DC9723 February 26 2019 Meeting
When: Tuesday 26 of February, 2019 from 18:45 to 22:00
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)
Agenda:
Brief Introduction
Deep hacking the automotive cyberspace – Uri Bear
Sneaking Past Device Guard – Philip Tsukerman
As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to youtube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org/
*We need more talks, please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org
Abstracts:
Title: Deep hacking the automotive cyberspace – Uri Bear
Abstract:
Connected cars are the future, it just makes sense, doesn’t it? But as cars connect, there is the increased potential for security risks.
Automation, AI, Machine learning and plain old style ECU’s contain an ever increasing computation load, an incredibly expanding code base, old and new sensors and algorithms – How do hackers approach all of these?
A person skilled in reverse engineering and armed with certain tools may be able to eavesdrop on automotive control data. Even more, an advanced hacker could interfere, interact, and modify both the ECU itself and the data flowing across its wires.
The cybersecurity landscape is rapidly evolving and the ecosystems are continuously innovating to advance security for devices of all types. The automotive industry is being driven towards a quest for a higher level of security, due to the current plethora of applications, media files, and user inputs available in its systems.
In this presentation, I will present:
• An introduction to automotive computing environment from a hacker’s point of view.
• Why is secure hardware a must-have?
• Case study: Hacking a car, near or far.
o Hacking hardware.
o Hacking software.
Many solutions exist, many are offered, hack yourself to know which are good enough for you.
Title: Sneaking Past Device Guard – Philip Tsukerman
Abstract:
DeviceGuard is the newest application whitelisting feature in Windows 10. I will dive into the internals of various parts of the feature, and provide various new ways of subverting in different contexts. New execution techniques, accidental AMSI bypasses and other fun bonuses will also be included!
Device Guard (or WDAC) Is an application whitelisting feature on Windows 10 systems that allows only approved executables, libraries, and scripts to run, even under administrator users. Seemingly, the only way to run unsigned code without specific RCE vulnerabilities would require an administrator to turn the feature off and restart the machine.
This talk will exhibit rarely discussed and novel techniques to bypass Device Guard, some requiring admin access, some requiring Microsoft Office (but no user interaction), and one available under low privileges and using nothing but native OS executables. All techniques presented will eventually allow an attacker to run arbitrary code without disabling Device Guard. As of now, Microsoft decided not to service most of these techniques with an update (except for one which was serviced as CVE-2018-8417).
During the the talk, we’ll dive in to the various ways the feature is implemented under different contexts, and explore the internals of Windows scripting engines and their host processes to understand how some popular techniques (and some of the ones shown in the talk) are able to bypass Device Guard