Presentations and Panels, CanSecWest 2021

Mobile Station Modem (MSM) is an ongoing series of a 2G/3G/4G-capable SoCs designed by Qualcomm starting in the early 1990s. MSM has always been and will be a popular target for security research because hackers want to find a way to attack a mobile device remotely just by sending it a SMS or crafted radio packet. But 3GPP protocols are not the only entry point into the modem. Android also has an ability to communicate with the modem processor through the Qualcomm MSM Interface (QMI). In our research, we looked at the QMI as a way to attack MSM data services.

MSM is managed by Qualcomm real-time OS (QuRT) that cannot be debugged or dumped even on rooted Android devices. We reverse-engineered QuRT and built a feedback fuzzer for QDSP6 processor architecture to probe MSM data services for bugs.

We are going to show real-world examples of using the QMI API to query MSM data services, our experience with unpacking and fuzzing MSM code, and a vulnerability we discovered that can be used to control the modem and dynamically patch it from the application processor.

The Information Age has led to the birth of the Misinformation Age. Commercial and open-source projects exist that can allow anyone to create a “deepfake” video. This has caused industry leaders such as DARPA, Microsoft, Facebook, Intel, and Adobe to pursue initiatives to help people to discern whether online content should be trusted. These initiatives have even gone down to the hardware level with companies such as Qualcomm who recently added the ability to perform hardware-secured photo capture to their latest Snapdragon mobile processors. This presentation will share an overview of the current state of deepfake technology and then explore the different proposals for combatting misinformation including a detailed discussion on the Content Authenticity Initiative.

You've probably used Wireshark or a similar packet sniffer to look at TCP/IP traffic and Ethernet frames at the byte level. But just how deep does the rabbit hole go? Dig down into the Ethernet physical layer with a high-bandwidth oscilloscope and see what actual Ethernet frames look like on the wire. We'll cover the 10Base-T, 100Base-TX, 1000base-X, and 10Gbase-R standards in depth with example waveforms and protocol analysis, as well as brief discussion of 1000baseT and 40Gbase-SR4 and the "killer packet" vulnerability in the 100baseTX specification.

In this talk, we'll demonstrate Kubernetes and AWS attacks, attacking a scenario themed on the movie "Real Genius." . We'll discuss multiple defenses available to every Kubernetes and AWS user. In part of the attack, we'll use the open source Peirates tool. Come learn how to attack Kubernetes and break your attacks!

You will learn about how to attack and avoid several "gotcha" configurations, where the cluster maintainer's intent doesn't match the attacker's view of the defenses. You'll also learn how some of these defenses really work, including the Kubernetes to AWS linkages.

During this talk, we will discuss the various stages of lateral movement from credential theft techniques, privilege escalation and finding network targets to code execution methods, we will retrospect on some infamous lateral movement methods. We will also discuss how to detect and mislead an attacker’s lateral movement using network deception and approaches that can be taken to build the deceptive network.

The monolithic nature of modern OS kernels leads to a constant stream of bugs being discovered. It is often unclear which of these bugs are worth fixing, as only a subset of them may be serious enough to lead to security takeovers (i.e., privilege escalations). Therefore, researchers have recently started to develop automated exploit generation techniques (for UAF bugs) to assist the bug triage process. In this project, we investigate another top memory vulnerability in Linux kernel — out-of-bounds (OOB) memory write from heap.

LPWAN (low-power wide-area network) is a mainstream IoT communication technology and has been widely used in smart cities and other fields. LoRaWAN and NB-IoT are the most mainstream technologies in the LPWAN, and there are hundreds of millions of IoT devices using these two technologies. LoRaWAN is used by Internet manufacturers, and NB-IoT is promoted by 3GPP as the scene evolution of 5G mMTC. With the development of LPWAN, this field is worthy of in-depth security research.

In recent years, the security research on LPWAN has mostly focused on the LoRaWAN specification and communication keys, However, in the real world, there is little research on the security risks of the supply chain of LoRaWAN. In addition, because NB-IoT is more complex and closed than LoRaWAN, security research is also more difficult, and there are very few studies on the supply chain, threat models and security risks of NB-IoT chips. In this talk, we will disclose the security research findings in the field of LPWAN supply chain for the first time.

