DC9723 January 28 2020 Meeting

When: Tuesday, 28 January 2020, from 18:45 to 21:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction and Administrative updates
Crypto Fails – from basics to advanced stuff – Guy Barnhart-Magen (double length talk)

As always, the talks are free and there is no need to register. Come and bring your friends.

DC9723 December 17 2019 Meeting

When: Tuesday, 17 December 2019, from 18:45 to 21:00

Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)
Agenda:
Brief Introduction and Administrative updates

Get Off The Kernel If You Can’t Drive – Israeli Edition – Mickey Shkatov

2nd Talk TBA

As always, the talks are free and there is no need to register. Come and bring your friends.

DC9723 May 21 2019 Meeting

When: Tuesday, 21 May 2019, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
The butterfly effect – actively manipulating VMs through hypervisor introspection – Sofia Belikovetsky
Herding cattle in the desert: How malware actors have adjusted to new security enhancements in MacOS Mojave – Omer Zohar

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:

The butterfly effect – actively manipulating VMs through hypervisor introspection – Sofia Belikovetsky
Imagine your cloud was compromised with malware. Remediating this threat is often complex, since you need to have security solutions installed on each VM (virtual machine). Security solutions for the cloud often use the same security methods as for regular PCs, not tapping into the potential of virtualization. In this talk, we will show a way to break the “security agent per VM” paradigm by leveraging the power of hypervisor introspection against the attackers and their malware.

Hypervisor introspection is the ability to analyze and monitor the internal memory of a VM from its host. It is a well-researched area in cyber security that focuses on a passive approach: analyzing the internal kernel structures of the VM in order to detect malicious code execution and anomalies. Traditionally, hypervisor introspection is used to detect security threats in datacenters. We build on the previous work in this field and extend it to a more active approach, where we can take remedial actions once a threat is detected and externally influence the behaviour of the VM.

Remediation of cyber security threats is one of the most complicated problems in datacenter security, since there is a need to stop and remove the threat without harming the operational aspect of the VMs and the network. Currently there is no standard for solving this problem. However, by leveraging the power of virtualization, we can add remediation capabilities at the hypervisor layer. We can handle various security threats by focusing on suspension of processes and threads, and termination of unwanted network connections, all from outside the VM. One of the biggest advantages of such an approach is that the malware running on the VM is completely unaware of either the detection methods that are running from the hypervisor or the remediation methods that modify values in memory. In this case, the malware can neither evade detection nor disable the detection mechanism.

We demonstrate the concept of the “butterfly effect” in a virtualized environment, where changing a single value in a kernel struct can influence the behaviour of a VM. We have analyzed crucial Linux kernel structures and tested how minor changes in their values can change the flow of the VM. This approach is unique, since we surgically select which values to modify in order to change the behavioural flow of the OS. Thus, a minor change achieves the desired effect: termination of the security threat. This is a technical talk where we will explain how hypervisor introspection works and demonstrate how to externally read and write to the internal memory of the VM. We will deep dive into the internals of the KVM hypervisor and Linux based VMs, show the addition of QMP commands to qemu-kvm and the modification of the memory. For each remediation scenario, we will show the value that was changed and how the flow of the Linux kernel was influenced by this change.
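The talk adds its own QMP commands to qemu-kvm for the read and write side. Stock QEMU already lets an external tool read guest-physical memory over QMP by wrapping the HMP `xp` command in `human-monitor-command`, and the Python below is an added example of that exchange (not the speaker's code): a minimal QMP client that consumes the greeting, negotiates capabilities, issues `xp` and parses the dump back into bytes. So that it runs offline, it talks to a constructed in-process stand-in for QEMU (`fake_qemu`, with made-up guest memory at 0x1000); the `xp` output layout that stand-in mimics is an assumption, and against a real VM you would connect to the socket given by `-qmp unix:...,server,nowait` instead of a socketpair.

```python
import json
import socket
import threading


class QmpClient:
    """Minimal QMP client: consume the greeting, negotiate capabilities,
    then issue commands and return their "return" payloads."""

    def __init__(self, sock):
        self.sock = sock
        self.rfile = sock.makefile("rb")
        greeting = self._recv()
        if "QMP" not in greeting:
            raise RuntimeError("peer did not send a QMP greeting")
        # QEMU rejects every other command until capabilities are negotiated.
        self.execute("qmp_capabilities")

    def _recv(self):
        # QEMU terminates each JSON object with a newline; asynchronous
        # events ({"event": ...}) can arrive at any time and are skipped here.
        while True:
            line = self.rfile.readline()
            if not line:
                raise ConnectionError("QMP peer closed the socket")
            msg = json.loads(line)
            if "event" not in msg:
                return msg

    def execute(self, command, **arguments):
        request = {"execute": command}
        if arguments:
            request["arguments"] = arguments
        self.sock.sendall((json.dumps(request) + "\n").encode())
        reply = self._recv()
        if "error" in reply:
            raise RuntimeError(f"{reply['error']['class']}: {reply['error']['desc']}")
        return reply["return"]

    def read_phys(self, addr, length):
        """Read guest-physical memory through the HMP 'xp' command."""
        text = self.execute("human-monitor-command",
                            **{"command-line": f"xp /{length}xb {addr:#x}"})
        return parse_xp(text)

    def close(self):
        self.rfile.close()
        self.sock.close()


def parse_xp(text):
    """Turn 'xp /Nxb' output ('<addr>: 0x.. 0x.. ...' per line) into bytes."""
    out = bytearray()
    for line in text.splitlines():
        _, sep, rest = line.partition(":")
        if sep:
            out.extend(int(tok, 16) for tok in rest.split())
    return bytes(out)


# --- Constructed stand-in for QEMU's QMP server (a test double, not QEMU) ---

GUEST_PHYS = {0x1000: bytes(range(0x20))}   # made-up guest physical memory


def fake_xp(cmdline):
    # Mimics the HMP "xp /Nxb ADDR" output layout that parse_xp assumes.
    _, fmt, addr = cmdline.split()
    count = int(fmt.lstrip("/").rstrip("xb"))
    base = int(addr, 16)
    data = GUEST_PHYS[base][:count]
    lines = [f"{base + off:016x}: " + " ".join(f"{b:#04x}" for b in data[off:off + 8])
             for off in range(0, len(data), 8)]
    return "\n".join(lines) + "\n"


def fake_qemu(sock):
    greeting = {"QMP": {"version": {"qemu": {"major": 4, "minor": 2, "micro": 0}},
                        "capabilities": ["oob"]}}
    sock.sendall((json.dumps(greeting) + "\r\n").encode())
    for line in sock.makefile("rb"):
        req = json.loads(line)
        if req["execute"] == "qmp_capabilities":
            reply = {"return": {}}
        elif req["execute"] == "human-monitor-command":
            reply = {"return": fake_xp(req["arguments"]["command-line"])}
        else:
            reply = {"error": {"class": "CommandNotFound",
                               "desc": f"The command {req['execute']} has not been found"}}
        sock.sendall((json.dumps(reply) + "\r\n").encode())


def demo(addr=0x1000, length=16):
    """Run the full exchange against the stand-in and return the bytes read."""
    client_sock, server_sock = socket.socketpair()
    threading.Thread(target=fake_qemu, args=(server_sock,), daemon=True).start()
    qmp = QmpClient(client_sock)
    try:
        return qmp.read_phys(addr, length)
    finally:
        qmp.close()


if __name__ == "__main__":
    print(demo().hex())
```

The same client works unchanged against a live QEMU once `sock` is a connected `AF_UNIX` socket; only `read_phys` depends on the dump format, which is why the parser is kept separate from the transport.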

Herding cattle in the desert: How malware actors have adjusted to new security enhancements in MacOS Mojave – Omer Zohar

Malware on the Mac has always been like a unicorn: a creature from folk tales. But in recent years what was thought of as a unicorn turned out to be the shadow of a horse with a wooden peg on its head: a story being told to give users a (false) sense of security.

Mac malware is on the rise, at an alarming rate. Estimates indicate that over 12% of Macs showed malicious activity in the past year. The most common types are adware, monetizing malware and scareware such as fake cleaners.

In contrast, each new version of macOS introduces improved security mechanisms, supposedly setting a higher bar for successful infection. Mechanisms such as Quarantine, SIP and Gatekeeper verify software integrity and make changes to user and OS settings more difficult, TCC (Transparency, Consent, and Control) requires stricter user consent during app installation, while XProtect and MRT finish off with rules to detect malicious files.

Still, Mac malware is on the rise, with 12M infected machines identified in 2018 alone, while the YoY growth of infections has been over 100% since 2016. A clear signal that the bad guys adapt fast.

In this talk, we’ll deep dive into recent security changes in macOS Mojave & Safari and examine how these updates impacted actors of highly distributed malware in terms of number of infections and, more importantly, monetization.

We’ll take a look at malware actors currently infecting machines in the wild (Bundlore and Genio, to name a few) and investigate how their tactics evolved after the update: from infection vectors that bypass Gatekeeper, getting around the new TCC dialogs and hijacking search in a SIP-protected Safari, to persistence and reinfection mechanisms that ultimately turn these ‘annoying PUPs’ into a fully fledged backdoored botnet.

DC9723 March 26 2019 Meeting

When: Tuesday, 26 March 2019, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Using Machines to Exploit Machines – Harnessing AI to Accelerate Exploitation – Guy Barnhart-Magen, Ezra Caltum
TBD

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:

Title: Using Machines to Exploit Machines – Harnessing AI to Accelerate Exploitation – Guy Barnhart-Magen, Ezra Caltum
Abstract:
Imagine yourself looking through a myriad of crash dumps trying to find that one exploitable bug that has escaped you for days!

And if that wasn’t difficult enough, the defenders know that they can make us chase ghosts and red herrings, making our lives waaaay more difficult (Chaff Bugs: Deterring Attackers by Making Software Buggier)

Offensive research is a great field to apply Machine Learning (ML), where pattern matching and insight are often needed at scale. We can leverage ML to accelerate the work of the offensive researcher looking for fuzzing -> crashes -> exploit chains.

Current techniques are built using sets of heuristics. We hypothesized that we could train an ML system to do as well as these heuristics, faster and more accurately.

Machine Learning is not the panacea for every problem, but an exploitable crash has multiple data points (features) that can help us determine its exploitability. The presence of certain primitives on the call stack, or the output of libraries and compile-time options like libdislocator and AddressSanitizer, among others, can be indicators of “exploitability”, offering us a path to a greater, more generalized insight.

Defenders can find a lot of value in this work as well, as we can help developers isolate and focus on crashes that will lead to exploitation instead of drudging through countless crashes and analyzing them manually.

In this talk we will explore the current state of the art in ML for offensive exploration and present our ongoing work to automatically categorize and determine the exploitability of crashes and bugs, accelerating the triage process tremendously.
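As an added example (not the speakers' work) of the heuristic baseline the abstract says today's triage is built on, here is a feature extractor for AddressSanitizer crash reports together with a rule-based exploitability label in the spirit of !exploitable: the error kind, whether the faulting access was a read or a write, the faulting address, and whether the top frame is a memory-copy primitive such as memcpy. The three reports are constructed to look like ASan output; the labels are exactly the kind of target a trained model would be asked to reproduce at scale.

```python
import re

# Regexes for the AddressSanitizer report lines the features are drawn from.
ASAN_ERROR = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?(?:address )?(?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?:==\d+==)?(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
SEGV_OP = re.compile(r"The signal is caused by a (?P<op>READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>[^\s(]+)", re.M)

OVERFLOWS = {"heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow"}
MEMORY_PRIMITIVES = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "sprintf"}
PRIORITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]


def canonical_func(func):
    """Strip ASan interceptor prefixes so '__asan_memcpy' counts as memcpy."""
    return re.sub(r"^(__asan_|__interceptor_|__sanitizer_)", "", func)


def extract_features(report):
    """Turn one ASan report into the feature vector a classifier would consume."""
    m = ASAN_ERROR.search(report)
    if m is None:
        return None
    access = ACCESS.search(report) or SEGV_OP.search(report)
    frames = [canonical_func(f["func"]) for f in FRAME.finditer(report)]
    addr = int(m["addr"], 16)
    return {
        "kind": m["kind"],
        "op": access["op"] if access else None,
        "size": int(access["size"]) if access and "size" in access.groupdict() else 0,
        "addr": addr,
        "near_null": addr < 0x10000,            # typical null-page dereference
        "frames": frames,
        "top_is_primitive": bool(frames) and frames[0] in MEMORY_PRIMITIVES,
        "depth": len(frames),
    }


def classify(feats):
    """Heuristic exploitability label (the baseline an ML model competes with)."""
    kind, op = feats["kind"], feats["op"]
    if kind in OVERFLOWS:
        # An out-of-bounds write is a corruption primitive; a read is a leak.
        return "EXPLOITABLE" if op == "WRITE" else "PROBABLY_NOT_EXPLOITABLE"
    if kind == "heap-use-after-free":
        return "EXPLOITABLE" if op == "WRITE" else "PROBABLY_EXPLOITABLE"
    if kind == "double-free":
        return "EXPLOITABLE"
    if kind == "SEGV":
        if op == "WRITE" or feats["top_is_primitive"]:
            return "PROBABLY_EXPLOITABLE"      # wild write, or wild pointer fed to a copy
        if feats["near_null"]:
            return "PROBABLY_NOT_EXPLOITABLE"  # plain null dereference
    return "UNKNOWN"


def triage(reports):
    """Label every report and return (label, kind, op, blamed frame), best first."""
    rows = []
    for report in reports:
        feats = extract_features(report)
        if feats is None:
            continue
        frames = feats["frames"]
        # Blame the caller of a copy primitive rather than the primitive itself.
        blame = frames[1] if feats["top_is_primitive"] and len(frames) > 1 else (frames[0] if frames else "?")
        rows.append((classify(feats), feats["kind"], feats["op"], blame))
    return sorted(rows, key=lambda r: PRIORITY.index(r[0]))


# Constructed sample reports in AddressSanitizer's output style (not real crashes).
SAMPLE_REPORTS = [
    """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000058 at pc 0x0000004a1b2c bp 0x7ffd1c0ff2a0 sp 0x7ffd1c0fea50
WRITE of size 64 at 0x602000000058 thread T0
    #0 0x4a1b2b in __asan_memcpy (/fuzz/target+0x4a1b2b)
    #1 0x4f0c12 in parse_record /src/parser.c:42:5
    #2 0x4f1380 in main /src/main.c:17:9
""",
    """==4243==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000004f2210 bp 0x7ffd1c0ff2a0 sp 0x7ffd1c0ff100 T0)
==4243==The signal is caused by a READ memory access.
==4243==Hint: address points to the zero page.
    #0 0x4f220f in lookup_entry /src/table.c:88:12
    #1 0x4f1380 in main /src/main.c:21:9
""",
    """==4244==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000010 at pc 0x0000004f3001 bp 0x7ffd1c0ff2a0 sp 0x7ffd1c0ff290
READ of size 8 at 0x603000000010 thread T0
    #0 0x4f3000 in node_next /src/list.c:31:10
    #1 0x4f1380 in main /src/main.c:25:9
""",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORTS):
        print(*row)
```

Run over a fuzzer's crash directory, `triage` orders the queue so the write primitives are looked at first; the feature dict is what you would log per crash to build the labelled dataset the talk's approach needs.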

DC9723 February 26 2019 Meeting

When: Tuesday, 26 February 2019, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Deep hacking the automotive cyberspace – Uri Bear
Sneaking Past Device Guard – Philip Tsukerman

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:

Title: Deep hacking the automotive cyberspace – Uri Bear
Abstract:
Connected cars are the future, it just makes sense, doesn’t it? But as cars connect, there is the increased potential for security risks.

Automation, AI, machine learning and plain old-style ECUs carry an ever-increasing computation load, an incredibly expanding code base, and old and new sensors and algorithms. How do hackers approach all of these?

A person skilled in reverse engineering and armed with certain tools may be able to eavesdrop on automotive control data. Even more, an advanced hacker could interfere, interact, and modify both the ECU itself and the data flowing across its wires.

The cybersecurity landscape is rapidly evolving and the ecosystems are continuously innovating to advance security for devices of all types. The automotive industry is being driven towards a quest for a higher level of security, due to the current plethora of applications, media files, and user inputs available in its systems.
In this presentation, I will cover:
• An introduction to automotive computing environment from a hacker’s point of view.
• Why is secure hardware a must-have?
• Case study: Hacking a car, near or far.
o Hacking hardware.
o Hacking software.

Many solutions exist, many are offered, hack yourself to know which are good enough for you.

Title: Sneaking Past Device Guard – Philip Tsukerman
Abstract:
Device Guard is the newest application whitelisting feature in Windows 10. I will dive into the internals of various parts of the feature and provide several new ways of subverting it in different contexts. New execution techniques, accidental AMSI bypasses and other fun bonuses will also be included!

Device Guard (or WDAC) is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries, and scripts to run, even under administrator users. Seemingly, the only way to run unsigned code without a specific RCE vulnerability would require an administrator to turn the feature off and restart the machine.

This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables. All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft has decided not to service most of these techniques with an update (except for one, which was serviced as CVE-2018-8417).

During the talk, we’ll dive into the various ways the feature is implemented under different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard.

DC9723 December 18 2018 Meeting

When: Tuesday, 18 December 2018, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Enabling Intel Hardware debug in 30 minutes or less – Mickey Shkatov
Analysing baseband 1-days – Guy

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube (eventually) after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:

Enabling Intel Hardware debug in 30 minutes or less – Mickey Shkatov
Having the ability to halt the CPU and view registers from hardware is the best way to debug software and even firmware. To do this you must know how to enable this feature; come join me as I review known methods for such enablement and share some of my own experience, along with tips and tricks I picked up along the way.

Analysing baseband 1-days – Guy
While baseband analysis remains one of the least well-explored areas in the public domain, many researchers don’t know that it is not rocket science. Baseband research merely has a high entry barrier that keeps out all but the most well-funded organizations.
In this talk I will show my methods and experience with several vulnerabilities which were reported and patched in the past year.

DC9723 November 27 2018 Meeting

When: Tuesday, 27 November 2018, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
What The Fax!? – Yaniv Balmas & Eyal Itkin
Finding And Exploiting Vulnerabilities In Bluetooth Stacks Implementations – Ori Nimron

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
What The Fax!? – Yaniv Balmas & Eyal Itkin
Unless you’ve been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?

The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.

What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line — thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.

Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum-grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.

This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!

DC9723 – Code of Conduct

Hi everyone.

I’d like to present you all with the DC9723 Code Of Conduct.
But before that, a brief explanation. I have witnessed how the security community has grown over the past 20+ years that I have been involved in it. I’ve seen it become more inclusive and accepting. I’ve also seen it go through rough phases where people were mistreated, bullied and shunned. I’ve seen conferences turn from “bro” all-out parties into places I can bring my kids to, where people of all ages, races, beliefs and genders come to learn, hear and be heard.
Through this time a lot has happened, and I’ve also witnessed the abuse of those changes: I’ve witnessed codes of conduct being created with the intent to protect participants, and I’ve also seen those used against the community in order to get personal gain (social fame and online reputation, mostly through stirring up problems that didn’t exist there before).
I’ve also seen an attempt from certain groups to solicit the use of a code of conduct in conferences and gatherings that is “easy to use/reference” but imposes a lot of restrictions and allows people who have an interest in creating problems where they didn’t exist before to do so, through these skewed codes of conduct (I’ve been subjected to one of those myself as well…). One of those (the most popular one to my knowledge) was created and is being pushed around by the Ada Initiative.

This is why we at DC9723 have adopted a code of conduct FOR the community. It’s based on the DEFCON Code of Conduct, and is also used in other conferences such as DerbyCon. It’s close to the one I have personally been using in my “other” conference, BSidesLasVegas.

So here it is, the DC9723 Code of Conduct:
TL;DR: Be excellent to each other. Don’t be an asshole.

DC9723 provides a forum for open discussion between participants, where radical viewpoints are welcome and a high degree of skepticism is expected. However, insulting or harassing other participants is unacceptable. We want DC9723 to be a safe and productive environment for everyone. It’s not about what you look like but what’s in your mind and how you present yourself that counts at DC9723.

We do not condone harassment against any participant, for any reason. Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid.

Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate, including but not limited to expulsion without refund and referral to the relevant authorities.

This Code of Conduct applies to everyone participating at DC9723 in all its formats (online, the monthly meetings, and the conferences) and everyone who’s attending it – from participants and sponsors to speakers, press, volunteers, and the DC9723 staff.

Anyone can report harassment. If you are being harassed, notice that someone else is being harassed, or have any other concerns, you can contact a DC9723 staff member/admin online or in-person.

Our staff will be happy to help participants contact venue security, local law enforcement, or otherwise assist those experiencing harassment to feel safe for the duration of the meetup.

Remember: DC9723 is what you make of it, and as a community we can create a great experience for everyone.

DC9723 October 30 2018 Meeting

When: Tuesday, 30 October 2018, from 18:45 to 22:00
Where: Check Point Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Digital Whisper
Reversing SR-IOV For Fun and Profit – Adir Abraham
BITSInject – Control your BITS, get SYSTEM – Dor Azouri

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Reversing SR-IOV For Fun and Profit – Adir Abraham
We are surrounded with PCIe devices everywhere. They are in charge of interconnecting extremely important and exciting functionalities inside and outside our systems.
Have you ever wondered how to explore and reverse engineer those devices and their functionality? SR-IOV (Single-Root I/O Virtualization) is a PCI (Peripheral Component Interconnect) standard for sharing PCIe devices within a single computer.
In this talk, I will provide a thorough background on PCIe devices and the standard. Afterwards, I will share my research experience and explain how SR-IOV PCIe devices can be reverse engineered using radare2, how to look for vulnerabilities, what information we can get and what we can learn from those findings.
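As an added example (not the speaker's material), the Python below parses the SR-IOV extended capability out of a raw PCIe configuration-space image, which is the first thing you look at before pointing a disassembler at a device's firmware or driver: it walks the extended-capability chain that starts at offset 0x100, decodes the SR-IOV control and VF-numbering registers, and computes the routing IDs of the virtual functions from the physical function's BDF, First VF Offset and VF Stride (the arithmetic the PCIe specification defines). The 4 KiB config space is constructed in `build_sample_config` with made-up vendor/device IDs and register values; on Linux the same bytes come from /sys/bus/pci/devices/<BDF>/config (root is needed to read past the first 64 bytes).

```python
import struct

PCI_EXT_CAP_START = 0x100     # extended capabilities live above legacy config space
PCI_EXT_CAP_ID_AER = 0x0001
PCI_EXT_CAP_ID_SRIOV = 0x0010

# Register offsets inside the SR-IOV extended capability (PCIe Base Spec; the
# same values as Linux's PCI_SRIOV_* defines).
SRIOV_CTRL, SRIOV_STATUS = 0x08, 0x0A
SRIOV_INITIAL_VF, SRIOV_TOTAL_VF, SRIOV_NUM_VF = 0x0C, 0x0E, 0x10
SRIOV_VF_OFFSET, SRIOV_VF_STRIDE, SRIOV_VF_DID = 0x14, 0x16, 0x1A
SRIOV_SUP_PGSIZE, SRIOV_SYS_PGSIZE, SRIOV_BAR0 = 0x1C, 0x20, 0x24
SRIOV_CTRL_VF_ENABLE, SRIOV_CTRL_VF_MSE, SRIOV_CTRL_ARI = 1 << 0, 1 << 3, 1 << 4


def walk_ext_caps(cfg):
    """Yield (cap_id, version, offset) along the extended capability chain."""
    off, seen = PCI_EXT_CAP_START, set()
    while off and off not in seen and off + 4 <= len(cfg):
        seen.add(off)                        # a looping chain must not hang us
        (hdr,) = struct.unpack_from("<I", cfg, off)
        if hdr == 0:                         # no capability here (or device absent)
            return
        yield hdr & 0xFFFF, (hdr >> 16) & 0xF, off
        off = ((hdr >> 20) & 0xFFF) & ~0x3   # next pointer, DWORD aligned


def parse_sriov(cfg):
    """Decode the SR-IOV capability from a raw config-space image, or None."""
    for cap_id, _version, off in walk_ext_caps(cfg):
        if cap_id == PCI_EXT_CAP_ID_SRIOV:
            break
    else:
        return None
    u16 = lambda rel: struct.unpack_from("<H", cfg, off + rel)[0]
    u32 = lambda rel: struct.unpack_from("<I", cfg, off + rel)[0]
    ctrl = u16(SRIOV_CTRL)
    return {
        "offset": off,
        "vf_enable": bool(ctrl & SRIOV_CTRL_VF_ENABLE),
        "vf_mse": bool(ctrl & SRIOV_CTRL_VF_MSE),       # VF memory space enable
        "ari": bool(ctrl & SRIOV_CTRL_ARI),
        "initial_vfs": u16(SRIOV_INITIAL_VF),
        "total_vfs": u16(SRIOV_TOTAL_VF),
        "num_vfs": u16(SRIOV_NUM_VF),
        "vf_offset": u16(SRIOV_VF_OFFSET),
        "vf_stride": u16(SRIOV_VF_STRIDE),
        "vf_device_id": u16(SRIOV_VF_DID),
        "supported_page_sizes": u32(SRIOV_SUP_PGSIZE),  # bit n => 2**(n+12) bytes
        "system_page_size": u32(SRIOV_SYS_PGSIZE),
        "vf_bars": [u32(SRIOV_BAR0 + 4 * i) for i in range(6)],
    }


def vf_routing_ids(pf_bdf, sriov):
    """(bus, dev, fn) of each enabled VF: PF RID + First VF Offset + n * VF Stride.
    A routing ID is bus<<8 | dev<<3 | fn, so the sum may carry into the bus."""
    bus, dev, fn = pf_bdf
    pf_rid = (bus << 8) | (dev << 3) | fn
    rids = (pf_rid + sriov["vf_offset"] + n * sriov["vf_stride"]
            for n in range(sriov["num_vfs"]))
    return [((r >> 8) & 0xFF, (r >> 3) & 0x1F, r & 0x7) for r in rids]


def build_sample_config():
    """Constructed 4 KiB config space: AER at 0x100 chained to SR-IOV at 0x160.
    Vendor/device IDs and every register value are made up for this example."""
    cfg = bytearray(4096)
    struct.pack_into("<HH", cfg, 0x00, 0x1234, 0x5678)
    struct.pack_into("<I", cfg, 0x100, PCI_EXT_CAP_ID_AER | (1 << 16) | (0x160 << 20))
    s = 0x160
    struct.pack_into("<I", cfg, s, PCI_EXT_CAP_ID_SRIOV | (1 << 16))   # next = 0: end
    struct.pack_into("<H", cfg, s + SRIOV_CTRL, SRIOV_CTRL_VF_ENABLE | SRIOV_CTRL_VF_MSE)
    struct.pack_into("<HHH", cfg, s + SRIOV_INITIAL_VF, 8, 64, 4)   # initial, total, num
    struct.pack_into("<HH", cfg, s + SRIOV_VF_OFFSET, 0x80, 2)       # first VF offset, stride
    struct.pack_into("<H", cfg, s + SRIOV_VF_DID, 0x5679)
    struct.pack_into("<II", cfg, s + SRIOV_SUP_PGSIZE, 0x553, 0x1)   # page sizes, 4 KiB in use
    struct.pack_into("<I", cfg, s + SRIOV_BAR0, 0xDF00000C)           # 64-bit prefetchable MMIO
    return bytes(cfg)


if __name__ == "__main__":
    # Linux: cfg = open("/sys/bus/pci/devices/0000:3b:00.0/config", "rb").read()
    info = parse_sriov(build_sample_config())
    print(info)
    print(vf_routing_ids((0x3B, 0, 0), info))
```

The VF routing IDs are what the IOMMU and the VF BARs are keyed on, so knowing them from the PF's registers alone is the starting point for deciding which function to poke at from a guest and which registers are shared with the PF.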

BITSInject – Control your BITS, get SYSTEM – Dor Azouri
Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we told you that BITS is a careless middleman? We have uncovered the way BITS maintains its job queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.
Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path…) at runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our choosing as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY\SYSTEM and the first options that come to mind are PsExec or creating a service, we now add a new option: BITSInject.
Here, we will not only introduce the practical method we formed, but also reveal the binary structure of the state file for you to play with, along with some knowledge we gathered while researching the service flow.
We will also provide free giveaways: a one-click Python tool that performs the described method; SimpleBITSServer, a pythonic BITS server; and a struct definition file to use for parsing your BITS state file.