{ "id": "7e3977b0-da12-4a20-93d5-93d426c665c4", "created_at": "2026-04-06T02:11:39.346414Z", "updated_at": "2026-04-10T03:36:13.962546Z", "deleted_at": null, "sha1_hash": "bb9408aa613c7d6652eb0f6260337fe1805f0001", "title": "Black Hat USA 2016", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 462962, "plain_text": "Black Hat USA 2016\r\nArchived: 2026-04-06 01:55:24 UTC\r\nbriefings - august 3 \u0026 4\r\nKeynote\r\nThe Hidden Architecture of our Time: Why This Internet Worked How We Could\r\nLose It and the Role Hackers Play\r\nWhat we call the Internet, was not our first attempt at making a global data network that spanned the globe. It was\r\njust the first one that worked.\r\nWhy?\r\nIn this talk, I'll lay out what I see as how the Internet actually works. It's increasingly likely that there will be\r\nattempts to *change* the principles of the net, and the reality is that widespread hacking is the exact sort of force\r\nthat brought us this working-ish system in the first place.\r\nWe need to talk about the values of cryptography, of open software and networks, of hackers being a force for\r\nmeasurable good. We need to talk about how infrastructure like DNS -- it was there 25 years ago, we can imagine\r\nit will be there 25 years from now -- acts as foundation for future development in a way that the API of the hour\r\ndoesn't.\r\nThings do need to be better, and we need to talk about the role of Government in that. The things that need to be\r\nbetter are technical in nature, and guide research priorities that are outright not being addressed at present.\r\nEssentially, I'd like to provide a model for comprehending the Internet as it stands, that prevents harm to it (how\r\nmuch could we have used EC2 if SSH was illegal) while providing the useful resources to promote its continued\r\noperation.\r\nWe can't keep screwing this up forever. NTIA has noted half (!) of the population warily backing away. Let's talk\r\nabout how it really works, so we can discuss how we can do it better.\r\nBriefings\r\n$hell on Earth: From Browser to System Compromise\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 1 of 66\n\nThe winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software\r\nexploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via\r\nthe browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft\r\nWindows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in\r\nprevious contests.\r\nThis presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities)\r\ndemonstrated at this year's Pwn2Own contest. We will cover topics such as modern browser exploitation, the\r\ncomplexity of kernel Use-After-Free exploitation, and the simplicity of exploiting logic errors and directory\r\ntraversals in the kernel. We will analyze all attack vectors, root causes, exploitation techniques, and possible\r\nremediations for the vulnerabilities presented.\r\nReducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface\r\nremains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise. Kernel\r\nexploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't\r\nget enough of it; it's shell on earth.\r\n \r\n1000 Ways to Die in Mobile OAuth\r\nOAuth has become a highly influential protocol due to its swift and wide adoption in the industry. The initial\r\nobjective of the protocol was specific: it serves the authorization needs for websites. However, the protocol has\r\nbeen significantly repurposed and re-targeted over the years: (1) all major identity providers, e.g., Facebook,\r\nGoogle and Microsoft, have re-purposed OAuth for user authentication; (2) developers have re-targeted OAuth to\r\nthe mobile platforms, in addition to the traditional web platform. Therefore, we believe that it is necessary and\r\ntimely to conduct an in-depth study to demystify OAuth for mobile application developers.\r\nOur work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify\r\nwhat might be ambiguous or unspecified for mobile developers; (2) a field-study of over 600 popular mobile\r\napplications that highlights how well developers fulfill the authentication and authorization goals in practice. The\r\nresult is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly\r\nimplemented and thus vulnerable. In the paper, we pinpoint the key portions in each OAuth protocol flow that are\r\nsecurity critical, but are confusing or unspecified for mobile application developers. We then show several\r\nrepresentative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been\r\ncommunicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some\r\nhave applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear\r\nguidelines for OAuth usage in mobile applications\r\n \r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 2 of 66\n\nA Journey from JNDI/LDAP Manipulation to Remote Code Execution Dream\r\nLand\r\nJNDI (Java Naming and Directory Interface) is a Java API that allows clients to discover and look up data and\r\nobjects via a name. These objects can be stored in different naming or directory services such as RMI, CORBA,\r\nLDAP, or DNS.\r\nThis talk will present a new type of vulnerability named \"JNDI Reference Injection\" found on malware samples\r\nattacking Java Applets (CVE-2015-4902). The same principles can be applied to attack web applications running\r\nJNDI lookups on names controlled by attackers. As we will demo during the talk, attackers will be able to use\r\ndifferent techniques to run arbitrary code on the server performing JNDI lookups.\r\nThe talk will first present the basics of this new vulnerability including the underlying technology, and will then\r\nexplain in depth the different ways an attacker can exploit it using different vectors and services. We will focus on\r\nexploiting RMI, LDAP and CORBA services as these are present in almost every Enterprise application.\r\nLDAP offers an alternative attack vector where attackers not able to influence the address of an LDAP lookup\r\noperation may still be able to modify the LDAP directory in order to store objects that will execute arbitrary code\r\nupon retrieval by the application lookup operation. This may be exploited through LDAP manipulation or simply\r\nby modifying LDAP entries as some Enterprise directories allow.\r\n \r\nA Lightbulb Worm?\r\nCould a worm spread through a smart light network? This talk explores the idea, and in particular dives into the\r\ninternals of the Philips Hue smart light system, and details what security has been deployed to prevent this.\r\nExamples of hacking various aspects of the system are presented, including how to bypass encrypted bootloaders\r\nto read sensitive information. Details on the firmware in multiple versions of the Philips Hue smart lamps and\r\nbridges are discussed. This talk concentrates on examples of advanced techniques used in attacking IoT/embedded\r\nhardware devices.\r\n \r\nA Retrospective on the Use of Export Cryptography\r\nTLS has experienced three major vulnerabilities stemming from \"export-grade\" cryptography in the last year---\r\nFREAK, Logajm, and Drown. Although regulations limiting the strength of cryptography that could be exported\r\nfrom the United States were lifted in 1999, and export ciphers were subsequently deprecated in TLS 1.1, Internet-http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 3 of 66\n\nwide scanning showed that support for various forms of export cryptography remained widespread, and that\r\nattacks exploiting export-grade cryptography to attack non-export connections affected up to 37% of browser-trusted HTTPS servers in 2015. In this talk, I'll examine the technical details and historical background for all\r\nthree export-related vulnerabilities, and provide recent vulnerability measurement data gathered from over a year\r\nInternet-wide scans, finding that 2% of browser-trusted IPv4 servers remain vulnerable to FREAK, 1% to Logjam,\r\nand 16% to Drown. I'll examine why these vulnerabilities happened, how the inclusion of weakened cryptography\r\nin a protocol impacts security, and how to better design and implement cryptographic protocols in the future.\r\nHaving been involved in the discovery of all three export vulnerabilities, I'll distill some lessons learned from\r\nmeasuring and analyzing export cryptography into recommendations for technologists and policymakers alike,\r\nand provide a historical context for the current \"going dark'' and Apple vs. FBI debate.\r\nAbusing Bleeding Edge Web Standards for AppSec Glory\r\nThrough cooperation between browser vendors and standards bodies in the recent past, numerous standards have\r\nbeen created to enforce stronger client-side control for web applications. As web appsec practitioners continue to\r\nshift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of\r\ndefense for attack patterns previously accepted as risks. With the most basic controls complete, attention is\r\nshifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side,\r\nstandards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning\r\n(HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders\r\nsupporting legacy applications actively make trade-offs between implementing the latest standards versus\r\naccepting risks simply because of the increased risks newer web standards pose.\r\nIn this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation\r\nstrategies and compromises which may make these standards more accessible to builders and defenders\r\nsupporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover\r\npreviously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the\r\nemergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during\r\nour research for this talk (which will hopefully be mitigated by d-day).\r\nAccess Keys Will Kill You Before You Kill the Password\r\nAWS users, whether they are devops in a startup or system administrators tasked with migrating an enterprise\r\nservice into the cloud, interact on a daily basis with the AWS APIs, using either the web console or tools such as\r\nthe AWS CLI to manage their infrastructure. When working with the latter, authentication is done using long-lived\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 4 of 66\n\naccess keys that are often stored in plaintext files, shared between developers, and sometimes publicly exposed.\r\nThis creates a significant security risk as possession of such credentials provides unconditional and permanent\r\naccess to the AWS API, which may yield catastrophic events in case of credentials compromise. This talk will\r\ndetail how MFA may be consistently required for all users, regardless of the authentication method. Furthermore,\r\nthis talk will introduce several open-source tools, including the release of one new tool, that may be used to allow\r\npainless work when MFA-protected API access is enforced in an AWS account.\r\nAccount Jumping Post Infection Persistency \u0026 Lateral Movement in AWS\r\nThe widespread adoption of AWS as an enterprise platform for storage, computing and services makes it a\r\nlucrative opportunity for the development of AWS focused APTs. We will cover pre-infection, post-infection and\r\nadvanced persistency techniques on AWS that allows an attacker to access staging and production environments,\r\nas well as read and write data and even reverse its way from the cloud to the the corporate datacenter.\r\nThis session will cover several methods of infection including a new concept - \"account jumping\" for taking over\r\nboth PaaS (e.g. ElasticBeans) and IaaS (EC2, EC2 Containers) resources, discussing poisoned AMIs, dirty account\r\ntransfer, as well as leveraging S3 and CloudFront for performing AWS specific credentials thefts that can easily\r\nlead to full account access. We will then discuss the post-infection phase and how attackers can manipulate AWS\r\nresources (public endpoints like EC2 IPS, Elastic IPS, load balancers and more) for complete MITM attacks on\r\nservices. We will demonstrate how attackers code can be well hidden via Lambda functions, some cross zone\r\nreplication configuration and the problem with storage affinity to a specific account. We'll examine hybrid\r\ndeployments from the cloud and compromising the on premise datacenter by leveraging and modifying\r\nconnectivity methods (HW/SW VPN, Direct connect or cloud hub). Finally, we'll end with a discussion on best\r\npractices that can be used to protect from such attacks such as bastion SSH/RDP gateways, understanding the\r\nvalue of CASB based solutions and where they fit, leverage audit and HSM capabilities in AWS as well as looking\r\nat different Isolation approaches to create isolation between administrators and the cloud while still providing\r\naccess to critical services.\r\n \r\nAdaptive Kernel Live Patching: An Open Collaborative Effort to Ameliorate\r\nAndroid N-Day Root Exploits\r\nAlthough 0-day exploits are dangerous, we have to admit that the largest threat for Android users are kernel\r\nvulnerabilities that have been disclosed but remain unfixed. Having been in the spotlight for weeks or even\r\nmonths, these kernel vulnerabilities usually have clear and stable exploits; therefore, underground businesses\r\ncommonly utilize them in malware and APTs. The reason for the long periods of remaining unfixed is complex,\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 5 of 66\n\npartly due to the time-consuming patching and verification procedures, or possibly because the vendors care more\r\nabout innovating new products than securing existing devices. As such, there are still a lot devices all over the\r\nworld subject to root attacks. The different patching status of various vendors causes fragmentation, and vendors\r\nusually don't provide the exact up-to-date kernel source code for all devices, so it is extremely difficult to patch\r\nvulnerable devices in scale. We will provide stats of the current Android kernel vulnerability landscape, including\r\nthe device model population and the corresponding vulnerability rates. Some vulnerabilities with great impact but\r\nslow fixing progress will be discussed. The whole community strives to solve this problem, but obviously this\r\ncannot be done discretely with limited hands.\r\nIn this talk, we present an adaptive Android kernel live patching framework, which enables open and live patching\r\nfor kernels. It has the following advantages: (1) It enables online hotpatching without interrupting user-experience.\r\nUnlike existing Linux kernel hotpatching solutions, it works directly on binaries and can automatically adjust to\r\ndifferent device models with different Android kernel versions. (2) It enables third party vendors, who may not\r\naccess the exact source code of the device kernel and drivers, to perform live patching. (3) Except for the binary\r\npatching scheme, it also provides a Lua based patching scheme, which makes patch generation and delivery even\r\neasier. It also has stronger confinement. This framework saves developers from repeating the tedious and error-prone patch porting work, and patches can be provided from various vendors, thus the patch deployment period\r\ncan be greatly shortened. Only offering the power to perform adaptive live patching is not enough -- we need to\r\nregulate it just in case the hotpatches introduce further vulnerabilities and backdoors. So, a special alliance with\r\nmembership qualification is formed. Only those selected vendors can provide patches and audit patches submitted\r\nfrom other alliance members. Furthermore, we will build a reputation ranking system for the patch providers, a\r\nmechanism similar to app stores. The Lua based patching scheme can provide even more restrictive regulations\r\nupon the operations of patches. Finally, this framework can be easily extended and applied to general Linux\r\nplatforms. We believe that improving the security of the whole ecosystem is not a dream of our own. We call for\r\nmore and more parties to join in this effort to fight the evils together.\r\n \r\nAdvanced CAN Injection Techniques for Vehicle Networks\r\nThe end goal of a remote attack against a vehicle is physical control, usually by injecting CAN messages onto the\r\nvehicle's network. However, there are often many limitations on what actions the vehicle can be forced to perform\r\nwhen injecting CAN messages. While an attacker may be able to easily change the speedometer while the car is\r\ndriving, she may not be able to disable the brakes or turn the steering wheel unless the car she is driving meets\r\ncertain prerequisites, such as traveling below a certain speed. In this talk, we discuss how physical, safety critical\r\nsystems react to injected CAN messages and how these systems are often resilient to this type of manipulation. We\r\nwill outline new methods of CAN message injection which can bypass many of these restrictions and demonstrate\r\nthe results on the braking, steering, and acceleration systems of an automobile. We end by suggesting ways these\r\nsystems could be made even more robust in future vehicles.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 6 of 66\n\nAirBnBeware: Short Term Rentals Long Term Pwnage\r\nWhat's scarier, letting HD Moore rent your house and use your home network for day or being the very next renter\r\nthat uses that network? With the colossal growth of the vacation rental market over the last five years (AirBnb,\r\nHomeAway), travellers are now more vulnerable than ever to network based attacks targeted at stealing personal\r\ninformation or outright pwnage. In 2006, the security industry desperately warned of the dangers of using public\r\nWi-Fi at coffee shops. In 2010, we reshaped the conversation around the frightful security of Internet provided at\r\nhotels. And now, in 2016, we will start a new battle cry against the abysmal state of network security enabled by\r\nshort term rentals. Both renters and property owners have a serious stake in this game. Whether you're renting a\r\nroom in a foreign city to attend a conference or you're profiting off of your own empty domicile, serious risks\r\nabound: MitM traffic hi-jacking, accessing illegal content, device exploitation, and more. Common attacks and\r\ntheir corresponding defenses (conventional or otherwise) will be discussed, with a strong emphasis on practicality\r\nand simplicity. This talk will contain demos of attacks, introduce atypical hardware for defense, and encourage\r\naudience participation.\r\nAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does\r\nIt\r\nIn Windows 10, Microsoft introduced the AntiMalware Scan Interface (AMSI) which is designed to target script-based attacks and malware. Script-based attacks have been lethal for enterprise security and with advent of\r\nPowerShell, such attacks have become increasingly common. AMSI targets malicious scripts written in\r\nPowerShell, VBScript, JScript etc. and drastically improves detection and blocking rate of malicious scripts.\r\nWhen a piece of code is submitted for execution to the scripting host, AMSI steps in and the code is scanned for\r\nmalicious content. What makes AMSI effective is, no matter how obfuscated the code is, it needs to be presented\r\nto the script host in clear text and unobfuscated. Moreover, since the code is submitted to AMSI just before\r\nexecution, it doesn't matter if the code came from disk, memory or was entered interactively. AMSI is an open\r\ninterface and MS says any application will be able to call its APIs. Currently, Windows Defender uses it on\r\nWindows 10. Has Microsoft finally killed script-based attacks? What are the ways out? The talk will be full of live\r\ndemonstrations.\r\nAn AI Approach to Malware Similarity Analysis: Mapping the Malware Genome\r\nWith a Deep Neural Network\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 7 of 66\n\nIn recent years, cyber defenders protecting enterprise networks have started incorporating malware code sharing\r\nidentification tools into their workflows. These tools compare new malware samples to a large databases of known\r\nmalware samples, in order to identify samples with shared code relationships. When unknown malware binaries\r\nare found to share code \"fingerprints\" with malware from known adversaries, they provides a key clue into which\r\nadversary is generating these new binaries, thus helping develop a general mitigation strategy against that family\r\nof threats. The efficacy of code sharing identification systems is demonstrated every day, as new family of threats\r\nare discovered, and countermeasures are rapidly developed for them.\r\nUnfortunately, these systems are hard to maintain, deploy, and adapt to evolving threats. First and foremost, these\r\nsystems do not learn to adapt to new malware obfuscation strategies, meaning they will continuously fall out of\r\ndate with adversary tradecraft, requiring, periodically, a manually intensive tuning in order to adjust the formulae\r\nused for similarity between malware. In addition, these systems require an up to date, well maintained database of\r\nrecent threats in order to provide relevant results. Such a database is difficult to deploy, and hard and expensive to\r\nmaintain for smaller organizations. In order to address these issues we developed a new malware similarity\r\ndetection approach. This approach, not only significantly reduces the need for manual tuning of the similarity\r\nformulate, but also allows for significantly smaller deployment footprint and provides significant increase in\r\naccuracy. Our family/similarity detection system is the first to use deep neural networks for code sharing\r\nidentification, automatically learning to see through adversary tradecraft, thereby staying up to date with adversary\r\nevolution. Using traditional string similarity features our approach increased accuracy by 10%, from 65% to 75%.\r\nUsing an advanced set of features that we specifically designed for malware classification, our approach has 98%\r\naccuracy. In this presentation we describe how our method works, why it is able to significantly improve upon\r\ncurrent approaches, and how this approach can be easily adapted and tuned to individual/organization needs of the\r\nattendees.\r\nAn Inconvenient Trust: User Attitudes Toward Security and Usability Tradeoffs\r\nfor Key-Directory Encryption Systems\r\nMany critical communications now take place digitally, but recent revelations demonstrate that these\r\ncommunications can often be intercepted. To achieve true message privacy, users need end-to-end message\r\nencryption, in which the communications service provider is not able to decrypt the content. Historically, end-to-end encryption has proven extremely difficult for people to use correctly, but recently tools like Apple's iMessage\r\nand Google's End-to-End have made it more broadly accessible by using key-directory services. These tools (and\r\nothers like them) sacrifice some security properties for convenience, which alarms some security experts, but little\r\nis known about how average users evaluate these tradeoffs. In a 52-person interview study, we asked participants\r\nto complete encryption tasks using both a traditional key-exchange model and a key-directory-based registration\r\nmodel. We also described the security properties of each (varying the order of presentation) and asked participants\r\nfor their opinions. We found that participants understood the two models well and made coherent assessments\r\nabout when different tradeoffs might be appropriate. Our participants recognized that the less-convenient\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 8 of 66\n\nexchange model was more secure overall, but found the security of the registration model to be \"good enough\" for\r\nmany everyday purposes.\r\n \r\nAn Insider's Guide to Cyber-Insurance and Security Guarantees\r\n$75 billion. That's the amount of money businesses, governments, and individuals pay every year to security\r\ncompanies. While some security companies provide good value, the reality is the number of incidents are still\r\ngetting worse and more frequent. Hundreds of millions of people have had their personal information stolen,\r\nbusinesses all over the world are losing intellectual property, and financial fraud is in the billions of dollars. These\r\nstories are constant, seemingly never-ending, and customers are tired of it. They are even apathetic to the degree\r\nthat customers are turning to cyber-insurance as an alternative to breach prevention. We know this because cyber-insurance is a thing. In fact, cyber-insurance is a skyrocketing business that is already influencing every area of\r\nthe information security industry. This rise of cyber-insurance has also provided a new way for security vendors to\r\nhelp their customers. A way for them to make a real positive impact, differentiate themselves, and align their\r\nincentives to that of their own customers - I'm talking about security guarantees.\r\nSecurity guarantees or guaranteeing security is almost a taboo subject in the industry. As skeptics are quick to\r\npoint out, nothing is 100% secure. Everything can be hacked. They're technically right, of course, but they're also\r\nmissing the bigger picture. Just like we all buy electronics, cars, tools, or toys for the kids, all of these items\r\nsometimes break - yet, every manufacturer still provides some kind of guarantee. Most often, at least a\r\nreplacement, a manufacture can do this because they know how often their product breaks. If every other major\r\nindustry in the world can do it, the security industry can too! And while many InfoSec practitioners are not yet\r\naware of this, a few security vendors are already offering security guarantees. From private conversations, at least\r\na half dozen or more are actively working with cyber-insurers and creating security guarantee programs of their\r\nown. Many of our peers are investing their time in this space as well. In not too long, security guarantees will\r\nbecome common.