Smart contracts are a revolutionary aspect of blockchain technology that help us enforce an agreement between parties involved in transactions, transferring value and information without the presence of a third-party. Smart contracts scale well and provide faster solutions as they remove third parties traditionally involved in transactions. The main challenge is that smart contracts are not inherently secure and many security issues have taken place, some resulting in massive financial losses. In one incident (the "DAO" hack), the attacker managed to retrieve approx. 3.6 million Ether. This presentation will go through all known smart contract application vulnerabilities and discuss mitigations as well as best security practices for developing secure smart contracts.

Today, the number of IoT devices in both the private and corporate sectors are steadily increasing. IoT devices like IP cameras, routers, printers, and IP phones have become ubiquitous in our modern homes and enterprises. To evaluate the security of these devices, a security analysis has to be performed for every single device. Since manual analysis of a device and reverse engineering of a firmware image is very time-consuming, this is not practicable for large-scale analysis.

To be able to conduct a large-scale study on the security of embedded network devices, an approach was applied that allows a high number of firmware images to be statically analyzed. For data acquisition, a crawler was used to identify and retrieve publicly available firmware images from the Internet. In this way, more than 10,000 individual firmware images have been collected. The firmware was then automatically unpacked and analyzed regarding security-relevant aspects.

For the first time, this research provides insights into the distribution of outdated and vulnerable software components used in IoT firmware. Furthermore, a comprehensive picture of the use of compiler-based exploit mitigation mechanisms in applications and libraries is given. Factory default accounts were identified, and their passwords recovered as far as possible. Also, a large amount of cryptographic material was extracted and analyzed. Besides, a backdoor has been discovered in the firmware of several products that allows remote access to the devices via SSH after triggering the functionality. The backdoor has been verified and confirmed by the vendor and two official CVE numbers have been assigned.

The results of this large-scale analysis provide an interesting overview of the security of IoT devices from 20 different manufacturers. IoT firmware was analyzed regardless of device type or architecture and a broad picture of their security level was obtained.

Artificial Intelligence is one of the fastest growing technologies of the 21st century. AI accompanies us in our daily lives when interacting with technical applications. TÜV AUSTRIA Group and the Institute for Machine Learning at the Johannes Kepler University Linz therefore propose a certification process and an audit catalog for Machine Learning applications.

Artificial Intelligence (AI) technology has been widely deployed and made human lives much more convenient. It has become the cornerstone of many technologies, such as computer vision, machine translation and self-driving etc. But the AI also exposes some potential security problems. Especially when it is used inappropriately, the technology is very likely to become a weapon of the underground industry. In a word, AI is a double-edged sword. In this talk, we focus on AI security problems and the abuse of AI-based speech techniques. We will show how to use a few pieces of somebody’s voice to imitate his or her voice and make a fake call.

Over the past 5 years, the term ‘fake news’ has become more and more common. Previously referred to as propaganda, or campaigns to influence the thoughts and perceptions of the masses, we now call the same thing ”active measures.”

Regardless of semantics, Influence Operations are very real and have existed for centuries; In the exact same way as nailing paper to a door or inventing the printing press, the Communications Revolution of the last half century has again forever changed the method used.

What has not changed however, is the strategic objectives of the latest incarnation of the Influencer. Beware of geeks bearing gifts… because of course the ’new’ factor is the geek. With the advent of social media, Influence Operations have acquired a new method of distribution, which is more dynamic, far reaching, and allows better targeting and highly accurate feedback. Although this method is indeed very powerful, it is not what IO is all about.

IO is way more than bots on social or mainstream media. Those operations are designed to influence human beings, not bots. While chasing Russian bots on Twitter and Facebook is relatively easy, it does little to deter the end goal of a IO campaign, especially since the objectives are difficult to infer. This makes counteracting an IO campaign and denying its objectives particularly difficult.

In this talk, the author presents the basics in communications theory, to make these concepts accessible to non-practitioners in the field.

The presenter will cover the two-step flow of information, gatekeeping, agenda-setting, priming, framing, spiral of silence, echo chambers, and cultivation, as well as the effects of some of the mental processes that these actions have.

This talk will stay away from political topics and current events as attitudes towards those topics may interfere with perception. Furthermore, there will be no guilt - i.e., attribution - assigned.

The talk is the geek version by a geek who endeavored in social sciences and communication. The hope is that it will make this field more understandable to geeks.

