Best of BlackHat USA, DEFCON, Usenix Security 2015 (2015-10-01)


BlackHat Briefings 5-6.Aug, DEFCON 6-9.Aug, Usenix Security 10-14.Aug

BlackHat USA

● Trainings (4 days)
● Briefings (2 days)
● US$ 1800-2600
● 8 parallel tracks + 10 tool tracks
● Business Hall
● Keynote (Jennifer Granick)
● We currently accept censorship, because it only affects marginal groups

BlackHat USA

● Preface: libstagefright
● Android State of the Union (Adrian Ludwig)
● New update program: security updates for Nexus every month for 3 years; LG & Samsung to follow
● PHA – Potentially Harmful Application
● Extensive data collection
  – Looking for high risk devices
  – Rare app collection
● Targeted attacks
  – Huge geographical differences (e.g. China, Russia)

High Risk Devices

BlackHat

● Android Security State of the Union (cont.)
● Collection on developers as well
  – If many users answer “no” to an app's SMS-sending dialog, that app should probably not exist
  – Usage of old libs, wrong usage of keys, etc.
● e.g. OpenSSL by Google, not the platform provider
● Over 60,000 warnings to app developers in the last years
● Working on an inter-app Intent firewall (now being tested/used in Russia)
● Security rewards now up to USD 38K, will increase

BlackHat

● Breaking HTTPS with BGP Hijacking (Artyom Gavrichenkov)
● BGP hijacking can be used to obtain false certificates
● With CAs that verify domain ownership automatically (e.g. email, whois, HTML cookie, DNS TXT record)

BlackHat

● Adventures In Femtoland: 350 Yuan for Invaluable Fun
● Huawei 4G femtocell reversed
● VxWorks, brute-forced JTAG, reversed protocols and keys
● Able to simulate a 4G cell; make identity requests, change time and send SMS (not included in integrity checks, or ignored)
● No data and calling though.
● Sold out on Alibaba in minutes.

Fuzzing is back!

Defcon, BlackHat, Usenix Security

● Fuzzing is back!
● Stagefright
● SSL stack state machine reversing
● Universal Android Rooting (BlackHat + Usenix)
● Many more…

Defcon

● Dan Kaminsky – Clickjacking
● Adobe Flash actually does screen scraping to detect clickjacking!
● Clickjacking around for 10+ years
● W3C standard soon: “Iron Frames” (like IFRAMEs)
  – Always on top
  – Produce events when
    ● not in viewport (scrolling)
    ● partially covered/shown
    ● fully visible but not long enough
    ● fully visible

Usenix Security

● WOOT with “Breaking TLS” session
● FlexTLS (tool for verifying TLS implementations)
  – Used for SKIP & FREAK
● KCI Attacks against TLS (Clemens Hlauschek, RISE)
● Non-ephemeral Diffie-Hellman key exchange with fixed Diffie-Hellman client authentication
  – e.g. used by Facebook
● Complete compromise; full MITM

Usenix Security

● Session (& paper) names
  – Run-DMA
  – Measurement: We Didn't Start the Fire
  – Now You're Just Something That I Used to Code
  – Tic-Attack-Toe
  – Sock It To Me: TLS No Less
  – Ace Ventura: PETS Detective
  – ORAMorama!
  – But Maybe All You Need Is Something to Trust
  – And the Hackers Gonna Hack, Hack, Hack, Hack
  – Let's Get Ethical, Ethical
  – It's a Binary Joke: Either You Get It, or You Don't
  – Pain in the App
  – Oh, What a Tangled Web We Weave
  – ADDioS!

Usenix Security

● Protocol State Fuzzing of TLS Implementations (Joeri de Ruiter)
● Fuzzing SSL stack state machines
● Reconstructing state machines, finding illegal transitions
● e.g. switch to cipher mode without key exchange
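The illegal transition named above, as an added example that is not from the talk or the paper: a toy model of a TLS 1.2 server handshake state machine in Python, with a strict server beside a lax one that honours ChangeCipherSpec in any state, and a brute-force enumeration of message sequences standing in for the paper's model learning. The state and message names are my own simplification and assume a four-message client flow.

```python
from enum import Enum, auto
from itertools import product


class State(Enum):
    START = auto()
    HELLO_DONE = auto()
    KEY_EXCHANGED = auto()
    CIPHER_ACTIVE = auto()
    ESTABLISHED = auto()


# Simplified client-side handshake messages (assumption: four-message flow).
MESSAGES = ("ClientHello", "ClientKeyExchange", "ChangeCipherSpec", "Finished")
HAPPY_FLOW = MESSAGES  # the only order a correct server should accept

# Strict server: every transition is keyed on (current state, message);
# anything not listed is treated as a fatal alert (run returns None).
STRICT = {
    (State.START, "ClientHello"): State.HELLO_DONE,
    (State.HELLO_DONE, "ClientKeyExchange"): State.KEY_EXCHANGED,
    (State.KEY_EXCHANGED, "ChangeCipherSpec"): State.CIPHER_ACTIVE,
    (State.CIPHER_ACTIVE, "Finished"): State.ESTABLISHED,
}


def run_strict(msgs):
    state = State.START
    for m in msgs:
        state = STRICT.get((state, m))
        if state is None:  # unexpected message for this state: abort
            return None
    return state


def run_lax(msgs):
    """Bug class from the slide: ChangeCipherSpec switches to cipher mode
    regardless of state, so keys may never have been exchanged."""
    state = State.START
    for m in msgs:
        if m == "ChangeCipherSpec":
            state = State.CIPHER_ACTIVE
        else:
            state = STRICT.get((state, m))
            if state is None:
                return None
    return state


def illegal_accepted(run, depth=4):
    """All sequences up to `depth` messages that reach ESTABLISHED by a
    path other than the happy flow; a correct server yields an empty list."""
    bad = []
    for n in range(1, depth + 1):
        for seq in product(MESSAGES, repeat=n):
            if run(seq) is State.ESTABLISHED and seq != HAPPY_FLOW:
                bad.append(seq)
    return bad
```

Running `illegal_accepted(run_lax)` lists the paths where the lax server reaches ESTABLISHED without ever seeing ClientKeyExchange.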

Usenix Security

● To Pin or Not to Pin—Helping App Developers Bullet Proof Their TLS Connections
● Marten Oltrogge and Yasemin Acar, Leibniz Universität Hannover; Sergej Dechand and Matthew Smith, Universität Bonn; Sascha Fahl, Fraunhofer FKIE
● 640,000 apps, only 45 use SSL pins

Usenix Security

● Rocking Drones with Intentional Sound Noise on Gyroscopic Sensors (Yunmok Son et al.)
● MEMS gyroscopes & accelerometers
● Resonant frequencies of sensors