DC9723 December 18 2018 Meeting

DC9723 December 18 2018 Meeting
When: Tuesday 18 of December, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Enabling Intel Hardware debug in 30 minutes or less – Mickey Shkatov
Analysing baseband 1-days – Guy

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube (eventually) after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:

Enabling Intel Hardware debug in 30 minutes or less – Mickey Shkatov
Having the ability to halt the cpu and view registers from hardware is the best way for debugging software and even firmware, To do this you must know how to enable this feature, come join me as I review known methods for such enablement and share some of my own experience and some tips and tricks i picked up along the way.

Analysing baseband 1-days – Guy
While baseband analysis remains one of the least well-explored in the public domain, many researchers don’t know that it is not rocket science. Baseband research merely has a high entry barrier that keeps out all but the most well funded organizations.
In this talk I will show my methods and experience with several vulnerabilities which were reported and patched in the past year.

DC9723 November 27 2018 Meeting

DC9723 November 27 2018 Meeting
When: Tuesday 27 of November, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
What The Fax!? – Yaniv Balmas & Eyal Itkin
Finding And Exploiting Vulnerabilities In Bluetooth Stacks Implementations – Ori Nimron

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
What The Fax!? Yaniv Balmas & Eyal Itkin
Unless you’ve been living under a rock for the past 30 years or so, you probably know what a fax machine is. For decades, fax machines were used worldwide as the main way of electronic document delivery. But this happened in the 1980s. Humanity has since developed far more advanced ways to send digital content, and fax machines are all in the past, right? After all, they should now be nothing more than a glorified museum item. Who on earth is still using fax machines?

The answer, to our great horror, is EVERYONE. State authorities, banks, service providers and many others are still using fax machines, despite their debatable quality and almost non-existent security. In fact, using fax machines is often mandatory and considered a solid and trustworthy method of delivering information.

What the Fax?! We embarked on a journey with the singular goal of disrupting this insane state of affairs. We went to work, determined to show that the common fax machine could be compromised via mere access to its fully exposed and unprotected telephone line — thus completely bypassing all perimeter security protections and shattering to pieces all modern-day security concepts.

Join us as we take you through the strange world of embedded operating systems, 30-year-old protocols, museum grade compression algorithms, weird extensions and undebuggable environments. See for yourself first-hand as we give a live demonstration of the first ever full fax exploitation, leading to complete control over the entire device as well as the network, using nothing but a standard telephone line.

This talk is intended to be the canary in the coal mine. The technology community cannot sit idly by while this ongoing madness is allowed to continue. The world must stop using FAX!

DC9723 – Code of Conduct

Hi everyone.

I’d like to present you all with the DC9723 Code Of Conduct.
But before – a brief explanation. I have witnessed how the security community have grown over the past 20+ years that I have been involved in it. I’ve seen it become more inclusive, and accepting. I’ve also seen it go through rough phases where people were mistreated, bullied and shunned. I’ve seen conferences turn from “bro” all-out parties into places where I can bring my kids to, and people of all ages, races, beliefs and genders come to learn, hear and be heard.
Through this time a lot has happened, and I’ve also witnesses the abuse of those changes and witnessed code of conducts being created with the intent to protect participants, and I’ve also seen those used against the community in order to get personal gain (social fame and online reputation mostly through stirring up problem that didn’t exist there before).
I’ve also seen an attempt from certain groups to solicit the use of code of conduct in conferences and gatherings that is “easy to use/reference” but provides a lot of restrictions and allows people who have an interest in creating problems where they didn’t exist before to do so – through these skewed code of conducts (I’ve been subjected to one of those myself as well…). One of those (the most popular one to my knowledge) was created and is being pushed around by the Ada Initiative.

This is why we at DC9723 have adopted a code of conduct FOR the community. It’s based on the DEFCON Code of Conduct, and is also used in other conferences such as DerbyCon. It’s close to the one I have been personally been using in my “other” conference – BSidesLasVegas.

So here it is, the DC9723 Code of Conduct:
TL;DR: Be excellent to each other. Don’t be an asshole.

DC9723 provides a forum for open discussion between participants, where radical viewpoints are welcome and a high degree of skepticism is expected. However, insulting or harassing other participants is unacceptable. We want DC9723 to be a safe and productive environment for everyone. It’s not about what you look like but what’s in your mind and how you present yourself that counts at DC9723.

We do not condone harassment against any participant, for any reason. Harassment includes deliberate intimidation and targeting individuals in a manner that makes them feel uncomfortable, unwelcome, or afraid.

Participants asked to stop any harassing behavior are expected to comply immediately. We reserve the right to respond to harassment in the manner we deem appropriate, including but not limited to expulsion without refund and referral to the relevant authorities.

