Our physical environments become increasingly packed with new, computerized, devices that increase our comfort and productivity and augment our everyday experience. These devices maintain a wealth of new and existing types of sensors into our surroundings and offer new channels of communications between humans and machines (voice, gestures), between machines themselves (new wireless protocol standards) and between machines and their motherships in the cloud.
The coexistence of these new devices and interaction models with our "legacy" IT infrastructure have not escaped the eyes of the digital world's most early adopters – the hackers. In their minds, we've just created so many more gateways into our corporate networks with new types of sensorial data to collect (AKA steal) and subvert, and new protocols and formats to abuse in the process of getting access to corporate assets.
As we researched the potential effect of this trend on enterprise cybersecurity we focused on one specific, much hyped, type of interaction: voice. In particular, we examined the voice interaction capabilities that are most prominent in an enterprise environment – those of Microsoft's voice activated assistance Cortana.
During our research, which will be detailed in this session, we were able to fully demonstrate the following scenarios:
Using voice as a gateway into enterprise: We will expose a previously unknown vulnerability in Microsoft Cortana's voice interface (responsibly disclosed to Microsoft and now patched) that allows close proximity attackers to take over an unattended locked Windows 10 computer.
Using voice for lateral movement: We will show how this attack can be further amplified to allow remote attackers to move laterally within the victim's network.
Systematically subverting information produced and used by sensorial systems: We will analyze, in technical details, the protocol Cortana uses to talk to its cloud and will expose the "Newspeak" tool that utilize this knowledge to fiddle with the protocol for fun (pranks!) and profit (additional custom functionality!), or just monitor it for security purposes.
We will conclude our presentation with some practical suggestions regarding defending against this new breed of threats against enterprise networks and assets.
As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
Open Sesame: Picking Locks with CortanaPriyanka Aash
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
Slides of our Blackhat USA 2018 talk:
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
As more businesses migrate their employee email and data into collaborative cloud platforms, default configurations, even in a secured environment, could leave them susceptible to attacks. While these platforms create a centralized way to collaborate, manage access and view the world from a single pane of glass -- they also create unique attack paths that attackers can leverage using built-in APIs.
In this presentation, we will explore an innovative approach to red teaming organizations that use Google Suite as their main cloud provider. We will walk through leveraging features to inject calendar events, phishing credentials, capturing 2-factor tokens, backdooring accounts and finally pilfering secrets. Techniques presented will also be incorporated and released as modules within MailSniper.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
Open Sesame: Picking Locks with CortanaPriyanka Aash
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
Slides of our Blackhat USA 2018 talk:
Many new devices are trying to fit into our life seamlessly. As a result, there’s a quest for a “universal access methods” for all devices. Voice activation seems to be a natural candidate for the task and many implementations for it surfaced in recent years. A few notable examples are Amazon’s Alexa, Google’s Assistant and Microsoft’s Cortana.
The problem starts when these “Universal” access methods, aimed for maximal comfort, meet the very “specific” use-case of the enterprise environment which requires comfort to be balanced with other aspects, such as security. Microsoft Cortana is used on Mobile and IoT devices, but also in the enterprise computers as it comes enabled by default with Windows10 and always ready to respond to users’ commands even when the machine is locked.
Allowing interaction with a locked machine is a dangerous architectural decision, and earlier this year, we exposed the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network fiddling to deliver a malicious payload to the victim machine.
In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
We would conclude by suggesting some defense mechanisms and compensating controls to detect and defend against such attacks.
Peter Hoddie's keynote for IEEE at CES 2016. He explores upcoming trends for developers in the IoT space, scriptable IoT leading us to the right standards, and JavaScript for the IoT.
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...CODE BLUE
With the emergence of IoT, which stands for Internet of Things, our daily life is being convenient more than ever. IoT market today grow continuously. To manage a plethora of IoT devices at once, it is changing to the way to control all IoT devices easily and conveniently, rather than operating IoT devices independently. Since the IoT Hub can control the connected IoT devices, it is at high risk for serious damage such as malicious control by an attacker, privacy invasion, leakage of personal information in case of security breaches.