\r\nInfoSec practitioners who want to get a head start, or even a leg up, in cyber-insurance and security guarantees -\r\nthis presentation is just for you. Also, one does not simply launch a security guarantee program. A great many\r\nthings must be discussed, analyzed, and accounted for first. The business model of the program must be carefully\r\ndesigned, product efficacy must be measured, risk calculated, lawyers consulted, impact on financial accounting\r\nrules understood, liability reinsured, and more. Security vendors, if you're interested in how to go about creating a\r\nsecurity guarantee program of your own, I'll be providing several helpful tools and a process. And business\r\nmanagers who would like to understand the landscape and how security guarantees are a great help in the purchase\r\nprocess, this talk is also for you.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 9 of 66\n\nAnalysis of the Attack Surface of Windows 10 Virtualization-Based Security\r\nIn Windows 10, Microsoft introduced virtualization-based security (VBS), the set of security solutions based on a\r\nhypervisor. In this presentation, we will talk about details of VBS implementation and assess the attack surface - it\r\nis very different from other virtualization solutions. We will focus on the potential issues resulting from the\r\nunderlying platform complexity (UEFI firmware being a primary example).\r\nBesides a lot of theory, we will also demonstrate actual exploits: one against VBS itself and one against vulnerable\r\nfirmware. The former is non-critical (provides bypass of one of VBS features), the latter is critical.\r\nBefore attending, one is encouraged to review the two related talks from Black Hat USA 2015: \"Battle of the\r\nSKM and IUM: How Windows 10 Rewrites OS Architecture\" and \"Defeating Pass-the-Hash: Separation of\r\nPowers.\"\r\n \r\nApplied Machine Learning for Data Exfil and Other Fun Topics\r\nMachine learning techniques have been gaining significant traction in a variety of industries in recent years, and\r\nthe security industry is no exception to it's influence. These techniques, when applied correctly, can help assist in\r\nmany data driven tasks to provide interesting insights and decision recommendations to analyst. While these\r\ntechniques can be powerful, for the researchers and analyst who are not well versed in machine learning, there can\r\nexist a gap in understanding that may prevent them from looking at and applying these tools to problems machine\r\nlearning techniques could assist with.\r\nThe goal of this presentation is to help researchers, analyst, and security enthusiast get their hands dirty applying\r\nmachine learning to security problems. We will walk the entire pipeline from idea to functioning tool on several\r\ndiverse security related problems, including offensive and defensive use cases for machine learning. Through\r\nthese examples and demonstrations, we will be able to explain in a very concrete fashion every step involved to tie\r\nin machine learning to the specified problem. In addition, we will be releasing every tool built, along with source\r\ncode and related datasets, to enable those in attendance to reproduce the research and examples on their own.\r\nMachine learning based tools that will be released with this talk include an advanced obfuscation tool for data\r\nexfiltration, a network mapper, and command and control panel identification module.\r\nAttacking SDN Infrastructure: Are We Ready for the Next-Gen Networking?\r\nSoftware-Defined Networking (SDN), by decoupling the control logic from the closed and proprietary\r\nimplementations of traditional network devices, allows researchers and practitioners to design new innovative\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 10 of 66\n\nnetwork functions/protocols in a much easier, more flexible, and powerful way. This technology has gained\r\nsignificant attentions from both industry and academia, and it is now at its adoption stage. When considering the\r\nadoption of SDN, the security vulnerability assessment is an important process that must be conducted against any\r\nsystem before the deployment and arguably the starting point toward making it more secure.\r\nIn this briefing, we explore the attack surface of SDN by actually attacking each layer of SDN stack. The SDN\r\nstack is generally composed of control plane, control channel and data plane: The control plane implementations,\r\nwhich are commonly known as SDN controllers or Network OS, implementations are commonly developed and\r\ndistributed as an open-source project. Of those various Network OS implementations, we attack the most\r\nprevalent ones, OpenDaylight (ODL) [1] and Open Network Operating System (ONOS) [2]. These Network OS\r\nprojects are both actively led by major telecommunication and networking companies, and some of the companies\r\nhave already deployed them to their private cloud or network [3, 4]. For the control channel, we also attack a well-known SDN protocol [5], OpenFlow. In the case of the data plane, we test some OpenFlow-enabled switch device\r\nproducts from major vendors, such as HP and Pica8.\r\nOf the attacks that we disclose in this briefing, we demonstrate some of the most critical attacks that directly affect\r\nthe network (service) availability or confidentiality. For example, one of the attack arbitrarily uninstalls crucial\r\nSDN applications running on an ODL(or ONOS) cluster, such as routing, forwarding, or even security service\r\napplications. Another attack directly manipulates logical network topology maintained by an ODL(or ONOS)\r\ncluster to cause network failures. In addition, we also introduce some of the SDN security projects. We briefly go\r\nover the design and implementation of Project Delta, which is an official open-source SDN penetration testing\r\ntool pushed forward by Open Networking Foundation Security group, and Security-Mode ONOS, a security\r\nextension that protects the core of ONOS from the possible threats of untrusted third-party applications.\r\nReferences [1] Medved, Jan, et al. \"Opendaylight: Towards a model-driven sdn controller architecture.\" 2014\r\nIEEE 15th International Symposium on. IEEE, 2014. [2] Berde, Pankaj, et al. \"ONOS: towards an open,\r\ndistributed SDN OS.\"Proceedings of the third workshop on Hot topics in software defined networking. ACM,\r\n2014. [3] Jain, Sushant, et al. \"B4: Experience with a globally-deployed software defined WAN.\" ACM\r\nSIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, 2013. [4] CORD: Reinventing Central\r\nOffices for Efficiency and Agility. http://opencord.org (2016). [5] OpenFlow. OpenFlow Switch Specification\r\nversion 1.1.0. Tech. rep., 2011. http://www.openflow.org/documents/openflow-spec-v1.1.0.pdf.\r\nAugmenting Static Analysis Using Pintool: Ablation\r\nAblation is a tool built to extract information from a process as it executes. This information is then imported into\r\nthe disassembly environment where it used to resolve virtual calls, highlight regions of code executed, or visually\r\ndiff samples. The goal of Ablation is to augment static analysis with minimal overhead or user interaction.\r\nC++ binaries can be a real pain to audit sometimes due to virtual calls. Instead of having to reverse class, object,\r\nand inheritance relationships, Ablation can resolve any observed virtual calls, and create fully interactive x-refs in\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 11 of 66\n\nIDA; Disassembled C++ reads like C!\r\nWhen augmenting analysis by importing runtime data, much of the information is displayed using a color scheme.\r\nThis allows the info to be passively absorbed making it useful, rather than obtrusive.\r\nAblation makes it simple to diff samples by and highlight where the samples diverge. This is achieved by\r\ncomparing the code executed rather than just comparing data. Consider comparing a heavily mutated crash\r\nsample, and the source sample. The root cause of the crash is normally tedious and unrewarding. Using Ablation,\r\nthe root cause can often be determined simply by running each sample, and using the appropriate color scheme.\r\nThis also means that visualizing the code coverage of a sample set becomes as simple as running each.\r\nRecent findings have indicated that highly traversed code is not particularly interesting, and code infrequently\r\nexecuted or adjacent is more interesting. Ablation could be used to identify undocumented features in a product\r\ngiven a sample set.\r\nVulnerability research is all about the details. Having this information passively displayed could be the difference\r\nbetween confusion and discovery. Ablation will be made open source at BH2016.\r\nAVLeak: Fingerprinting Antivirus Emulators for Advanced Malware Evasion\r\nAVLeak is a tool for fingerprinting consumer antivirus emulators through automated black box testing. AVLeak\r\ncan be used to extract fingerprints from AV emulators that may be used by malware to detect that it is being\r\nanalyzed and subsequently evade detection, including environmental artifacts, OS API behavioral inconsistencies,\r\nemulation of network connectivity, timing inconsistencies, process introspection, and CPU emulator \"red pills.\"\r\nEmulator fingerprints may be discovered through painstaking binary reverse engineering, or with time consuming\r\nblack box testing using binaries that conditionally choose to behave benignly or drop malware based on the\r\nemulated environment. AVLeak significantly advances upon prior approaches to black box testing, allowing\r\nresearchers to extract emulator fingerprints in just a few seconds, and to script out testing using powerful APIs.\r\nAVLeak will be demoed live, showing real world fingerprints discovered using the tool that can be used to detect\r\nand evade popular consumer AVs including Kaspersky, Bitdefender engine (licensed out to 20+ other AV\r\nproducts), AVG, and VBA. This survey of emulation detection methods is the most comprehensive examination of\r\nthe topic ever presented in one place.\r\nBad for Enterprise: Attacking BYOD Enterprise Mobile Security Solutions\r\nThe global market for Bring Your Own Device (BYOD) and enterprise mobility is expected to quadruple in size\r\nover the next four years, hitting $284 billion by 2019. BYOD software is used by some of the largest organizations\r\nand governments around the world. Barclays, Walmart, AT\u0026T, Vodafone, United States Department of Homeland\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 12 of 66\n\nSecurity, United States Army, Australian Department of Environment and numerous other organizations, big and\r\nsmall, all over the world. Enterprise Mobile Security (EMS) is a component of BYOD solutions that promises\r\ndata, device and communications security for enterprises. Amongst others, it aims to solve Data Loss, Network\r\nPrivacy and jailbreaking/rooting of devices.\r\nUsing the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely\r\nineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against\r\nEMS protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution\r\nvendors often give penetration testers, \"We do not support jailbroken devices.\" I will also introduce a\r\ngroundbreaking tool, Swizzler, to help penetration testers confronted with apps wrapped into EMS protections.\r\nThe tool conveniently automates a large amount of attacks that allows pen-testers to bypass each of the protections\r\nthat Good and similar solutions implement. In a live demonstration of Swizzler I will show how to disable\r\ntampering detection mechanisms and application locks, intercept \u0026 decrypt encrypted data, and route \"secure\"\r\nHTTP requests through BURP into established Good VPN tunnels to attack servers on an organization's internal\r\nnetwork. Swizzler will be released to the world along with my talk at Blackhat USA. Whether you are a CxO,\r\nadministrator or user, you can't afford not to understand the risks associated with BYOD.\r\n \r\nBadTunnel: How Do I Get Big Brother Power?\r\nThis presentation will introduce a new threat model. Based on this threat model, we found a flaw in the Windows\r\nsystem. It affects all Windows released in the last two decades, including Windows 10. It also has a very wide\r\nrange of attacks surface. The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office,\r\nmany third-party software, USB flash drives, and even Web server. When this flaw is triggered, YOU ARE\r\nBEING WATCHED.\r\nWe will also show you how to defend against this threat, particularly on those systems are no longer supported by\r\nMicrosoft.\r\n \r\nbadWPAD\r\nWPAD (Web Proxy Auto Discovery) is a protocol that allows computers to automatically discover Web proxy\r\nconfigurations. It is primarily used in networks where clients are only allowed to communicate to the outside\r\nthrough a proxy. The WPAD protocol has been around for almost 20 years (RFC draft 1999-07-28), but has well-known risks to it that have been largely ignored by the security community. This session will present the results of\r\nseveral experiments highlighting the flaws inherent to this badly designed protocol (WPAD), and bring attention\r\nto the many ways in which they can be easily exploited. Our research expands on these known flaws and proves a\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 13 of 66\n\nsurprisingly broad applicability of \"badWPAD\" for possible malicious use today by testing it in different\r\nenvironments. The speaker will share how his team initially deployed a WPAD experiment to test whether WPAD\r\nwas still problematic or had been fixed by most software and OS vendors. This experiment included attacks in 1)\r\nIntranets and open-access networks (e.g. Free-WIFI spots and corporate networks) and 2) DNS attacks on clients\r\nleaking HTTP requests to the internet.\r\nAttendees will hear the rather surprising results that this experiment yielded: The DNS portion of the experiment\r\nrevealed more than 38 million requests to the WPAD honeypot domain names from oblivious customers - while\r\nthe intranet Free-WIFI experiment proved that almost every second Wifi spot can be utilized as attack surface.\r\nThis test included Wifi at airport lounges, conferences, hotel and on board of aircrafts, and were amazed that\r\napparently nobody realized what their laptop was secretly requesting. It seems that this neglected WPAD flaw is\r\ngrowing, while it's commonly assumed to be fixed. The paper will be backed up by statistics and reveal why\r\nbadWPAD remains to be a major security concern and what should be done to protect against this serious risk.\r\n \r\nBehind the Scenes of iOS Security\r\nWith over a billion active devices and in-depth security protections spanning every layer from silicon to software,\r\nApple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS\r\nsecurity mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to\r\niOS 10.\r\nHomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user\r\ndata – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple\r\nWatch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic\r\ndesign and implementation of our novel secure synchronization fabric which moves confidential data between\r\ndevices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.\r\nData Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure\r\nEnclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data\r\nProtection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived\r\nkeys available to the normal Application Processor.\r\nTraditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated\r\nmitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT\r\na more difficult target.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 14 of 66\n\nBeyond the MCSE: Active Directory for the Security Professional\r\nActive Directory (AD) is leveraged by 95% of the Fortune 1000 companies for its directory, authentication, and\r\nmanagement capabilities. This means that both Red and Blue teams need to have a better understanding of Active\r\nDirectory, it's security, how it's attacked, and how best to align defenses. This presentation covers key Active\r\nDirectory components which are critical for security professionals to know in order to defend AD. Properly\r\nsecuring the enterprise means identifying and leveraging appropriate defensive technologies. The provided\r\ninformation is immediately useful and actionable in order to help organizations better secure their enterprise\r\nresources against attackers. Highlighted are areas attackers go after including some recently patched\r\nvulnerabilities and the exploited weaknesses. This includes the critical Kerberos vulnerability (MS14-068), Group\r\nPolicy Man-in-the-Middle (MS15-011 \u0026 MS15-014) and how they take advantages of AD communication.\r\nSome of the content covered:\r\nDiffering views of Active Directory: admin, attacker, and infosec.\r\nThe differences between forests and domains, including how multi-domain AD forests affect the security of\r\nthe forest.\r\nDig into trust relationships and the available security features describing how attack techniques are\r\nimpacted by implementing these trust security features.\r\nAD database format, files, and object storage (including password data).\r\nRead-Only Domain Controllers (RODCs), security impact, and potential issues with RODC\r\nimplementation.\r\nKey Domain Controller information and how attackers take advantage.\r\nWindows authentication protocols over the years and their weaknesses, including Microsoft's next-generation credential system, Microsoft Passport, and what it means for credential protection.\r\nSecurity posture differences between AD on-premises and in the cloud (Microsoft Azure AD vs Office\r\n365).\r\nKey Active Directory security features in the latest Windows OS versions - the benefits and\r\nimplementation challenges.\r\nLet's go beyond the standard MCSE material and dive into how Active Directory works focusing on the key\r\ncomponents and how they relate to enterprise security.\r\n \r\nBlunting the Phisher's Spear: A Risk-Based Approach for Defining User Training\r\nand Awarding Administrative Privileges\r\nSolving the \"people problem\" of cyber security requires us to understand why people fall victim to spear phishing.\r\nUnfortunately, the only proactive solution being used against spear phishing is user training and education. But,\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 15 of 66\n\njudging from the number of continued breaches, training appears to be limited in its effectiveness. Today's leading\r\ncybersecurity training programs focus on hooking people in repeated simulated spear phishing attacks and then\r\nshowing them the nuances in the emails they missed. This \"gotcha game\" presumes that users merely lack\r\nknowledge, and if they are told often enough and repeatedly shown what they lack, they would become better at\r\nspear phishing detection. This is akin to trying to teach people to drive by constantly causing accidents and then\r\npointing out why they had an accident each time.\r\nWe propose a radical change to this \"one-size-fits all\" approach. Recent human factors researchthe Suspicion,\r\nCognition, Automaticity Model (SCAM) [1]identifies a small set of factors that lead to individual phishing\r\nvictimization. Using the SCAM, we propose the development of an employee Cyber Risk Index (CRI). Similar to\r\nhow financial credit scores work, the CRI will provide security analysts the ability to pinpoint the weak-links in\r\norganizations and identify who is likely to fall victim, who needs training, how much training, and also what the\r\ntraining should focus on. The CRI will also allow security analysts to identify which users get administrative\r\naccess, replacing the current mostly binary, role-based apportioning method, where individuals are given access\r\nbased on their organizational role and responsibilities, with a system that is based on individuals' quantified cyber\r\nrisk propensity. The CRI based approach we present will lead to individualized, cognitive-behavioral training and\r\nan evidence-based approach to awarding users' admin privileges. These are paradigm-changing solutions that will\r\naltogether improve individual cyber resilience and blunt the effectiveness of spear phishing.\r\n \r\nBreaking FIDO: Are Exploits in There?\r\nThe state of authentication is in such disarray today that a black hat is no longer needed to wreak havoc. One\r\navenue to authentication improvement is offered by the FIDO Alliance's open specifications built around public\r\nkey cryptography. Does FIDO present a better mousetrap? Are there security soft spots for potential exploitation,\r\nsuch as man-in-the-middle attacks, exploits aimed at supporting architecture, or compromises targeting physical\r\nhardware? We will pinpoint where vulnerabilities are hidden in FIDO deployments, how difficult they are to\r\nexploit, and how enterprises and organizations can protect themselves.\r\nBreaking Hardware-Enforced Security with Hypervisors\r\nHardware-Enforced Security is touted as the panacea solution to many modern computer security challenges.\r\nWhile certainly adding robust options to the defenders toolset, they are not without their own weaknesses. In this\r\ntalk we will demonstrate how low-level technologies such as hypervisors can be used to subvert the claims of\r\nsecurity made by these mechanisms. Specifically, we will show how a hypervisor rootkit can bypass Intel's\r\nTrusted Execution Environment (TXT) DRTM (dynamic root of trust measurement) and capture keys from Intel's\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 16 of 66\n\nAES-NI instructions. These attacks against TXT and AES-NI have never been published before. Trusted\r\ncomputing has had a varied history, to include technologies such as Trusted Execution Technology (TXT), ARM\r\nTrustZone, and now Microsoft Isolated User Mode and Intel SGX. All of these technologies attempt to protect\r\nuser data from privileged processes snooping or controlling execution. These technologies claim that no elevated\r\nprocess, whether kernel based, System Management Mode (SMM) based, or hypervisor based will be able to\r\ncompromise the user's data and execution.\r\nThis presentation will highlight the age-old problem of misconfiguration of Intel TXT by exploiting a machine\r\nthrough the use of another Intel technology, the Type-1 hypervisor (VT-x). Problems with these technologies have\r\nsurfaced not as design issues but during implementation. Whether there remains a hardware weakness where\r\nattestation keys can be compromised, or a software and hardware combination, such as exposed DMA that permits\r\nexfiltration, and sometimes modification, of user process memory. This presentation will highlight one of these\r\nimplementation flaws as exhibited by the open source tBoot project and the underlying Intel TXT technology.\r\nSummation will offer defenses against all too often pitfalls when deploying these systems, including proper\r\ndeployment design using sealed storage, remote attestation, and hardware hardening.\r\nBreaking Kernel Address Space Layout Randomization (KASLR) with Intel TSX\r\nKernel hardening has been an important topic, as many applications and security mechanisms often consider the\r\nkernel their Trusted Computing Base (TCB). Among various hardening techniques, kernel address space layout\r\nrandomization (KASLR) is the most effective and widely adopted technique that can practically mitigate various\r\nmemory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as\r\nlong as no memory disclosure vulnerability exists and high randomness is ensured. In this talk, we present a novel\r\ntiming side-channel attack against KASLR, called DrK (De-randomizing Kernel address space), which can\r\naccurately, silently, and rapidly de-randomize the kernel memory layout by identifying page properties:\r\nunmapped, executable, or non-executable pages. DrK is based on a new hardware feature, Intel Transactional\r\nSynchronization Extension (TSX), which allows us to execute a transaction without interrupting the underlying\r\noperating system even when the transaction is aborted due to errors, such as access violation and page faults. In\r\nDrK, we turned this property into a timing channel that can accurately distinguish the mapping status (i.e., mapped\r\nversus unmapped) and execution status (i.e., executable versus non-executable) of the privileged address space. In\r\naddition to its surprising accuracy and precision, the DrK attack is not only universally applicable to all OSes,\r\neven under a virtualized environment, but also has no visible footprint, making it nearly impossible to be detected\r\nin practice. We demonstrate that DrK breaks the KASLR of all major OSes, including Windows, Linux, and OS X\r\nwith near-perfect accuracy in a few seconds. Finally, we propose potential hardware modifications that can\r\nprevent or mitigate the DrK attack.