{"id":8581,"date":"2017-08-04T09:10:02","date_gmt":"2017-08-04T17:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/04\/news-2354\/"},"modified":"2017-08-04T09:10:02","modified_gmt":"2017-08-04T17:10:02","slug":"news-2354","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/08\/04\/news-2354\/","title":{"rendered":"DEFCON 25"},"content":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Boursier| Date: Fri, 04 Aug 2017 16:11:10 +0000<\/strong><\/p>\n<p>After a few days in Las Vegas <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/08\/black-hat-usa-2017-recap\/\" target=\"_blank\" rel=\"noopener\">and after BlackHat<\/a>, <a href=\"https:\/\/defcon.org\/html\/defcon-25\" target=\"_blank\" rel=\"noopener\">DEFCON 25<\/a> is finally over! It was an amazing time around awesome people.<\/p>\n<p>I didn&#8217;t attend all the talks, but most of the ones I saw were interesting:<\/p>\n<ul>\n<li><em>There&#8217;s no place like 127.0.0.1 &#8211; Achieving reliable DNS rebinding in modern browsers<\/em>, by\u00a0<a href=\"https:\/\/bored.engineer\" target=\"_blank\" rel=\"noopener\">Luke Young<\/a>.\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Young\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/bored.engineer\/def-con-25-slides-and-source-code-2f937f09724b\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/linkedin\/jaqen\" target=\"_blank\" rel=\"noopener\">Tool (Jaqen)<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented several ways to bypass protections against DNS rebinding, and ways to access data from an internal network using these techniques. Several mitigations were also presented, one of them being to enforce strong authentication on internal resources as well, not only on external ones. 
He released <a href=\"https:\/\/github.com\/linkedin\/jaqen\" target=\"_blank\" rel=\"noopener\">Jaqen<\/a>, a tool used to reliably execute DNS rebinding attacks using different methods.<\/p>\n<ul>\n<li><em>The Brain&#8217;s last stand<\/em>, by <a href=\"http:\/\/www.kasparov.com\/\" target=\"_blank\" rel=\"noopener\">Garry Kasparov<\/a>.\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Kasparov\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<\/ul>\n<\/li>\n<li><em>A New Era of SSRF &#8211; Exploiting URL Parser in Trending Programming Languages!<\/em>, by\u00a0<a href=\"http:\/\/blog.orange.tw\/\">Orange Tsai<\/a>.\n<ul>\n<li><a href=\"https:\/\/www.blackhat.com\/docs\/us-17\/thursday\/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf\" target=\"_blank\" rel=\"noopener\">Slides\u00a0<\/a><\/li>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Tsai\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"http:\/\/blog.orange.tw\/2017\/07\/how-i-chained-4-vulnerabilities-on.html\" target=\"_blank\" rel=\"noopener\">Writeup<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented the weird behavior of URL parsers and how to get an RCE in Github Enterprise using a chain of four vulnerabilities that exploit SSRF.<\/p>\n<ul>\n<li><em>Next Generation Tor Onion Services<\/em>, by <a href=\"https:\/\/blog.torproject.org\/blog\/new-and-improved-onion-services-will-premiere-def-con-25\" target=\"_blank\" rel=\"noopener\">arma<\/a>.\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Dingledine\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF CON 25\/DEF CON 25 presentations\/DEFCON-25-Roger-Dingledine-Next-Generation-Tor-Onion-Services.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Tor developers <a 
href=\"https:\/\/blog.torproject.org\/blog\/mission-montreal-building-next-generation-onion-services\" target=\"_blank\" rel=\"noopener\">have been working on a new generation of Onion Services<\/a> to make them more resistant to censorship and to provide several interesting features that the current generation doesn&#8217;t have. This talk also explained that <a href=\"https:\/\/trac.torproject.org\/projects\/tor\/wiki\/doc\/HowBigIsTheDarkWeb\" target=\"_blank\" rel=\"noopener\"><em>{Dark, Deep}Web<\/em><\/a> is not really a thing and is most of the time used as a nonsensical marketing term: the biggest website using <a href=\"https:\/\/www.torproject.org\/docs\/hidden-services.html.en\" target=\"_blank\" rel=\"noopener\">Tor Onion Services<\/a> is actually&#8230; <a href=\"https:\/\/www.facebook.com\/notes\/protect-the-graph\/making-connections-to-facebook-more-secure\/1526085754298237?_fb_noscript=1\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>.<\/p>\n<ul>\n<li><em>How We Created the First SHA-1 Collision and What it means For Hash Security<\/em>, by\u00a0<a href=\"https:\/\/www.elie.net\" target=\"_blank\" rel=\"noopener\">Elie Bursztein<\/a>\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Bursztein\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/cdn.elie.net\/talks\/how-we-created-the-first-sha-1-collision-and-what-it-means-for-hash-security-slides.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<li><a href=\"https:\/\/shattered.io\/\" target=\"_blank\" rel=\"noopener\">Demo<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented the impressive research and results from Google and CWI which led them to a way to produce SHA-1 collisions after several years of work and intense computation. 
