DEFCON was a treat as usual, with many interesting talks and events. DEFCON, for those who don’t know, is the world’s longest-running and largest underground hacking conference, held every year in Las Vegas. Hackers from all over (including LMG’s resident hackers) fly in to experience the event, see as many talks as possible, and chat with others in the industry. While some LMG consultants ran the Network Forensics workshop at BlackHat, a few others got to see talks at DEFCON. The LMG hackers had a great time and attended some interesting events. Here are their summaries of some of their favorite talks.
Our consultants were excited to learn as much as they could at DEFCON this year! Craig Nagy, a Cybersecurity Consultant for LMG Security, was able to attend a talk by Gabriel Ryan about evil twin attacks on a wireless network that uses EAP as perimeter security.
“‘The Black Art of Wireless Post Exploitation’ talk by Gabriel ‘s0lst1c3’ Ryan at DEFCON shined some light on parts of the enterprise wireless testing methodology that aren’t thoroughly documented elsewhere. As part of the demonstration, Gabriel set up an Evil Twin access point using EAPHammer, then he forced multiple clients to de-authenticate from the legitimate access point and connect to his Evil Twin AP. From there, he showed various attacks including using an SMB Relay attack to install a payload which would repeatedly attempt to connect back to the attacking computer. After gaining access through the targets, he could pivot into the previously closed-off section of the infrastructure. Overall, this demo showed some novel techniques to pivot further into the network and highlighted the flaws of using EAP as the only form of perimeter security.” –Craig Nagy, Cybersecurity Consultant
Contact Gabriel Ryan, presenter of the DEFCON talk “The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots”, here on twitter.
Another of our consultants had the opportunity to view a talk about Android password manager apps. Cybersecurity professionals tend to adopt the mindset that it’s a matter of when something will be hacked, not if. However, having your master password stolen out of an Android password manager application might be a larger risk than you thought…
“I had the opportunity to check out a talk titled ‘Bypassing Android Password Manager Apps Without Root’. The presenters, Stephan Huber and Siegfried Rasthofer, are cybersecurity professionals from Germany with some compelling findings about the nine most downloaded password manager apps for Android devices. The duo presented several proofs of concept for obtaining the Master Password for these password manager apps through different exploitation scenarios, including attackers gaining access via a victim losing their device, man-in-the-middle attacks, and using a third-party app to obtain the Master Password. Luckily, all of their findings have been reported – and are hopefully patched by this point. However, since their focus was on the top nine downloaded password manager apps, this means there are other password managers available that may still be vulnerable. It’s really interesting that apps designed to protect some of our most sensitive data can be broken or exploited so easily!” –Gregg Kalbas, Cybersecurity Consultant
Stephan Huber and Siegfried Rasthofer weren’t the only ones presenting on Android at DEFCON this year, however.
“One of the talks I attended while at DEFCON was ‘Unboxing Android: Everything you wanted to know about Android packers’. The talk was a great overview of techniques used to protect application code and the possible approaches the authors of the talk considered for unpacking apps. The speaker showed that two popular packers, Bangcle and Baidu, both use similar methods for loading the app to run on Android. By focusing on the commonality that both use libc for handling the opening of the OAT or DEX file, the authors of the talk used the DEX loading process to recover an unencrypted version of the actual DEX file. They were able to create a patch for the AOSP build of Android 6.0.1_r65 and a script to perform the unpacking. The authors believe that their method should allow unpacking apps that are packed using many of the different packers available. Hopefully the project will continue and be updated when necessary. This could be a useful tool for mobile application pentests if a packer was used, or if you want to do analysis of Android malware that uses a packer.” –Corey Batiuk
The presentation slides for “Unboxing Android: Everything you wanted to know about Android packers” can be found here.
Meanwhile, Ben Kast enjoyed a talk about identifying wireless clients through passive sniffing.
“The Defcon talk ‘I Know What You Are By The Smell Of your Wifi’ by Denton Gentry covered a novel method of passive wifi client identification through the inspection of wifi management frames (probes and associations). The method is focused on identification of mobile devices exclusively, and includes a library of identifiers for each of the major mobile devices. This allows the devices to be identified without further scanning on the network, and can assist in identifying clients on networks even when client isolation is enabled. For such a short talk, some useful information was shared that could be valuable on wireless penetration tests.” –Ben Kast, Senior Cybersecurity Consultant
The presentation slides for “I Know What You Are By The Smell Of your Wifi” can be found here.
While the LMG consultants at DEFCON learned about vulnerabilities in wifi and Android, Allison Sawyer, after teaching a module at the LMG Network Forensics workshop at BlackHat, spent some of her time there learning about machine learning.
“Having heard the terms ‘machine learning’ (ML) and ‘artificial intelligence’ bandied about at BlackHat, I spent part of the conference getting a feel for the state of automated-learning technologies in information security. Cylance talked with me about using ML algorithms to detect malware by assessing executable file binaries before they are run on an endpoint. The ML approach has the potential to alert on previously unknown malware. I also spoke with TrendMicro about their endpoint-based security solution that analyzes features including ports and protocols used to detect traffic anomalies.
It’s important to be aware that an ML model’s accuracy is largely determined by the quality of the dataset fed into it, as Hillary Sanders of Sophos reminded us in a briefing entitled ‘Garbage In, Garbage Out: How Purportedly Great Machine Learning Models can be Screwed Up by Bad Data.’ Sanders’ team generated three ML models to detect malicious URLs using training data from three different sources. The model that proved the least accurate when tested on data from its own input source actually generalized the best and had the highest accuracy when tested on combined data from all three sources. The increasing application of ML to security has great potential to help us detect unknown threats, but it’s no silver bullet solution – network traffic is so complex that many types of nefarious activities escape the grasp of ML-based detection. For now.” –Ali Sawyer, Cybersecurity Consultant
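The cross-source evaluation Sanders’ team ran is worth reproducing in miniature. The script below is an added illustration, not code from the Sophos briefing or from LMG: three constructed URL “feeds” (sample data, not real telemetry) each train a deliberately simple classifier (a lexicon of tokens seen only in malicious training URLs), and each model is scored both on its own feed’s held-out URLs and on the held-out URLs of all three feeds combined. The data is built so that the feed whose benign traffic includes legitimate login and secure pages trains the model that looks worst on its own holdout but generalizes best, which is the effect the briefing described.

```python
import re

def tokens(url):
    """Split a URL into lowercase alphanumeric tokens (scheme omitted in the samples)."""
    return {t for t in re.split(r"[^a-z0-9]+", url.lower()) if t}

def train(examples):
    """Learn a lexicon: tokens seen in malicious training URLs but never in benign ones."""
    mal = set().union(*(tokens(u) for u, y in examples if y == 1))
    ben = set().union(*(tokens(u) for u, y in examples if y == 0))
    return mal - ben

def predict(model, url):
    """Flag a URL as malicious (1) if it shares any token with the learned lexicon."""
    return 1 if tokens(url) & model else 0

def accuracy(model, examples):
    return sum(predict(model, u) == y for u, y in examples) / len(examples)

def cross_source_evaluation(sources):
    """For each source: (accuracy on its own held-out URLs, accuracy on all sources' held-out URLs)."""
    combined = [ex for s in sources.values() for ex in s["test"]]
    return {name: (accuracy(train(s["train"]), s["test"]),
                   accuracy(train(s["train"]), combined))
            for name, s in sources.items()}

# Constructed sample data: each feed has its own bias in what "benign" looks like.
SOURCES = {
    "feed_a": {"train": [("secure-login.ex-xyz.top/verify", 1), ("bank-update.ex-xyz.top/login", 1),
                         ("news.ex.com/sports", 0), ("shop.ex.com/cart", 0)],
               "test": [("mail-login.ex-xyz.top/verify", 1), ("docs.ex.com/help", 0)]},
    "feed_b": {"train": [("update-now.ex.ru/secure", 1), ("invoice.ex.ru/download", 1),
                         ("cdn.ex.com/update", 0), ("intranet.ex.com/wiki", 0)],
               "test": [("payroll.ex.ru/invoice", 1), ("portal.ex.com/login", 0)]},
    # feed_c's benign traffic contains real login/secure pages, so its model never learns those tokens.
    "feed_c": {"train": [("verify-account.ex.top/secure", 1), ("prize.ex.ru/login", 1),
                         ("accounts.ex.com/login", 0), ("support.ex.com/secure-chat", 0)],
               "test": [("download.ex.info/update", 1), ("login.ex.com/secure-help", 0)]},
}

if __name__ == "__main__":
    for name, (own, comb) in cross_source_evaluation(SOURCES).items():
        print(f"{name}: own-source accuracy {own:.2f}, combined accuracy {comb:.2f}")
```

Models trained on feeds A and B score perfectly on their own holdouts but flag the other feeds’ legitimate login and secure pages, while feed C’s model misses one of its own test URLs yet scores highest on the combined set; a model judged only against its own source’s data would have been ranked exactly backwards.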
In all, our consultants had a great time! From Android packers and password managers to evil twin attacks and machine learning malware identification, this year’s DEFCON and BlackHat conferences were both entertaining and educational. Check out the LMG Security Cyber Slap Bracelets that LMG handed out at BlackHat for cybersecurity cheat sheets in the form of slap bracelets! For any questions about DEFCON or BlackHat, email [email protected].