\r\n \r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 17 of 66\n\nBreaking Payment Points of Interaction (POI)\r\nThe payment industry is becoming more driven by security standards. However, the corner stones are still broken\r\neven with the latest implementations of these payments systems, mainly due to focusing on the standards rather\r\nthan security. The best example for that is the ability to bypass protections put in place by points of interaction\r\n(POI) devices, by simple modifying several files on the point of sale or manipulating the communication\r\nprotocols. In this presentation, we will explain the main flaws and provide live demonstrations of several\r\nweaknesses on a widely used pinpad. We will not exploit the operating system of the pinpad, but actually bypass\r\nthe application layer and the business logic protections, i.e. the crypto algorithm is secure, but everything around it\r\nis broken. As part of our demos, we will include EMV bypassing, avoiding PIN protections and scraping PANs\r\nfrom various channels.\r\nBrute-Forcing Lockdown Harddrive PIN Codes\r\nThis presentation demonstrates a method of brute-forcing an AES-256 encrypted hard drive by spoofing the front-panel keyboard. In addition to tears into the internal design of the hard drive, and extends the work by J. Czarny \u0026\r\nR. Rigo to validate the (in)security of any encrypted drive based on the MB86C311 chipset.\r\nBuilding a Product Security Incident Response Team: Learnings from the\r\nHivemind\r\nYou've received vulnerability reports in your application or product, now what? As a positive, there is an\r\nabundance of incident response guidance for network security and a number of companies that have published\r\ntheir Product Security Incident Response Team (PSIRT) process for customers at a high level. Yet there is a dearth\r\nof detailed resources on how to implement PSIRT processes for organizations that have realized that Stage 7 of the\r\nSDL process (Response). To not only build but maintain secure products, organizations need to create mechanisms\r\nenabling their incident response teams to receive and respond to product incident reports, effectively partnering\r\nwith development teams, customer support, and communications teams.\r\nThis session will be targeted at small to medium companies that have small or overstretched security teams, and\r\nwill share content and best practices to support these teams' product incident response programs. Attendees will be\r\nprovided with templates and actionable recommendations based on successful best practices from multiple mature\r\nsecurity response organizations.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 18 of 66\n\nBuilding Trust \u0026 Enabling Innovation for Voice Enabled IoT\r\nVoice enabled technology provides developers with great innovation opportunities as well as risks. The Voice\r\nPrivacy Alliance created a set of 39 Agile security stories specifically for voice enabled IoT products as part of the\r\nVoice Privacy Innovation Toolkit. These security stories help product owners and security developer focals bake\r\nsecurity into their voice enabled products to save time, money and decrease incidents and reputation damage. This\r\nis a very practical, hands-on tool for developers that the Voice Privacy Alliance believes is needed to secure voice\r\nenabled technologies and promote innovation.\r\nCall Me: Gathering Threat Intelligence on Telephony Scams to Detect Fraud\r\nRobocalling, voice phishing and caller ID spoofing are common cybercrime techniques used to launch scam\r\ncampaigns through the telephony channel that many people have long trusted. More than 660,000 online\r\ncomplaints regarding unwanted phone calls were recorded on the top six phone complaints websites in 2015.\r\nMore reliable than online complaints, a telephony honeypot provides complete, accurate and timely information\r\nabout unwanted phone calls across the United States. By tracking calling patterns in a large telephony honeypot\r\nreceiving over 600,000 calls per month from more than 90,000 unique source phone numbers, we gathered threat\r\nintelligence in the telephony channel. Leveraging this data we developed a methodology to uniquely \"fingerprint\"\r\nbad actors hiding behind multiple phone numbers and detect them within the first few seconds of a call. Over\r\nseveral months, more than 100,000 calls were recorded and several millions call records analyzed to validate our\r\nmethodology. Our results show that only a few bad actors are responsible for the majority of the spam and scam\r\ncalls and that they can be quickly identified with high accuracy using features extracted from the audio. This\r\ndiscovery has major implications for law enforcement and businesses that are presently engaged in combatting the\r\nrise of telephony fraud.\r\n \r\nCan You Trust Me Now? An Exploration into the Mobile Threat Landscape\r\nBefore we dive into specific mobile vulnerabilities and talk as if the end times are upon us, let us pop the stack\r\nand talk about how the mobile environment works as a whole. We will explore the assumptions and design\r\nparadigms of each player in the overall mobile space, along with the requirements and inheritance problems they\r\nface. The value of this approach is that it allows us to understand and couch the impacts and implications of all\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 19 of 66\n\nmobile vulnerabilities, be it bugs existing today or theoretical future vulnerabilities. The approach also allows us\r\nto catalogue all the design assumptions made and search for any generalized logical flaws that could serve as a\r\nlynchpin to undermine the entirety of mobile security and trust.\r\nThis talk focuses on the entirety of the mobile ecosystem, from the hardware components to the operating systems\r\nto the networks they connect to. We will explore the core components across mobile vendors and operating\r\nsystems, focusing on bugs, logic, and root problems that potentially effect all mobile devices. We will discuss the\r\nlimitations of mobile trusted computing and what can be done to protect both your data and the devices your data\r\nreside on. From the specific perspectives of trusted computing and hardware integrity, there are a handful of\r\nsmartphone hardware platforms on the market. OEMs are constrained to release devices based on selecting and\r\ntrusting one of these platforms. If a skilled attacker can break trust at the hardware level, the entire device\r\nbecomes compromised at a very basic (and largely undetectable) level. This talk is about how to break that trust.\r\nCANSPY: A Platform for Auditing CAN Devices\r\nIn the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars.\r\nThis is welcomed as the CAN protocol is becoming the backbone for embedded computers found in smartcars. Its\r\nuse is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance\r\ncompanies, air-pollution control from law enforcement or engine diagnostics from smartphones for instance.\r\nNonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In\r\nfact, they will do less as they do not have knowledge of upper-layer protocols.\r\nSecurity auditors are used to dealing with this kind of situation: they reverse-engineer protocols before\r\nimplementing them on top of their tool of choice. However, to be efficient at this, they need more than just being\r\nable to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications\r\nand block them, forward them or modify them on the fly. This is why, for example, a platform such as Burp Suite\r\nis popular when it comes to auditing web applications.\r\nIn this talk, we present CANSPY, a platform giving security auditors such capabilities when auditing CAN\r\ndevices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of\r\nrules or interactively using Ethernet and a packet manipulation framework such as Scapy. It is also worth noting\r\nthat it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we\r\ndemonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of\r\nauditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs\r\nin order to audit a device that connects to this very connector.\r\n \r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 20 of 66\n\nCaptain Hook: Pirating AVs to Bypass Exploit Mitigations\r\nPut a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability\r\nnotifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security\r\napplications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we\r\nuncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security\r\nmeasures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to\r\nimpact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary\r\nengines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.\r\nIn this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a\r\nclose look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This\r\nvulnerability affects the most widespread productivity applications and forced the vendor to not only fix their\r\nengine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll\r\ndemonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security\r\nmeasures.\r\n \r\nCapturing 0day Exploits with PERFectly Placed Hardware Traps\r\nThe security industry has gone to great lengths to make exploitation more difficult. Yet we continue to see\r\nweaponized exploits used in malware campaigns and targeted attacks capable of bypassing OS and vendor exploit\r\nmitigation strategies. Many of these newly deployed mitigations target code-reuse attacks like return-oriented-programming. Unfortunately, the reality is that once attackers have control over code execution it's only a matter\r\nof time before they can circumvent these defenses, as the recent rise of EMET bypasses illustrates. We propose a\r\nnew strategy to raise the bar significantly. Our approach blocks exploits before they gain execution, preventing the\r\nopportunity to bypass mitigations.\r\nThis presentation introduces a new cross-platform, hardware-assisted Control-Flow Integrity (CFI) approach to\r\nmitigate control-flow hijack attacks on the Intel architecture. Prior research has demonstrated the effectiveness of\r\nleveraging processor-provided features such as the Performance Monitoring Unit (PMU) in order to trap various\r\nevents for detecting ROP behaviors. We extend and generalize this approach by fine-tuning low-level processor\r\nfeatures that enable us to insert a CFI policy to detect and prevent abnormal branches in real-time. Our promising\r\nresults have shown this approach capable of protecting COTS binaries from control-flow hijack attempts\r\nstemming from use-after-free and memory corruption vulnerabilities with acceptable overhead on modern\r\nWindows and Linux systems.\r\nIn this talk, we will cover our research methodology, results, and limitations. We will highlight novel solutions to\r\nmajor obstacles we faced, including: proper tracking of Windows thread context swapping; configuration of PMU\r\ninterrupt delivery without tripping Microsoft's PatchGuard; efficient algorithms for discovery of valid branch\r\ndestinations in PE and ELF files at run-time; and the impact of operating in virtualized environments. The\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 21 of 66\n\neffectiveness of our approach using hardware-assisted traps to monitor program execution and enforce CFI\r\npolicies on mispredicted branches will be demonstrated in real-time. We will prevent weaponized exploits\r\ntargeting Windows and Linux x86-64 operating systems that nominally bypass anti-exploit technologies like\r\nMicrosoft's EMET tool. We will also present collected metrics on performance impact and the real-world\r\napplications of this technology.\r\n \r\nCertificate Bypass: Hiding and Executing Malware from a Digitally Signed\r\nExecutable\r\nMalware developers are constantly looking for new ways to evade the detection and prevention capabilities of\r\nsecurity solutions. In recent years, we have seen many different tools, such as packers and new encryption\r\ntechniques, help malware reach this goal of hiding the malicious code. If the security solution cannot unpack the\r\ncompressed or encrypted malicious content (or at least unpack it dynamically), then the security solution will not\r\nbe able to identify that it is facing malware. To further complicate the matter, we present a new technique for\r\nhiding malware (encrypted and unencrypted) inside a digitally signed file (while still keeping the file with a valid\r\ncertificate) and executing it from the memory, using a benign executable (which acts as a reflective EXE loader,\r\nwritten from scratch). Our research demonstrates our Certificate Bypass tool and the Reflective EXE Loader.\r\nDuring the presentation, we will focus on the research we conducted on the PE file structure. We will take a closer\r\nlook at the certificate table and how we can inject data to the table without damaging the certificate itself (the file\r\nwill still look and be treated as a valid digitally signed file). We will examine the tool we wrote to execute PE files\r\nfrom memory (without writing them to the disk). We will cover the relevant fields in the PE structure, as well as\r\nthe steps required to run a PE file directly from the memory without requiring any files on disk. Last, we will\r\nconclude the demonstration with a live example and show how we bypass security solutions based on the way\r\nthey look at the certificate table.\r\nCrippling HTTPS with Unholy PAC\r\nYou're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a\r\nsecurity conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a \"Force\r\nTLS/SSL\" browser extension). All your traffic is protected from the first byte. Or is it?\r\nWe will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration)\r\nresource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how\r\ncredentials/sessions can be stolen. We will present the concept of \"PAC Malware\" (a malware which is\r\nimplemented only as Javascript logic in a PAC resource) that features: a 2-way communication channel between\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 22 of 66\n\nthe PAC malware and an external server, contextual phishing via messages, denial-of-service options, and\r\nsensitive data extraction from URI's. We present a comprehensive browser PAC feature matrix and elaborate more\r\nabout this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.\r\nCrumbling the Supercookie and Other Ways the FCC Protects Your Internet\r\nTraffic\r\nYou've probably heard of network neutrality. In 2015, the Federal Communications Commission enacted\r\ntransformative rules that prohibit Internet service providers from blocking, throttling, or creating \"fast lanes\" for\r\nonline content. The Open Internet Order protects your right to enjoy the lawful content, applications, services, and\r\ndevices of your choosing. But it also empowers the FCC to protect the security and privacy of your Internet\r\ntraffic. This talk will give an overview of the FCC's security and privacy authorities, which now cover broadband\r\nInternet service, as well as telephone, cable, and satellite connectivity. We will explain how the FCC investigates\r\nviolations of federal communications law, and how it brings enforcement actions against offenders. In just the past\r\ntwo years, the FCC's Enforcement Bureau has initiated several high-profile law enforcement actions related to\r\nsecurity and privacy. We required Verizon to stop injecting a unique identifier \"supercookie\" into third-party web\r\nrequests, unless a customer consents. We also required AT\u0026T and Cox to improve their customer information\r\nsafeguards, after their security failures led to information on hundreds of thousands of customers getting\r\nunacceptably and unnecessarily exposed.*\r\nMost recently, the FCC formally proposed new Internet security and privacy rules. The Commission\r\nrecommended that, if your Internet service provider wants to share information from or about you, it should first\r\nobtain your affirmative, opt-in consent. We will explain how the rulemaking process functions, and how you can\r\nfile comments on FCC proceedings. We will also leave time for a Q \u0026 A session. Whether you'd like to ask about\r\nnet neutrality, robocalls, wifi router firmware (we know many of you have thoughts about that mixup!), or\r\nanything else communications related, this is your opportunity. In fact, you can even ask about your cable\r\nappointment we bet you didn't know the FCC has rules about that, too!\r\nCunning with CNG: Soliciting Secrets from Schannel\r\nSecure Channel (Schannel) is Microsoft's standard SSL/TLS Library underpinning services like RDP, Outlook,\r\nInternet Explorer, Windows Update, SQL Server, LDAPS, Skype and many third party applications. Schannel has\r\nbeen the subject of scrutiny in the past several years from an external perspective due to reported vulnerabilities,\r\nincluding an RCE. What about the internals? How does Schannel guard its secrets?\r\nThis talk looks at how Schannel leverages Microsoft's CryptoAPI-NG (CNG) to cache the master keys, session\r\nkeys, private and ephemeral keys, and session tickets used in TLS/SSL connections. It discusses the underlying\r\ndata structures, and how to extract both the keys and other useful information that provides forensic context about\r\nconnection. This information is then leveraged to decrypt a session that uses ephemeral key exchanges.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 23 of 66\n\nInformation in the cache lives for at least 10 hours by default on modern configurations, storing up to 20,000\r\nentries for client and server each. This makes it forensically relevant in cases where other evidence of the\r\nconnection may have dissipated.\r\n \r\nCyber War in Perspective: Analysis from the Crisis in Ukraine\r\nThe conflict between Russia and Ukraine appears to have all the ingredients for \"cyber war\". Moscow and Kyiv\r\nare playing for the highest geopolitical stakes, and both countries have expertise in information technology and\r\ncomputer hacking. However, there are still many skeptics of cyber war, and more questions than answers.\r\nMalicious code is great for espionage and crime, but how much does it help soldiers on the battlefield? Does\r\ncomputer hacking have strategic effects? What are the political and military limits to digital operations in\r\npeacetime and war? This NATO-funded research project, undertaken by 20 leading authorities on national security\r\nand network security, is a benchmark for world leaders and system administrators alike, and sheds light on\r\nwhether \"cyber war\" is now reality -- or still science fiction. Further, it helps decision makers to understand that\r\nnational security choices today have ramifications for democracy and human rights tomorrow.\r\n \r\nDangerous Hare: Hanging Attribute References Hazards Due to Vendor\r\nCustomization\r\nFor the purposes of tailoring the Android to different hardware platforms, countries/regions and other needs,\r\nhardware manufacturers (e.g. Qualcomm), device manufacturers, carriers and others have aggressively customized\r\nAndroid into thousands of system images. This practice has led to a highly fragmented ecosystem where the\r\ncomplicated relations among its components and apps though which one party interacts with the other have been\r\nseriously compromised. This leads to the pervasiveness of Hare (hanging attribute references e.g. package,\r\nactivity, service action names, authorities and permissions), a type of vulnerabilities never investigated before.\r\nIn this talk, we will show that such flaws could have serious security implications, that is, a malicious app can\r\nacquire critical system capabilities by pretending to be the owner of an attribute who has been used on a device\r\nwhile the party defining it does not exist due to vendor customizations. On the factory image of 97 most popular\r\nAndroid devices, we discovered 21557 likely Hare flaws, demonstrating the significant impacts of the problem\r\nfrom stealing user's voice notes, controlling the screen unlock process, replacing Google Email's account settings\r\nto injecting messages into Facebook app and Skype. We will also show a set of new techniques we developed for\r\nautomatically detecting Hare flaws within different Android versions, which can be utilized by the device\r\nmanufacturers and other parties to secure their custom OSes. And we will provide the guidance for avoiding this\r\npitfall when building future systems.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 24 of 66\n\nDark Side of the DNS Force\r\nDNS is an essential substrate of the Internet, responsible for translating user-friendly Internet names into machine-friendly IP addresses. Without DNS, it would be an impossible mission for us to navigate through the Internet. As\r\nwe have seen in recent years, DNS-based attacks launched by adversaries remain a constant lethal threat in various\r\nforms. The record-breaking 300gbps DNS amplification DDoS attack against Spamhaus presented by Cloudflare\r\nat Black Hat 2013 is still vivid in our minds. Since then (in the last 3 years), thanks to the dark force's continuous\r\ninnovations, the dark side of the DNS force is getting much more pernicious. Today, the dark side is capable of\r\nassembling an unprecedented massive attacking force of an unimaginable scale and magnitude. As an example,\r\nleveraging up to 10X of the Internet domain names, a modern DNS-based attack can easily take down any\r\npowerful online service, disrupt well-guarded critical infrastructure, and cripple the Internet, despite all the\r\nexisting security postures and hardening techniques we have developed and deployed.\r\nIn this talk, we will present and discuss an array of new secret weapons behind the emerging DNS-based attacks\r\nfrom the dark side. We will analyze the root causes for the recent surges of the Internet domain counts from 300-\r\nmillion a year ago to over 2-billion. Some real use cases will be shown to illustrate the domain surges' impact on\r\nthe Internet's availability and stability, especially with spikes up to 5-billion domains. We will focus on the\r\nevolution of random subdomain weapon which can generate a large number of queries to nonexistent fully\r\nqualified domain names such as 01mp5u89.arkhamnetwork.org and 01k5jj4u.arkhamnetwork.org to overload and\r\nknock down both authoritative name servers and cache servers along the query paths. Starting as a simple\r\nprimitive tool used to disrupt competitors' gaming sites in order to win more users among the Chinese online\r\ngaming community about five years ago, random subdomain has become one of the most powerful disruptive\r\nweapons nowadays. As the attack targets move towards more high-profile and top level domains, the random\r\nsubdomain weapon also becomes much sophisticated by blending attacking traffic with legitimate operations. It is\r\na challenge for the cyber security community to distinguish bad traffic from benign ones in a cost-effective\r\nmanner.\r\nWe will address this challenge by dissecting the core techniques and mechanisms used to boost attack strength and\r\nto evade detection. We will discuss techniques such as multiple level of random domains, mix use of constant\r\nnames and random strings, innovative use of timestamps as unique domain names, as well as local and global\r\nescalations. We will demonstrate and compare different solutions for the accurate detection and effective\r\nmitigation of random subdomain and other active ongoing DNS-based attacks including DNS tunneling of data\r\nexfiltration on some most restricted networks due to the pervasiveness of DNS.\r\nDefense at Hyperscale: Technologies and Policies for a Defensible Cyberspace\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 25 of 66\n\nCyber attackers have had the advantage for decades over defenders but we can and must change this with a more\r\ndefensible cyberspace.\r\nThis talk describes the results of a recent task force to identify the top technologies, operational innovations and\r\npublic policies which have delivered security at scale for the defense to catch up with attackers. All of these\r\ninnovations have one thing in common: a dollar of defense buys far more than a dollar of offense. Now that we've\r\nrecognized what has been most effective, the community has to repeat these successes at hyperscale, and the talk\r\ngives recommendations.\r\n \r\nDemystifying the Secure Enclave Processor\r\nThe secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone\r\n5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit\r\nconfigured to perform secure services for the rest of the SOC, with with no direct access from the main processor.\r\nIn fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own\r\nkernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily\r\nrecovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully\r\ncompromised device.\r\nDespite almost three years have passed since its inception, little is still known about the inner workings of the SEP\r\nand its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions\r\nand false claims about the SEP.\r\nIn this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look\r\nat the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself.\r\nWe also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how\r\nthis data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP\r\nattack surface and highlight some of the findings of our research, including potential attack vectors.