The Presentations

This Year in Crypto

Nick Sullivan

Sometime in the last year, the word “crypto” became a dirty word. While linguists have been focused on debating abbreviation cannibalism in adjacent tech circles, it has also been a quietly interesting year for cryptography. From new theoretical advances in post-quantum cryptography and zero-knowledge proofs, to the discovery of efficient trilinear maps, to the rise of secure transport protocols like TLS 1.3 and secure group messaging proposals like MLS, cryptography nerds have a lot to talk about. This year has also been a challenging year for cryptographic technologies. Vulnerabilities in the software that supports cryptography in the Desktop version of Signal and GPG Tools and the surprising ROBOT vulnerability continued to highlight the fact that "secure" protocols are not secure without secure implementations. In the geopolitical realm, encryption issues have flared up, culminating with Russia’s attempts to block Telegram and major cloud companies deciding to disable domain fronting. This talk will attempt to distill the last year in crypto down to a short talk.

Who X-Rays the X-Rays – A deeper dive into Medical Device Security

Richard Oak

The healthcare industry has (finally) woken up to cyber-security. Hospitals are starting to demand cyber-security in new devices and manufacturers are delivering. This is great news for the future – but what about the past and the present? In this talk we examine the current state of cyber-security in healthcare. We look at the protocols that are used to transfer information around the networks, and at the devices themselves, to see how well they would stand up to a modern cyber-attack.

Hack you a Koober Netty for Great Good!

Dino Dai Zovi

Do you want a koober netty? Or do you already have one? You may even already have many koober netties (pronounced: "kubernetes"). Either way, it turns out that they can be used for more things than just running your Linux containers in the cloud. They can also be used to give attackers access to thousands more computers than just the one running the container that the attacker got a shell in. How cool is that? In this talk, we'll discuss all of the magical ways that Kubernetes can give attackers access to your entire cluster and cloud environments. We'll also discuss some ways that it can be made to not do this if making attackers sad is your thing.
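The pivot the abstract alludes to usually starts with what a pod hands to any process inside it: a mounted service-account token, host namespaces, a privileged flag, or a hostPath mount of the node. The audit below is an added example for this program page, not code from the talk or from the Kubernetes project; the manifest is constructed, the list of risky settings is this editor's own, and what the mounted token can actually do still depends on the RoleBindings for that service account.

```python
"""Audit a Pod manifest for settings that turn a shell in a container into
cluster or node access, and emit a hardened copy.

Added example, not from the talk or the Kubernetes project. RISKY_POD is a
constructed manifest; the checks below are an assumed minimum set.
"""
import copy
import json
from typing import Dict, List

# Constructed manifest: a careless deployment that mounts the API token,
# shares host namespaces, runs privileged, and exposes the runtime socket.
RISKY_POD: Dict = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "containers": [{
      "name": "web",
      "image": "example/web:1.0",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "docker", "mountPath": "/var/run/docker.sock"}]
    }],
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}]
  }
}
""")

# Node paths that give a container the node's credentials or its runtime.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd/containerd.sock")


def is_sensitive_host_path(path: str) -> bool:
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per risky setting; an empty list means none flagged."""
    spec = pod.get("spec", {})
    findings: List[str] = []
    # Kubernetes defaults this to True: the token lands at
    # /var/run/secrets/kubernetes.io/serviceaccount/token in every container.
    if spec.get("automountServiceAccountToken", True):
        sa = spec.get("serviceAccountName", "default")
        findings.append(f"token for service account '{sa}' is mounted in every container "
                        "(API access as the pod's identity from any shell)")
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"{key}: pod shares the node's namespace")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container '{c['name']}' is privileged")
    for v in spec.get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path and is_sensitive_host_path(path):
            findings.append(f"volume '{v['name']}' exposes node path {path}")
    return findings


def harden_pod(pod: Dict) -> Dict:
    """Return a copy with the flagged settings removed; the input is untouched."""
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    spec["automountServiceAccountToken"] = False  # opt back in only where the API is needed
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        spec.pop(key, None)
    dropped = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    spec["volumes"] = [v for v in spec.get("volumes", []) if v["name"] not in dropped]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c.setdefault("securityContext", {})["privileged"] = False
        c["volumeMounts"] = [m for m in c.get("volumeMounts", []) if m["name"] not in dropped]
    return hardened


if __name__ == "__main__":
    for line in audit_pod(RISKY_POD):
        print("FINDING:", line)
    print("after hardening:", audit_pod(harden_pod(RISKY_POD)) or "clean")
```

Running it on the constructed manifest reports five findings and a clean result for the hardened copy. Removing the token mount is the single change with the widest effect: without it, a shell in the container has no credential to present to the API server, whatever the RBAC bindings say.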

Blackhat Ethereum

Ryan Stortz and Jay Little

In the blockchain, there are no secrets. Every transaction is logged and everyone has a copy of all of the code. Nearly all of this code can only be analyzed through reverse engineering. Over the past year, we've seen enterprising hackers use flaws in smart contracts to whisk away millions. This was made possible thanks to Ethereum, the technology that powers cryptocats, and Solidity, a high level language that describes Ethereum's Turing-complete smart contracts. This talk will introduce smart contract security, present common vulnerability classes, and demonstrate how to reverse engineer EVM code to identify these vulnerabilities. The talk will also present tools to support vulnerability discovery in EVM code and Solidity.
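The first step in reversing deployed EVM code is recovering the function dispatcher: a Solidity-compiled contract loads the first four bytes of calldata and compares them against each public function's selector before jumping to its body. The disassembler and dispatcher scan below are an added example for this program page, not code from the talk or from any Trail of Bits tool; SAMPLE_CODE is constructed by hand to look like such a prologue (the function bodies it would jump to are omitted), and the selector table holds a handful of well-known ERC-20 and Ownable selectors.

```python
"""Recover the function dispatcher from raw EVM bytecode.

Added example, not from the talk or any Trail of Bits tool. PUSH1..PUSH32
are the only variable-length EVM instructions, so a linear sweep that
skips their immediates is enough to get a usable listing; the dispatcher
scan then looks for PUSH4 <selector> / EQ / PUSHn <dest> / JUMPI.
"""
from typing import Dict, List, Optional, Tuple

# Partial opcode table: enough for a dispatcher plus common stack/memory ops.
OPCODES: Dict[int, str] = {
    0x00: "STOP", 0x01: "ADD", 0x04: "DIV", 0x10: "LT", 0x11: "GT", 0x14: "EQ",
    0x15: "ISZERO", 0x1c: "SHR", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD", 0x55: "SSTORE",
    0x56: "JUMP", 0x57: "JUMPI", 0x5b: "JUMPDEST", 0x80: "DUP1", 0x81: "DUP2",
    0x90: "SWAP1", 0xf3: "RETURN", 0xfd: "REVERT", 0xfe: "INVALID",
}
OPCODES.update({0x60 + n: f"PUSH{n + 1}" for n in range(32)})

# keccak256(signature)[:4] for a few widely used functions.
KNOWN_SELECTORS = {
    0xa9059cbb: "transfer(address,uint256)",
    0x70a08231: "balanceOf(address)",
    0x095ea7b3: "approve(address,uint256)",
    0x2e1a7d4d: "withdraw(uint256)",
    0x8da5cb5b: "owner()",
}

# Constructed dispatcher prologue (post-Constantinople style, using SHR).
SAMPLE_CODE = bytes.fromhex(
    "6080604052"              # PUSH1 0x80 PUSH1 0x40 MSTORE    free-memory pointer
    "600035"                  # PUSH1 0x00 CALLDATALOAD         first 32 bytes of calldata
    "60e01c"                  # PUSH1 0xe0 SHR                  keep the top 4 bytes
    "8063a9059cbb1461003c57"  # DUP1 PUSH4 a9059cbb EQ PUSH2 0x003c JUMPI
    "806370a082311461005057"  # DUP1 PUSH4 70a08231 EQ PUSH2 0x0050 JUMPI
    "80632e1a7d4d1461006457"  # DUP1 PUSH4 2e1a7d4d EQ PUSH2 0x0064 JUMPI
    "5b600080fd"              # JUMPDEST PUSH1 0 DUP1 REVERT     no match: revert
)

Instr = Tuple[int, str, Optional[int]]  # (pc, mnemonic, immediate or None)


def disassemble(code: bytes) -> List[Instr]:
    """Linear sweep; PUSH immediates are decoded and skipped."""
    instrs: List[Instr] = []
    pc = 0
    while pc < len(code):
        op = code[pc]
        name = OPCODES.get(op, f"UNKNOWN_{op:02x}")
        imm = None
        width = 1
        if 0x60 <= op <= 0x7f:
            width = 1 + (op - 0x5f)
            # A PUSH that runs past the end of code is zero-padded, as the EVM does.
            imm = int.from_bytes(code[pc + 1:pc + width].ljust(width - 1, b"\0"), "big")
        instrs.append((pc, name, imm))
        pc += width
    return instrs


def find_dispatcher(instrs: List[Instr]) -> Dict[int, int]:
    """Map selector -> jump target from PUSH4 sel, EQ, PUSHn dest, JUMPI."""
    table: Dict[int, int] = {}
    for i, (_, name, imm) in enumerate(instrs):
        if name != "PUSH4":
            continue
        window = instrs[i + 1:i + 4]
        names = [w[1] for w in window]
        if (len(window) == 3 and names[0] == "EQ"
                and names[1].startswith("PUSH") and names[2] == "JUMPI"):
            table[imm] = window[1][2]
    return table


def label(table: Dict[int, int]) -> Dict[str, Tuple[str, int]]:
    """Attach known signatures; unknown selectors stay unlabelled for manual work."""
    return {f"0x{sel:08x}": (KNOWN_SELECTORS.get(sel, "unknown"), dest)
            for sel, dest in table.items()}


def listing(instrs: List[Instr]) -> str:
    return "\n".join(f"{pc:04x}: {name}" + (f" 0x{imm:x}" if imm is not None else "")
                     for pc, name, imm in instrs)


if __name__ == "__main__":
    ins = disassemble(SAMPLE_CODE)
    print(listing(ins))
    for sel, (sig, dest) in label(find_dispatcher(ins)).items():
        print(f"{sel} -> {dest:#06x}  {sig}")
```

Selectors that do not match a known signature are where the manual reversing starts: the jump target is the entry of that function's body, and the SLOAD/SSTORE/CALL sequence after it is what a vulnerability hunt reads. Older compilers divide by 2^224 instead of shifting, which this scan tolerates because it only keys on the comparison, not on how the selector was extracted.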

Exploiting the Exploiters: Hunting Fraud in Telecom Networks

Vlad Wolstencroft

Lurking underneath our increasingly mobile-connected world is a growing fraud problem -- one which exposes user data to security and privacy risks. Interconnect bypass fraud has been an issue within telecom networks ever since mobile phones were allowed to roam between countries. GSM Gateways, also known as "simboxes," are one of the primary keys for criminals to unlock the ability to conduct fraud on these networks.

In this talk, we'll explore how carriers and aggregators globally send your SMS and voice traffic through these IoT-based devices, which are not subject to any of the security or privacy requirements of critical infrastructure. However, these devices still handle our critical data -- both offering a profit opportunity for fraudsters as well as creating a privacy nightmare for mobile subscribers.

Then, we'll delve into the defensive devices dedicated to heuristic measurements, detection, and destruction of GSM gateways, and the retaliatory countermeasures employed to avoid detection, simulate real subscriber behavior, and outsmart the mobile network operators.

Next, we'll explore multiple GSM Gateway vendors and the equipment they provide for legitimate -- sometimes less-than-legitimate -- purposes. We'll examine how these systems operate and what actual security controls they provide for our voice and signaling data. While we expect stringent controls when data flows through network operators, can we hold the same expectation for these network elements operated in someone's basement?

Finally, I will propose new techniques to detect, map, and disable these devices remotely, as well as track the operators of these systems -- without the pitfalls of relying on heuristic measurements. With these methods, we can begin disrupting the $6b in fraudulent revenue running on the backs of flawed and vulnerable devices.

The New Hotness – Hunting for Code Similarity at Scale

Juan Andres Guerrero-Saade

Researching digital espionage involves a steep and unforgiving learning curve. Techniques come in waves, some more promising than others: proprietary sandboxes, YARA retrohunting, passiveDNS analysis, or malware investigation platforms. Entire companies and niche industries have spawned to help researchers further their hunting at scale. The new hotness is code similarity analysis. By homing in on the particularities of the malware developer's coding conventions and setup, and their lazy reuse of code, researchers can identify clusters of shared activity. At scale, this technique yields fascinating results in otherwise unattributable cases. However, it has also proven a treacherous and uncertain technique, as fringe cases require manual analysis to avoid silly mistakes. And don't forget, threat hunting involves a puzzle that fights back. Just as we are testing and building up this new technique, adversaries have already begun to subvert its promise and turn it against us. Let's discuss the secrets and intricacies of this New Hotness.
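One of the "silly mistakes" the abstract warns about is letting statically linked runtime code drive the clustering: every sample built with the same compiler shares those functions, so a naive similarity score clusters unrelated actors together. The example below is added for this program page and is not code from the talk; the samples are constructed lists of mnemonics standing in for disassembled functions, similarity is Jaccard over opcode 3-grams with operands dropped, and the library filter discards n-grams that appear in nearly every sample before comparing.

```python
"""Cluster samples by shared code, with and without a library filter.

Added example, not from the talk. Samples are constructed mnemonic
sequences; a real pipeline would feed in a disassembler's output.
"""
from collections import Counter
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

Ngrams = Set[Tuple[str, ...]]

# Constructed function bodies. RUNTIME stands for compiler runtime code that
# ends up in every binary; IMPLANT is the actor-specific code A and B share.
RUNTIME = ["push", "mov", "sub", "call", "test", "jz", "mov", "add", "pop", "ret"]
IMPLANT = ["xor", "lea", "call", "cmp", "jne", "shl", "or", "loop", "ret"]
UNIQUE_A = ["inc", "dec", "imul", "idiv", "neg", "not", "rol"]
UNIQUE_B = ["sar", "sbb", "adc", "cwd", "cdq", "bt", "bts"]
UNIQUE_C = ["movzx", "movsx", "cmovz", "setz", "sete", "bswap", "xchg"]
UNIQUE_D = ["rep", "stos", "lods", "scas", "cmps", "std", "cld"]

SAMPLES: Dict[str, List[List[str]]] = {
    "A": [RUNTIME, IMPLANT, UNIQUE_A],
    "B": [RUNTIME, IMPLANT, UNIQUE_B],
    "C": [RUNTIME, UNIQUE_C],
    "D": [RUNTIME, UNIQUE_D],
}


def ngrams(function: List[str], n: int = 3) -> Ngrams:
    """Mnemonic n-grams only: operands are dropped so relocation and
    register allocation differences between builds do not matter."""
    return {tuple(function[i:i + n]) for i in range(len(function) - n + 1)}


def sample_ngrams(functions: List[List[str]]) -> Ngrams:
    out: Ngrams = set()
    for f in functions:
        out |= ngrams(f)
    return out


def jaccard(a: Ngrams, b: Ngrams) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def library_ngrams(grams: Dict[str, Ngrams], max_frac: float) -> Ngrams:
    """n-grams present in more than max_frac of all samples are treated as
    shared library/runtime code and carry no attribution signal."""
    counts: Counter = Counter()
    for g in grams.values():
        counts.update(g)
    return {ng for ng, c in counts.items() if c / len(grams) > max_frac}


def cluster(samples: Dict[str, List[List[str]]], threshold: float,
            library_frac: Optional[float] = None) -> List[Tuple[str, ...]]:
    """Single-linkage clustering: any pair at or above threshold is joined."""
    grams = {name: sample_ngrams(fns) for name, fns in samples.items()}
    if library_frac is not None:
        noise = library_ngrams(grams, library_frac)
        grams = {k: v - noise for k, v in grams.items()}
    parent = {k: k for k in grams}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(grams, 2):
        if jaccard(grams[a], grams[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for k in grams:
        groups.setdefault(find(k), set()).add(k)
    return sorted(tuple(sorted(g)) for g in groups.values())


def similarity(samples: Dict[str, List[List[str]]], a: str, b: str) -> float:
    return jaccard(sample_ngrams(samples[a]), sample_ngrams(samples[b]))


if __name__ == "__main__":
    print("raw:     ", cluster(SAMPLES, threshold=0.3))
    print("filtered:", cluster(SAMPLES, threshold=0.3, library_frac=0.75))
```

At a 0.3 threshold the raw scores put all four samples in one cluster, because the runtime functions alone give C and D a 0.44 score with each other and 0.32 with A; once n-grams seen in more than 75% of samples are dropped, only A and B (which share IMPLANT) remain linked. The filter does nothing for the adversarial case the abstract raises: an attacker who deliberately pastes a rival group's function into their implant will score as that group, which is why the clusters are leads for manual analysis rather than attribution.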

Reverse Engineering Windows Defender Antivirus

Alexei Bulazel

Windows Defender Antivirus' MpEngine.dll implements the core of Defender's functionality in an enormous ~11 MB, 30,000+ function DLL. Based on months of personal research time spent reverse engineering Defender, I'll cover my findings on Defender's dynamic analysis systems, custom tooling that I built to enable my analysis, and various ways that malicious code can give Defender trouble.