#RomHack2019 Program

28th of September 2019

Attack and Defense

10:30 - 10:45
Event opening

10:45 - 11:30
Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it
Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a secure SSO and authorization experience between unrelated servers/services. The OAuth 2.0 authorization framework enables 3rd party apps to obtain discretionary access to a web service. Built on top of OAuth, OpenID Connect is a helpful "identity layer" that provides developers with a framework to build an authentication system.
In this race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers.
In this talk we will discuss common malpractices that "relying party" and "authorization service provider" developers perform when implementing OAuth/OpenID based solutions. We will learn the attacks that can follow from them and their mitigations.

Topic: Attack

11:30 - 12:15
Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs
We found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a "magic" backdoor was found that allows changing any user's password with no credentials required! To show how bad things can go, we will demonstrate gaining a root shell from the only exposed HTTPS port, covertly weaponizing the server against its owner, and abusing a hidden feature to take over all VPN clients!

Topic: Attack

12:15 - 13:00
Reverse engineering of IoT devices: hack a home router
The firmware reverse engineering of IoT devices is described with an example on a home router. The process is based on information gathering about hardware and software; on building a debugging-friendly emulation environment based on QEMU, with a kernel and a root file system built with Buildroot; and on techniques to analyse, hack, reverse engineer and modify the firmware.

Topic: Attack

13:00 - 14:30
Lunch

14:30 - 15:15
Red teaming: from badge to domain
While speaking about "Red Teaming" is cool and plenty of companies announce, on their website, that they provide this kind of service, more often than not what is delivered is nothing more than a penetration test (on steroids).
We spent nearly six months preparing a real red teaming activity, both technically and legally, and then delivered it in a time frame of two months.
During this talk we want to share our experience, the details to care about and also some funny anecdotes.

Topic: Attack

15:15 - 16:00
How to impress your management when you are an Active Directory noob?
Being appointed by the top management to secure the Active Directory of a multinational, I faced difficulties with IT admins. Especially when you deal with mergers, acquisitions and companies located in other countries!
So I had to develop my own tool to collect information without involving the admins. It started with collecting trust information of my domain (which admins were reluctant to give) and over time I added more and more information.
This talk will focus on the experience I gathered in the field to protect a very complex, multi-domain environment, and I'll present the result of my research: the tool PingCastle.

Topic: Defense

16:00 - 16:45
SAFE: Self Attentive Function Embedding for Binary Similarity
Deep Learning has been shown to be very effective when applied to binary analysis. In this talk we will present SAFE, an open source tool using a recurrent neural network to create similarity-preserving vectorial representations of binary functions (the so-called embeddings).
Using them, it is possible to detect whether two functions are similar or not, so embeddings can be a useful support for reverse engineering.
As an example, they make it possible to identify library functions inside a binary even if we don't have access to the exact compiled version of the linked library. Moreover, embeddings can also be used as a signature for vulnerability discovery and malware hunting.
Finally, embeddings make it possible to identify the behaviour of a function, such as encryption.

Topic: Defense

16:45 - 17:00
Final greetings

19:00 - 24:00
Capture The Flag

Cyber Saiyan

Cyber Saiyan is the non-profit organization that organizes RomHack.