Michael Schneider
Since the generous folks at Black Hat were kind enough to invite me to another edition of Black Hat Europe, which returns to the beautiful city of Amsterdam this week, I felt that it would be a good idea to share a quick preview here.
First of all, I will be roaming around the event venue during both days of the briefings, so feel free to say hi when you spot me somewhere. I will also most likely drop by the usual social events and, of course, the same goes there. If you would like to get in touch, Twitter is probably the easiest way to do so.
With that out of the way, let’s take a look at the content. I thought I would follow suit with Xavier, who already shared his talk wishlist on his blog.
My set of picks differs slightly, as will everyone else’s. So please see this as a result of personal preference, not a rating of any kind. Also, there’s obviously a maximum of one pick per timeslot, so if you are attending yourself, go and check the agenda to pick your own favorites to match your own taste.
Spyphones are surveillance tools surreptitiously planted on a user’s handheld device. While malicious mobile applications, mainly phone fraud applications distributed through common application channels, target the typical consumer, spyphones are nation states’ attack tools. Why? Once installed, the software stealthily gathers information such as text messages (SMS), geo-location information, emails and even surround recordings. How are these mobile cyber-espionage attacks carried out? In this engaging session, we present novel proof-of-concept attack techniques – both on Android and iOS devices – which bypass traditional mobile malware detection measures and even circumvent common Mobile Device Management (MDM) features, such as encryption.
Why? I spent a lot of time during the last two years dealing with Mobile Device Management platforms, where dealing essentially means breaking them and desperately trying to fix them. So naturally, this is sort of a must-see for me.
I have discovered and provided over 100 proof-of-concept exploits to various vendors over the past 12 months, and most of these have related to security appliances. This presentation discusses common vulnerabilities found across various appliances, and some interesting attack vectors where external attackers can exploit vulnerabilities in appliances to gain control over gateways, firewalls, email and web-filters, VPN solutions and access the internal network.
Why? I’ve written it many times before: Throwing money at problems in the form of security products does not work. But to add insult to injury, it might even get you owned. While I won’t go as far as implying an inherent sense of ironic justice here, the topics outlined in this talk might serve as a great argument to get CISOs to reconsider some of their old-fashioned strategic security habits.
3G/4G networks are getting more and more popular these days. Most users nowadays have USB 3G/4G modems – they’re small, easy to use and pretty cheap. That’s why we started this research. The main idea of it: find an opportunity to infect as many as possible. As a result of this research we can say that the software that manages the USB device is full of vulnerabilities (from Remote Code Execution to Local Privilege Escalation). So, full pwnage of a box. The main goal of modem infection could become the construction of a worldwide botnet: from infecting one website to pwning all users of Huawei USB modems.
Why? Frankly, it just sounds like entertaining research. I own a Huawei 3G AP myself and, as I like to tinker with things, this appeals to me. I guess some things just never change…
Laptop docking stations are widely used in the corporate world, often in hot-desking environments. They provide a neat connectivity solution for workers who are semi-mobile and therefore use laptops rather than desktop PCs. However, laptop docks are an attractive target for an attacker. They have access to the network, to all the ports on a laptop (and often some that aren’t) and they are permanently connected to a power supply. But most importantly, they are considered to be trusted, “dumb” devices – they just connect all the ports on your laptop to the ports in the dock right? The IT department is more concerned about someone stealing your laptop, so they’ll ask you to secure your laptop with a Kensington lock (but not necessarily to secure the dock). This talk is about how attackers can exploit the privileged position that laptop docking stations have within the corporate environment. It will also describe the construction (and show a demo) of a remotely controllable, covert hardware implant within a commonly used laptop docking station, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.
Why? Years back, I gained access to a corporate network in a red team assessment by planting a tiny USB stick on a Thinkpad docking station of an executive director. It was simple and beautiful: Plug it in, wait for the victim to dock his laptop and there you go: Game over. I still have fond memories of this, and this talk seems to take the idea to the next level, essentially turning a docking station into an all-round surveillance pod. Therefore, this went straight to the to-see list.
Multiplayer online game security is an underestimated field, with an insane number of players playing online games and companies pushing out new games at an incredible rate. In this ecosystem, finding vulnerabilities in games turns out to be really attractive work. This talk details the current status of game security, describing game-specific issues and how to find vulnerabilities in games. Moreover, this talk covers in detail the security of the Steam Browser Protocol and will discuss a new 0-day vulnerability affecting a well-known multiplayer game.
Why? I will admit that I have spent way too much time playing online games and still enjoy a casual game of DOTA2 now and then. But apart from that, the topic is highly relevant for other reasons. Since game publisher Blizzard Entertainment introduced a Real Money Auction House in Diablo 3, it became blatantly obvious that in-game items can carry real value. Making sure that this type of feature is not abused is a giant challenge for an industry that was, for decades, primarily bothered by people using wallhacks to virtually shoot other people through walls they could see through.
That’s it for now. Thanks for reading and see you at Black Hat!