Fake News and Info-Ops: Modern Information Warfare,
and What to Do About It

Tuesday, Jan 23 | 09:30-10:30 AM
In the Summer of 2016, the U.S. was rocked by a huge disinformation campaign orchestrated by the Russian government to influence the U.S. election, involving the hacking and disclosure of thousands of emails, dissemination of “fake news”, and the propagation of messages through social media designed to influence public debate. Disinformation isn’t new – even in U.S. political campaigns. It also isn’t the sole preserve of nation-states, and isn’t limited just to influencing elections. What is new is how modern technology like social-media, machine-learning, targeted advertising and, yes, hacking have all led to a massive explosion in the scale and effectiveness of disinformation. So what is disinformation? How did we get here? What does the future of information warfare look like? And what can we, as technologists, do about it? Come along to find out.

Beyond Belief: The Case of Spectre and Meltdown

Daniel Gruss
Moritz Lipp
Michael Schwarz
, Graz University of Technology
Wednesday, Jan 24 | 09:30-10:30 AM
In this talk, we present the unbelievable story of Meltdown and Spectre. The two vulnerabilities in CPUs allow to read usually inaccessible memory locations and are therefore considered by many experts as the worst vulnerabilities ever found. We, the Graz University of Technology team, share our story of the discovery. The talk covers questions around Meltdown and Spectre we were repeatedly asked by many people: How was the vulnerability discovered, what happened then, what are the connections between the different teams, is this a conspiracy (Spoiler: it is not)? Our answers to these questions bring interesting connections to light, which hopefully also debunk conspiracy theories. On the technical side of the talk, we provide a high-level overview using real-world analogies to get a big picture of Meltdown and Spectre. The high-level overview allows us to discuss the technical details in an easily comprehensible way. We explain the necessary background, including branch prediction and cache attacks, as well as the concrete Meltdown and Spectre attack. Finally, we discuss countermeasures to protect against these attacks. We demonstrate that Meltdown can be prevented entirely in software. We discuss the current approaches to prevent Spectre, however as this vulnerability cannot easily be mitigated, it requires more research to mitigate it fully.

Active Directory: What Can Make Your Million Dollar SIEM Go Blind?

Wednesday, Jan 24 | 12:45-13:30 PM
Active Directory is a key element for security and is a primary target in most of the common attacks today. There are also many tools used to ensure its protection. In large companies where there have been millions of dollars of investment in security, it appears that the logical choice to provide security monitoring of Active Directory is by using the company SIEM tool. Even if the chances of detecting a golden ticket are low, the logs processed by the SIEM can help track any object changes and can raise an alert in case of a suspicious modification to a privileged account. With Benjamin Delpy the mimikatz author in a guest appearance, this talk focuses on two topics:
  1. How an attacker can have more insight into your domains than you and how the attacker can also exploit distant domains, while being undetected by your SIEM
  2. How the new mimikatz attack "DCShadow", by transforming a compromised workstation into a DC, can push changes that are unseen by your SIEM.
While post incident response handlers can use replication metadata to build the attack history, the DCShadow attack will demonstrate that this replication metadata can no longer be trusted and how the technical specification of the AD (MS-ADTS) can be bypassed in most cases. An example is, instead of gathering the krbtgt hash via DCSync, you can push your own secret.

Attribution 2.0: When Code Reuse Brings Down the House of Cards

Costin Raiu
, Kaspersky Lab
Tuesday, Jan 23 | 11:45-12:15 PM
In June 2016, Motherboard’s Lorenzo Franceschi-Bicchierai interviewed the alleged DNC (hacker Guccifer 2.0. When asked about Russian metadata in the documents he leaked, Guccifer 2.0, a self-proclaimed Romanian, said “it is my ‘filigran’ ”. ‘Filigran’ is an odd word and almost never used in casual conversations; some younger people may have never heard it before. Translated into English however, it means “watermark”. Similarly, translating “watermark” from English into Romanian results in “ filigran ”. This and other “watermarks” effectively gave Guccifer 2.0 away as not being Romanian but simply using Google Translate to talk to journalists. In the end, it was his usage of “watermarks” that exposed him. How about code? Are there such things as “watermarks” for x86 executable code? During 2017, several high-profile incidents occurred that had something in common - they were all difficult to attribute or associate with any previously known actor. These include WannaCry , NotPetya , Shadowpad and the CCleaner supply chain attack. Building on our experience from handling WannaCry and NotPetya and combining it with Yara rules and big data, we have been able to associate Shadowpad with an APT group that uses the Winnti malware and the CCleaner backdoor with the Axiom APT group.