We will present the overall process of exploitation in IoT hub from acquiring root shells to analyzing the multiple IoT Hub firmware for showing how we derive the vulnerabilities. We made a data flow diagram(called as DFD) through the network packet analysis, firmware analysis, security threats we defined, and vulnerabilities. Subsequently, We will also discuss the vulnerabilities found in recently commercialized IoT Hub, and introduce the critical threats that could be derived from the vulnerabilities.
Finally we will show the live demonstration of the full-chain exploitation scenarios in smart home such as “opening door lock, sniffing password and Eavesdropping through the device's microphone control”. By doing so, we will contribute improvement of the security of IoT Network and smart home with the awareness of the threats of IoT Hub.
A 60-slide survey of the Internet of things: market philosophy and theory. Philosophy: Horizontal IoT platforms are stupid. Build something people love. You earn the right for others to base their business upon yours with deeply entrenched vertical value. Making: a survey of a few elements to crafting connected products. Local connectivity, Intelligence, internet connectivity, and – if you insist – IoT platforms.
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
Are WAFs the best approach for defending your website against malicious bots? How can you optimize your WAF for bot detection and mitigation? Watch this webinar and learn practical tips on how to defend your web infrastructure against the OWASP Top 10 as well as brute force attacks, web scraping, unauthorized vulnerability scans, fraud, spam and man-in-the-middle attacks.
World renowned expert and author of Web Application Firewalls: A Practical Approach, John Stauffacher, shares his expertise. He has over 17 years of experience in IT Security and is a certified Network Security and Engineering specialist.
Learn more : http://resources.distilnetworks.com/h/i/95930604-tune-in-for-the-ultimate-waf-torture-test-bots-attack/177622
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
Join the CASC Wednesday April 30 for a Google+ hangout on the Heartbleed Bug. We’ll cover everything from what the bug does to how to tell if your site is at risk and how certificate authorities are responding.
Panel of CASC members:
• Robin Alden- Comodo
• Jeremy Rowley- DigiCert
• Bruce Morton- Entrust
• Rick Andrews- Symantec
• Wayne Thayer- Go Daddy
Watch the recording: http://bit.ly/1jAQCtk
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
Not a lot was said about adware, especially not about adware for Mac. Adware is usually dismissed for being too benign and not interesting. After all – it just displays ads. But what if you were hit with an aggressive variant with malware-like features that has root access to your machine and has the ability to do what ever its creators wanted it to do?
A Mac OS X port of the Pirrit adware includes properties like hidden users, traffic redirection, persistence, and weird DGA-looking domains, all showing that an aggressive malvertiser is now targeting Macs. In the case of OSX.Pirrit, it uses simple social engineering to escalate its privileges and eventually take total control of your Mac. And with control of your machine, Pirrit’s creators could have done pretty much anything, like stolen your company’s secret sauce or installed a keylogger to capture the log-in credentials for your bank account. The creators of Pirrit were trying very hard to avoid being detected by antiviruses, personal firewalls and even from some advanced users.
In this talk, we’ll review OSX/Pirrit, dissect its methods and show it could have carried out much more sinister activities besides bombard a browser with ads.
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts.
The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign.
To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation.
In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently.
We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings.
We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
More Related Content
Similar to THE VOICE OF ESAU: HACKING ENTERPRISES THROUGH VOICE INTERFACES
Peter Hoddie's keynote for IEEE at CES 2016. He explores upcoming trends for developers in the IoT space, scriptable IoT leading us to the right standards, and JavaScript for the IoT.
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...CODE BLUE
With the emergence of IoT, which stands for Internet of Things, our daily life is being convenient more than ever. IoT market today grow continuously. To manage a plethora of IoT devices at once, it is changing to the way to control all IoT devices easily and conveniently, rather than operating IoT devices independently. Since the IoT Hub can control the connected IoT devices, it is at high risk for serious damage such as malicious control by an attacker, privacy invasion, leakage of personal information in case of security breaches.
We will present the overall process of exploitation in IoT hub from acquiring root shells to analyzing the multiple IoT Hub firmware for showing how we derive the vulnerabilities. We made a data flow diagram(called as DFD) through the network packet analysis, firmware analysis, security threats we defined, and vulnerabilities. Subsequently, We will also discuss the vulnerabilities found in recently commercialized IoT Hub, and introduce the critical threats that could be derived from the vulnerabilities.