Some unexpected consequences were also presented, <a href=\"https:\/\/bugs.webkit.org\/show_bug.cgi?id=168774#c23\" target=\"_blank\" rel=\"noopener\">like the Webkit repository<\/a> corruption. The counter-cryptanalysis mechanisms used to detect these collisions, implemented in Gmail and <a href=\"https:\/\/github.com\/blog\/2338-sha-1-collision-detection-on-github-com\" target=\"_blank\" rel=\"noopener\">Github<\/a>, were also explained.<\/p>\n<ul>\n<li><em>Breaking Wind: Adventures in Hacking Wind Farm Control Networks<\/em>, by\u00a0Jason Staggs.\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Staggs\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF CON 25\/DEF CON 25 presentations\/DEFCON-25-Jason-Staggs-Breaking-Wind-Hacking-Wind-Farm-Control-Networks.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented the internals of wind turbine control networks, and how security is totally absent from their design: unauthenticated APIs, flat networks, false security claims from vendors&#8230;<\/p>\n<ul>\n<li><em>Microservices and FaaS for Offensive Security<\/em>, by\u00a0<a href=\"https:\/\/twitter.com\/ryancancomputer\" target=\"_blank\" rel=\"noopener\">Ryan Baxendale<\/a>\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Baxendale\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF CON 25\/DEF CON 25 presentations\/DEFCON-25-Ryan-Baxendale-Microservices-and-FaaS-for-Offensive-Security.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented a very cheap (but efficient) way to leverage DDoS and brute-force attacks against websites and OTP systems, using several microservice providers.<\/p>\n<ul>\n<li><em>Abusing Webhooks for Command and Control<\/em>, by <a href=\"https:\/\/twitter.com\/Op_Nomad\" 
target=\"_blank\" rel=\"noopener\">Dimitry Snezhkov<\/a>\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Snezhkov\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF%20CON%2025\/DEF%20CON%2025%20presentations\/Dimitry%20Snezhkov\/DEFCON-25-Dimitry-Snezhkov-Abusing-Web-Hooks.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/dsnezhkov\/octohook\" target=\"_blank\" rel=\"noopener\">Tool (Octohook)<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented interesting ways to use webhooks and Github as a broker C&amp;C to exfiltrate data in a constrained environment. Github issues and comments were used as a communication channel. A proposed mitigation is to restrict outbound access to the required Github repositories only.<\/p>\n<ul>\n<li><em>Demystifying Windows Kernel Exploitation by Abusing GDI Objects<\/em>, by\u00a0<a href=\"https:\/\/twitter.com\/saif_sherei\" target=\"_blank\" rel=\"noopener\">Saif El-Sherei<\/a>.\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#El-Sherei\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a href=\"https:\/\/media.defcon.org\/DEF CON 25\/DEF CON 25 presentations\/5A1F\/DEFCON-25-5A1F-Demystifying-Kernel-Exploitation-By-Abusing-GDI-Objects.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This nice and technical presentation explained the process of obtaining Ring 0 exploit primitives using GDI objects, and analyzed the security issues MS16-098 and MS17-017 from that standpoint.<\/p>\n<ul>\n<li><em>MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)<\/em>, by\u00a0<a href=\"https:\/\/twitter.com\/retBandit\" target=\"_blank\" rel=\"noopener\">Chris Thompson<\/a>\n<ul>\n<li><a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#Thompson\" target=\"_blank\" rel=\"noopener\">Summary<\/a><\/li>\n<li><a 