Born Secure. How to Design a Brand New Cloud Platform with a Strong Security Posture

Lee Holmes
, Microsoft
Wednesday, Jan 24 | 14:30-15:15 PM
What if you could design a sealed, cloud infrastructure starting from a clean slate? What security posture would you adopt? This is the opportunity we had with Azure Stack! Starting from the assumption that the first "enemy" to protect from is the Administrator, we designed a tightly constrained management experience, protected by a military-grade OS security baseline, multiple levels of network ACLs and the latest encryption standards. In this talk, we discuss the security posture of Azure Stack and how we built the security principles of Assume Breach and Hardened by Default directly into the architecture of the cloud infrastructure. We will also describe the security assumptions we took, and how those heavily impacted the overall design of the on-prem cloud platform that analysts defined as the Microsoft’ secret weapon in the cloud war.

Browser Security Beyond Sandboxing

Jordan Rabet
, Microsoft
Tuesday, Jan 23 | 12:15-12:45 PM
Security is now a strong differentiator in picking the right browser - a single compromise through a web browser can have catastrophic results. Much of recent browser security development has been focused on improving sandboxing, but we can't lose sight of how damaging remote code execution (RCE) exploits can be, even when they remain contained to a single process. This talk will interactively walk through the discovery of RCE bugs in Google's Chrome browser, the exploitation of one of them, and finally, the capabilities a savvy attacker can attain from that, culminating in a live pwning demo.

Computers Gone Rogue: Abusing Computer Accounts to Gain Control in an Active Directory Environment

Wednesday, Jan 24 | 12:15-12:45 PM
Active Directory has always been a lucrative target for attackers since it serves as the main storage of all credentials in a domain environment. Attackers usually target user accounts to gain an initial access to domain resources and use them to move laterally in the network, until eventually compromising a domain administrator. Hence, many monitoring systems track the behavior of domain accounts to find potential anomalies in case the account is compromised. In most cases, the focus is on user accounts, who are usually the ones targeted to get high privileged access in the environment. However, a lot of attacks may incorporate the use of computer accounts to compromise the domain and even gain persistence once the required privileges are acquired. In this talk we will discuss how computer accounts can be abused, starting from the initial attack stages, continuing to the lateral movement phase, and finishing with how a computer account can be used to gain a TGT for any administrative account in the environment while hiding the computer account to avoid detection.

eMMC Hacking, Or: How I Fixed Long-Dead Galaxy S3 Phones

Tuesday, Jan 23 | 12:45-13:30 PM
A few years ago Samsung Galaxy S3 devices started dying all around the world (a phenomenon known as "Galaxy S3 Sudden Death"). The faulty hardware was pinpointed to its eMMC chip (made by Samsung). This incident led to the belief that there's a microcontroller in it, and sparked a journey that began in finding a method to obtain the firmware, up until gaining generic code execution ability on every Samsung eMMC chip. As this was done originally to fix Samsung S3 devices by software-only means, it was not enough. The bootloader inside every S3 (sboot) won't happily run your precious eMMC fixing code. Thus, a vulnerability had to be found. This talk uncovers two vulnerabilities in sboot which led to code execution. But how to talk with an eMMC chip, which is already dead? Well, technically yes, but apparently there's some hidden recovery mode that can be triggered by a power reset to the chip, and the phone's life is spared. In newer eMMC chips, the firmware is slightly different, as due it its size it must be stored partially on the external NAND, with an overlay mechanism. This talk discusses the process of reversing such firmware, presents a simple Python utility to experiment with Samsung eMMC chips, and further discusses some possible applications, such as low-level NAND forensics, information hiding, and ultimately, installing a rootkit on the eMMC firmware itself.

Ethereum VM, Bytecode & Bugged Smart-Contracts

Tuesday, Jan 23 | 17:15-18:00 PM
In this talk we will explore the Ethereum Virtual Machine (EVM) architecture, explore its smart-contract "boot loader" and analyze a few cases of known bugs, and how static and dynamic analysis using frameworks such as Porosity could prevent them. As trusted models are becoming increasingly important, we will also guess how frameworks like Coco Framework will leverage virtualization-based security (VBS) and Intel Software Guard Extensions (SGX) to protect Blockchain-based Virtual Machines such as the EVM.