Finally we will show the live demonstration of the full-chain exploitation scenarios in smart home such as “opening door lock, sniffing password and Eavesdropping through the device's microphone control”. By doing so, we will contribute improvement of the security of IoT Network and smart home with the awareness of the threats of IoT Hub.
A 60-slide survey of the Internet of things: market philosophy and theory. Philosophy: Horizontal IoT platforms are stupid. Build something people love. You earn the right for others to base their business upon yours with deeply entrenched vertical value. Making: a survey of a few elements to crafting connected products. Local connectivity, Intelligence, internet connectivity, and – if you insist – IoT platforms.
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
Are WAFs the best approach for defending your website against malicious bots? How can you optimize your WAF for bot detection and mitigation? Watch this webinar and learn practical tips on how to defend your web infrastructure against the OWASP Top 10 as well as brute force attacks, web scraping, unauthorized vulnerability scans, fraud, spam and man-in-the-middle attacks.
World renowned expert and author of Web Application Firewalls: A Practical Approach, John Stauffacher, shares his expertise. He has over 17 years of experience in IT Security and is a certified Network Security and Engineering specialist.
Learn more : http://resources.distilnetworks.com/h/i/95930604-tune-in-for-the-ultimate-waf-torture-test-bots-attack/177622
Attackers don’t just search for technology vulnerabilities, they take the easiest path and find the human vulnerabilities. Drive by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where delivering custom advanced malware that handily evades signature and blacklisting approaches, and does not depend on application software vulnerabilities, how do we understand when are environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker laterally moves and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
Join the CASC Wednesday April 30 for a Google+ hangout on the Heartbleed Bug. We’ll cover everything from what the bug does to how to tell if your site is at risk and how certificate authorities are responding.
Panel of CASC members:
• Robin Alden- Comodo
• Jeremy Rowley- DigiCert
• Bruce Morton- Entrust
• Rick Andrews- Symantec
• Wayne Thayer- Go Daddy
Watch the recording: http://bit.ly/1jAQCtk
OSX/Pirrit: The blue balls of OS X adwareAmit Serper
Not a lot was said about adware, especially not about adware for Mac. Adware is usually dismissed for being too benign and not interesting. After all – it just displays ads. But what if you were hit with an aggressive variant with malware-like features that has root access to your machine and has the ability to do what ever its creators wanted it to do?
A Mac OS X port of the Pirrit adware includes properties like hidden users, traffic redirection, persistence, and weird DGA-looking domains, all showing that an aggressive malvertiser is now targeting Macs. In the case of OSX.Pirrit, it uses simple social engineering to escalate its privileges and eventually take total control of your Mac. And with control of your machine, Pirrit’s creators could have done pretty much anything, like stolen your company’s secret sauce or installed a keylogger to capture the log-in credentials for your bank account. The creators of Pirrit were trying very hard to avoid being detected by antiviruses, personal firewalls and even from some advanced users.
In this talk, we’ll review OSX/Pirrit, dissect its methods and show it could have carried out much more sinister activities besides bombard a browser with ads.
Web3’s red pill: Smashing Web3 transaction simulations for fun and profitTal Be'ery
The introduction of Web3 smart contracts has opened unlimited opportunities for decentralized apps (dApps) and users. With smart contracts, anything that can be coded can be deployed by anyone on the blockchain. As a result, in a Web3 environment, the users’ blockchain transactions, previously merely used for sending coins to peers, are now, in fact, Remote Procedure Calls (RPCs) for smart contracts.
The flip side of this expressiveness is that it’s almost impossible to know analytically in advance what would be the outcome of such RPC to an arbitrary smart contract. Attackers abuse this observability gap to trick users into signing transactions that are harmful in reality. This situation bears a close resemblance to the desktop environment: users need to evaluate in advance if a particular program behavior will be benign.
To solve this gap, Web3 security has taken a page out of the desktop’s security book by using a sandbox-style emulation to evaluate the transaction's outcome before it gets sent to the blockchain. In Web3 lingo, such sandbox emulation is referred to as transaction simulation.
In this talk, we will present our newly discovered attack methods against Web3 simulations, including the first-ever Web3 red pill exploits that allow smart contracts to know that they are running in a simulation and as a result, need to behave differently.
