Published: Fri 04 April 2014
Singapore hacking SyScan
Breaking Anti-Virus Software: Joxean Koret
Joxean gave a great introduction into worst security practices at anti virus
companies. He basically dropped a large amount of 0days on a bunch of AV
engines (I liked his opening statement "all bugs are 0days unless otherwise
mentioned"). Using dumb fuzzing Joxean found a huge amount of crashes and then
started diving into the individual engines. He wrote a quick fuzzer himself that
runs on Linux and he runs the scanners either under wine or extracts the core
engine and runs that one directly. Some of the worst practices he found are that
many engines (i) disable ASLR for their core libraries, (ii) inject (unsafe)
libraries into all processes, (iii) the scan engine often runs as root with full
privileges, and (iv) is full of bugs. So you might want consider trusting your
AV engines to handle untrusted files.
Embracing the New Threat: Towards Automatically Self-Diversifying Malware: Mathias Payer
The talk by yours truly. I talked about fully automatic malware diversification.
Using a modified compiler we modify the generated code and static data on a
per-binary basis. White-paper, slides, and code are released
How to Train Your SnapDragon: Exploring Power Regulation Frameworks on Android: Josh 'm0nk' Thomas
m0nk introduced a set of nice concepts on how to attack different sets of phones
by tinkering with power regulation and batteries. Unfortunately, I missed most
of the talk, will watch it later when it's online!
Click and Dragger: Denial and Deception on Android: the grugq
Rockstar on the stage, ranting about phone security: mobile phones suck for
anonymity, privacy, and security. Smartphones suck even more. Location
information (e.g., through triangulation) allows building social graphs,
clustering, deanonymization of secondary phones if they correlate with other
phones. Networks are just as bad: you can be identified by the numbers you call
or the calls you receive, or the calling pattern as well. Smartphones add
content, GPS sensors, apps, network connectivity, and so on the mix.
To be safe get burner phones. Buy phone and SIM apart from each other long ago,
use infrequently, never at home, and throw away after use. Smartphones are
inherently unsafe. You cannot make Android safer by installing apps (e.g.,
The grugq presents a new Android mod, based on CyanogenMod and removes all
Google code. Added a set of tripwires and default return values that ensure
privacy. Lots of userland hardening as well, e.g., adding grsecurity patches,
save allocators, and so on. As an add on he presents DarkMatter, a secure app
that allows dynamic per-application TrueCrypt volumes (using crypted containers)
and transparent access to that data.
(this was the most awesome talk so far - except mine of course)
All about the ALPC, RPC, LPC, LRPC in your PC: Alex Ionescu
All the dirty details of different forms of remote or local procedure calls on
Windows using different transport services.
Thunderbolts and Lightning: Very Very Frightening: Snare and Rzn
Tunderbolt is a display port and PCIe bundled together. Same DMA attacks as over
FireWire a couple of years ago should be possible. The implement the PCIe
interface on an FPGA to capture data that is in flight on the cable. The run DMA
over PCIe and patch login password check to always return true. Nice!
Linux Memory Forensics: A Real-Life Case Study: Georg Wicherski
Georg started off with a long introduction into APT, attacks, and a discussion
of the ELF format. Dumping an executable from memory is no easy task as not the
whole binary is loaded into memory and a lot of the section view is lost when
individual segments are loaded. In the end Georg wrote some volatility plugin
that looks for PLT and GOT.PLT sections and compares the entries of the
individual libraries with possible injected ones.
Speakers have to drink two shots of Whiskey to get 5 minutes of talking time.
Nguyen Anh Quynh presented his Capstone engine, a multi-platform, multi-ISA
disassembly engine. Mark talkes about weirdness on the internet, misconfigured
DNS entries, UPnP, telnet, serial port, and much more. Scan all the IPv4 all the
time and add a time component to it. The results are
online. Rex against the romans was about abuse of power and
attacking Macs (i.e., what kind of malware is running there and how to the
droppers work). Miaubiz talked a bit longer about lldb and different hooks.
metl ranted about IT risk management and liability assessment. Joey was just
there for the shots. Yevgeniy talked about abusing malware protections.