This Code of Conduct applies to everyone participating at DC9723 in all its formats (online, the monthly meetings, and the conferences) and everyone who’s attending it – from participants and sponsors to speakers, press, volunteers, and the DC9723 staff.

Anyone can report harassment. If you are being harassed, notice that someone else is being harassed, or have any other concerns, you can contact a DC9723 staff member/admin online or in-person.

Our staff will be happy to help participants contact venue security, local law enforcement, or otherwise assist those experiencing harassment to feel safe for the duration of the meetup.

Remember: DC9723 is what you make of it, and as a community we can create a great experience for everyone

DC9723 October 30 Meeting

DC9723 October 30 2018 Meeting
When: Tuesday 30 of October, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Digital Whisper
Reversing SR-IOV For Fun and Profit – Adir Abraham
BITSInject – Control your BITS, get SYSTEM – Dor Azouri

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Reversing SR-IOV For Fun and Profit – Adir Abraham
We are surrounded with PCIe devices everywhere. They are in charge of interconnecting extremely important and exciting functionalities inside and outside our systems.
Have you ever been wondering how to explore and reverse engineer those devices and their functionalities? SR-IOV (Single-Root I/O Virtualization) is a peripheral component interconnect (PCI) standard for sharing PCIe devices within a single computer.
In this talk, I will provide thorough background of PCIe devices and the standard. Afterwards, I will share my research experience and explain how SR-IOV PCIe devices can be reverse engineered using radare2, how to look for vulnerabilities, what information we can get and what we can learn from those findings.

BITSInject – Control your BITS, get SYSTEM – Dor Azouri
Windows’ BITS service is a middleman for your download jobs. You start a BITS job, and from that point on, BITS is responsible for the download. But what if we tell you that BITS is a careless middleman? We have uncovered the way BITS maintains its jobs queue using a state file on disk, and found a way for a local administrator to control jobs using special modifications to that file.
Comprehending this file’s binary structure allowed us to change a job’s properties (such as RemoteURL, Destination Path…) in runtime and even inject our own custom job, using none of BITS’ public interfaces. This method, combined with the generous notification feature of BITS, allowed us to run a program of our will as the LocalSystem account, within session 0. So if you wish to execute your code as NT AUTHORITY/SYSTEM and the first options that come to mind are psexec/creating a service, we now add a new option: BITSInject.
Here, we will not only introduce the practical method we formed, but also: Reveal the binary structure of the state file for you to play with, and some knowledge we gathered while researching the service flow;
We will also provide free giveaways: A one-click python tool that performs the described method; SimpleBITSServer – a pythonic BITS server; A struct definition file, to use for parsing your BITS state file.

DC9723 July 17 2018 Meeting

DC9723 July 17 2018 Meeting
When: Tuesday 17 of July, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Detecting Phishing from pDNS – Irena Damsky
CoffeeShot: Avoid Detection with Memory Injection – Asaf Aprozper
SiliVaccine: North Korea’s weapon of Mass Detection – Mark Lechtik and Michael Kajiloti

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Detecting Phishing from pDNS

Passive DNS (pDNS) have been utilized by threat researchers for several years and allow us to gather information on domain usage worldwide. Since data fidelity varies depending upon the scope, timeline, and vantage point of sensor networks, pDNS visibility provides a multitude of different and exciting results for analysts to review. In this presentation we will quickly recap DNS and pDNS, review different approaches to detecting phishing using pDNS and focus on demonstrating different heuristics and operational procedures that can help increase actual detection while minimizing false positives

CoffeeShot: Avoid Detection with Memory Injection
For the first time ever, we are introducing a framework that utilizes the usage of Java Native Access with Java. How did we take advantage of that? Well, we used this to call to interesting Windows API’s directly from Java. CoffeeShot is a framework that was designed for creating Java-based malware which bypasses most of the anti-virus vendors. CoffeeShot utilizes the features of JNA to look for a victim process, once it finds it – a shellcode will be injected directly from the Java Archive file (JAR).

Java malware like “Jrat” and “Adwind” are used by malicious adversaries day by day, more and more. Their main reason for writing malware in Java is to be evasive and avoid security products – including those that use advanced features like machine learning. To overcome the above, blue-teamers can use this framework and thereby understand their status of anti-malware weakness against Java-based malware.

On the other hand, CoffeeShot can be applied by penetration testers as well. The framework provides red-teamers a friendly toolset by allowing them to embed any shellcode in a JAR file, assisting them to avoid detection with memory injection and to PWN the target!

SiliVaccine: North Korea’s weapon of Mass Detection
Meet SiliVaccine – North Korea’s national Anti-Virus solution. SiliVaccine is deployed widely and exclusively in the DPRK, and has been continuously in development by dedicated government teams for over fifteen years. When we heard of this strange software, we were immediately driven to investigate it: it’s not every day that you can catch a glimpse of the malware landscape inside the closed garden of the DPRK’s intranet.