We have tested our findings against numerous leading simulation providers in the Ethereum Virtual Machine (EVM) domain and found that they are indeed vulnerable to such attacks. As a result of our responsible disclosure, multiple (currently three) issues were fixed, and we were awarded bug bounties. We will explain these exploits in detail, including the research methodology allowing us to inspect simulators’ inaccessible inner workings.
We will conclude with new and enlightening insights we gained through this research regarding the true capabilities and limitations of Web3 simulations.
Decentralized Finance (DeFi) is one of today’s most compelling crypto narratives and Compound is one of its most prominent examples. ZenGo research team has taken a deeper look into one of the most intriguing and novel aspects of the Compound protocol, the Liquidation process.
This whitepaper (originally published on early 2020) offers a step-by-step technological explanation and financial survey of Compound’s Liquidation process and thus offers a learning opportunity on a prominent DeFi project, relevant for both experts and beginners.
Web3 Security: The Blockchain is Your SIEMTal Be'ery
2021’s hottest new tech term, according to TechCrunch, was “definitely Web3”. Web3, as its name suggests, is considered by many as the future of the internet: decentralized, permissionless, and based on modern blockchain technology. While Web3 might have a bright future, it’s in the middle of growing pains: A number of Web3 apps were hacked in 2021, leading to theft of cryptoassets valued at hundreds of millions of US Dollars. In this talk we will present Web3 app technology, dissect new attack surfaces, and suggest new and exciting defense mechanisms.
First, we will dive into the technical details of Web3 applications, showing how Web3 technology opens new attack surfaces by moving app functionality onto the blockchain. We will then analyze these newly-exposed attack surfaces by reviewing a few examples we’ve discovered “in the wild.”
While Web3 exposes new attack surfaces, it also provides novel detection opportunities. Specifically, the public and transparent nature of the blockchain allows security researchers to immediately explore full details of any attack and, as a result, leads to quick and thorough discoveries. This is a paradigm shift in security research, as current practices only allow a few to learn actual attack details, only some portions of which are shared publicly. This shift in transparency allowed us to independently explore the aforementioned attacks.
Furthermore, we believe we can do even better and go beyond rapid post-mortem reports. We will show how the same raw data we had previously used for a post-mortem analysis can be analyzed in real-time (or even ante factum by “taking a peek” into the blocks that have yet to be mined) to detect and even prevent attacks. This capability is enabled by the online nature of the blockchain and its inherent block time delays. In fact, we can import, with relevant modifications, many of the principles and learnings of current web defenses, including Web Application Firewall (WAF) into the realm of blockchain. By doing so, we introduce a scheme for a Web3 Application Firewall (W3AF) which can greatly improve Web3 security and blockchain-based apps.
Elliptic Curve Cryptography (ECC) protects many relevant everyday technologies, including the SSL/TLS protocol that protects our Internet communications and ECDSA signatures that protect Bitcoin and Ethereum transactions against modifications. In this talk we will learn about ECC cryptography, using the Billiards game analogy which make ECC understandable even for non-experts. We will describe some attacks against flawed ECC and signatures implementations, including the recent BlueTooth pairing vulnerability discovered by Technion researchers recently
Automate or Die: How Automation Reshapes CybersecurityTal Be'ery
how automation changes both offensive side and defensive side, focusing on the full automation of targeted attacks. Technical analysis of the orchestration and automation of the Lateral Movement phase with BloodHound and GoFetch tools
The Industrial Revolution of Lateral MovementTal Be'ery
Tal Maor & Tal Be'ery Blackhat USA 2017 talk
Recent advancements in the Targeted Attacks technology, and specifically to the Lateral Movement phase of it, are about to ignite an Industrial Revolution in this field.
The original Industrial Revolution and its use of modern methods of mass production is said to had brought "improvements in the cost, quality, quantity, and variety of goods available". The Lateral Movement Industrial Revolution will have similar effects on the attack side.
Consequently, it will have grave repercussions on the defensive side. As always when facing a stressful situation, defenders can respond either by: Fight, Flight, or Freeze.
In this talk, we will describe these recent advancements in the field of automated Lateral, followed by a demo and the release of 'GoFetch', a new open-source lateral movement automation tool. We will conclude with a discussion on the implications of Lateral Movement industrialization on both attackers and defenders.