\r\nDesign Approaches for Security Automation\r\nOrganizations often scale at a faster pace than their security teams. Therefore, security teams need to deploy\r\nautomation that can scale their processes. When it comes to your organization, what criteria should decide the best\r\napproach for security automation? Are there simpler alternatives to building a complex, custom built, automation\r\nenvironment? Where do you deploy? Which tools do you need? How do you ensure that your implementation will\r\neffectively enable teams versus just creating false positives at scale? This presentation will discuss criteria for\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 26 of 66\n\ndesigning and evaluating security automation tools for your organization. The goal is provide audience members\r\nwith effective small scale and large scale automation techniques for securing their environments.\r\nDiscovering and Exploiting Novel Security Vulnerabilities in Apple ZeroConf\r\nWith the proliferation of portable computing systems such as tablet, smartphone, Internet of Things (IoT), etc.,\r\nordinary users are facing the increasing burden to properly configure those devices, enabling them to work\r\ntogether. In response to this utility challenge, major device manufacturers and software vendors (e.g., Apple,\r\nMicrosoft, Hewlett-Packard) tend to build their systems in a \"plug-and-play\" fashion, using techniques dubbed\r\nzero-configuration (ZeroConf). Such ZeroConf services are characterized by automatic IP selection, host name\r\nresolving and target service discovery. As the major proponent of ZeroConf techniques, Apple has adopted\r\nZeroConf techniques in various frameworks and system services on iOS and OS X to minimize user involvements\r\nin system setup. However, when the design pendulum swings towards usability, concerns may arise whether the\r\nsystem has been adequately protected. In this presentation, we will report the first systematic study on the security\r\nimplications of these ZeroConf techniques on Apple systems.\r\nOur research brings to light a disturbing lack of security consideration in these systems' designs: major ZeroConf\r\nframeworks on the Apple platforms, including the Multipeer Connectivity and Bonjour, are mostly unprotected\r\nand system services, such as printer discovery and AirDrop, turn out to be completely vulnerable to an\r\nimpersonation or Man-in-the-Middle (MitM) attack, even though attempts have been made to protect them against\r\nsuch threats. The consequences are serious, allowing a malicious device to steal documents to be printed out by\r\nother devices or files transferred between other devices. Most importantly, our study highlights the fundamental\r\nsecurity challenges underlying ZeroConf techniques. Some of the vulnerabilities have not been fixed until this\r\nsubmission though we reported to Apple over half a year ago. We will introduce ZeroConf techniques and publish\r\ntechnical details of our attacks to Apple ZeroConf techniques. We will take Airdrop, Bonjour and Multipeer\r\nConnectivity as examples to show the vulnerabilities in their design and implementation and how we hacked these\r\nZeroConf frameworks and system services to perform MitM attacks. We will also show that some of\r\nvulnerabilities are due to TLS' incompetence to secure device-to-device communication in the ZeroConf scenario,\r\nwhich is novel discovery and contributes to the state of the art.\r\nDoes Dropping USB Drives in Parking Lots and Other Places Really Work?\r\nAt every Black Hat you will inevitably hear hackers boasting that they can break into any company by dropping a\r\nmalicious USB drive in the company's parking lot. This anecdote has even entered mainstream culture and was\r\nprominently featured in the Mr. Robot TV series. However despite its popularity, there has been no rigorous study\r\nof whether the attack works or is merely an urban legend. To answer this burning question and assess the actual\r\nthreat posed by malicious USB drives, we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And oh boy how effective that was! Of the drives\r\nwe dropped, 98% were picked up and for 48% of the drives, someone not only plugged in the drive but also\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 27 of 66\n\nclicked on files. Join us for this talk if you are interested in physical security and want to learn more about the\r\neffectiveness of arguably the most well known anecdote of our community. We will provide an in-depth analysis\r\nof which factors influence users to pick up a drive, why users plug them in, and demo a new tool that can help\r\nmitigate USB attacks.\r\nDPTrace: Dual Purpose Trace for Exploitability Analysis of Program Crashes\r\nThis research focuses on determining the practical exploitability of software issues by means of crash analysis.\r\nThe target was not to automatically generate exploits, and not even to fully automate the entire process of crash\r\nanalysis; but to provide a holistic feedback-oriented approach that augments a researcher's efforts in triaging the\r\nexploitability and impact of a program crash (or fault). The result is a semi-automated crash analysis framework\r\nthat can speed-up the work of an exploit writer (analyst). Fuzzing, a powerful method for vulnerability discovery\r\nkeeps getting more popular in all segments across the industry - from developers to bug hunters. With fuzzing\r\nframeworks becoming more sophisticated (and intelligent), the task of product security teams and exploit analysts\r\nto triage the constant influx of bug reports and associated crashes received from external researchers has increased\r\ndramatically. Exploit writers are also facing new challenges: with the advance of modern protection mechanisms,\r\nbug bounties and high-prices in vulnerabilities, their time to analyze a potential issue found and write a working\r\nexploits is shrinking.\r\nGiven the need to improve the existing tools and methodologies in the field of program crash analysis, our\r\nresearch speeds-up dealing with a vast corpus of crashes. We discuss existing problems, ideas and present our\r\napproach that is in essence a combination of backward and forward taint propagation systems. The idea here is to\r\nleverage both these approaches and to integrate them into one single framework that provides, at the moment of a\r\ncrash, the mapping of the input areas that influence the crash situation and from the crash on, an analysis of the\r\npotential capabilities for achieving code execution. We discuss the concepts and the implementation of two\r\nfunctional tools developed by the authors (one of which was previously released) and go about the benefits of\r\nintegrating them. Finally, we demonstrate the use of the integrated tool (DPTrace to be released as open-source at\r\nBlack Hat) with public vulnerabilities (zero-days at the time of the released in the past), including a few that the\r\nauthors themselves discovered, analyzed/exploited and reported.\r\n \r\nDrone Attacks on Industrial Wireless: A New Front in Cyber Security\r\nWith new Drone technologies appearing in the consumer space daily, Industrial Plant operators are being forced to\r\nrethink their most fundamental assumptions about Industrial Wireless and Cyber-Physical security. This\r\npresentation will cover Electronic Threats, Electronic Defensive measures, Recent Electronic jamming incidents,\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 28 of 66\n\nLatest Drone Threats and capabilities, defensive planning, and Electronic Attack Threats with Drones as delivery\r\nplatform.\r\nDungeons Dragons and Security\r\nThe security community knows, the weak link is the human factor - from the project manager deciding that\r\n\"security costs too much,\" to the operational bypassing its own company security measure, passing through the\r\nend user believing that nobody will ever think how he is using its cat's name as a password or a developper not\r\nfollowing best practices.\r\nWe all arrive to the same conclusion - we need to train people to the computer security stakes. According to the\r\nauthor's experience, standard Security training is focused on the technical context (what a password is, how does a\r\ncomputer work etc.) and tends to bore or scare a neophyte audience.\r\nThis briefing will propose a new way to train a neophyte audience to the basic principles of Computer Security.\r\nThe training is developed around a role playing game consisting in attacking and defending a building. A\r\ndebriefing is done after the game to highlight all the similarities between the game and computer security stakes.\r\nThe presentation will focus on the main feature of the training, and a white paper explaining how to conduct such\r\na training will be available.\r\n \r\nExploiting Curiosity and Context: How to Make People Click on a Dangerous\r\nLink Despite Their Security Awareness\r\nMessages containing links to malware-infected websites represent a serious threat. Despite the numerous user\r\neducation efforts, people still click on suspicious links and attachments, and their motivations for clicking or not\r\nclicking remain hidden. We argue that knowing how people reason about their clicking behavior can help the\r\ndefenders in devising more effective protection mechanisms. To this end, we report the results of two user studies\r\nwhere we sent to over 1600 university students an email or a Facebook message with a link from a non-existing\r\nperson, claiming that the link leads to the pictures from the party last week. When clicked, the corresponding\r\nwebpage showed the \"access denied\" message. We registered the click rates, and later sent to the participants a\r\nquestionnaire that first assessed their security awareness, and then asked them about the reasons for their clicking\r\nbehavior.\r\nWhen addressed by first name, 56% of email and 38% of Facebook recipients clicked. When not addressed by\r\nfirst name, 20% of email and 42.5% of Facebook recipients clicked. Respondents of the survey reported high\r\nawareness of the fact that clicking on a link can have bad consequences (78%). However, statistical analysis\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 29 of 66\n\nshowed that this was not connected to their reported clicking behavior. By far the most frequent reason for\r\nclicking was curiosity about the content of the pictures (34%), followed by the explanations that the content or\r\ncontext of the message fits the current life situation of the person (27%), such as actually having been at a party\r\nwith unknown people last week. Moreover, 16% thought that they know the sender. The most frequent reason for\r\nnot clicking was unknown sender (51%), followed by the explanation that the message does not fit the context of\r\nthe user (36%).\r\nTherefore, it should be possible to make virtually any person click on a link, as any person will be curious about\r\nsomething, or interested in some topic, or find the message plausible because they know the sender, or because it\r\nfits their expectations (context). Expecting from the users error-free decision making under these circumstances\r\nseems to be highly unrealistic, even if they are provided with effective awareness training.\r\nMoreover, while sending employees fake spear phishing messages from spoofed colleagues and bosses may\r\nincrease their security awareness, it is also quite likely to have negative consequences in an organization. People's\r\nwork effectiveness may decrease, as they will have to be suspicious of practically every message they receive.\r\nThis may also seriously hamper social relationships within the organization, promoting the atmosphere of distrust.\r\nThus, organizations need to carefully assess all pros and cons of increasing security awareness against spear\r\nphishing. In the long run, relying on technical in-depth defense may be a better solution, and more research and\r\nevidence is needed to determine the feasible level of defense that the non-expert users are able to achieve through\r\nsecurity education and training.\r\nGATTacking Bluetooth Smart Devices - Introducing a New BLE Proxy Tool\r\nBluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices:\r\ngadgets, wearables, smart homes, medical equipment and even banking tokens. The BLE specification assures\r\nsecure connections through link-layer encryption, device whitelisting and bonding - a mechanisms not without\r\nflaws, although that's another story we are already aware of. A surprising number of devices do not (or simply\r\ncannot - because of the use scenario) utilize these mechanisms. The security (like authentication) is, in fact,\r\nprovided on higher \"application\" (GATT protocol) layer of the data exchanged between the \"master\" (usually\r\nmobile phone) and peripheral device. The connection from \"master\" in such cases is initiated by scanning to a\r\nspecific broadcast signal, which by design can be trivially spoofed. And guess what - the device GATT internals\r\n(so-called \"services\" and \"characteristics\") can also be easily cloned.\r\nUsing a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original\r\none, and then just proxy the traffic - without consent of the mobile app or device. And here it finally becomes\r\ninteresting - just imagine how many attacks you might be able to perform with the possibility to actively intercept\r\nthe BLE communication! Basing on several examples, I will demonstrate common flaws possible to exploit,\r\nincluding improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions -\r\nwhich allow you to take over control of smart locks, disrupt smart home, and even get a free lunch. I will also\r\nsuggest best practices to mitigate the attacks. Ladies and gentlemen - I give you the BLE MITM proxy. A free\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 30 of 66\n\nopen-source tool which opens a whole new chapter for your IoT device exploitation, reversing and debugging.\r\nRun it on a portable Raspberry Pi, carry around BLE-packed premises, share your experience and contribute to the\r\ncode.\r\n \r\nGreatFET: Making GoodFET Great Again\r\nMy evil plot began by making small but seemingly helpful contributions to the GoodFET project, a line of code\r\nhere, a simple add-on board there. Soon I was answering the occasional question on IRC or the mailing list, and I\r\nwas in: commit rights!\r\nI had chosen my prey carefully. GoodFET, the preferred open source tool of discriminating hardware hackers\r\naround the world, consisted of too many disparate hardware designs. It was full of terrific ideas and PoCs, but it\r\nwas becoming unmaintainable. The Facedancer variant alone had at least three different and incompatible code\r\nbases! The hardware designs were easy to build one at a time but needlessly costly for volume manufacturing. The\r\nproject was ripe for a takeover.\r\nI struck when Travis Goodspeed was most vulnerable, his faculties diminished by the hordes of Las Vegas. He\r\naccepted my $5. GoodFET was mine!\r\nWith GoodFET in my control I moved quickly to replace the entire project with something superior, something\r\ngreater! Today I unleash GreatFET!\r\n \r\nHacking Next-Gen ATMs: From Capture to Cashout\r\nOver the past year I have worked at understanding and breaking the new methods that ATM manufactures have\r\nimplemented on producing \"Next Generation\" Secure ATM systems. This includes bypassing Anti-skimming/Anti-Shimming methods introduced to the latest generation ATMs, along with NFC long range attacks\r\nthat allow real-time card communication over 400 miles away. This talk will demonstrate how a $2000 investment\r\ncan perform unattended \"cash outs,\" touching also on failures in the past with EMV implementations and how\r\ncredit card data of the future will most likely be sold with the new EMV data - with a short life span. This talk will\r\ninclude a demonstration of \"La-Cara,\" an automated cash out machine that works on current EMV and NFC\r\nATMs. \"La-Cara\" is an entire fascia placed on the machine to hide the auto PIN keyboard and flashable EMV card\r\nsystem that silently withdraws money from harvested card data. This demonstration of the system can cash out\r\naround $20,000/$50,000 in 15 min. With these methods revealed we will be able to protect against similar types of\r\nattacks.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 31 of 66\n\nHackproofing Oracle eBusiness Suite\r\nA recent security review by David Litchfield of Oracle's eBusiness Suite (fully patched) revealed it is vulnerable\r\nto a number of (unauthenticated) remote code execution flaws, a slew of SQL injection vulnerabilities and Cross\r\nSite Scripting bugs. Used by large corporations across the globe the question becomes how does one secure this\r\nproduct given its weaknesses. This talk will examine those weakness with demonstration exploits then look at how\r\none can protect their systems against these attacks.\r\n \r\nHardening AWS Environments and Automating Incident Response for AWS\r\nCompromises\r\nIncident Response procedures differ in the cloud versus when performed in traditional, on-premise, environments.\r\nThe cloud offers the ability to respond to an incident by programmatically collecting evidence and quarantining\r\ninstances but with this programmatic ability comes the risk of a compromised API key. The risk of a compromised\r\nkey can be mitigated but proper configuration and monitoring must be in place.\r\nThe talk discusses the paradigm of Incident Response in the cloud and introduces tools to automate the collection\r\nof forensic evidence of a compromised host. It highlights the need to properly configure an AWS environment and\r\nprovides a tool to aid the configuration process.\r\nCloud IR How is it Different?\r\nIncident response in the cloud is performed differently than when performed in on-premise systems. Specifically,\r\nin a cloud environment you can not walk up to the physical asset, clone the drive with a write-blocker, or perform\r\nany action that requires hands on time with the system in question. Incident response best practices advise\r\nfollowing predefined practiced procedures when dealing with a security incident, but organizations moving\r\ninfrastructure to the cloud may fail to realize the procedural differences in obtaining forensic evidence.\r\nFurthermore, while cloud providers produce documents on handling incident response in the cloud, these\r\ndocuments fail to address the newly released features or services that can aid incident response or help harden\r\ncloud infrastructure. (1.)\r\nA survey of AWS facilities for automation around IR\r\nThe same features in cloud platforms that create the ability to globally deploy workloads in the blink of an eye can\r\nalso add to ease of incident handling. An AWS user may establish API keys to use the AWS SDK to\r\nprogrammatically add or remove resources to an environment, scaling on demand. A savvy incident responder can\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 32 of 66\n\nuse the same AWS SDK, or (the AWS command line tools) to leverage cloud services to facilitate the collection of\r\nevidence. For example, using the AWS command line tools or the AWS SDK, a user can programmatically image\r\nthe disk of a compromised machine with a single call. However, the power of the AWS SDK introduces a new\r\nthreat in the event of an API key compromise.\r\nIncreased Attack Surface via Convenience ( Walk through some compromise scenarios to illustrate )\r\nThere are many stories of users accidentally uploading their AWS keys to GitHub or another sharing service and\r\nthen having to fight to regain control of the AWS account while their bill skyrockets. (2. 3.) And while these\r\nstories are sensational, they are preventable by placing limits on a cloud account directly. More concerning is the\r\nrisk of a compromised key being used to access private data. A compromised API key without restrictions could\r\naccess managed database, storage, or code repository services, to name a few. (4.) While the API key itself may\r\nnot be used to access a targeted box, it is possible to use that key to clone a targeted box, and relaunch it with an\r\nattacker's SSH key, giving the attacker full access to the newly instantiated clone. While the consequences of a\r\ncompromised API key can be dire, the risks can be substantially mitigated with proper configuration and\r\nmonitoring.\r\nHardening of AWS Infrastructure\r\nAWS environments can be hardened by following traditional security best practices and leveraging AWS services.\r\nAWS Services like CloudTrail and Config should be used to monitor and configure an AWS environment.\r\nCloudTrail provides logging of AWS API invocations tied to a specific API key. AWS Config provides historical\r\ninsight into the configuration of AWS resources including users and the permissions granted in their policies.\r\nAPI keys associated to AWS accounts should be delegated according to least privilege and therefore have the\r\nfewest number of permissions granted in its policy as possible. Furthermore, API keys should be tightened to\r\nrestrict access only to the resources they need. Managing of these policies is made easier by the group and role\r\nconstructs provided by AWS IAM, but it still leaves to the user having to understand each of the 195 policies\r\ncurrently recognized by IAM.\r\nIntroduction of Tools\r\nWe present custom tooling so the entire incident response process can be automated based on certain triggers\r\nwithin the AWS account. With very little configuration users could detect a security incident, acquire memory,\r\ntake snapshots of disk images, quarantine, and have it presented to an examiner workstation all in the time it takes\r\nto get a cup of coffee.\r\nAdditional tooling is presented to aid in the recovery of an AWS account should a AWS key be compromised. The\r\ntool attempts to rotate compromised keys, identify and remove rogue EC2 instances and produce a report with\r\nnext steps for the user.\r\nFinally, we present a tool that examines an existing AWS environments and aides in configuring that environment\r\nto a hardened state. The tool recommends services to enable, permissions to remove from user accounts, and\r\nmetrics to collect.\r\nWe discuss Incident Response in the cloud and introduce tools to automate the collection of forensic evidence of a\r\ncompromised host. We highlight the need to properly configure an AWS environment and provide tools to aid the\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 33 of 66\n\nconfiguration process.\r\nReferences\r\n1. AWS Security Resources. N.p., n.d. Web. 10 Apr. 2016.\r\n.\r\n2. Example AWS Key Compromises. Ed. Soulskill. N.p., n.d. Web. 10 Apr. 2016. .\r\n3. IT News Article on AWS Keys. N.p., n.d. Web. 10 Apr. 2016. .\r\n4. AWS Console Breach CloudSpaces. N.p., n.d. Web. 10 Apr. 2016. .\r\n \r\nHEIST: HTTP Encrypted Information can be Stolen Through TCP-Windows\r\nOver the last few years, a worryingly number of attacks against SSL/TLS and other secure channels have been\r\ndiscovered. Fortunately, at least from a defenders perspective, these attacks require an adversary capable of\r\nobserving or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In\r\ncontrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the\r\nbrowser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network\r\nprotocols without having to sniff actual traffic. HEIST abuses weaknesses and subtleties in the browser, and the\r\nunderlying HTTP, SSL/TLS, and TCP layers. Most importantly, we discover a side-channel attack that leaks the\r\nexact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level.\r\nCombined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the\r\nplaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now\r\nbe performed purely in the browser, by any malicious website or script, without requiring network access.\r\nMoreover, we also show that our length-exposing attacks can be used to obtain sensitive information from\r\nunwitting victims by abusing services on popular websites. Finally, we explore the reach and feasibility of\r\nexploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is\r\nused. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In\r\nshort, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an\r\nimminent threat to our online security and privacy.\r\n \r\nHorse Pill: A New Type of Linux Rootkit\r\nWhat if we took the underlying technical elements of Linux containers and used them for evil? The result a new\r\nkind rootkit, which is even able to infect and persist in systems with UEFI secure boot enabled, thanks to the way\r\nalmost every Linux system boots. This works without a malicious kernel module and therefore works when kernel\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 34 of 66\n\nmodule signing is used to prevent loading of unsigned kernel modules. The infected system has a nearly invisible\r\nbackdoor that can be remote controlled via a covert network channel.\r\nHope is not lost, however! Come to the talk and see how the risk can be eliminated/mitigated. While this may\r\npoke a stick in the eye of the current state of boot security, we can fix it!