon you find yourself allowing NON Microsoft code to run over locked screen
46
48. Preventing Voice Attacks:
Speaker Identification
• Respond only to me
• “try” doesn’t sound very
reassuring
• “Hey Cortana” can be easily
recorded
• Can be subverted, see other talk
48
49. Preventing Voice Attacks:
Compensating Controls Take 1
• Take 1: Put a security
Microphone on each room?
• Disadvantages:
• Privacy
• Cost
• Audio directionality
• Audio semantics
• Not all attacks are audible
• Detection only
49
50. Preventing Voice Attacks:
Compensating Controls Take 2
• NewSpeak: a Network-based Intercepting proxy
• TLS/SSL certificate must be installed on monitored devices
• In many organization already exists for web gateway monitoring, DLP
• Can monitor all Cortana requests and responses
• Origin details: IP, computer name, user, UI State, etc.
• Request audio and Text to Speech results
• Intents and Action cards
• Can block or modify all Cortana requests and responses
• Much better than previous suggestion: Centrally located, does not
rely on audio analogic capture, can mitigate not just detect
50
51. Network monitoring with NewSpeak
51
I’m the NewSpeak Proxy
Hi Cortana!
Go to cnn.com
Browse http://www.cnn.com
Browse
http://www.foxnews.com
54. Summary: Attacking Cortana
54
Cortana
Service
Speech to
Text
Text to Intent
(Action)
Cortana
Skill
Internet
3rd party
web
service
Cortana
Client
Speech
Text
Text
Intent + p
Intent + p
Card data
Speech
Text
Resolve!
Card
Action
Provider
(Azure
Bot)
Intent to
Card
(Azure
Bot)
Expressing bad
intents
Local commands
through Lock Screen
Malicious
skills
Bad content
provider
55. Takeaways: Defenders
• For the time being:
• Disable Cortana voice in corporate
environments
• Or at least on locked screen
• Reconsider when compensating
controls are there
• “voice firewall”: If voice
becomes mainstream,
considering specialized solutions
is a must for corporate adoption
55
https://www.pcgamer.com/how-to-disable-cortana/
56. Takeaways: Builders & Breakers
• New interfaces are much more than “just an interface”
• When introducing innovative concept into existing environments
• Secure Coding is not enough
• We need Secure System Engineering
• We found 3 different CVEs and numerous issues that enables
attackers to bypass the lock screen
56