The Enemy Within: Stopping Advanced Attacks Against Local UsersTal Be'ery
Advanced targeted attackers utilize compromised credentials in order to move laterally within their victims' network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer).
In this talk, we will cover how advanced attackers are abusing local users' credentials in their attacks, including real examples as captured "in the wild". We would follow with suggested new methods and tools to detect and prevent such attacks.
Most notably, we'd expose a tool that implements a method which allows visibility to local users' activity without installing an agent on the monitored machine. The visibility is based on periodic scans of the local users' directory, the Windows Security Account Manager (SAM), using the standard SAM-Remote (SAMR) protocol, messages and APIs. Using these methods defenders gain visibility to local users' logons, group membership, password change among others. Security applications enabled by this visibility include but are not limited to, abnormal logons detection, abnormal group additions and removal detection and abnormal password changes detection.
In this report, we breakdown the Target attack to 11 detailed steps, beginning with the initial credential theft of Target’s HVAC contractor to the theft of PII and credit cards. Particular attention is given to those steps, unknown until now, such as how the attackers were able to propagate within the network. Throughout this report we highlight pertinent insights into the Tactics, Techniques and Procedures (TTPs4) of the attackers. Finally, we provide recommendations on the needed security measures for mitigating similar advanced targeted attacks.
I wrote this paper on 2014 as the VP of Research for Aorato
Today, the topic of cybersecurity has moved from IT and the datacenter to the highest levels of the boardroom. Attacks and threats have grown substantially more sophisticated in frequency and severity. Attackers reside within an internal network an average of eight months before they are even detected. In the vast majority of attacks, they compromise user credentials and they are increasingly using legitimate IT tools rather than malware.
You are now working under the assumption of a breach. How do you find the attackers--before they cause damage?
In this Blackhat talk we will discuss the TTPs (Tactics Techniques & Procedures) of advanced attackers and how they manifest themselves over the network. We will give a special attention to the Reconnaissance and Lateral Movement phases of the Cyber Kill Chain and discuss how network monitoring can be employed to mitigate these risks.
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 1 out of 3
Intro to relevant technologies: HTTP, HTML, HTML5, javascript, same origin policy
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 3 out of 3
Non javascript attacks: including CSRF, attacks on SSL, CSS history, clickjacking
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including Cross side scripting, Malvertizing, MITM
One Key to Rule Them All: Detecting the Skeleton Key MalwareTal Be'ery
Identity is one of the cornerstones of application security. On windows domains, identity is managed through Active Directory (AD) Domain service on the Domain Controller (DC). Therefore, it should come as no surprise that advanced attackers are actively targeting the DC.
Earlier this year, Dell Secureworks had shared a report on an advanced attack campaign utilizing a dedicated DC malware, named “Skeleton Key” Malware. The Skeleton Key malware modifies the DC behavior to accept authentications specifying a secret ”Skeleton key” (i.e. “master key”) password, thus enabling the attackers to login from any computer as any domain user without installing any additional malware while keeping the original users’ authentication behavior.
On this talk, we will explore the unique interaction between such malware functionality and the Kerberos authentication protocol; We will put a special emphasis on its manifestation over the network traffic. We will also share a script that implements the remotes detection of the skeleton key malware functionality.
The talk was given on TCE2015 summer school, Technion, Israel
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
How Does XfilesPro Ensure Security While Sharing Documents in Salesforce?XfilesPro
Worried about document security while sharing them in Salesforce? Fret no more! Here are the top-notch security standards XfilesPro upholds to ensure strong security for your Salesforce documents while sharing with internal or external people.