\r\nHTTP Cookie Hijacking in the Wild: Security and Privacy Implications\r\nThe widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking\r\nattacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However,\r\nmany websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing\r\napproach in these cases is to force critical functionality and sensitive data access over encrypted connections,\r\nwhile allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to\r\nflaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth\r\nassessment of a diverse set of major websites and explore what functionality and information is exposed to\r\nattackers that have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially\r\ndeployed HTTPS; service personalization inadvertently results in the exposure of private information. The\r\nseparation of functionality across multiple cookies with different scopes and inter-dependencies further\r\ncomplicates matters, as imprecise access control renders restricted account functionality accessible to non-session\r\ncookies. Our cookie hijacking study reveals a number of severe flaws; attackers can obtain the user's home and\r\nwork address and visited websites from Google, Bing and Baidu expose the user's complete search history, and\r\nYahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and Ebay expose the user's purchase history (partial and full respectively),\r\nand almost every website exposes the user's name and email address. Ad networks like Doubleclick can also\r\nreveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore\r\nmultiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and\r\nsearch bars. To estimate the extent of the threat, we run IRB-approved measurements on a subset of our\r\nuniversity's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for\r\nour hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as\r\nthe EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed.\r\nThe privacy implications of these attacks become even more alarming when considering how they can be used to\r\ndeanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be\r\nvulnerable to cookie hijacking.\r\n \r\nHTTP/2 \u0026 QUIC - Teaching Good Protocols To Do Bad Things\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 35 of 66\n\nThe meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field.\r\nQUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the\r\napplication level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different\r\nHTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of\r\nthese technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections\r\nwith QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation\r\nof Déjà vu with this work and our 2014 BlackHat USA MPTCP research. We find ourselves discussing a similar\r\nsituation in new protocols with technology stacks evolving faster than ever before, and Network Security is\r\nlargely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing\r\nattacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and\r\ndiscusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate,\r\nand release, some tools with these techniques incorporated.\r\n \r\nI Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache\r\nA decompression bomb attack is relatively simple to perform --- but can be completely devastating to developers\r\nwho have not taken the time to properly guard their applications against this type of denial of service. The\r\ndecompression bomb is not a new attack - it's been around since at least 1996 - but unfortunately they are still\r\nhorrifyingly common. The stereotypical bomb is the zip bomb, but in reality nearly any compression algorithm\r\ncan provide fruit for this attack (images, HTTP streams, etc.). What algorithms have the highest compression ratio,\r\nthe sloppiest parsers, and make for the best bomb candidates? This talk is about an ongoing project to answer that\r\nquestion. In addition to the compression algorithm audit, this research is generating a vast library of tools\r\n(\"bombs\") that can be used by security researchers and developers to test for this vulnerability in a wide variety of\r\napplications/protocols. These bombs are being released under an open-source license.\r\nInto The Core - In-Depth Exploration of Windows 10 IoT Core\r\nThe Internet of Things is becoming a reality, and more and more devices are being introduced into the market\r\nevery day. With this, the demand for technology that would ease device management, improve device security, and\r\nfacilitate data analytics increases as well.\r\nOne such technology is Windows 10 IoT Core, Microsoft's operating system aimed at small footprint, low cost\r\ndevices. It offers device servicing and manageability, enterprise grade security, and - combined with Microsoft's\r\nAzure platform - data analytics in the cloud. Given these features, Microsoft Windows 10 IoT Core will likely\r\nplay a significant role in the future of IoT. As such, understanding how this operating system works on a deep\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 36 of 66\n\nlevel is becoming important. Methods and techniques that would aid in assessing its security are also becoming\r\nessential.\r\nIn this talk I will first discuss the internals of the OS, including the security features and mitigations that it shares\r\nwith the desktop edition. I will then enumerate the attack surface of a device running Windows 10 IoT Core as\r\nwell as its potential susceptibility to malware. I will also talk about methods to assess the security of devices\r\nrunning Windows 10 IoT Core such as static/dynamic reverse engineering and fuzzing. I will end the talk with\r\nsome recommendations on how to secure a Windows 10 IoT Core device.\r\n \r\nIntra-Process Memory Protection for Applications on ARM and x86: Leveraging\r\nthe ELF ABI\r\nToday's software needs to isolate not only processes but the many components *within* a process from each other.\r\nProcess-level isolation via jails, sandboxes, VMs, or hypervisors is finally becoming mainstream, but it misses an\r\nimportant point about modern software: its growing number of libraries that are all loaded into the same address\r\nspace, and may all interact with complex inputs by way of vulnerable parsers. A process, even isolated, is as weak\r\nas the weakest of its components, but is as valuable as the most sensitive data it holds. Heartbleed was a perfect\r\nexample of this: a faulty parser in a library could read absolutely everything in memory; there are many others less\r\nfamous but no better. The biggest challenge of making intra-process memory protection practical is that it cannot\r\nrequire major changes to how software is written. A practical granular memory protection scheme must work for\r\nthe existing C/C++ build chains, nor should it change the ABI. Further, it cannot rely on concepts that aren't\r\nalready intuitively clear to C/C++ programmers. Many academic proposals for more granular memory access\r\ncontrol stopped short of this. They disregard the glue what keeps the development process and runtime together:\r\nthe ABI.\r\nWe demonstrate ELFbac, a system that uses the Linux ELF ABI to express access control policies between a\r\nprogram's components, such as libraries, and requires no changes to the GNU build chain. It enforces these\r\npolicies by using a modified Linux loader and the Linux virtual memory system. ELFbac policies operate on the\r\nlevel of ELF object file sections. Custom data and code units can be created with existing GCC C/C++ attributes\r\nwith a one-line annotation per unit; they are no more complex than C's static scoping. We have developed\r\nprototypes for ARM and x86. We used our ARM prototype to protect a validating proxy firewall for DNP3, a\r\npopular ICS protocol, and our x86 one to write a basic policy for Nginx. We will also demonstrate a policy for\r\nprotecting OpenSSH.\r\n \r\nInvestigating DDOS - Architecture Actors and Attribution\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 37 of 66\n\nDDOS attack usage has been accelerating, in terms of both attack volume and frequency. Such attacks present a\r\nmajor threat to enterprises worldwide. Presenters will discuss a number of novel techniques utilized by law\r\nenforcement and the private sector, to measure, study, and attribute attacks originating from sources such as\r\nembedded device botnets and booter/stresser services. Presenters will discuss the usage of honeypots to gather\r\nhistorical attack details, as well as best practices for conducting live DDOS attack testing. Representative PCAPs\r\nwill be shown, dissected, and explain. Finally, presenters will provide examples of where these services are\r\noffered for sale, how they are purchased, and the individuals who operate them.\r\nIran's Soft-War for Internet Dominance\r\nOver the past decade, the Islamic Republic of Iran has been targeted by continual intrusion campaigns from\r\nforeign actors that sought access to the country's nuclear facilities, economic infrastructure, military apparatus,\r\nand governmental institutions for the purpose of espionage and coercive diplomacy. Similarly, since the\r\npropagandic defacements of international communications platforms and political dissident sites conducted by an\r\norganization describing itself as the \"Iranian Cyber Army\" beginning in late 2009, Iranian actors have been\r\nattributed to a recurrent campaigns of intrusions and disruptions of private companies, foreign government\r\nentities, domestic opposition, regional adversaries and international critics. The intent of the CNO activities is not\r\nalways discernable based on the tactics used or the data accessed, as the end implications of the disclosure of\r\nparticular information is often distant and concealed. Where such intent is made evident, the reasons for Iranian\r\nintrusion campaigns range from retaliatory campaigns against adversaries, as a result of identifiable grievances, to\r\nsurveillance of domestic opposition in support of the Islamic Republic establishment. Iranian intrusion campaigns\r\nhave also reflected an interest in internal security operations against active political movements that have\r\nhistorically advocated for the secession of ethnic minority provinces or overthrow of the political establishment\r\nthrough violence. However, Iranian intrusion sets appear to be primarily interested in a broader field of challenges\r\nto the political and religious hegemony of the Islamic Republic. Previous reports on Iranian campaigns have\r\nreferred to the targeting of Iranian dissident. However, in practice those targeted range from reformists operating\r\nwithin the establishment from inside of Iran to former political prisoners forced out of the country.\r\nAcross the records of hundreds of intrusion attempts of campaigns conducted by a distinct sets of actors, distinct\r\npatterns emerge in the types of individuals and organizations targeted by Iranian actors by internal security\r\noperations: high-profile individuals and organizations, such as journalists, human rights advocates or political\r\nfigures, with extensive relationships and networks inside of Iran; members of the diplomatic establishment of Iran,\r\nand former governmental officials under previous administrations; adherents to non-Shia religions, participants in\r\nethnic rights movements, or members of anti-Islamic Republic political organization; academics or public policy\r\norganizations critical of the Iranian government; cultural figures that promote values contrary to the interpretation\r\nof Islamic values promoted by the establishment; organizations fostering international collaboration and\r\nconnections with the current Iranian administration; and international organizations conducting political\r\nprogrammes focused on Iran through funding by governmental agencies. In this presentation we will analyze in\r\ndepth the results of several years of research and investigation on the intrusion activities of Iranian threat actors,\r\nparticularly engaged in attacks against members of civil society.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 38 of 66\n\nKeystone Engine: Next Generation Assembler Framework\r\nAssembler is an application that compiles a string of assembly code and returns instruction encodings. An\r\nassembler framework allows us to build new tools, and is a fundamental component in the Reverse Engineering\r\n(RE) toolset. However, a good assembler framework is sorely missed since the ice age! Indeed, there is no single\r\nmulti-architecture, multi-platform and open source framework available and the whole RE community are badly\r\nsuffering from this lingering issue.\r\nWe have decided to step up again to solve this challenge once and for all. We built Keystone, an assembler engine\r\nwith unparalleled features:\r\n- Multi-architecture, with support for Arm, Arm64 (AArch64/Armv8), Hexagon, Mips, PowerPC, Sparc, SystemZ,\r\n\u0026 X86 (include 16/32/64bit).\r\n- Clean/simple/lightweight/intuitive architecture-neutral API.\r\n- Implemented in C/C++ languages, with bindings for Python, NodeJS, Ruby, Go \u0026 Rust available.\r\n- Native support for Windows \u0026 *nix (with Mac OSX, Linux, *BSD \u0026 Solaris confirmed).\r\n- Thread-safe by design.\r\n- Open source.\r\nThis talk is going to introduce some existing assembler frameworks, then goes into details of their\r\ndesign/implementation and explains their current issues. Next, we will present the architecture of Keystone and\r\nthe challenges of designing and implementing it. The audience will understand the advantages of our engine and\r\nsee why the future is assured, so that Keystone will keep getting better, stronger and become the ultimate\r\nassembler engine of choice for the security community.\r\nKeystone aims to lay the ground for innovative works and open up new opportunities for future of security\r\nresearch and development. To conclude the talk, some new advanced RE tools built on top of Keystone will be\r\nintroduced to demonstrate its power.\r\nKeystone has a homepage at http://www.keystone-engine.org. Full source code of our engine will be released at\r\nBlack Hat USA 2016.\r\nLanguage Properties of Phone Scammers: Cyberdefense at the Level of the\r\nHuman\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 39 of 66\n\nThe prevalence of human interactive components of serious system breaches continues to be a problem for every\r\norganization. Humans are the biggest vulnerability in any security system; helping people identify social\r\nengineering attempts over the phone will be cheaper and more effective than yet another technological\r\nimplementation. At minimum it will add an important and necessary layer to defense in depth.\r\nForensic linguistics is the study of language as evidence for the law. It is a relatively new field and has not\r\npreviously been applied to cybersecurity. Linguistic analysis uncovers several features of language interaction in a\r\nlimited data set (recorded IRS phone scammers) that begin to answer how forensic linguistics could assist in\r\ncybersecurity defense.\r\nThis presentation will briefly introduce and explain polar tag questions, topic control, question deferral, and\r\nirregular narrative constructions in IRS scam phone calls, and offer some starting points for identifying such\r\nlinguistic properties during the course of a phone call to help improve defense at the human level. We think this is\r\nonly the beginning of applying forensic linguistics to cybersecurity.\r\nMeasuring Adversary Costs to Exploit Commercial Software: The Government-Bootstrapped Non-Profit C.I.T.L.\r\nMany industries, provide consumers with data about the quality, content, and cost of ownership of products, but\r\nthe software industry leaves consumers with very little data to act upon. In fact when it comes to how secure or\r\nweak a product is from a security perspective, there is no meaningful consumer facing data. There has long been a\r\ncall for the establishment of an independent organization to address this need.\r\nLast year, Mudge (from DARPA, Google, and L0pht fame) announced that after receiving a phone call from the\r\nWhite House he was leaving his senior position inside Google to create a non-profit organization to address this\r\nissue. This effort, known as CITL, is akin to Consumer Reports in its methodologies. While the media has dubbed\r\nit a \"CyberUL\", there is no focus on certifications or seals of approval, and no opaque evaluation metrics. Rather,\r\nlike Consumer Reports, the goal is to evaluate software according to metrics and measurements that allow\r\nquantitative comparison and evaluation by anyone from a layperson, CFO, to security expert.\r\nHow? A wide range of heuristics that attackers use to identify which targets are hard or soft against new\r\nexploitation has been codified, refined, and enhanced. Some of these techniques are quite straightforward and\r\neven broadly known, while others are esoteric tradecraft. To date, no one has applied all of these metrics\r\nuniformly across an entire software ecosystem before and shared the results. For the first time, a peak at the Cyber\r\nIndependent Testing Lab's metrics, methodologies, and preliminary results from assessing the software quality and\r\ninherent vulnerability in over 100,000 binary applications on Windows, Linux, and OS X will be revealed. All\r\naccomplished with binaries only.\r\nSometimes the more secure product is actually the cheaper, and quite often the security product is the most\r\nvulnerable. There are plenty of surprises like these that are finally revealed through quantified measurements.\r\nWith this information, organizations and consumers can finally make informed purchasing decisions when it\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 40 of 66\n\ncomes the security of their products, and measurably realize more hardened environments. Insurance groups are\r\nalready engaging CITL, as are organizations focused on consumer safety. Vendors will see how much better or\r\nworse their products are in comparison to their competitors. Even exploit developers have demonstrated that these\r\nresults enable bug-bounty arbitrage.\r\nThat recommendation you made to your family members last holiday about which web browser they should use to\r\nstay safe (or that large purchase you made for your industrial control systems)? Well, you can finally see if you\r\nchose a hard or soft target… with the data to back it up.\r\nMemory Forensics Using Virtual Machine Introspection for Cloud Computing\r\nThe relocation of systems and services into cloud environments is on the rise. Because of this trend users lose\r\ndirect control over their machines and depend on the offered services from cloud providers. These services are\r\nespecially in the field of digital forensics very rudimentary. The possibilities for users to analyze their virtual\r\nmachines with forensic methods are very limited. In the underlying research of this talk a practical approach has\r\nbeen developed that gives the user additional capabilities in the field of forensic investigations. The solution\r\nfocuses on a memory forensic service offering. To reach this goal, a management solution for cloud environments\r\nhas been extended with memory forensic services. Self-developed memory forensic services, which are installed\r\non each cloud node and are managed through the cloud management component, are the basis for this solution.\r\nForensic data is gained via virtual machine introspection techniques. Compared to other approaches it is possible\r\nto get trustworthy data without influencing the running system. Additionally, a general overview about the\r\nunderlying technologies is provided and the pros and cons are discussed. The solution approach is discussed in a\r\ngeneric way and practically implemented in a prototype. In this prototype OpenNebula is used for managing the\r\ncloud infrastructure in combination with Xen as virtualization component, LibVMI as Virtual Machine\r\nIntrospection library and Volatility as forensic tool.\r\nNext-Generation of Exploit Kit Detection by Building Simulated Obfuscators\r\nRecently, driving-by downloads attacks have almost reached epidemic levels, and exploit-kit is the propulsion to\r\nsignify the process of malware delivery. One of the key techniques used by exploit-kit to avoid firewall detection\r\nis obfuscating malicious JavaScript program. There exists an engine in each exploit kit, aka obfuscator, which\r\ntransforms the malicious code to obfuscated code. Few researchers have studied obfuscation techniques utilized\r\nby exploit kit. Their main focus is on extracting information from the obfuscated page, such as common substring,\r\ncommon pattern, structure of the script (AST) and statistics of sensitive function invocation, and generating\r\nsignatures. All of these studies are based on the analysis of obfuscated page, but not the obfuscator. One reason is\r\nthat purchasing an obfuscator utilized by real exploit-kit is extremely expensive in the underground market.\r\nHowever, exploit-kit research can benefit from obfuscators in various aspects.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 41 of 66\n\nOur work rebuilds obfuscator for 6 notorious exploit kit families (Angler, Nuclear, Rig, Magnitude, Neutrino,\r\nSweetOrange). We will discuss our design to implement an obfuscator used by the exploit kit family, and evaluate\r\nhow similar our obfuscator is to a real one. We would also like to open-source our obfuscator to benefit the\r\nresearch, which aims to provide better protection of the cyber-world. We performed a serial of experiences based\r\non our obfuscators. With the obfuscator in hand, we are also able to generate more samples than we have ever\r\nobserved, even those that haven't been created by real exploit-kit. We also simulate the evolution of obfuscator in\r\neach exploit kit family by building a new version upon the previous version. We derived some patterns on how\r\nobfuscator evolved and tent to predict what the next obfuscator variation could be. We also noticed that current\r\nvariation naming convention may not properly reflect variation of exploit kit. Currently, people name a new\r\nvariation of unknown sample by checking whether it shares the similar structure with existing samples. However,\r\nour experience shows that even a minor configuration file change in obfuscator could significantly change the\r\nobfuscated page. Therefore, we propose to use the actual change of obfuscator as the evidence to name a new\r\nvariation. We also conduct an evaluation on how many times the obfuscator could amplify its change to the\r\nobfuscated page.\r\n \r\nNonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS\r\nWe investigate nonce-reuse issues with the Galois/Counter Mode (GCM) algorithm as used in TLS. Nonce reuse\r\nin GCM allows an attacker to recover the authentication key and forge messages as described by Joux. With an\r\nInternet-wide scan we identified over 70,000 HTTPS servers that are at risk of nonce reuse. We also identified 184\r\nHTTPS servers repeating nonces directly in a short connection. Affected servers include large corporations,\r\nfinancial institutions, and a credit card company. We implement a proof of concept attack allowing us to violate\r\nthe authenticity of affected HTTPS connections and inject content.\r\n \r\nO-checker: Detection of Malicious Documents Through Deviation from File\r\nFormat Specifications\r\nDocuments containing executable files are often used in targeted email attacks in Japan. We examine various\r\ndocument formats (Rich Text Format, Compound File Binary and Portable Document Format) for files used in\r\ntargeted attacks from 2009 to 2012 in Japan. Almost all the examined document files contain executable files that\r\nignore the document file format specifications. Therefore, we focus on deviations from file format specifications\r\nand examine stealth techniques for hiding executable files. We classify eight anomalous structures and create a\r\ntool named o-checker to detect them. O-checker detects 96.1% of the malicious files used in targeted email attacks\r\nin 2013 and 2014. There are far fewer stealth techniques than vulnerabilities of document processors. Additionally,\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 42 of 66\n\ndocument file formats are more stable than document processors themselves. Accordingly, we assert that o-checker can continue detecting malware with a high detection rate for long periods.\r\n \r\nOSS Security Maturity: Time to Put On Your Big Boy Pants!\r\nOpen source software (OSS) usage is on the rise and also continues to be a major source of risk for companies.\r\nOSS and 3rd party code may be inexpensive to use to build products but it comes with significant liability and\r\nmaintenance costs. Even after high profile vulnerabilities in OpenSSL and other critical libraries, tracking and\r\nunderstanding exposure continues to challenge even at the most mature enterprise company. It doesn't matter if\r\nyou are a software vendor or not, development and the use of OSS in your organization is most likely significant.\r\nIt also doesn't matter if you have been developing software for years or are just getting started, or whether you\r\nhave one product or one hundred, it can feel to many nearly impossible to keep up with OSS vulnerabilities or\r\nmore important ensure they are properly mitigated.\r\nThis presentation looks at the real risk of using OSS and the best way to manage its use within your organization\r\nand more specifically the Product Development Lifecycle. We will examine all the current hype around OSS and\r\nseparate out what are the real risks, and what organizations should be the most concerned about. We explore the\r\ntrue cost of using OSS and review the various factors that can be used to evaluate if a particular product or library\r\nshould be used at your organization, including analyzing Vulnerability Metrics including Time to Patch. Getting\r\nyour head wrapped around the issues and the need to improve OSS security is challenging, but then taking action\r\nat your organization can feel impossible. This presentation provides several real world examples that have been\r\nsuccessful at a including: A case study of a single third party libraries vulnerability across several products will\r\nhelp to show why the result of investigating actual impact against your different products is valuable intelligence.