In this talk, we will describe how we were able to obtain a rare copy of SiliVaccine; how we reverse-engineered it, despite the hair-tearing obstacles; and what surprising discoveries we made about its program architecture — all the way down to the file scanning engine, the system level drivers, the user mode utilities, and the most bizarre and puzzling implementation details. As it turns out, there is plenty going on behind the scenes of this product, away from the public eye.

How was SiliVaccine created? Who created it? what was the game plan? We will try to shed light on these questions, and on the sheer effort that must have gone into developing this product. If there is anything we learned from this research, it’s that DPRK state-sponsored software is a secretive industry underlied by incredibly shady practices, and that if Kim Jong-Un sends you a free trial of his latest security solution, the correct answer is “thank you but no thank you”.

DC9723 June 17 2018 Meeting – Notice time and day

DC9723 June 17 2018 Meeting
When: Sunday 17 of May, 2018 from 19:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Beware of the Bashware: A new method for any malware to bypass security solutions – Gal Elbaz
Let’s talk about the community – Rhett Greenhagen

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts:
Beware of the Bashware: A new method for any malware to bypass security solutions

Up to these days, running Linux on Windows sounded like a bad joke or some fairytale story…
Well not anymore! Since Windows 10 Anniversary update, Linux subsystem was added to Windows!
Windows Subsystem for Linux (WSL) is the name of Microsoft’s feature! WSL goal is making the popular Linux “Bash” terminal available for Windows OS users, but this feature goes far beyond having the familiar Linux “Bash” it is a complete compatibility layer for running an environment that looks and behaves just like Linux.
In addition to the new technologies that came along with this brand new feature, Also a set of new and unfamiliar security issues has been added to the Windows operating system world, such issues that most of the antivirus companies and the security product nowadays cannot identify or protect against.
In this talk we will present “Bashware”, a cross platform technique that leverages the underlying mechanism of the WSL feature in order to run invisibly malicious code that bypasses the current security solutions out there.
Will talk about the limitations and challenges of our research, the design and vulnerabilities of WSL and also demonstrate a live POC of “Bashware” technique on a leading vendor in the antivirus space.

DC9723 May 2018 Meeting

DC9723 May 2018 Meeting
When: Tuesday 29 of May, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction

Fileless Malware: Now With More Files – Philip Tsukerman
Reverse Engineering assisted by Graph Databases – Ezra Caltum

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Abstracts will be provided soon.

DC9723 April 2018 Meeting

DC9723 April 2018 Meeting
When: Monday 23 of April, 2018 from 18:45 to 22:00 (NOTE IS IN MONDAY!)
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad

Abstract

WoW64 processes have a complete 32-bit subsystem inside of them, in charge of supplying the 32-bit application with everything it needs to execute. But eventually, the communication with the 64-bit environment itself is done by the 64-bit portion of the process, often ignored by security products and malware alike. Mostly, only monitoring the 32-bit subsystem is enough, but attacks such as the notorious “Heaven’s Gate” technique prove that this approach is far from perfect.
In this talk, we wish to present the possibility of hooking 64-bit API calls inside of WoW64 processes. These can serve various purposes – either intercepting the normal flow of the process execution or gaining better visibility into the process actions – while taking advantage of a “blind spot” and being virtually invisible to the normal security product and confusing to many security researchers.
The task of hooking 64-bit APIs in WoW64 processes introduces some unique challenges, which we will discuss in detail. We will present several injection methods, including a couple of novel modifications for existing ones, that enable injecting a 64-bit DLL into a WoW64 process. We will then demonstrate the adjustments we made to an out-of-the-box hooking engine to make it able to hook 64-bit APIs in the process. Some changes in new Windows versions, such as the introducing of CFG and the changes to some API functions, made this task more challenging, and we will show how we researched these and solved these issues, making this hooking technique useful on all currently available Windows versions.

Title
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

Abstract
The capabilities that C++ programming provides with the use of polymorphism are also obstacles when reverse engineering these programs.
Dynamic reverse engineering of C++ code is potentially extremely time-consuming and resource-intensive. So, what if we could automate parts of this process and even customize it to the behavior of each individual program?
C++ is known to be a knotty language, templates, lambdas, and smart and unique pointers. All of these features create a jungle of objects intended to make life easier for the programmer. But once the program is compiled, the target program is no longer what it once seemed.
Reversing C++ programs is tedious and demanding, and requires rebuilding inheritance, identifying templates and tainting program flow in order to combat the ties of function overloading and class utilization.
In my presentation I will show how we can use smart and automated tracing to shorten the process in reverse engineering C++ programs.
Rebuilding automatic vtables and virtual function calls are strong capabilities that could be easily achieved with IDAPython, as I’ll explain in my talk, in which I will also show examples for a framework created especially for this purpose.
In my presentation I present “Virtuailor”: a tailor-made framework that helps rebuild the relationships of C++ classes in the program and sew together all of the loose ends.