Large corporations have access to, and use, incredibly sophisticated anti-fraud systems that monitor dozens of signals each time one of their customers or employees log into their web portal. These signals include what browser is used, what plugins are installed, and even the language of the users’ software. Past investigations have shown that malicious actors use malware to build profiles of their victims, and create virtual environments that replicate precisely the victims’ computers’ fingerprints. These profiles can be loaded up in specially crafted browser plugins and used in account takeover attacks. These profiles are sold on private markets and can fetch in the hundreds of dollars when they also include the cookies and credentials of the victims for financial institutions. The aim of this presentation is to build on past research and to map over a period of a month all of the Canadian activities of a machine fingerprint market. Our analysis extends past research first by developing a new understanding of how, and which, Canadians are targeted by this type of attack. Secondly, it presents models that predict not only the price of profiles for sale – i.e., what makes a profile more valuable – but also which profiles will end up being sold among the thousands that are for sale. Through these analyses, we end up with estimations for the Canadian market for profiles for sale, and propose hypotheses as to the size of the impact of these illicit activities on the Canadian economy. The market for fingerprinting victims is growing exponentially, and is promising to be, along with ransomware, one of the biggest threats of the coming year. With more detailed knowledge about this problem, companies and individual victims will be better suited to protect themselves against these attacks, and limit the monetization of the criminal underground.

Disinformation Risk Management : Bringing Cognitive Security to a Modern SOC

This talk is about cognitive security risk management and how security operations centre (SOC) services can be augmented to provide disinformation response. We'll examine the core functions of cognitive security, it's application, in theory and practice, at organization, country, and global scales, with examples including SJ Terp's recent work with the United Nations Development Programme.

A core challenge organizations face when including cognitive security practices into their operations is the effective allocation of detection, response, and mitigation resources. Using insights from AMITT (Adversarial Misinformation and Influence Tactics and Techniques), an open-source framework for describing the strategic, operational, and tactical elements of influence operations, we'll explore how responders can allocate resources to minimize attack surface, vulnerabilities, and potential losses.

A Journey on Discovering Vulnerabilitys and Exploiting SGX Enclave Frameworks

Intel SGX provides hardware support to protect sensitive data. Cloud vendors,
such as Microsoft Azure and Google Cloud, have developed SGX software frameworks,
such as Asylo and OpenEnclave, and offered Intel SGX-enabled virtual machines
for confidential computing.

We conduct an in-depth analysis of Microsoft OpenEnclave SDK (powered by Azure
CC) and Google Asylo SDK (powered by GCP), discovering 20+ vulnerabilities (14
CVEs assigned) in them. We show that these vulnerabilities allow an attacker to
read and write arbitrary enclave protected memory by exploiting the
vulnerability, which affects all SGX enclaves using the vendor-provided SDK.
Our attack is more realistic for exploitation than side-channel attacks and can
reliably retrieve and manipulate protected enclave data.

In this talk, we will go through the SGX enclave security model and analyze
attack surfaces. In this model, developers have to partition trusted components
of an application as TCB into the SGX enclave. After partitioning, any
out-enclave data flowing into these trusted components become untrusted and
require additional checks and sanitization. To reduce the attack surface,
developers declare enclave boundary interfaces with annotated parameters in an
EDL file and generate boilerplate code for marshaling the parameters. However,
this EDL approach is insufficient since it lacks checks for nested pointers,
context-aware data, shared memory, etc.

Also, we cover typical mistakes enclave developers made and share real-world
vulnerability cases we have discovered with our bug-finding tool, SGXRay. We
discuss attack scenarios and the consequences once successfully exploited by
attackers outside the enclave. This talk also includes demonstrations of our
enclave exploitation with arbitrary read and write capability to enclave memory
by leveraging the bugs found by us.

Quick-Win Triage Forensics for Macs

This is an excerpt of an upcoming dojo on quick-win forensics. This practical tutorial will walk beginners through a first attempt at forensics on a Mac. Attendees will take home the knowledge and skill on what and how to quickly triage a bunch of Macs to zero in on the ones that need further examination.

Panels

Car-Hacking

Electronics are increasingly filled with more and more electronics and not all of them are always the most robust with respect to software security, come join the panel as Dragos Ruiu and Chris Valasek discuss the state of Car-Hacking in this panel.

Drone Security

To be added.

Teens Explain Internet Security to Infosec Professionals

The title says it all.

Wifi Hacking

Mike Spicer, Dragos Ruiu and EI Kentaro enter the internet thunderdome and talk about war warwalking, packet capturing all the things, access point reliability,and mesh WiFi.