\r\nWe will provide learnings from your incident response function and why understanding the vulnerabilities in your\r\ncurrent software can gain you valuable insight into creating smarter products to avoid maintenance costs. Finally,\r\nwe will introduce a customized OSS Maturity Model and walk through the stages of maturity for organization\r\ndeveloping software with regards to how they prioritize and internalize the risk presented by OSS.\r\nOuroboros: Tearing Xen Hypervisor with the Snake\r\nThe Xen Project has been a widely used virtualization platform powering some of the largest clouds in production\r\ntoday.\r\nSitting directly on the hardware below any operating systems, the Xen hypervisor is responsible for the\r\nmanagement of CPU/MMU and guest operating systems.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 43 of 66\n\nGuest operating systems cound be controled to run in PV mode using paravirtualization technologies or HVM\r\nmode using hardware-assisted virtualization technologies.\r\nCompare to HVM mode, PV mode guest OS kernel could recognize the existence of hypervisor and, thus, work\r\nnormally via hypervisor inferfaces which are called hypercalls. While performing priviledged operations, PV\r\nmode guest OS would submit requests via hypercalls then the hypervisor do these operations for it after verifying\r\nits requests.\r\nInspired by Ouroboros, an ancient symbol with a snake bitting its tail, our team has found a critical verification\r\nbypass bug in Xen hypervisor and that will be used to tear the hypervisor a hole. With sepecific exploition vectors\r\nand payloads, malicious PV guest OS could control not only the hypervisor but also all other guest operating\r\nsystems running on current platform.\r\n \r\nOver the Edge: Silently Owning Windows 10's Secure Browser\r\nMemory deduplication, a well-known technique to reduce the memory footprint across virtual machines, is now\r\nalso a default-on feature inside the Windows 10 operating system. Deduplication maps multiple identical copies of\r\na physical page onto a single shared copy with copy-on-write semantics. As a result, a write to such a shared page\r\ntriggers a page fault and is thus measurably slower than a write to a normal page.\r\nWe leverage this side channel to build a weird machine and read arbitrary data in the system from the browser. By\r\ncontrolling the alignment and reuse of data in memory, we perform a byte-by-byte disclosure of high-entropy\r\nsensitive data, such as 64-bit code pointers randomized by ASLR. Next, even without control over data alignment\r\nor reuse, we show how to disclose randomized 64-bit heap pointers using a novel birthday attack. To show these\r\nattack primitives are practical, we have built an end-to-end JavaScript-based exploit against the new Microsoft\r\nEdge browser, in absence of software vulnerabilities and with all defenses turned on. Our exploit combines our\r\ndeduplication-based primitives with a reliable Rowhammer attack to gain arbitrary memory read and write access\r\nin the browser.\r\nPangu 9 Internals\r\nPangu 9, the first (and only) untethered jailbreak tool for iOS 9, exploited a sequence of vulnerabilities in the iOS\r\nuserland to achieve final arbitrary code execution in the kernel and persistent code signing bypass. Although these\r\nvulnerabilities were fixed in iOS 9.2, there are no details disclosed. This talk will reveal the internals of Pangu 9.\r\nSpecifically, this talk will first present a logical error in a system service that is exploitable by any container app\r\nthrough XPC communication to gain arbitrary file read/write as mobile. Next, this talk will explain how Pangu 9\r\ngains arbitrary code execution outside the sandbox through the system debugging feature. This talk will then\r\nelaborate a vulnerability in the process of loading the dyld_shared_cache file that enables Pangu 9 to achieve\r\npersistent code signing bypass. Finally, this talk will present a vulnerability in the backup-restore process that\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 44 of 66\n\nallows apps signed by a revoked enterprise certificate to execute without the need of the user's explicit approval of\r\nthe certificate.\r\nPay No Attention to That Hacker Behind the Curtain: A Look Inside the Black Hat\r\nNetwork\r\nEach year thousands of security professionals answer the siren song of Black Hat USA. They come to learn from\r\nthe best trainers, and the smartest(and best looking) speakers. And hey, this is Vegas, and when you're in Vegas,\r\nyou make it rain...exploits.\r\nYes, every year thousands of security pros learn the latest tactics and techniques from the sharpest minds in the\r\nindustry, and once they have, they can't wait to test them on the closest network they can find, our network. This\r\npresentation will help you understand what's going on behind the scenes at Black Hat. Who's attacking who? What\r\nare they doing? And what makes it all tick.\r\nSo come see what goes into standing up, and maintaining one of the most hostile networks on the planet. We'll\r\nshare everything we can about the history of the network, the infrastructure we're using today, and the traffic\r\npatterns that keep us sweating, and laughing, well into the night.\r\nPINdemonium: A DBI-Based Generic Unpacker for Windows Executable\r\nNowadays malware authors employ multiple obfuscation and packing techniques to hinder the process of reverse\r\nengineering and bypass the anti-virus (AV) signature based analysis. This is a significant threat for end user's PCs\r\nsince this voids part of the AV analysis, and it is also a problem for professional reverse engineers that have to\r\ninvest lot of time in order to unpack and study a single packed malware sample. The problem of unpacking is well\r\nstudied in literature and several works have been proposed both for enhancing the end user's protection and\r\nsupporting the malware analysts in their work. Different approaches exist in order to build a generic unpacker:\r\ndebuggers, kernel modules, hypervisor modules, dynamic binary instrumentation (DBI). In this thesis we explore\r\nthe possibility to exploit the functionality of a DBI framework since it provides great functionality useful during\r\nthe analysis process: it allows an instruction level granularity inspection and modification, through high level\r\nAPIs, which gives the analyst full control of the program being instrumented. Our system can extract and\r\nreconstruct the original program from a packed version of it, helping and speeding up the analysis of an\r\nobfuscated binary. The packers employ different techniques with various levels of complexity, but all of them\r\nmust share one common behavior during the run-time unpacking: they have to write new code in memory and\r\neventually execute it. Starting from this we have designed a generic unpacking algorithm that can correctly detect\r\nthis behaviour and defeat the most popular of packing techniques. Not only the packing strategy can be really\r\ndifferent, but the obfuscation can be increased by hiding the function imported by the program which is usually a\r\nvaluable source of information during the process of reverse engineer. These are known in literature as Import\r\nAddress Table (IAT) obfuscation techniques. Our tool tries to reconstruct a working PE from its packed version,\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 45 of 66\n\ntaking care of modern packing techniques like unpacking on dynamic memory allocated areas and tries to defeat\r\nthe most used IAT obfuscation techniques.\r\nIn order to validate our work we have conducted two experiments. The first one demonstrate the generality of our\r\nunpacking process with respect to fifteen different packers. The second experiment demonstrates the effectiveness\r\nof our system against malware samples packed with both known and unknown packers. Our system was able to\r\nreconstruct a working unpacked binary for 63\\% of the collected samples. When it is not possible to reconstruct a\r\nfully working PE, we provide all the memory dumps, representing the unpacked program along with a log about\r\nthe unpacking process, which can be really useful to a malware analyst in order to speed up his work as it has been\r\nuseful for us during the development of this tool. The source code of our tool can be found at\r\nhttps://github.com/Seba0691/PINdemonium.\r\n \r\nPLC-Blaster: A Worm Living Solely in the PLC\r\nWe will present and demonstrate the first PLC only worm. Our PLC worm will scan and compromise Siemens\r\nSimatic S7-1200 v1-v3 PLCs without any external support. No PCs or additional hardware is required. The worm\r\nis fully self-contained and \"lives\" only on the PLC. The Siemens Simatic PLCs are managed using a proprietary\r\nSiemens protocol. Using this protocol the PLC may be stopped, started and diagnostic information may be read.\r\nFuthermore this protocol is used to upload and download user programs to the PLC. The older S7-300 and S7-400\r\nPLCs are supported by several OpenSource solutions supporting the protocols used on these older PLCs. With the\r\nintroduction of the S7-1200 the protocol has been replaced by a new version. We inspected the protocol based on\r\nthe S7-1200v3 and implemented the protocol by ourselves. We are now able to install and extract any user\r\nprogram on these PLCs currently sold by Siemens. The current versions S7-1200v4 and S7-1500 again changed\r\nthe protocol and are not susceptible to the attack.\r\nBased on this work we developed a PLC program which scans a local network for other S7-1200v3 PLCs. Once\r\nthese are found the program compromises these PLCs by uploading itself to these devices. The already installed\r\nuser software is not removed and still running on the PLC. Our malware attaches itself to the original software and\r\nruns in parallel to the original user program. The operator does not notice any changed behavior. We developed the\r\nfirst PLC only worm. The worm is only written using the programming language SCL and does not need any\r\nadditional support. For the remote administration of the compromised PLCs we implemented a\r\nCommand\u0026Control server. Infected PLCs automatically contact the C\u0026C server and may be remotely controlled\r\nusing this connection. Using this connection we can manipulate any physical input or output of the PLC. An\r\nadditional proxy function enables us to access any additional system using a tunnel. Lastly the Stop mode may be\r\ninitiated through the C\u0026C connection requiring a cold restart of the PLC by disconnecting the power supply. We\r\nwill demonstrate the attack during the talk.\r\nOur worm prevents its detection and analysis. If the operator connects to the PLC using the programming software\r\nTIA Portal 11 the operator may notice unnamed additional function blocks. But when accessing these blocks the\r\nTIA Portal crashes preventing the forensic analysis. The infection of the PLC takes roughly 10 seconds. While the\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 46 of 66\n\ninfection is in progress the PLC is in Stop mode. As soon as the infection has succeeded the PLC undergoes a\r\nwarm restart and the worm is running additionally to to the original user program. Our worm malware requires\r\n38,5kb RAM and 216,6kb persistent memory. If the PLC does not offer the memory required by the original user\r\nsoftware including our worm the worm may overwrite the original user program. Based on the actually used\r\nmodel of the S7-1200 different setups may be required.\r\nModel RAM (Worm) Persistent Memory (Worm) S7-1211 50kb (77%) 1Mb (21%)\r\nS7-1212 75kb (51%) 1MB (5 %)\r\nS7-1214 100kb (38%) 4MB (5 %)\r\nS7-1215 125kb (30%) 4MB (5 %)\r\nS7-1217 150kb (25%) 4MB (5 %)\r\nA critical requirement for the execution of a PLC program is the cycle time for one full cycle of the user program.\r\nOur malware requires 7ms per cycle. This is just 4.7% of the maximum cycle time configured by default on the\r\nPLC models we inspected. The original user program still has plenty of time to run. By default all Siemens\r\nSimatic S7-1200v1-v3 PLCs are susceptible to this attack. The PLC user programs may be uploaded and\r\ndownloaded without any restriction. The Siemens Simatic PLCs support several protection mechanisms. We will\r\nexplain these mechanisms and their result on the attack.\r\nWith the introduction of the S7-1200v4 Siemens introduced again a new protocol. These PLCs are not susceptible\r\nto the attack. The built-in copy protection restricts the user program to run only on a subset of PLCs with specific\r\nserial numbers. This protection is only implemented within the programming software (Siemens Simatic TIA\r\nPortal) used to install the software. We can upload and download user programs using this feature to any PLC\r\nusing our own implementation. The whole protection is implemented on the client. This is the first time this is\r\npublicly shown. The built-in know-how protection forbids modifications of the user program on the PLC and\r\nprevents the extraction of the user program from the PLC. Again this protection is implemented only in the\r\nprogramming software (Siemens Simatic TIA Portal). Our own implementation can extract the user program,\r\ndisplay the source code, modify the program and reinstall the modified program. This feature does not offer the\r\nprotection advertised. This is the first time publicly shown. The built-in access protection does prevent the attack\r\nwe will demonstrate. While we present an attack via the ethernet interface the installation of the user program can\r\nalso happen using the field bus interface. Using this interface even PLCs not connected to the ethernet network\r\nmay be compromised. Once the first PLC is infected using the Ethernet all other PLCs connected by the field bus\r\nwould be compromised as well. This talk emphasizes the significance of the built in protection features in modern\r\nPLCs and their correct deployment by the user.\r\n \r\nPwning Your Java Messaging with Deserialization Vulnerabilities\r\nMessaging can be found everywhere. It's used by your favourite Mobile Messenger as well as in your bank's\r\nbackend system. Message Brokers such as Pivotal's RabbitMQ, IBM's WebSphere MQ and others often form a\r\nkey component of a modern backend system's architecture. Furthermore, there are various messaging standards in\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 47 of 66\n\nplace like AMQP, MQTT, and STOMP. When it comes to the Java World it is rather unknown that Messaging in\r\nthe Java ecosystem relies heavily on Java's serialization. Recent advances in the exploitation of Java\r\ndeserialization vulnerabilities can be applied to exploit applications using Java messaging. This talk will show the\r\nattack surface of various Java messaging API implementations and their deserialization vulnerabilities. Last but\r\nnot least, the Java Messaging Exploitation Tool (JMET) will be presented to help you identify and exploit\r\nmessage-consuming systems like a boss.\r\n \r\nRecover a RSA Private Key from a TLS Session with Perfect Forward Secrecy\r\nThey always taught us that the only thing that can be pulled out from a SSL/TLS session using strong\r\nauthentication and latest Perferct Forward Secrecy ciphersuites is the public key of the certificate exchanged\r\nduring the handshake - an insufficient condition to place a MiTM attack without to generate alarms on the validity\r\nof the TLS connection and certificate itself. Anyway, this is not always true. In certain circumstances it is possible\r\nto derive the private key of server regardless of the size of the used modulus. Even RSA keys of 4096 bits can be\r\nfactored at the cost of a few CPU cycles and computational resources. All that needed is the generation of a faulty\r\ndigital signature from server, an event that can be observed when occurring certain conditions such as CPU\r\noverheating, RAM errors or other hardware faults. Because of these premises, devices like firewall, switch, router\r\nand other embedded appliances are more exposed than traditional IT servers or clients. During the talk, the author\r\nwill explain the theory behind the attack, how common the factors are that make it possible and his custom\r\npratical implementation of the technique. At the end, a proof-of-concept, able to work both in passive mode (i.e.\r\nonly by sniffing the network traffic) and in active mode (namely, by participating directly in the establishment of\r\nTLS handshakes), will be released.\r\n \r\nSamsung Pay: Tokenized Numbers Flaws and Issues\r\nSamsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit\r\ncard information, Samsung Pay is trying to become one of the most secure approaches offering functionality and\r\nsimplicity for its customers. This app is a complex mechanism which has some limitations relating security. Using\r\nrandom tokenize numbers and implementing Magnetic Secure Transmission (MST) technology, which do not\r\nguarantee that every token generated with Samsung Pay would be applied to make a purchase with the same\r\nSamsung device. That means that an attacker could steal a token from a Samsung Pay device and use it without\r\nrestrictions. Inconvenient but practical is that Samsung's users could utilize the app in airplane mode. This makes\r\nit impossible for Samsung Pay to have a full control process of the tokens pile. Even when the tokens have their\r\nown restrictions, the tokenization process gets weaker after the app generates the first token relating a specific\r\ncard. How random is a Spay tokenized number? It is really necessary to understand how the tokens heretically\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 48 of 66\n\nshare similarities in the generation process, and how this affect the end users' security. What are the odds to guess\r\nthe next tokenized number knowing the previous one?\r\n \r\nSecure Penetration Testing Operations: Demonstrated Weaknesses in Learning\r\nMaterial and Tools\r\nFollowing previous presentations on the dangers penetration testers face in using current off-the-shelf tools and\r\npractices, this presentation explores how widely available learning materials used to train penetration testers lead\r\nto inadequate protection of client data and penetration testing operations. With widely available books and other\r\ntraining resources targeting the smallest set of prerequisites, in order to attract the largest audience, many\r\npenetration testers adopt the techniques used in simplified examples to real world tests, where the network\r\nenvironment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise\r\npenetration testers, and given current practices, can do so easily and with dramatic impact. This presentation will\r\ninclude a live demonstration of techniques for hijacking a penetration tester's normal practices, as well as guidance\r\nfor examining and securing your current testing procedures. Tools shown in this demonstration will be released\r\nalong with the talk.\r\n \r\nSecurity Through Design - Making Security Better by Designing for People\r\nIn this session we will explore why certain devices, pieces of software or companies lead us to utter frustration\r\nwhile others consistently delight us and put a smile on our face. With these insights in mind, we will explore how\r\nwe typically create our security processes, teams and solutions. All too often we create something without\r\nproperly understanding what our colleagues or customers are trying to achieve only to bombard them with\r\nawareness training and policies because they \"just don't get it\" and because \"humans are the weakest link.\" We\r\nwill look at user-centered design methods and concepts from other disciplines like economy, psychology or\r\nmarketing that can help us to build security in a truly usable way not just our tools but also the way we setup our\r\nteams, the way we communicate and the way we align incentives. Every interaction with security is an\r\nopportunity to improve convenience and bring a smile to somebody's face. By understanding the impact of design,\r\nwe can do a lot to improve corporate productivity and security itself.\r\nSGX Secure Enclaves in Practice: Security and Crypto Review\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 49 of 66\n\nSoftware Guard Extensions (SGX) is a technology available in Intel(R) CPUs released in autumn 2015. SGX\r\nallows a remote server to process a client's secret data within a software enclave that hides the secrets from the\r\noperating system, hypervisor, and even BIOS or chipset manager, while giving cryptographic evidence to the\r\nclient that the code has been executed correctly the very definition of secure remote computation.\r\nThis talk is the first public assessment of SGX based on real SGX-enabled hardware and on Intel's software\r\ndevelopment environment. While researchers already scrutinized Intel's partial public documentation, many\r\nproperties can only be verified and documented by working with the real thing: What's really in the development\r\nenvironment? Which components are implemented in microcode and which are in software? How can developers\r\ncreate secure enclaves that won't leak secrets? Can the development environment be trusted? How to debug and\r\nanalyze SGX software? What crypto schemes are used in SGX critical components? How reliable are they? How\r\nsafe are their implementations? Based on these newly documented aspects, we'll assess the attack surface and real\r\nrisk for SGX users. We'll then present and demo proofs-of-concept of cryptographic functionalities leveraging\r\nSGX: secure remote storage and delegation (what fully homomorphic encryption promises, but is too slow to put\r\nin practice), and reencryption. We'll see how basic architectures can deliver powerful crypto functionalities with a\r\nwide range of applications. We'll release code as well as a tool to extract and verify an enclave's metadata.\r\n \r\nSide-Channel Attacks on Everyday Applications\r\nIn 2013, Yuval Yarom and Katrina Falkner discovered the FLUSH+RELOAD L3 cache side-channel. So far it has\r\nbroken numerous implementations of cryptography including, notably, the AES and ECDSA in OpenSSL and the\r\nRSA GnuPG. Given FLUSH+RELOAD's astounding success at breaking cryptography, we're lead to wonder if it\r\ncan be applied more broadly, to leak useful information out of regular applications like text editors and web\r\nbrowsers whose main functions are not cryptography.\r\nIn this talk, I'll briefly describe how the FLUSH+RELOAD attack works, and how it can be used to build input\r\ndistinguishing attacks. In particular, I'll demonstrate how when the user Alice browses around the top 100\r\nWikipedia pages, the user Bob can spy on which of those pages she's visiting.\r\nThis isn't an earth-shattering attack, but as the code I'm releasing shows, it can be implemented reliably. My goal\r\nis to convince the community that side channels, FLUSH+RELOAD in particular, are useful for more than just\r\nbreaking cryptography. The code I'm releasing is a starting point for developing better attacks. If you have access\r\nto a vulnerable CPU running a suitable OS, you should be able to reproduce the attack within minutes after\r\nwatching the talk and downloading the code.\r\n \r\nSubverting Apple Graphics: Practical Approaches to Remotely Gaining Root\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 50 of 66\n\nApple graphics, both the userland and the kernel components, are reachable from most of the sandboxed\r\napplications, including browsers, where an attack can be launched first remotely and then escalated to obtain root\r\nprivileges. On OS X, the userland graphics component is running under the WindowServer process, while the\r\nkernel component includes IOKit user clients created by IOAccelerator IOService. Similar components do exist\r\non iOS system as well. It is the counterpart of \"Win32k.sys\" on Windows. In the past few years, lots of interfaces\r\nhave been neglected by security researchers because some of them are not explicitly defined in the sandbox\r\nprofile, yet our research reveals not only that they can be opened from a restrictive sandboxed context, but several\r\nof them are not designed to be called, exposing a large attack surface to an adversary. On the other hand, due to its\r\ncomplexity and various factors (such as being mainly closed source), Apple graphics internals are not well\r\ndocumented by neither Apple nor the security community. This leads to large pieces of code not well analyzed,\r\nincluding large pieces of functionality behind hidden interfaces with no necessary check in place even in\r\nfundamental components. Furthermore, there are specific exploitation techniques in Apple graphics that enable\r\nyou complete the full exploit chain from inside the sandbox to gain unrestricted access. We named it \"graphic-style\" exploitation.\r\nIn the first part of the talk, we introduce the userland Apple graphics component WindowServer. We start from an\r\noverview of WindowServer internals, its MIG interfaces as well as \"hello world\" sample code. After that, we\r\nexplain three bugs representing three typical security flaws: - Design related logic issue CVE-2014-1314, which\r\nwe used at Pwn2Own 2014 - Logic vulnerability within hidden interfaces - The memory corruption issue we used\r\nat Pwn2Own 2016 Last but not least we talk about the \"graphic-style\" approach to exploit a single memory\r\ncorruption bug and elevate from windowserver to root context.