Extracting Secrets from Silicon – A New Generation of Bug Hunting

Gunter Ollmann
, Microsoft
Tuesday, Jan 23 | 15:15-16:00 PM
As reverse engineering tools and hacking techniques have improved over the years, software engineers have been forced to bury their secrets deeper down the stack – securing keys and intellectual property first in software, then drivers, on to custom firmware and microcode, and eventually as etchings on the very silicon itself. For the hackers involved, the skills and tools needed to extract and monetize these secrets come with ever increasing hurdles and cost. Yet, seemingly as a corollary to Moore’s Law, each year the cost of the tooling drops by half, while access (and desire) doubles. Today, with access to multi-million-dollar semiconductor labs that can be rented for as little as $200 per hour, skilled adversaries can physically extract the most prized secrets from the integrated circuits (IC) directly. Understanding your adversary lies at the crux of every defensive strategy. This session reviews the current generation of tools and techniques used by professional hacking entities to extract the magic numbers, proprietary algorithms, and WORN (Write Once, Read Never) secrets from the chips themselves. As a generation of bug hunters begin to use such tools to extract the microcode and etched algorithms from the IC’s, we’re about to face new classes of bug and vulnerabilities – lying in (possibly) ancient code – that probably can’t be “patched”. How will we secure secrets going forward?

Hi, My Name is "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

Matt Graeber
, SpecterOps
Wednesday, Jan 24 | 11:45-12:15 PM
In the context of computer security, what is trust and what does it mean to you and your organization? While clearly a subjective term, trust should form the basis of what we permit and deny in our enterprise. Trust can also be explicit or implicit and security products exist to cater to both models, specifically, application whitelisting and EPP/EDR solutions, respectively. Additionally, threat hunters and incident responders require a definition of trust to be able to quickly make benign versus suspicious classifications during the course of an investigation. As for the implementation of trust, code signing plays a large role. That said, what does it mean for code to be signed? What certificates should be considered trusted? What are the technical means by which digital signatures are validated against trusted certificates and how might an attacker subvert the process? What are some of the common assumptions security tools and users of security tools make when it comes to trust validation? These questions in the context of Microsoft Windows will be addressed. By the end of this talk, the audience will understand the Windows trust architecture, how it can be subverted, and how to investigate/mitigate/detect subversion attempts. Finally, everyone will walk away with an appreciation of trust and the challenges involved in its validation.

KRACKing WPA2 in Practice Using Key Reinstallation Attacks

Mathy Vanhoef
, KU Leuven
Wednesday, Jan 24 | 16:30-17:15 PM
This talk presents the key reinstallation attack. It abuses design or implementation flaws in cryptographic protocols to reinstall an already-in-use key. This resets the key’s associated parameters such as transmit nonces and receive replay counters. Several cryptographic Wi-Fi handshakes are affected by the attack. All protected Wi-Fi networks use the 4-way handshake to generate a fresh session key. So far, this 14-year-old handshake has remained free from attacks. However, we show that the 4-way handshake is vulnerable to a key reinstallation attack. Here, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying handshake messages. When reinstalling the key, associated parameters such as the incremental transmit packet number (nonce) and receive packet number (replay counter) are reset to their initial value. In contrast with previous talks, we will also discuss the vulnerability disclosure process that we followed. Since our discovery affected numerous vendors, coordinating the disclosure was far from trivial. We discuss several lessons that we learned from this experience.

Linux Vulnerabilities, Windows Exploits: Escalating Privileges
with WSL

Wednesday, Jan 24 | 15:15-16:00 PM
WSL (Windows Subsystem for Linux) is an impressive mechanism integrated recently into the Windows 10 kernel. This subsystem allows Linux executables to run without modifications on a Windows machine, using the same system calls, file system layout and executable format — an enormous attack surface by all means. Like any other new, large, and complex codebase, it is a greenfield for vulnerability researchers, hindered only by the lack of documentation, and by a single massive .sys file just waiting to be reverse engineered. This talk will cover the story behind one such vulnerability. On our path to its root cause, we will go down the rabbit hole and explore an astounding engineering project on Microsoft's part, juggling between the internals of two completely different operating systems. At its end, we will showcase a Linux executable that can invoke a series of syscalls and overwrite Windows kernel memory. The entire kernel memory, as in a wild-copy. Not the simplest primitive to kick things off. But no vulnerability is complete without an exploit. With recent advances in anti-exploitation, this isn't an easy task at all. Between saving the kernel from crashing itself and bypassing every defensive mechanism, there is much more than a single hoop to jump through. We will demonstrate the different primitives and tricks to stabilize such memory corruption and finally achieve arbitrary code execution in modern Windows 10 kernels. All from a single Linux executable.