To learn more, read the blog: https://www.xfilespro.com/how-does-xfilespro-make-document-sharing-secure-and-seamless-in-salesforce/
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading, Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
4. COMFORT COMPUTING
• Many new devices
• Comfort of access becomes #1 priority
• Dedicated devices vs. Layover
• New Input method vs. new API
• We hope to find vulnerabilities
• Introduction of new input method into existing model
• Current inspection mechanisms are oblivious
5. VOICE ACTIVATION
• Amazon Echo vs. Windows 10
• Cortana + Speech Recognition
• Locked computers respond to voice
• Current anti-malware technology does not inspect voice messages
7. THE VOE ATTACK
Default Windows 10 Environment
• Cortana is on
• Cortana triggers on “Hey
Cortana” by anyone
• Cortana triggers on locked
machine
• Cortana can access some data
on locked machine
Effects
• Proximity attack to get initial
foothold
• Lateral movement after some
initial compromise
9. HIGH LEVEL CORTANA MECHANICS
• Most of the processing is done in the cloud
• Two phases
• Audio processing
• wss://websockets.platform.bing.com/ws/cu/v3
• Binary + JSON
• Semantic processing
• https://www.bing.com/speech_render
• GET request, HTML response
17. SEMANTIC PROCESSING PHASE
• Correlation to previous phase
• X-FD-ImpressionGUID -> X-Search-IG
• Rendered by Cortana client
• Javascript launches local programs / processes
• Ambiguity may require an extra iteration
• http://www.bing.com/DialogPolicy
• Response depends on whether machine is reported to be locked or
unlocked
19. INVOKING BROWSING ACTIVITY
• “GOTO someserver DOT COM”
• Two options
• “Normal” sites – launch browser process, send query to Bing with domain name
• “Privileged” sites – launch browser, navigate to selected site
• Activity is performed even when machine is locked
• For some “privileged” sites access is NOT SSL protected
• CNN.COM
19
20. VOE ATTACK – INITIAL COMPROMISE
• Evil Maid Attack
• Plug in a USB network device
• Network device can be selected on a locked machine
• “GOTO CNN DOT COM”
• Invoke insecure browsing
• Intercept request, respond with malicious code
• Exploit browser vulnerabilities
• Capture domain credentials
• Probably better to serve the actual code from an SSL protected service (e.g. Amazon S3)
20
21. THE VOE ATTACK: EVIL MAID (LOCAL)
21
I’m in! but the
computer is locked!
Hi Cortana!
Go to cnn.com
Browse
http://www.cnn.com
I’m CNN and here’s my
malicious payload!
http://www.cnn.com
23. VOE ATTACK – LATERAL MOVEMENT
• Use initial compromise to install agent on compromised machine
• Launch ARP spoofing tool
• Play sound file – “GOTO CNN DOT COM”
• Intercept traffic of affected machines
23
24. THE VOE ATTACK: REMOTE BUTLER(LOCAL)
24
I’m in! but I want to
move around!
Hi Cortana!
Go to cnn.com
Browse
http://www.cnn.com
I’m CNN and here’s my
malicious payload!
http://www.cnn.com
25. AFTER MATH AND OBSERVATIONS
• Reported to Microsoft on July 2017
• Mitigated on August 2017
• Mitigation required no patching for Windows OS
• No direct browsing is now allowed when machine is locked
• Environment mismatch
• Voice input method is available and responding when machine is locked
• Voice control introduced into laptops / desktops as though they are “hands free” devices (e.g.
Mobile phones)
• Initial compromise requires almost no code
25
26. NEWSPEAK TOOL
• Intercepting proxy
• TLS/SSL certificate must be installed on monitored devices
• In many organization already exists for web gateway monitoring, DLP
• Can monitor all Cortana requests and responses
• Originating device
• Request audio and audio processing results
• Semantic processing results (“action to be performed”)
• Can block or modify all Cortana requests and responses
26
27. NEWSPEAK PROXY: ANGEL OR DEVIL?
27
I’m a bad proxy!
Hi Cortana!
Go to cnn.com
Browse
http://www.cnn.com
Browse
http://www.foxnews.com
29. NEWSPEAK PROXY: ANGEL OR DEVIL?
29
I’m a good proxy!
Hi Cortana!
Go to cnn.com
Browse
http://www.cnn.com
Browse
https://www.cnn.com
30. FURTHER RESEARCH
• Introduction of new input methods / interaction mechanism introduces not
only “new code” vulnerabilities but new attack concepts
• Extend research to other environments (Siri)
• Find more “dangerous” Cortana commands
• Extend the concept of voice attacks
• Vocal Malware
• Cross site speaking
30
I am tired of my voice, the voice of Esau. My kingdom for a drink. On." —James Joyce, Ulysses, episode 9
Many new devices that we are trying to fit into our life seamlessly.
Trying to create a “universal access method” for all devices. A mouse is not universal since it does not connect to mobile devices. Touch is not universal as it is not comfortable with stationary device.