href=\"https:\/\/media.defcon.org\/DEF CON 25\/DEF CON 25 presentations\/DEFCON-25-Chris-Thompson-MS-Just-Gave-The-Blue-Teams-Tactical-Nukes.pdf\" target=\"_blank\" rel=\"noopener\">Slides<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>This talk presented the new features and developments related to Windows Defender galaxy&#8230;. and how to get around the new defense mechanisms introduced in latest Windows 10 versions.<\/p>\n<p>Apart from these talks, villages and panels were very exciting places to attend. <a href=\"https:\/\/forum.defcon.org\/forum\/defcon\/dc25-official-unofficial-parties-social-gatherings-events-contests\/dc25-villages\/the-social-engineer-village-aa\" target=\"_blank\" rel=\"noopener\">SE-Village<\/a>, <a href=\"http:\/\/reconvillage.org\/\">Recon-Village<\/a>, <a href=\"https:\/\/forum.defcon.org\/forum\/defcon\/dc25-official-unofficial-parties-social-gatherings-events-contests\/dc25-villages\/crypto-and-privacy-village-ab\" target=\"_blank\" rel=\"noopener\">Crypto and Privacy Village<\/a>, <a href=\"https:\/\/forum.defcon.org\/forum\/defcon\/dc25-official-unofficial-parties-social-gatherings-events-contests\/dc25-villages\/voting-machine-hacking-village\/226138-new-for-def-con-25-voting-machine-hacking-village\" target=\"_blank\" rel=\"noopener\">Voting Machine Hacking Village<\/a> and <a href=\"https:\/\/www.wallofsheep.com\/pages\/dc25\" target=\"_blank\" rel=\"noopener\">Packet Hacking village<\/a>\u00a0were particularly great! Also, the\u00a0<a href=\"https:\/\/defcon.org\/html\/defcon-25\/dc-25-speakers.html#EFF\" target=\"_blank\" rel=\"noopener\">EFF panel<\/a>\u00a0on Friday night was nice to get updates and discussions from EFF directors and attorneys.<\/p>\n<p>Recorded presentations and workshops are available on\u00a0<a href=\"https:\/\/media.defcon.org\/DEF CON 25\/\" target=\"_blank\" rel=\"noopener\">media.defcon.org\u00a0<\/a>.<\/p>\n<p>This was a nice (but very crowded!) 
edition, looking forward to next year!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/conferences-security-world\/2017\/08\/defcon-25\/\">DEFCON 25<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/security-world\/conferences-security-world\/2017\/08\/defcon-25\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: J\u00e9r\u00f4me Boursier| Date: Fri, 04 Aug 2017 16:11:10 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/security-world\/conferences-security-world\/2017\/08\/defcon-25\/' title='DEFCON 25'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/08\/dc-25-website-header-2.png' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>A quick overview of several interesting talks at DEF CON 25, the hacking conference that was held in Las Vegas July 27-30, 2017<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/conferences-security-world\/\" rel=\"category tag\">Conferences<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/conference\/\" rel=\"tag\">conference<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/defcon\/\" rel=\"tag\">defcon<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/las-vegas\/\" rel=\"tag\">las vegas<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/security-world\/conferences-security-world\/2017\/08\/defcon-25\/' title='DEFCON 25'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/security-world\/conferences-security-world\/2017\/08\/defcon-25\/\">DEFCON 25<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11759,10756,13346,10253],"class_list":["post-8581","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-conference","tag-conferences","tag-defcon","tag-las-vegas"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8581"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8581\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}