\r\nThe second part covers the kernel attack surface. We will show vulnerabilities residing in closed-source core\r\ngraphics pipeline components of all Apple graphic drivers including the newest chipsets, analyze the root cause\r\nand explain how to use our \"graphic-style\" exploitation technique to obtain root on OS X El Capitan at Pwn2Own\r\n2016. This part of code, mostly related to rendering algorithm, by its nature lies deeply in driver's core stack and\r\nrequires much graphical programming background to understand and audit, and is overlooked by security\r\nresearchers. As it's the fundamental of Apple's rendering engine, it hasn't been changed for years and similar issues\r\ndo exist in this blue ocean. We'll also come up with a new way of kernel heap spraying, with less side-effect and\r\nmore controllable content than any other previous known methods. The talk is concluded by showing two live\r\ndemos of remote gaining root through a chain of exploits on OS X El Capitan. Our first demo is done by\r\nexploiting userland graphics and the second by exploiting kernel graphics.\r\n \r\nTCP Injection Attacks in the Wild - A Large Scale Study\r\nIn this work we present a massively large-scale survey of Internet traffic that studies the practice of false content\r\ninjections on the web. We examined more than 1.5 Peta-bits of data from over 1.5 million distinct IP addresses.\r\nEarlier this year we have shown that false content injection is practiced by network operators for commercial\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 51 of 66\n\npurposes. These network operators inject advertisements and malware into webpages viewed by potentially ALL\r\nusers on the Internet.\r\nIn this presentation we recap the injections we discovered earlier this year and show them in detail. Additionally,\r\nwe shall show new types of non-commercial injections, identify the injectors behind them and discuss their modi\r\noperandi. Finally, we shall discuss in detail analysis of a targeted injection attack against an American website.\r\nThe attacks we discovered are done using out-of-band TCP injection of false packets (rather than in-band\r\nalteration of the original packets). This is what actually allowed us to detect the injection events in the first place.\r\nWe also present a novel client-side tool to mitigate such attacks that has minimal performance impact.\r\n \r\nThe Art of Defense - How Vulnerabilities Help Shape Security Features and\r\nMitigations in Android\r\nInformation security is ever evolving, and Android's security posture is no different. Android users faces threats\r\nfrom a variety of sources, from the mundane to the extraordinary. Lost and stolen devices, malware attacks,\r\nrooting vulnerabilities, malicious websites, and nation state attackers are all within the Android threat model, and\r\nsomething the Android Security Team deals with daily. In this talk, we will cover the threats facing Android users,\r\nusing both specific examples from previous Black Hat conferences and published research, as well as previously\r\nunpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability,\r\nas well as newly added Android N security features which defend against future unknown vulnerabilities. Finally,\r\nwe'll discuss where we could go from here to make Android, and the entire computer industry, safer.\r\nThe Art of Reverse Engineering Flash Exploits\r\nAdobe Flash is one of the battlegrounds of exploit and mitigation methods. As most of the Flash exploits\r\ndemonstrate native memory layer exploit technique, it is valuable to understand the memory layout and behavior\r\nof Adobe Flash Player. We developed fine-grained debugging tactics to observe memory exploit technique and the\r\nway to interpret them effectively. This eventually helps defenders to understand new exploit techniques that are\r\nused for current targets quickly. This information is also valuable in deciding which area should defenders focus\r\non for mitigation and code fixes. Adobe Flash Player was one of the major attack targets in 2015. We observed at\r\nleast 17 effective zero-days or 1-day attacks in the wild. Flash is not just used by exploit kits like Angler, it has\r\nalso been commonly used for advanced persistent threat (APT) attacks. The bug class ranges from simple heap\r\noverflows, uninitialized memory to type confusion and use-after-free. At Microsoft, understanding exploits in-the-wild is a continuous process. Flash exploit is one of the hardest to reverse-engineer. It often involves multi-layer\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 52 of 66\n\nobfuscation, and by default, is highly obfuscated and has non-decompilable codes. The challenge with Flash\r\nexploit comes from the lack of tools for static and dynamic analysis. Exploits are written with ActionScript\r\nprogramming language and obfuscated in bytecode level using commercial-grade obfuscation tools.\r\nUnderstanding highly obfuscated logic and non-decompilable AVM bytecode is a big challenge. Especially, the\r\nlack of usable debuggers for Flash file itself is a huge hurdle for exploit reverse engineers. It is just like debugging\r\nPE binaries without using Windbg or Olly debugger. The ability of the researcher is highly limited.\r\nWith this presentation, I want to deliver two things: 1. The tactics and debugging technique that can be used to\r\nreverse engineer exploits. This includes using existing toolsets and combining them in an effective way. 2. The\r\ndetailed exploit code reverse engineering examples that can help you understand what's the current and past status\r\nof attack and mitigation war. You might have heard of Vector corruption, ByteArray corruption and other JIT\r\nmanipulation technique. Technical details will be discussed on how the exploits are using these and how the\r\nvendor defended against these.\r\n \r\nThe Beast Within - Evading Dynamic Malware Analysis Using Microsoft COM\r\nMicrosoft Common Object Model (COM) is a technology for providing a binary programming interface for\r\nWindows programs. Despite its age it still forms the internal foundation of many new Microsoft technologies such\r\nas .NET. However, over the course of more than twenty years of development, the inevitable pressure to retain\r\nbackwards compatibility has turned the COM runtime into an obscure beast. These days, many COM interfaces\r\nexist that mirror almost the same functionality provided by common Windows APIs. Malware authors can easily\r\nexecute almost any operation (creating files, starting new processes, etc.) only using COM calls. Dynamic\r\nmalware analyzers must deal with this accordingly without getting lost in the shadowy depths of the COM\r\nruntime.\r\nThe talk presents various aspects of automated dynamic COM malware analysis and shows which approaches are\r\nactually practical and which ones are hopeless from the beginning. We show how COM interfaces are already\r\nactively used by malware in the wild. Our data retrieved from various sample sharing programs indicates that\r\nCOM use is widespread and not only limited to sophisticated attacks. It can be used to create arbitrary files, access\r\nthe registry, control the Windows firewall, tap into audio interfaces and much more. The possibilities are endless.\r\nFurthermore, many script engines such as VBScript or JScript use COM underneath. If such samples are analyzed,\r\nthen this must be dealt with appropriately. Unfortunately, many existing dynamic analysis solutions fail at\r\nmonitoring COM correctly which makes it easy for malware to evade many common sandboxes. One essential\r\nproblem is that COM classes can be implemented in various places: in the calling program itself, in other\r\nprocesses on the same machine, or even in remote processes on different machines using DCOM. This requires to\r\ncatch and process COM calls at the very first API layer and not later on. Due to the myriad of COM calls in\r\nquestion, hooking-based solutions quickly hit a wall. The popular workaround is to hook on API layers behind\r\n(such as NTDLL). Since COM calls can be executed in remote processes and heavily rely on data marshalling,\r\nthis approach can only be used for not more than simple COM interfaces. Furthermore, it requires filtering out\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 53 of 66\n\nirrelevant API calls from OS libraries, which, notwithstanding the above, poses many problems by itself. Last but\r\nnot least, hooking COM calls (or API calls in general) makes it easy for malware to detect that it is running in a\r\nsandbox.\r\nWe show how transition-based monitoring can be used to monitor all COM calls at the first interface layer. This\r\nrequires additional effort in parsing the numerous different formats COM uses to encode function call parameters.\r\nWe show what obstacles are to be expected and how to deal with them accordingly. This generic approach yields a\r\ndetailed list of all COM calls executed by malware with all their parameters. In addition, malware cannot evade\r\nthe analysis since transitions are detected transparently in a hypervisor. Not a single bit has to be modified in the\r\nanalysis environment.\r\nThe Linux Kernel Hidden Inside Windows 10\r\nInitially known as \"Project Astoria\" and delivered in beta builds of Windows 10 Threshold 2 for Mobile,\r\nMicrosoft implemented a full blown Linux 3.4 kernel in the core of the Windows operating system, including full\r\nsupport for VFS, BSD Sockets, ptrace, and a bonafide ELF loader. After a short cancellation, it's back and\r\nimproved in Windows 10 Anniversary Update (\"Redstone\"), under the guise of Bash Shell interoperability. This\r\nnew kernel and related components can run 100% native, unmodified Linux binaries, meaning that NT can now\r\nexecute Linux system calls, schedule thread groups, fork processes, and access the VDSO!\r\nAs it's implemented using a full-blown, built-in, loaded-by-default, Ring 0 driver with kernel privileges, this not a\r\nmere wrapper library or user-mode system call converter like the POSIX subsystem of yore. The very thought of\r\nan alternate virtual file system layer, networking stack, memory and process management logic, and complicated\r\nELF parser and loader in the kernel should tantalize exploit writers - why choose from the attack surface of a\r\nsingle kernel, when there's now two?\r\nBut it's not just about the attack surface - what effects does this have on security software? Do these frankenLinux\r\nprocesses show up in Procmon or other security drivers? Do they have PEBs and TEBs? Is there even an\r\nEPROCESS? And can a Windows machine, and the kernel, now be attacked by Linux/Android malware? How are\r\nLinux system calls implemented and intercepted?\r\nAs usual, we'll take a look at the internals of this entirely new paradigm shift in the Windows OS, and touch the\r\nboundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions,\r\nwhich lead to a wealth of new security challenges on Windows 10 Anniversary Update (\"Redstone\") machines.\r\nThe Remote Malicious Butler Did It!\r\nAn Evil Maid attack is a security exploit that targets a computing device that has been left unattended. An evil\r\nmaid attack is characterized by the attacker's ability to physically access the target multiple times without the\r\nowner's knowledge. On BlackHat Europe 2015, Ian Haken in his talk \"Bypassing Local Windows Authentication\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 54 of 66\n\nto Defeat Full Disk Encryption\" had demonstrated a smart Evil Maid attack which allows the attacker to bypass\r\nBitlocker disk encryption in an enterprise's domain environment. The attacker can do so by connecting the\r\nunattended computer into a rogue Domain Controller and abusing a client side authentication vulnerability. As a\r\nresult, Microsoft had released a patch to fix this vulnerability and mitigate the attack. While being a clever attack,\r\nthe physical access requirement for the attack seems to be prohibitive and would prevent it from being used on\r\nmost APT campaigns. As a result, defenders might not correctly prioritize the importance of patching it.\r\nIn our talk, we reveal the \"Remote Malicious Butler\" attack, which shows how attackers can perform such an\r\nattack, remotely, to take a complete control over the remote computer. We will dive into the technical details of the\r\nattack including the rogue Domain Controller, the client-side vulnerability and the Kerberos authentication\r\nprotocol network traffic that ties them. We would explore some other attack avenues, all leveraging on the rogue\r\nDomain Controller concept. We would conclude with the analysis of some practical generic detection and\r\nprevention methods against rogue Domain Controllers.\r\n \r\nThe Risk from Power Lines: How to Sniff the G3 and Prime Data and Detect the\r\nInterfere Attack\r\nPower line communication (PLC) is a kind of communication technology which uses the power line as the\r\ncommunication media. The PLC technology is divided with 2 sub-field: narrow-band PLC and wide-band PLC.\r\nFor the narrow-band PLC, there are 2 very import standards: Prime and G3. Both the standards are widely used in\r\nAMR and electric monitor system and it lead to the rise of threat in AMR system security and electric safety. This\r\ntopic will talk about how to get the PLC data stream in a PLC communication system which would use G3 or\r\nPrime standard, and will also talk about how to detect attacking in the net. We will focus on how to identify which\r\nkind of standard the system using and how to sniff the PLC data in physical level.\r\n \r\nThe Tao of Hardware the Te of Implants\r\nEmbedded, IOT, and ICS devices tend to be things we can pick up, see, and touch. They're designed for\r\nnontechnical users who think of them as immutable hardware devices. Even software security experts, at some\r\npoint, consider hardware attacks out of scope. Thankfully, even though a handful of hardware manufacturers are\r\nmaking some basic efforts to harden devices, there's still plenty of cheap and easy ways to subvert hardware. The\r\nleaked ANT catalog validated that these cheap hardware attacks are worthwhile. The projects of the NSA Playset\r\nhave explored what's possible in terms of cheap and easy DIY hardware implants, so I've continued to apply those\r\nsame techniques to more embedded devices and industrial control systems. I'll show off a handful of simple\r\nhardware implants that can 1) Blindly escalate privilege using JTAG 2) Patch kernels via direct memory access on\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 55 of 66\n\nan embedded device without JTAG 3) Enable wireless control of the inputs and outputs of an off-the-shelf PLC 4)\r\nHot-plug a malicious expansion module onto another PLC without even taking the system offline and 5) Subvert a\r\nsystem via a malicious display adapter. Some of these are new applications of previously published implants -\r\nothers are brand new.\r\nI'll conclude with some potential design decisions that could reduce vulnerability to implants, as well as ways of\r\nprotecting existing hardware systems from tampering.\r\n \r\nThe Year in Flash\r\nAdobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and\r\nmitigations are implemented, increasingly complex vulnerabilities and exploits are coming to light. This talk\r\ndescribes notable vulnerabilities and exploits that have been discovered in Flash in the past year.\r\nIt will start with an overview of the attack surface of Flash, and then discuss how the most common types of\r\nvulnerabilities work. It will then go through the year with regards to bugs, exploits and mitigations. It will end\r\nwith a discussion of the future of Flash attacks: likely areas for new bugs, and the impact of existing mitigations.\r\nTiming Attacks Have Never Been So Practical: Advanced Cross-Site Search\r\nAttacks\r\nCross-site search (XS-search) is a practical timing side-channel attack that allows the extraction of sensitive\r\ninformation from web-services. The attack exploits inflation techniques to efficiently distinguish between search\r\nrequests that yield results and requests that do not. This work focuses on the response inflation technique that\r\nincreases the size of the response; as the difference in the sizes of the responses increases, it becomes easier to\r\ndistinguish between them. We begin with browser-based XS-search attack and demonstrate its use in extracting\r\nusers' private data from Gmail and Facebook. The browser-based XS-search attack exploits the differences in the\r\nsizes of HTTP responses, and works even when significant inflation of the response is impossible. This part also\r\ninvolves algorithmic improvements compared to previous work. When there is no leakage of information via the\r\ntiming side channel it is possible to use second-order (SO) XS-search, a novel type of attack that allows the\r\nattacker to significantly increase the difference in the sizes of the responses by planting maliciously crafted record\r\ninto the storage. SO XS-search attacks can be used to extract sensitive information such as email content of Gmail\r\nand Yahoo! users, and search history of Bing users.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 56 of 66\n\nTowards a Holistic Approach in Building Intelligence to Fight Crimeware\r\nTo defeat your adversaries, it is crucial to understand how they operate and to develop a comprehensive view of\r\ntheir playing field. In this talk, we describe a holistic and scalable approach to investigating and combating\r\ncybercrime. Our strategy focuses on two perspectives: the network attack surface and the actors. The network\r\nattack surface exploited by malware manifests itself through various aspects such as hosting IP space, DNS traffic,\r\nopen ports, BGP announcements, ASN peerings, and SSL certificates. The actors' view tracks trends, motivations,\r\nand TTPs of cyber criminals by infiltrating and maintaining access to closed underground forums where threat\r\nactors collaborate to plan cyber attacks. Crimeware campaigns nowadays rely heavily on bulletproof hosting for\r\nscalable deployment. We distinguish two types of such hosting infrastructures: the first consists of a large number\r\nof infected residential hosts scattered geographically that are leveraged to build a fast flux proxy network. This\r\nnetwork is a hosting-as-a service platform for various malware and ransomware C2, phishing, carding, and botnet\r\npanels. The second type exists in dedicated servers acquired from rogue hosting companies or large abused\r\nhosting providers with the purpose of hosting exploit kits, phishing, malware C2, and other gray content. We start\r\nby using DNS traffic analysis and passive DNS mining algorithms to massively detect malware domains. After we\r\nidentify the hosting IPs of these domains, we will demonstrate novel methods using DNS PTR data to further map\r\nout the entire IP space of bulletproof hosters serving these attacks. In the case of fast flux proxy networks, we\r\nleverage SSL data to map out larger sets of compromised hosts. Concurrently, we investigate underground forums\r\nfor emerging signals about bulletproof hosters just about to be employed for malware campaigns.\r\nThe talk describes how to proactively bridge the gap between the actors and network views by identifying the IP\r\nspace of the mentioned hosters given very few initial indicators and predictively block it. This is made possible\r\nthanks to the deployment at large scale of DNS PTR, SSL, and HTTP data provided by Project Sonar datasets and\r\nour own scanning of certain IP regions. It is undoubtedly a serious challenge facing security researchers to devise\r\nmeans to quickly index and search through vast quantities of security related log data. Therefore, we will also\r\ndescribe the backend architecture, based on HBase and ElasticSearch, that we use to index global Internet\r\nmetadata so it is easily searchable and retrievable. Join us in this talk to learn about effective methods to\r\ninvestigate malware from both network and actors' perspectives and hear about our experience on how to deploy\r\nand mine large scale Internet data to support threat research.\r\nUnderstanding HL7 2.x Standards Pen Testing and Defending HL7 2.x Messages\r\nHealth Level-7 or HL7 refers to a set of international standards for transfer of clinical and administrative data\r\nbetween software applications used by various healthcare providers. Healthcare provider organizations typically\r\nhave many different computer systems used for everything from billing records to patient tracking. All of these\r\nsystems should communicate with each other (or \"interface\") when they receive new information, or when they\r\nwish to retrieve information, but not all do so. The Hl7 2.x protocol was designed keeping certain factors in mind.\r\nSome of which are: a closed network, no malicious intent by the devices, and running the devices in a completely\r\nreliable environment. The number of devices using the HL7 2.x is huge (currently, the HL7 v2.x messaging\r\nstandard is supported by every major medical information systems vendor in the world). However, a secure\r\nimplementation standard / guide still needs to be worked on. Over some time I have observed that hospitals and\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 57 of 66\n\nvendors do not fully understand the risks on their infrastructure. Also vendors need to implement some changes\r\nover their software and hardware to make their devices more resilient to attacks.\r\nThe talk will cover HL7 2.x messages, their significance and the information in these messages, also the impact of\r\ngaining access to these messages. We will look the scenario of gaining patient information, fingerprinting\r\narchitecture, examining and changing diagnosis, gaining access to non-prescribed drugs / changing medication\r\nand possible financial scams. This talk will also cover how to Pen test medical systems running HL7 interfaces\r\n(EMR Software, Patient monitors, X-ray machines.. etc.), discovering common flaws and attack surfaces and on\r\ndevices that use HL 7 2.x messages to test machine interfaces and connected environment.\r\nUnleash the Infection Monkey: A Modern Alternative to Pen-Tests\r\nSecurity breaches never happen exactly the way you expected or planned for. Yet an organization's infrastructure\r\nshould be able to withstand a breach of its perimeter security layer, and also handle the infection of internal\r\nservers. The security testing toolset available to security professionals today consists mainly of penetration testing\r\nand vulnerability scanners.These tools were designed for traditional, relatively static networks and can no longer\r\naddress ALL the possible vulnerabilities of today's dynamic and hybrid network. While there is no replacement to\r\na highly skilled human pen-test hacker, penetration tests are limited to specific parts of a network, are expensive,\r\nand may become obsolete within months. Automatic vulnerability scanners have limited accessibility and can not\r\nsimulate today's advanced lateral movement attack methods. The result is network blind spots which is where\r\nsecurity threats often arise. This calls for a new approach to testing network security resilience. An ideal tool\r\nwould be easy to use, budgetary conscious, autonomous and scalable.\r\nWe propose using the Infection Monkey, a new open source cyber security testing tool, designed to thoroughly test\r\na network from an attacker's point of view. Our tool draws its inspiration from Netflix's Chaos Monkey released in\r\n2011. Netflix's Monkey was designed to randomly delete servers in Netflix' infrastructure to test a service's ability\r\nto withstand server failures. We think that a similar approach applies to network security, \"infecting\" your network\r\nto test your defenses capabilities, so we have leveraged Netflix's Chaos Monkey concept to address the challenges\r\nof the network defense community. The Infection Monkey spins up an infected virtual machine inside random\r\nparts of your data center, to test for potential security failures. By \"inside\", we mean behind the firewall and any\r\nother perimeter defense you are deploying for your computing infrastructure. By equipping the monkey with\r\nadvanced exploitation abilities (without destructive payloads), it can spread to any vulnerable machine within\r\nreach. Along with the ability to spread onwards from its victims, the monkey can detect surprising weak spots\r\nthroughout the network.\r\nIn our talk we will show how our Infection Monkey uncovers blind spots and argue that ongoing network-wide\r\nsecurity testing adds strong capabilities to the security team. We will focus on vulnerabilities that up until now\r\nhave stayed in the industry's 'collective blind spot'. The security community can greatly benefit from a disruptive,\r\nmodern tool that helps verify security solution deployments and shed light on the weaker parts of the security\r\nchain.\r\n \r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 58 of 66\n\nUsing an Expanded Cyber Kill Chain Model to Increase Attack Resiliency\r\nThe Cyber Kill Chain model provides a framework for understanding how an adversary breaches the perimeter to\r\ngain access to systems on the internal network. However, this model is incomplete and can lead to over-focusing\r\non perimeter security, to the detriment of internal security controls. In this presentation, we'll explore an expanded\r\nmodel including the Internal Kill Chain and the Target Manipulation Kill Chain.