DC9723 March Meeting – Notice Location Change!

DC9723 March 2018 Meeting
When: 13 of March, 2018 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Stories and Tips from the Dark Side of Managing a Security Research Department in a Start-Up – Irena Damsky & Omri Moyal
Unblockable Chains – Is Blockchain the ultimate malicious infrastructure? – Omer Zohar

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title
Unblockable Chains – Is Blockchain the ultimate malicious infrastructure? – Omer Zohar

Abstract
In this principal research, we investigate the possibilities blockchain technologies pose as an infrastructure for malicious operations. We will demonstrate a POC of a fully functional C&C infrastructure on top of the Ethereum network – the second largest public blockchain which also acts as a distributed computing platform featuring a smart contract functionality.

As Blockchain technologies gain more traction in recent years, it brings promise of creating a decentralized, distributed and transparent economy which aim to disrupt our current centric organizational structures and reduce middlemen.
Notoriously, crypto coins have been the currency of choice on the dark web for conducting illegal transactions. But what about the underlying technology, the Blockchain? Could a distributed, public, popular, global ledger be [ab]used as the infrastructure for the ultimate command and control mechanism?

Managing a botnet is a problem in distributed computing. Once infected, a host must be able to discover, reach and maintain communication with its operator over long periods. Over the years much effort has been made to perfect these capabilities to avoiding detection, maintain anonymity and resist take downs. From plain old HTTP requests, through DIY TCP protocols and encryption, up to fancy P2P networks, DGAs, Fast Flux and cloud service use. While all these techniques have varying degree of resilience and covertness, all are vulnerable to take down once network topology has been determined. Can blockchain turn this around?

In this talk, which will include many code examples and a live demo, we will discuss:

How can the blockchain solves the ‘first contact’ problem?
How to cope with the fact that all data, code and transactions are publicly visible on the blockchain?
What is the footprint of running a blockchain node on the client and how to minimize resources?
Cost analysis: Is it feasible financially to run a botnet at scale on top of a blockchain?
Is it takedown resilient? Can an adversary interrupt or take over the network? Or cause its resources (ether) to deplete? What are the design pitfalls to mitigate such concerns?
What information will be revealed to someone tracking the bot? how do you deal with it?
Does it scale?

Finally, we will try to offer possible mitigations and detection methods.

Title
Stories and Tips from the Dark Side of Managing a Security Research Department in a Start-Up – Irena Damsky & Omri Moyal

Abstract
TBD

DC9723 February 2018 Meeting

DC9723 February 2018 Meeting
When: 27 of February, 2018 from 18:45 to 22:00
Where: SafeBreach Offices in Tel-Aviv (Yosef Karo 18, 4th floor, Tel Aviv.)

Agenda:

Brief Introduction
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman
Get Rich or Die Trying – Mark Lechtik, Or Eshed

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title:
No Win32_Process Needed: Expanding the WMI Lateral Movement Arsenal – Phillip Tsukerman

Abstract:

For quite some time now, WMI has resided in the main roster of techniques used by threat actors to perform lateral movement between endpoints. Despite the vast scope of classes and methods available through WMI, attackers moving laterally seem to rely almost exclusively on the “Create” method of the “Win32_Process” class , diving further into the depths of the WMI model only to perform reconnaissance and establish persistence.

This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution, using only pure-WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host and network-based methods of detection without using the notorious Win32_Process class.

The talk will also describe the strengths and weaknesses and provide detection methods for every technique described.

Title:
Get Rich or Die Trying – Mark Lechtik, Or Eshed

Abstract:

In a World where oil is scarce and people click mail attachments they really shouldn’t, One Man sets out on an epic journey for glory, conquest, and other people’s money. So begins the amazing tale of the “Oil bot” campaign: a tale of a single man who ran a sting operation on a good share of the industrial sector, armed with nothing but his supply of off-the-shelf RATs, his very subpar OPSEC standards, and his Nigerian hutzpah. The talk will follow the entire course of Check Point’s investigation into this affair – from the few emails that didn’t add up, through the campaign’s not-so-intricate C&C infrastructure, to the point where we were inside the campaign, looking at all the incredulous details. How do you scam people into scamming other people? What leads a fraudster to leave a trail of incriminating footprints?

And what does a Nigerian scammer want with an energy company, anyway? One thing’s for sure: In this brave new world, the Nigerian prince is no longer happily calling to inform you that you should transfer your money to them; it is you who is angrily calling your bulk provider, asking where all your money went.