New and Improved UMCI, Same Old Bugs

James Forshaw
, Google Project Zero
Wednesday, Jan 24 | 17:15-18:00 PM
User Mode Code Integrity (UMCI) restricts what executables can be run based on the signer. UMCI was introduced with the ARM-based Windows RT in 2012. However, ways of bypassing the signing restrictions were quickly discovered. In 2017, Microsoft introduced a new SKU of Windows 10 the Cloud Edition, better known as Windows 10S. This was the first x86 version of Windows which enabled UMCI by default, in this case to restrict the OS to only running Microsoft and Store signed executables for the purposes of security. It turns out that many of the same mistakes made in Windows RT were applicable to Windows 10S, and so it was possible to bypass UMCI to execute arbitrary code. This presentation will describe in detail how Windows 10S is configured, introduce some of the bypasses I’ve discovered, including ones that haven’t been fixed, and describe how you might go about finding new bypasses.

Terrorist Phone Unlocking 101

Tuesday, Jan 23 | 14:30-15:15 PM
The widely misreported realm of mobile phone unlocking and forensic extraction has significantly developed in the last few years.
What was once a native ground for lab geeks who probe for forgotten JTAG interfaces or handle hot air blowers to carefully remove shielding and expose eMMC chips for ISP readings, has shifted into a domain where the art of vulnerability research and exploitation sets the tone to dictate whether a device can be forensically extracted or not. Behind the scenes, a silent but breathtaking arms race of exploits and mitigations is taking place. For the first time, researchers from Cellebrite's world-leading forensics research lab - will uncover a part of that ongoing story. During this talk, we will introduce the audience to the unique and often disregarded technical challenges to the forensic extraction world (hint: do RCE attackers even consider encryption?) and navigate a complete extraction scenario for a popular encrypted phone model. This talk will feature a complete walk-though for the discovery, analysis and exploitation of a never-before-detailed extraction-enabling BootROM vulnerability present in modern day phones. This vulnerability is already known to the affected vendor and was patched and fixed in newer versions.

The New Paradigm of Security Controls

John Lambert
, Microsoft
Tuesday, Jan 23 | 10:30-11:15 AM
We are seeing a new approach to security that is rippling across network defenders, products, and attackers alike. The world is moving from security on data to security from data. Defenders are transitioning from appliances that shrink data volumes to cloud approaches that capture more data than ever before. Innovators are seeking signals across user, device, and application activity, and building learning systems to master security insights from them. Users are central to this new world, as security solutions adapt from placing controls on them to creating controls from them. Attackers are adapting to these data driven systems as well. This talk will discuss these trends as well as new risks that arise from them.

The Wolf in SGX Clothing

Tuesday, Jan 23 | 16:30-17:15 PM
SGX is a security technology, which is designed to hide secrets from the very platform they are stored on. While this sounds sweet in case one is worried about leaving secrets lying around unguarded in memory, it is a terrifying proposal for someone who hunts threats. As a blind spot by definition, SGX provides worrisome capabilities to potential intruders. But just how much of a blind spot is an SGX? What can it hide and what not? What can an attacker actually achieve leveraging this technology? Malware hidden within secure enclaves has been a topic of security research quicker than legitimate customers could implement their crypto containers, but what we are still missing today is a holistic, no wait, realistic threat model. The extent of malicious activities attackers can hide within home-grown enclaves, the risk posed by benign but vulnerable enclaves, and the horrifying outlook for DFIR specialists facing SGX protected threats are the major focus of this presentation. The presented research sheds light on capabilities and limitations of malicious enclaves, and shows what attackers can gain from compromising benign enclaves. A legitimate but vulnerable Linux pet enclave gone rogue will serve as demonstration, and also be a base for discussion of SGX monitoring approaches.

Windows: Hardening with Hardware

David Weston
, Microsoft
Wednesday, Jan 24 | 10:30-11:15 AM
The security features of modern PC hardware are enabling new trust boundaries and attack resistance capabilities unparalleled in software alone. These hardware capabilities help to improve resistance to a wide range of attacks including physical attacks against DMA and disk encryption, kernel and remote code exploits, and even application isolation through virtualization. In this talk, we will review the metamorphosis and fundamental re-architecture of Windows to take advantage of emerging hardware security capabilities. We will also examine in-depth the hardware security features provided by vendors such as Intel, AMD, ARM and others, and explain how Windows takes advantage of these features to create new and powerful security boundaries and exploit mitigations. Finally, we will discuss the new attack surface that hardware provides and review exploit case studies, lessons learned, and mitigations for attacks that target PC hardware and firmware.