blackhat 2014 conference and defcon 22
DESCRIPTION
Notes from the 2014 Black Hat Conference. Also some tidbits from the Defcon Conference.
TRANSCRIPT
Blackhat US 2014
** Now with bonus Defcon 22 content
Presented by Michael Gorman, Lipika Kumar and Neil Rhine
BlackHat Vs Defcon
Blackhat
Defcon
Top talks
● Keynote
● How to Wear Your Password
● Web and Mail Filtering
● Hack All the Things
● Deception in Cyber
● Pivoting in Amazon Clouds
● Call to Arms: a tale of the weakness of current client-side XSS filtering
● Survey of Remote Attack Surfaces
● Panel: API Security
● Third Party Libraries and Dependencies
● Security in CI
● Memcached Injections
What happens if you abandon your car on the side of the road?
- Someone else will eventually take ownership, why shouldn’t the same be true of software?
Keynote
Dan Geer
● Source code liability
● Resiliency
● Software abandonment
● Bug bounties
● Convergence
How secure is the average password?
- 8 bits of security, very quick to crack
- A biometric fingerprint is 30 bits of data, but offers even less security, because of similarities between people's prints
Wear Your Password
● Computational power
● Increase authentication difficulty, but limit its use
● A device to represent you
Do we have web and email filtering?
- Yes and yes
Does it protect us from phishing?
Enumeration of Web/Mail Filter Policy
● Using non existent emails you can learn a lot about email servers
● Client side javascript can be used to test any number of policy options
In what ways can a system be compromised?
- Physically (UART, eMMC readers)
- Software vulnerabilities (XSS, command injection)
Hack All the Things
Three main vectors of attack generally used:
● Software vulnerability (XSS, command injection)
● eMMC / memory dumps
● UART - onboard serial connection
Don't ever give physical access to anything!
What countries are the most practiced in deception?
- China
- Russia
- Ukraine
Deception in Cyber
● Strength in words, developing a lexicon
● History of deception
Question Time
Name some well-known companies that are already on the cloud
- Amazon
- AT&T
- Google
- Microsoft
- Salesforce.com
What are some security vulnerabilities with cloud-based services?
- Losing security keys. Don't share keys with anyone! Not even your provider.
Techniques for preventing attacks?
- Split-key encryption.
- The provider gives you the infrastructure, but you are responsible for security.
- Knowing your application inside and out and not simply
Lessons
Providers give you the infrastructure, but you are responsible for making sure you don't lose your secrets!
“The specific challenges differ for the three cloud delivery models, but in all cases the difficulties are created by the very nature of utility computing, which is based on resource sharing and resource virtualization and requires a different trust model than the ubiquitous user-centric model that has been the standard for a long time.”
Pivoting in Amazon Clouds
● AWS credentials for each instance are served by the instance metadata service
● IAM profile management strategies
  o divide up
● Code demo for nimbostratus
  o includes hacking into AWS for credentials
  o provides a sample AWS environment set up to hack
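The "divide up" strategy above means one narrowly scoped role per workload, because the credentials an instance fetches from its metadata service carry exactly the permissions of the attached role. As an added example (not from the talk or the nimbostratus tool), this small audit flags Allow statements in an instance-profile policy that grant wildcard actions or resources; the policy document and account id are constructed for illustration.

```javascript
// Normalise a policy field that may be a string, an array, or absent.
const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Returns one finding per Allow statement that is broader than a single
// workload should need: a "*" or "service:*" action, or a "*" resource.
function findOverbroadStatements(policy) {
  const findings = [];
  toList(policy.Statement).forEach((stmt, idx) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements narrow, never widen
    const wildActions = toList(stmt.Action).filter(
      (a) => a === '*' || a.endsWith(':*'),
    );
    const wildResources = toList(stmt.Resource).filter((r) => r === '*');
    if (wildActions.length || wildResources.length) {
      findings.push({
        statement: stmt.Sid || `Statement[${idx}]`,
        wildActions,
        wildResources,
      });
    }
  });
  return findings;
}

// Constructed sample policy: one scoped grant mixed with two broad ones.
// The account id 123456789012 is a placeholder, not a real account.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'ReadAppBucket', Effect: 'Allow', Action: ['s3:GetObject'],
      Resource: 'arn:aws:s3:::example-app-bucket/*' },
    { Sid: 'AdminEverything', Effect: 'Allow', Action: '*', Resource: '*' },
    { Sid: 'IamAll', Effect: 'Allow', Action: 'iam:*',
      Resource: 'arn:aws:iam::123456789012:role/*' },
    { Sid: 'DenyDelete', Effect: 'Deny', Action: 's3:DeleteObject', Resource: '*' },
  ],
};

// findOverbroadStatements(SAMPLE_POLICY) reports AdminEverything and IamAll;
// the scoped S3 read and the Deny statement are left alone.
```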
Question Time
What is XSS?
- Cross-site scripting
What are the different types of XSS attacks?
- Reflected and stored
What are some techniques to prevent XSS attacks?
- Regular-expression-based approaches: NoScript, Internet Explorer
Call to Arms XSS
● Basics of XSS: reflected and stored
● Ways to prevent attacks:
  o Chrome XSS Auditor
  o libraries
  o choice of framework
● Demo of hacking through Chrome XSS Auditor
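The talk's point is that a browser-side filter such as the XSS Auditor is a last line of defence, and the fix belongs in the application's own output encoding (the "libraries" and "choice of framework" bullets). As an added example (not from the talk), a reflected-XSS rendering bug is shown beside its hardened form; the template, helper names and inputs are constructed.

```javascript
// Vulnerable version: an untrusted query parameter is concatenated straight
// into the HTML response, so any markup in it is reflected to the browser.
function renderGreetingVulnerable(name) {
  return `<h1>Hello, ${name}!</h1>`;
}

// Contextual encoding for an HTML text node or quoted attribute value:
// the five characters that can change the parser's state are replaced.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened version: same template, untrusted data encoded for its context.
// This holds for every input, unlike a regex denylist, which only covers
// the constructs it enumerates and may also reject legitimate text.
function renderGreetingSafe(name) {
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// Test helper: true if the rendered page still carries the input verbatim,
// which for markup input means it was reflected unencoded.
function reflectsVerbatim(render, input) {
  return render(input).includes(input);
}
```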
Question Time
What kinds of cars can be hacked?
- Any car that relies on software to control parts of the car. "If you can write a web-based exploit you can hack into a car!" (quote from the talk)
Define cyber-physical attacks
- Attacks that result in physical control of various aspects of the automobile
A Survey of Remote Automotive Attack Surfaces
Most hackable:
1. 2014 Jeep Cherokee
2. 2015 Cadillac Escalade
3. 2014 Infiniti Q50
Least hackable:
1. 2014 Dodge Viper
2. 2014 Audi A8
3. 2014 Honda Accord
Demo Time!
Attack against test env
Bonus Question:
What does CVSS stand for?
Third Party Library and Dependencies
CVSS - Common Vulnerability Scoring System
OpenSSL - Heartbleed
Destroyed the idea of security for the average person
Question Time!
Name two of the most common types of attacks
2 of 3 - XSS, DDoS, SQL injection
Name the open source Linux Distro that helps you test vulnerabilities
Kali Linux
Security in CI
Can't wait for something to happen
Technologies that test for external dependency vulnerabilities - SensioLabs, OWASP
Request for Security Minded people
Rugged Manifesto
I am rugged and, more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary and I am up for the challenge.
Start Doing...
● Hackweek projects that involve hacking and prevention improvements
● Considering possible security breaches when looking at teammates' pull requests
● Security lunch and learns
● Capture the flag
● Monthly security hacking sessions (front end, back end)
Stop Doing...
Waiting for a problem to arise
Trusting security to other people
What do you see wrong?
Thoughts Provoked by Talks at the Conference
We are responsible for our security even if we are using third party services
Links to Blackhat Material
List of Blackhat Talks 2014 Slides, Whitepapers and Source Code
Call to Arms XSS Whitepaper
Call to Arms XSS Slides
Pivoting in Amazon Clouds Whitepaper
Pivoting in Amazon Clouds Slides
Survey of Remote Attack Surfaces
Thank You