Changes in the Cyber Security Industry
REvisiting Software Security – State of the Art
Software exploitation has been practised for many years and the research continues, producing different types of attacks that demonstrate that flaws in the software itself are exploitable. In the early days of software exploitation, vendors kept denying that vulnerabilities existed in their products, and some took years to fix the problem. Then full disclosure was introduced to the public, and everyone doing the same research kept posting exploits on the Internet, where they were used for good or for bad.
Vulnerability research is one of the methods of securing software and usually involves complex processes such as reverse engineering, fuzzing, secure code auditing, and developing a proof of concept or even a full exploit chain. These days there are many resources that can help in this process, including tools for fuzzing and libraries that speed up exploit development. The pace of mitigations developed by large vendors such as Microsoft has drawn the attention of researchers and reduced many attack surfaces. With this, the cost of vulnerability research has changed slightly.
Disclosing a vulnerability to a vendor can be a painful process: months of conversation over email, with updates or with no progress at all. In our talk we will discuss research we have done on different types of software, including our approach and analysis. We will discuss the vulnerabilities we found and the exploitation strategy. As a fun fact, we will also talk about how we approached one of the Malaysian government agencies to coordinate the disclosure of a software vulnerability.
EW & SIGINT: Swiss Army Knife of Modern Combat
I CAN Fuzz my Junks for less than 50 dollars
Shall we play a game of car hacking? CAN you fuzz? Oh wait! We don’t want to test our own car and brick it. Hmmm, how about building our own car hacking lab? Too many components and ECU kits, though. Building a car hacking lab will surely take time, resources and analysis. What if I have zer0 knowledge of automotive wiring and CAN bus hacking?
Say no more, because I’ve got you! In this talk we don’t need roads. Sit tight, and no need to fasten your seatbelts, because this will be a quick, cheap, practical and dirty approach to car hacking, specifically CAN bus hacking. Using a single component of a car, acquired from a junkyard or by any means necessary, you can start car hacking by yourself, moving from fuzzing a simulator to actual hardware with open source tools and hardware. We will also talk about building your own low-cost CAN fuzzer and creating a Metasploit module geared towards the hwbridge.
Warning: this talk could produce future car hackers who will turn up at your nearest Car Hacking Village and bug bashes.
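To make the "fuzz a simulator first" idea concrete, here is an added example of a minimal seed-based CAN frame fuzzer. It is not code from the talk, from Metasploit or from the hwbridge; it is written here for illustration. It assumes Linux SocketCAN (a virtual interface such as vcan0, or a real adapter) as the transport, and the interface name, the seed arbitration ID 0x244 and the mutation strategies are assumptions of the example, not values from the abstract. Frames are packed into the 16-byte struct can_frame layout SocketCAN expects, so the same frames can be replayed against a simulator (for example a vcan0 interface with an ECU simulator listening) and later against junkyard hardware.

```python
"""Seed-based CAN frame fuzzer emitting SocketCAN struct can_frame records (added example)."""
import random
import socket
import struct

# struct can_frame: u32 can_id, u8 len, 3 pad/reserved bytes, 8 data bytes = 16 bytes
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)
CAN_EFF_FLAG = 0x80000000      # set in can_id for 29-bit extended frames
CAN_SFF_MASK = 0x7FF           # 11-bit standard ID
CAN_EFF_MASK = 0x1FFFFFFF      # 29-bit extended ID


def pack_frame(can_id, data, extended=False):
    """Pack (can_id, data) as a SocketCAN frame; rejects out-of-range IDs and DLC > 8."""
    data = bytes(data)
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("extended ID exceeds 29 bits")
        cid = can_id | CAN_EFF_FLAG
    else:
        if can_id > CAN_SFF_MASK:
            raise ValueError("standard ID exceeds 11 bits")
        cid = can_id
    return struct.pack(CAN_FRAME_FMT, cid, len(data), data.ljust(8, b"\x00"))


def unpack_frame(raw):
    """Inverse of pack_frame: returns (can_id, data, extended)."""
    cid, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    extended = bool(cid & CAN_EFF_FLAG)
    can_id = cid & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return can_id, data[:dlc], extended


def mutate(seed_id, seed_data, rng, id_jitter=0x10):
    """Apply one mutation strategy to a seed frame (assumed strategies, standard 11-bit IDs)."""
    data = bytearray(seed_data)
    can_id = seed_id
    strategy = rng.choice(["bitflip", "byte", "length", "id", "boundary"])
    if strategy == "bitflip" and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == "byte" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif strategy == "length":                       # vary DLC, including 0 (remote-like frames)
        n = rng.randrange(0, 9)
        data = bytearray(rng.randrange(256) for _ in range(n))
    elif strategy == "id":                           # nearby IDs often belong to the same ECU
        can_id = (seed_id + rng.randrange(-id_jitter, id_jitter + 1)) & CAN_SFF_MASK
    else:                                            # boundary values for signed/unsigned signals
        data = bytearray(rng.choice([b"\x00" * 8, b"\xff" * 8, b"\x7f\xff" * 4, b"\x80\x00" * 4]))
    return can_id, bytes(data), strategy


def fuzz_frames(seed_id, seed_data, count, seed=0):
    """Deterministic batch of mutated frames so a crash can be reproduced from the seed."""
    rng = random.Random(seed)
    return [mutate(seed_id, seed_data, rng) for _ in range(count)]


def send_frames(iface, frames):
    """Send over SocketCAN if available (Linux only); returns the number of frames sent."""
    if not hasattr(socket, "AF_CAN"):
        return 0
    s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    try:
        s.bind((iface,))
    except OSError:                                  # interface missing or down
        s.close()
        return 0
    sent = 0
    try:
        for can_id, data, _ in frames:
            s.send(pack_frame(can_id, data))
            sent += 1
    finally:
        s.close()
    return sent


if __name__ == "__main__":
    batch = fuzz_frames(0x244, bytes(8), 50, seed=42)   # 0x244 is an assumed seed ID
    for can_id, data, strategy in batch[:5]:
        print(f"{can_id:03X}#{data.hex()}  ({strategy})")
    print("sent", send_frames("vcan0", batch), "frames")
```

Keep the random seed with every batch: when the simulator or the bench ECU misbehaves, the same seed regenerates the exact frame sequence, which is what makes a fuzzing run useful rather than just noisy.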
Who owns your servers: scavengers of cybercrime
Examining “Living off the land” malicious infrastructure
Do you know who else is using your servers? I am sure you do not. In this presentation we examine how many servers and exposed assets on the Internet live a double life: on one hand serving their owners, on the other secretly serving the goals of international cybercriminals.
Attackers have used “Living off the land” in the attack kill chain for some time, leveraging locally available tools rather than introducing their own. What is less known is that many threat actors use the same technique when building their infrastructure. From professional targeted-attack groups to traditional cybercrime investigations, attribution of an attack is often performed based on the infrastructure used by the attacker. However, we conducted large-scale research into attacker infrastructure and identified that many of the systems used for hosting phishing content, command and control servers or data exfiltration are actually third-party compromised systems, repurposed for malicious use.
In this talk we examine the post-compromise life of servers and exposed assets by looking into several forensic case studies. We describe the ecosystem and modus operandi of the underground actors responsible for the different stages of monetization. We also demonstrate how prices on the underground market for compromised assets depend on the stage and the available monetization options. Attackers maintain their own criteria of interest for servers: some are to be monetized through ransomware, while others are resold to higher-end “consumers”.
We developed a kill-chain analogue for the monetization of compromised assets, which could help compromised organizations to properly assess the risk. For example, detection of crypto-mining software within corporate networks is often dismissed as not a significant threat; however, it should be considered a warning sign. Often this is a temporary use of the system by the attacker while they try to sell the asset on the open market. When neglected, the organization may face an escalation of attacker activity, including further lateral movement or a ransomware outbreak.
Our hope is that increasing awareness of the ecosystem and modus operandi of such attackers will help increase the capabilities of blue teams in the effective detection and handling of server compromise incidents.
Who Stole My 100,000 Dollars’ Worth of Bitcoin Wallets – Catch Them All With New Deceptive Bait
Millions of malicious Internet-wide scans happen every day, looking for exposed sensitive files on insecure Internet-facing servers. Corporate information, sensitive data and personal files are always popular, juicy targets. What if we could easily craft a ‘tailor-made’ deceptive file, let it get stolen on the Internet, and have it notify us with the ‘thief’s’ information?
In this session we will showcase an interesting 90-day real-world use case: selectively spreading ‘$100,000 worth’ of Bitcoin wallets on the Internet by different means. These wallets were embedded in ‘tailor-made’ archive files with custom alerting mechanisms.
Surprisingly, all wallets were stolen, and some of them were stolen within minutes! We will share the technique in detail, with do’s and don’ts and lessons learned. We will deep-dive into the interesting collected results and unexpected, fruitful observations, and expose the ‘thief’.
We will introduce ‘Honeybag’, a new open source honeyfile tool with which everyone can easily craft a deceptive archive with a tailored alerting mechanism and support for any embedded decoy documents. This will be useful in data breach detection and cybercrime investigation.
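The abstract does not say how Honeybag's alerting works, so the following is an added example of one common honeyfile alerting design, not Honeybag's code and not the mechanism the speakers used: each planted archive carries a unique token inside a decoy HTML file that references a remote image, and the web server that hosts that image logs every fetch. Correlating the token in the access log with where the bag was planted tells you which copy was opened and from which address. The beacon host beacon.example.invalid, the /b/<token>.png path, the decoy file contents and the access-log lines are all constructed for the example.

```python
"""Honeyfile archive builder plus access-log correlation (added example, not Honeybag)."""
import io
import re
import uuid
import zipfile

BEACON_HOST = "beacon.example.invalid"   # assumed: your own server that logs image fetches
BEACON_PATH = "/b/"                      # assumed URL prefix for beacon images

# Combined-log style line with a beacon fetch: IP, timestamp, token, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|HEAD) ' + re.escape(BEACON_PATH) + r'(?P<token>[0-9a-f]{32})\.png[^"]*" '
    r'(?P<status>\d{3})'
)


def build_honeybag(token, decoy_name, decoy_bytes):
    """Return zip bytes containing the decoy plus a README.html whose image beacon carries the token."""
    beacon_url = f"https://{BEACON_HOST}{BEACON_PATH}{token}.png"
    html = (
        "<html><body><h3>Wallet backup - open README first</h3>"
        f'<img src="{beacon_url}" width="1" height="1" alt="">'
        "</body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy_name, decoy_bytes)
        zf.writestr("README.html", html)
    return buf.getvalue()


def new_bag(registry, label, decoy_name, decoy_bytes, token=None):
    """Mint a token, record where the bag is planted, and return (token, zip_bytes)."""
    token = token or uuid.uuid4().hex
    if token in registry:
        raise ValueError("token already planted")
    registry[token] = label
    return token, build_honeybag(token, decoy_name, decoy_bytes)


def archive_names(zip_bytes):
    """List the files inside a built bag (useful to verify the decoy before planting)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def find_triggers(log_lines, registry):
    """Match beacon fetches against planted tokens; unknown tokens and other requests are ignored."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label = registry.get(m["token"])
        if label is None:                 # scanner guessing paths, not one of our bags
            continue
        alerts.append({"ip": m["ip"], "when": m["ts"], "bag": label, "status": m["status"]})
    return alerts


def sample_access_log(token):
    """Constructed access-log lines for demonstration; not real traffic."""
    return [
        f'203.0.113.7 - - [12/Mar/2020:10:03:44 +0000] "GET {BEACON_PATH}{token}.png HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
        '198.51.100.9 - - [12/Mar/2020:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.64.1"',
        f'192.0.2.33 - - [12/Mar/2020:10:07:12 +0000] "GET {BEACON_PATH}{"0" * 32}.png HTTP/1.1" 404 0 "-" "-"',
    ]


if __name__ == "__main__":
    registry = {}
    decoy = b"constructed decoy bytes, not a real wallet"
    token, bag = new_bag(registry, "paste-site drop #1", "wallet.dat", decoy)
    print(archive_names(bag))
    for alert in find_triggers(sample_access_log(token), registry):
        print(f"bag '{alert['bag']}' opened from {alert['ip']} at {alert['when']}")
```

Two caveats a practitioner will want: an image beacon only fires if the thief renders the HTML with remote content enabled, so a raw wallet.dat on its own never phones home, and the reporting IP is whatever fetched the image (often a proxy or a sandbox), not necessarily the person who took the file.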
Qiling Framework: Instrumenting the Uninstrumentable
Qiling Framework (https://qiling.io) is a sandbox emulator framework with a rich set of Python APIs that enable highly customizable analysis tools to be built on top of it. Using emulator technology internally, our engine can run executable binaries across platforms and architectures, so we can analyze Windows PE files on Linux ARM64, MIPS-based IoT firmware on macOS, and so on.
In this session we will discuss how to use Qiling with IDA Pro, combining the best static analysis tool with an emulation engine to achieve cross-platform, multi-architecture analysis. In this lab we also cover how to dynamically analyze an MBR binary (e.g. Petya) with Qiling Framework.
StreamCrime: Leveraging modern apps platform for old crimes
Live streaming applications have been a trend since 2016, starting with the Bigo Live application, which became the predecessor of the applications that followed it. Today many people use live streaming applications to find entertainment and partners, and even to make money easily.
This talk will discuss real cases of illegal activities or crimes committed using applications, especially live streaming applications, from ordinary crimes to financial crimes: what kind of illegal activities occur, who is involved in them, why these crimes happen and, of course, how they are carried out.
Do you know that the daily turnover of money on live streaming applications is very large?
Do you know that there are syndicates who launder money on live streaming applications?
Do you know there is online gambling under the guise of live streaming applications?
Do you know that some drug dealers use live streaming applications to recruit drug couriers?
This is happening in Indonesia, and it is very likely to happen in other countries.
Chinese Police and CloudPets
This talk offers an entertaining balance of outrageous vulnerabilities, politics, privacy and surveillance. It will not leave any attendee indifferent, and eyebrows may rise beyond what you thought possible. Come and have fun 🙂
We cover a summary of four different security audits with an interesting background.
Part 1: CloudPets
Wouldn’t it be cool, for a parent far from home, to be able to record a voice message with their phone and have the sound come out of a soft toy that children can hug? That’s the idea of CloudPets: children can even respond directly from the soft toy and communicate with their parents. What could possibly go wrong? Let your imagination run wild and you will still fall short 🙂 Database dumps, blackmail, ransoms, millions of people affected, our findings and other intrigues: not to be missed!
Next, two mobile apps used by the Chinese police: “BXAQ” and “IJOP”, both related to the surveillance of ethnic minorities, but in different ways. This part covers two surveillance mobile apps that Chinese authorities use to gather data on the Muslim minorities of China’s Xinjiang region, the applications “IJOP” and “BXAQ”. These audits were sponsored by Human Rights Watch (HRW) and the Open Technology Fund (OTF) respectively. The Chinese government faced international criticism when the results of these audits became public.
Finally, an app promoted by the Chinese government, “Study the Great Nation”, will also be covered. This audit was sponsored by the Open Technology Fund (OTF) and relates to a point-based reward system that depends on how much you know about China, its history and its leaders. There were concerns about potential spying capabilities built into the app; we will go over some of the human rights activists’ questions and the evidence we found to answer them.
While the audits focused on gathering evidence of the surveillance activities, which will be covered in this talk, we will also discuss some interesting vulnerabilities that we found along the way that were not the focus of the audits themselves. For those interested in learning about mobile security, we will also talk about the challenges these apps posed and how we overcame them.
Exactly what kind of data are these apps collecting? Can we guess what they might use the data for? Come to find out.