\r\nWe'll review what actions are taken in each phase, and what's necessary for the adversary to move from one phase\r\nto the next. We'll discuss multiple types of controls that you can implement today in your enterprise to frustrate the\r\nadversary's plan at each stage, to avoid needing to declare \"game over\" just because an adversary has gained\r\naccess to the internal network. The primary limiting factor of the traditional Cyber Kill Chain is that it ends with\r\nStage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on\r\nthe internal network, the defending victim has already lost. In reality, there should be multiple layers of security\r\nzones on the internal network, to protect the most critical assets. The adversary often has to move through\r\nnumerous additional phases in order to access and manipulate specific systems to achieve his objective. By\r\nincreasing the time and effort required to move through these stages, we decrease the likelihood of the adversary\r\ncausing material damage to the enterprise.\r\nUsing EMET to Disable EMET\r\nMicrosoft's Enhanced Mitigation Experience Toolkit (EMET) is a project that adds security mitigations to user\r\nmode programs beyond those built in to the operating system. It runs inside \"protected\" programs as a Dynamic\r\nLink Library (DLL), and makes various changes in order to make software exploitation expensive. If an attacker\r\ncan bypass EMET with significantly less work, then it defeats EMET's purpose of increasing the cost of exploit\r\ndevelopment. In this briefing we discuss protections being offered from EMET, how individually each of them can\r\nbe evaded by playing around the validation code and then a generic disabling method, which applies to multiple\r\nendpoint products and sandboxing agents relying on injecting their Dynamic Link Library into host processes in\r\norder to protect them. It can be noted that Microsoft has issued a patch to address this very issue in EMET 5.5 in\r\nFebruary 2016. EMET was designed to raise the cost of exploit development and not as a \"fool proof exploit\r\nmitigation solution\". Consequently, it is no surprise that attackers who have read/write capabilities within the\r\nprocess space of a protected program can bypass EMET by systematically defeating its mitigations. As long as\r\ntheir address space remains same, a complete defensive solution cannot be used to prevent exploitation.\r\nThe talk will focus on how easy is it to defeat EMET or any other Agent. How secure is any endpoint exploit\r\nprevention/detection solution, which relies on same address space validations and how to defeat them with their\r\nown checks or by circumventing and evading their validation. Moreover it will also reflect on, targeted EMET\r\nevasion i.e. when the attacker knows EMET is installed on victim machine. These methods applied on EMET can\r\nbe applied on other enterprise products and were tested on many during our research.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 59 of 66\n\nUsing Undocumented CPU Behavior to See into Kernel Mode and Break KASLR\r\nin the Process\r\nTypically, hackers focus on software bugs to find vulnerabilities in the trust model of computers. In this talk,\r\nhowever, we'll focus on, how the micro architectural design of computers and how they enable an attacker to\r\nbreach trust boundaries. Specifically, we'll focus on how an attacker with no special privileges can gain insights\r\ninto the kernel and how these insights can enable further breaches of security. We will focus on the x86-64\r\narchitecture, but round up with comments on how our research touches on ARM processors. Unlike software bugs,\r\nmicro architectural design issues have applications across operating systems and are independent of easily fixable\r\nsoftware bugs. In modern operating systems the security model is enforced by the kernel. The kernel itself runs in\r\na processor supported and protected state often called supervisor or kernel mode. Thus the kernel itself is\r\nprotected from introspection and attack by hardware. We will present a method that'll allow for fast and reliable\r\nintrospection into the memory hierarchy in the kernel based on undocumented CPU behavior and show how\r\nattackers could make use of this information to mount attacks on the kernel and consequently of the entire security\r\nmodel of modern computers. Making a map of memory and breaking KASLR Modern operating systems use a\r\nnumber of methods to prevent an attacker from running unauthorized code in kernel mode. They range from\r\nrequiring user-privileges to load drivers, over driver signing to hardware enabled features preventing execution in\r\nmemory marked as data such as DEP (Data Execution Prevention) or more resonantly SMEP that prevents\r\nexecution of user allocated code with kernel level privileges. Often used bypasses modify either page tables or use\r\nso called code reuse attacks. Either way an attacker needs to know where the code or page tables are located. To\r\nfurther complicate an attack modern operating system is equipped with \"Kernel Address Space Randomized\r\nLayout\" (KASLR) that randomizes the location of important system memory.\r\nWe'll present a fast and reliable method to map where the kernel has mapped pages in the kernel mode area.\r\nFurther, we'll present a method for locating specific kernel modules thus by passing KASLR and paving the way\r\nfor classic privileged elevation attacks. Neither method requires any special privileges and they even run from a\r\nsandboxed environment. Also relevant is that our methods are more flexible than traditional software information\r\nleaks, since they leak information on the entire memory hierarchy. The core idea of the work is that the prefetch\r\ninstructions leaks information about the caches that are related to translating a virtual address into a physical\r\naddress. Also significant is that the prefetch instruction is unprivileged and does not cause exceptions nor does it\r\nhave any privilege verification. Thus it can be used on any address in the address space. Physical to virtual address\r\nconversion A number of micro-architectural attacks is possible on modern computers. The Row hammer is\r\nprobably the most famous of these attacks. But attacks methodologies such as cache side channel attacks have\r\nproven to be able to exfiltrate private data, such as private keys, across trust boundaries. These two attack\r\nmethodologies have in common that they require information about how virtual memory is mapped to physical\r\nmemory. Both methodologies have thus far either used the \"/proc/PID/pagemap\" which is now accessible only\r\nwith administrator privileges or by using approximations. We will discuss a method where an unprivileged user is\r\nable to reconstruct this mapping. This goes a long way towards making the row hammer attack a practical attack\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 60 of 66\n\nvector and can be a valuable assistance in doing cache side channel attacks. Again we use the prefetch's\r\ninstructions lack of privilege checking, but instead of using the timing that it leaks we now use the instructions\r\nability to load CPU caches and that timing of memory access instructions depend heavily on the cache state.\r\nBonus material We will shortly discuss the attack vectors relevance on ARM platforms and its potential impact on\r\nhypervisor environments. Finally, we will shortly outline a possible defense.\r\n \r\nViral Video - Exploiting SSRF in Video Converters\r\nMany web applications allow users to upload video - video/image hostings, cloud storages, social networks,\r\ninstant messengers, etc. Typically, developers want to convert user uploaded files into formats supported by all\r\nclients. The number of input formats is very big, so developers use third-party tools/libraries for video encoding.\r\nThe most common solution in this area is ffmpeg and its forks. ffmpeg by default supports many different formats,\r\nincluding playlists (files with a set of links to other files). In this Briefing, we will examine exploitation of SSRF\r\nin hls (m3u8) playlists processing. Video processing is frequently done in clouds, which by design is more\r\nvulnerable to SSRF attacks, and playlists support many different protocols (http, file, tcp, upd, gopher ...), so\r\nSSRF in playlist processing can be very critical and even lead to full service takeover.\r\nWe will show how implementation details of hls playlists processing in ffmpeg allow reading files from the video\r\nconversion server, with and without network support. We will show how SSRF in video converter can give full\r\naccess to service based on cloud like Amazon AWS. We will also present our tool for the detection and\r\nexploitation of this vulnerability. We will show a truly \"viral\" video which could perform successful attacks on\r\nFacebook, Telegram, Microsoft Azure, flickr, one of Twitter services, Imgur and others.\r\nVOIP WARS: The Phreakers Awaken\r\nLarger organisations are using VoIP within their commercial services and corporate communications and the take\r\nup of cloud based Unified Communications (UC) solutions is rising every day. However, response teams and\r\nsecurity testers have limited knowledge of VoIP attack surfaces and threats in the wild. Due to this lack of\r\nunderstanding of modern UC security requirements, numerous service providers, larger organisations and\r\nsubscribers are leaving themselves susceptible to attack. Current threat actors are repurposing this exposed\r\ninfrastructure for botnets, toll fraud etc.\r\nThe talk aims to arm response and security testing teams with knowledge of cutting-edge attacks, tools and\r\nvulnerabilities for VoIP networks. Some of the headlines are: attacking cloud based VoIP solutions to jailbreak\r\ntenant environments; discovering critical security vulnerabilities with the VoIP products of major vendors;\r\nexploiting harder to fix VoIP protocol and service vulnerabilities; testing the security of IP Multimedia Subsystem\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 61 of 66\n\n(IMS) services; and understanding the toolset developed by the author to discover previously unknown\r\nvulnerabilities and to develop custom attacks. In addition, the business impact of these attacks will be explained\r\nfor various implementations, such as cloud UC services, commercial services, service provider networks and\r\ncorporate communication. Through the demonstrations, the audience will understand how can they secure and test\r\ntheir communication infrastructure and services. The talk will also be accompanied by the newer versions of\r\nViproy and Viproxy developed by the author to operate the attack demonstrations.\r\n \r\nWatching Commodity Malware Get Sold to a Targeted Actor\r\nDetected breaches are often classified by security operation centers and incident response teams as either\r\n\"targeted\" or \"untargeted.\" This quick classification of a breach as \"untargeted,\" and the following de-prioritization for remediation, often misses a re-classification and upgrade process several attack groups have been\r\nconducting. As part of this process, assets compromised as part of broad, untargeted \"commodity\" malware\r\ncampaigns are re-classified based on the organizational network they're part of to determine their potential value\r\nin the market. The higher value ones are upgraded and taken out of the \"commodity\" campaign to prepare them\r\nfor a sale, for buyers planning a targeted attack. Organizations overlooking this often miss the opportunity to\r\neliminate the threat prior to its escalation.\r\nThis session will cover the analysis of endpoint and network data captured during these re-classification\r\noperations, demonstrating the techniques and procedures used by some of the attack groups as they migrate\r\ncompromised endpoints from the \"commodity\" threat platform to the valuable-target's platform. What measures\r\ncan be taken to detect that a commodity threat is going through a migration process? How can this be leveraged to\r\nincrease the efficiency of the incident response process?\r\nWeaponizing Data Science for Social Engineering: Automated E2E Spear Phishing\r\non Twitter\r\nHistorically, machine learning for information security has prioritized defense: think intrusion detection systems,\r\nmalware classification and botnet traffic identification. Offense can benefit from data just as well. Social\r\nnetworks, especially Twitter with its access to extensive personal data, bot-friendly API, colloquial syntax and\r\nprevalence of shortened links, are the perfect venues for spreading machine-generated malicious content.\r\nWe present a recurrent neural network that learns to tweet phishing posts targeting specific users. The model is\r\ntrained using spear phishing pen-testing data, and in order to make a click-through more likely, it is dynamically\r\nseeded with topics extracted from timeline posts of both the target and the users they retweet or follow. We\r\naugment the model with clustering to identify high value targets based on their level of social engagement such as\r\ntheir number of followers and retweets, and measure success using click-rates of IP-tracked links. Taken together,\r\nthese techniques enable the world's first automated end-to-end spear phishing campaign generator for Twitter.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 62 of 66\n\nWeb Application Firewalls: Analysis of Detection Logic\r\nThe presentation will highlight the core of Web Application Firewall (WAF): detection logic, with an accent on\r\nregular expressions detection mechanism. The security of 6 trending opensource WAFs (OWASP CRS 2,3 -\r\nModSecurity, Comodo WAF, PHPIDS, QuickDefense, Libinjection) will be called into question.\r\nStatic Application Security Testing (SAST) tool for Regular Expressions analysis will be released, which aims to\r\nfinds security flaws in the cunning syntax of regular expressions. Using the proposed \"regex security cheatsheet\",\r\nrules from popular WAFs will be examined. Logical flaws in regular expressions will be demonstrated by\r\napplying author's bughunting experience and best practices. Unexpected by regexp's primary logic vectors will be\r\ndiscovered for Cross-Site Scripting and SQL-Injection attacks (MySQL, MSSQL, Oracle) using advanced fuzz\r\ntesting techniques. Obtained from fuzz testing framework attack vectors will be clustered and represented via\r\nlook-up tables. Such tables can be used by both attackers and defenders in order to understand the purpose of\r\ncharacters in various parts of attack vector, which are allowed by appropriate browsers or databases.\r\nMore than 15 new bypass vectors will be described, with an indication of over 300 potential weakness in regular\r\nexpression detection logic of WAFs.\r\nWhat's the DFIRence for ICS?\r\nDigital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about\r\nIndustrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical\r\ninfrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If\r\nthese are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical\r\nconditions, and other data can be analyzed in embedded systems to determine the root cause.\r\nThis talk will show examples of what and how to collect forensics data from two popular RTUs that are used in\r\nElectric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.\r\nThis talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 63 of 66\n\nWhen Governments Attack: State Sponsored Malware Attacks Against Activists\r\nLawyers and Journalists\r\nTargeted malware campaigns against Activists, Lawyers and journalists are becoming extremely commonplace.\r\nThese attacks range in sophistication from simple spear-phishing campaigns using off the shelf malware, to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and\r\njournalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don't even have\r\na single security professional on staff. In this session Eva\r\nGalperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational\r\ndetails of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They\r\nwill also present brand new research about a threat actor targeting lawyers and activists in Europe and the Post-Soviet States. With targeted malware campaigns, governments have a powerful tool to suppress and silence\r\ndissent. As security professionals we are in a unique position to help in this fight.\r\n \r\nWhen the Cops Come A-Knocking: Handling Technical Assistance Demands from\r\nLaw Enforcement\r\nWhat kind of surveillance assistance can the U.S. government force companies to provide? This issue has entered\r\nthe public consciousness due to the FBI's demand in February that Apple write software to help it access the San\r\nBernardino shooter's encrypted iPhone. Technical assistance orders can go beyond the usual government requests\r\nfor user data, requiring a company to actively participate in the government's monitoring of the targeted user(s).\r\nCompanies that take seriously the task of securing of their users' information and communications must be\r\nprepared to respond to demands to disclose, proactively begin storing, or decrypt user data; write custom code;\r\nallow the installation of government equipment on their systems; or hand over encryption keys. Advance\r\npreparation for handling technical assistance demands is especially important now since the U.S. Department of\r\nJustice has been so aggressive with companies that resist broad or novel surveillance orders. In the \"Apple vs.\r\nFBI\" case, America's richest company faced a motion for contempt of court and derisive rhetoric from U.S.\r\nofficials before it enlisted the nation's top lawyers in its defense and ultimately fought off the case. In stark\r\ncontrast, encrypted e-mail provider Lavabit unsuccessfully opposed multiple court orders to compel it to decrypt\r\nand give law enforcement the e-mails of its most famous customer, Edward Snowden, and even to hand over its\r\nprivate encryption keys. The Fourth Circuit Court of Appeal did not look kindly on Lavabit, which lost its legal\r\nbattle and shuttered its operations after its legal defeat. In 2007, Yahoo! unsuccessfully battled warrantless\r\nwiretapping in secret before the Foreign Intelligence Surveillance Court. The price for seeking to protect its users'\r\nFourth Amendment rights? DOJ argued that Yahoo! should be fined $250,000 a day for non-compliance while the\r\nlitigation was pending.\r\nThis talk, given by two Crypto Policy Project attorneys from Stanford Law School's Center for Internet and\r\nSociety, will teach an enterprise audience what they need to know about technical-assistance orders by U.S. law\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 64 of 66\n\nenforcement, so that they can handle demands effectively even if they do not have Apple-level resources. We'll go\r\nover what sorts of assistance law enforcement may demand you provide (and has demanded of companies in the\r\npast), whether they have authority to require such assistance and under what law(s), and a company's options in\r\nresponse.\r\nWindows 10 Mitigation Improvements\r\nContinuous improvements have been made to Windows and other Microsoft products over the past decade that\r\nhave made it more difficult and costly to exploit software vulnerabilities. The various mitigation technologies that\r\nhave been created as a result have played a key role in helping to keep people safe online even as the number of\r\nvulnerabilities that are found and fixed each year has increased. In this presentation, we'll describe some of the\r\nnew ways that Microsoft is tackling software security and some of the new mitigation improvements that have\r\nbeen made to Windows 10 as a result. This talk will cover a new data driven approach to software security at\r\nMicrosoft. This approach involves proactive monitoring and analysis of exploits found in-the-wild to better\r\nunderstand the types of vulnerabilities that are being exploited and exploitation techniques being used. This\r\ncategory of analysis and insight has driven a series of mitigation improvements that has broken widely used\r\nexploitation techniques and in some cases virtually eliminated entire classes of vulnerabilities.\r\nIn this presentation, we'll share more details on how this analysis is performed at Microsoft, how it has helped\r\ndrive improvements, and how we have measured the success of those improvements. This presentation will also\r\ndescribe Microsoft's unique proactive approach to software security assurance which embraces offensive security\r\nresearch and extends traditional \"red team\" operations into the software security world. This approach replaces\r\ntraditional software security design and implementation reviews with a true end-to-end simulation of attacks in the\r\nwild by spanning vulnerability discovery, exploit development, and mitigation bypass identification. This\r\napproach enables Microsoft to concretely evaluate the effectiveness of mitigations, identify gaps in protection, and\r\nprovide concrete metrics on the cost and resources required to develop an exploit in a given scenario. In other\r\nwords, this provides concrete data to help Microsoft be proactive about making holistic platform security\r\nimprovements rather than simply waiting and reacting to what we see attackers do in-the-wild. In order to help\r\ndrive these points home, this presentation will describe a number of mitigation improvements that have been made\r\nin Windows 10 and the upcoming Windows 10 anniversary edition. We will show how these improvements were\r\nsupported by the above methods and what impact we expect these improvements to have going forward. This\r\nportion of the presentation can be seen as a follow-on to our \"Exploit Mitigation Improvements in Windows 8\"\r\npresentation which was given at Black Hat USA 2012.\r\nWindows 10 Segment Heap Internals\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 65 of 66\n\nIntroduced in Windows 10, Segment Heap is the native heap used in Windows app (formerly called Modern/Metro\r\napp) processes and certain system processes. This heap is an addition to the well-researched and widely\r\ndocumented NT heap that is still used in traditional application processes and in certain types of allocations in\r\nWindows app processes.\r\nOne important aspect of the Segment Heap is that it is enabled for Microsoft Edge which means that\r\ncomponents/dependencies running in Edge that do not use a custom heap manager will use the Segment Heap.\r\nTherefore, reliably exploiting memory corruption vulnerabilities in these Edge components/dependencies would\r\nrequire some level of understanding of the Segment Heap.\r\nIn this presentation, I'll discuss the data structures, algorithms and security mechanisms of the Segment Heap.\r\nKnowledge of the Segment Heap is also applied by discussing and demonstrating how a memory corruption\r\nvulnerability in the Microsoft WinRT PDF library (CVE-2016-0117) is used to create a reliable write primitive in\r\nthe context of the Edge content process.\r\n \r\nXenpwn: Breaking Paravirtualized Devices\r\nInstead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide\r\nguests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out\r\nof a guest, making them quite an interesting target.\r\nIn this talk, I'll present the results of my research on the security of these backend components and discuss\r\nXenpwn, a hypervisor based memory access tracing tool used to discover multiple critical vulnerabilities in\r\nparavirtualized drivers of the Xen hypervisor.\r\nIf you like virtualization security, race conditions, vulnerabilities introduced by compiler optimizations or are a\r\nbig fan of Bochspwn, this is the right talk for you.\r\n \r\nSource: http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nhttp://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions\r\nPage 66 of 66", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" ], "report_names": [ "briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "cfdd35af-bd12-4c03-8737-08fca638346d", "created_at": "2022-10-25T16:07:24.165595Z", "updated_at": "2026-04-10T02:00:04.887031Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Cosmic Wolf", "Marbled Dust", "Silicon", "Teal Kurma", "UNC1326" ], "source_name": "ETDA:Sea Turtle", "tools": [ "Drupalgeddon" ], "source_id": "ETDA", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "33ae2a40-02cd-4dba-8461-d0a50e75578b", "created_at": "2023-01-06T13:46:38.947314Z", "updated_at": "2026-04-10T02:00:03.155091Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "UNC1326", "COSMIC WOLF", "Marbled Dust", "SILICON", "Teal Kurma" ], "source_name": "MISPGALAXY:Sea Turtle", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "62b1b01f-168d-42db-afa1-29d794abc25f", "created_at": "2025-04-23T02:00:55.22426Z", "updated_at": "2026-04-10T02:00:05.358041Z", "deleted_at": null, "main_name": "Sea Turtle", "aliases": [ "Sea Turtle", "Teal Kurma", "Marbled Dust", "Cosmic Wolf", "SILICON" ], "source_name": "MITRE:Sea Turtle", "tools": [ "SnappyTCP" ], "source_id": "MITRE", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441499, "ts_updated_at": 1775792173, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bb9408aa613c7d6652eb0f6260337fe1805f0001.pdf", "text": "https://archive.orkl.eu/bb9408aa613c7d6652eb0f6260337fe1805f0001.txt", "img": "https://archive.orkl.eu/bb9408aa613c7d6652eb0f6260337fe1805f0001.jpg" } }