RCE with Captive Portal

Speaker: Chai Kunze

April 26th: 16:15

Location: Main room, P-1 building

The wireless network is now becoming an important infrastructure for most enterprises, and many employees are even allowed to use mobile devices to work. However, the dependence on wireless networks may lead to many security risks. In our recent research, we found a new way to exploit these Windows devices.

In this talk, I will introduce a combined attack that uses the captive portal feature of wireless networks and a series of Windows vulnerabilities to gain RCE. First, it will set up a hotspot with an evil captive portal service. Once a victim connects to the hotspot actively or passively and detects the captive portal, the NTLM credentials of the victim will be relayed to get access to Exchange Web Services. Then, using the API of EWS and vulnerabilities of the Outlook client, I can achieve RCE.

Looking into a black mirror: What hackers could do with your memories

Speaker: Dmitry Galov

April 26th: 17:15

Location: Main room, P-1 building

If you think that cyberthreats targeting your body and your mind are something that belongs in the future, or that being able to retain and share your memories forever is just something from a dystopian television series, then think again. Connected deep brain stimulation devices already exist to help sufferers of many neurological disorders, and this fundamental technology will eventually enable memory enhancement, implantation and more. Even today, connected medicine is creating an online ecosystem for monitoring patients, tuning implants, remote diagnostics (telemedicine) or simply for collecting the data for future treatments. But any new pioneering technology, like ‘magic’, has another side – a dark side. In this case, the black magic could allow for the manipulation, control and abuse of your data.
In this research, I will describe how this black magic can affect the near future of implantable things. The step from software and hardware vulnerabilities in these implants to unwanted control of your memories. This presentation will shed some light on the dark spots of implantable medicine and neurosurgery.

Internet of Things and Surveillance

Speaker: Barbara Weimer

April 26th: 18:15

Location: Main room, P-1 building

Oh, smart, new world: The first networked refrigerators that sent spam mails already existed in 2014. Smart TV cameras had been filming couples during sex in the living room and hackers put that stuff on the internet in 2016. In 2018 the first hospital had to stop an operation because the computer that was responsible for anesthesia started an update during that process. In a hyper-connected world many examples like this will occur and invade people's privacy and security.

Often there are also less spectacular things, such as IP monitoring cameras, thermostats, fire detectors, network printers or WLAN routers that make the Internet of Things a real threat to the entire Internet. According to Austrian security researchers 96.8 percent of networked devices have security gaps. What does this all mean for our privacy when our data is leaked? And how can we find solutions? Are there any positive examples of how IoT can be used open source and with privacy by design? This talk will give an overview of how the insecurity of IoT affects society and what we can do to stop that problem.

Catching multilayered zero-day attacks on MS Office

Speaker: Boris Larin

April 27th: 09:05

Location: Main room, P-1 building

Over the past few years attacks leveraging Microsoft Office documents have become a weapon of choice for APT attacks. Office documents are popular not only with APT. It doesn’t take much time for malware authors to integrate novel techniques into their own Exploit Kits and attack ordinary users. Our statistics show that during 2018 alone the number of exploit attempts targeting MS Office increased by 4 times, making it the most targeted application in the world.

In this presentation we would like to take a look at one of the most recent zero-day attacks against this platform, CVE-2018-8174, that introduced a completely new attack vector. The zero-day exploit utilized a technique to load an Internet Explorer engine component right into the process context of MS Office and exploited an unpatched VBScript vulnerability without any user interaction. This new technique changes the current threat landscape, as vulnerabilities that previously could only be exploited from a browser in a drive-by-attack scenario can now also be abused from an Office document.

This and many other vulnerabilities were discovered with the help of our sandbox technology, which has proven to be very effective in catching even sophisticated, multilayered zero-day threats. In this presentation we would like to reveal how Sandbox can be utilized to catch this and many other zero-day attacks.

Stack machines unchained: code emulation with ESIL

Speaker: Arnau Gàmez

April 27th: 10:05

Location: Main room, P-1 building

This talk will explore the nature of stack machines, focusing on their application to emulating code. In particular, it will cover the use of ESIL to help in tasks related to reverse engineering and malware analysis, taking advantage of the capabilities of code emulation, including practical examples and demos of several use cases.

The Imitation Game: tracking botnets activity.

Speaker: Alexander Eremin

April 27th: 11:05

Location: Main room, P-1 building

Nowadays more and more malicious activity belongs to the special type of malware called botnets. Botnet masters invest lots of money into the spreading and expansion of their botnets. Every new bot (infected machine) asks the command and control center for commands to execute. So what are the commands they get? What can we get if we have a chance to intercept or oversee the commands?
We at Kaspersky Lab continuously monitor the most popular botnets’ activity with our special technology, Botnet Monitoring.
In this talk I’ll cover some details of this technology and the difficulties we are facing during the monitoring. What do you need to perform monitoring? How do malware authors try to prevent our activity? Also, how not to let botnet masters know that they are being watched? What’s better for monitoring, virtual machines with running samples or light emulation of malicious behavior? I’ll show you some interesting cases from our practice, some ways to extract the necessary data for botnet monitoring and what data you can get just by watching the commands of a botnet.

Presenting Lithopia, the hyperledger revolution

Speaker: Denisa Kera

April 27th: 12:05

Location: Main room, P-1 building

The design fiction village Lithopia explores the extreme scenarios of future data and blockchain governance, but also resistance by using Hyperledger Composer and Fabric to deploy smart contracts triggered by satellite and drone data. The villagers in this fictional place use satellite and drone data to govern their affairs in an extremely transparent, but also aesthetic manner. They live their lives in front of the all-seeing technical “eyes” of God and Providence, such as Sentinel 2A and B Copernicus satellites, and public drones used as notaries. Special long gestures, large LiCoins, but also acts of covering spaces in land-art, Christo manner at strictly defined times trigger the transactions on the Hyperledger blockchain managed over the Node RED dashboard. Through this project, I explore the possibility of anticipatory design that involves various stakeholders in the governance of emergent technologies.

Danger of using fully homomorphic encryption, a look at Microsoft SEAL

Speaker: Minrui Yan & Zhiniang Peng

April 27th: 16:05

Location: Main room, P-1 building

Recently, Microsoft open-sourced the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a high-performance, easy-to-use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that fully homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL. We will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still takes a while to be widely used and it’s extremely dangerous to use it without a crypto expert.

p-adic attacks on elliptic curves

Speaker: Enric Florit

April 27th: 17:05

Location: Main room, P-1 building

Elliptic curves are objects from number theory that have several applications in cryptography. They provide us with asymmetric schemes with public and private key pairs, but they don’t look as close to computers as RSA. In this talk, I will introduce the basics of elliptic curves and their use in cryptography. Then, I will explain an elementary attack based on theoretical properties of the so-called “anomalous curves”.

Attacking .NET Framework through CLR

Speaker: Yu Hong & Jiwen Xiao

April 27th: 18:05

Location: Main room, P-1 building

The Common Language Runtime (CLR), the virtual machine component of Microsoft’s .NET Framework, manages the execution of .NET programs, which runs the code and provides services that make the development process easier. Microsoft also integrated CLR into its products, e.g. SQL Server, Office, etc. We have studied CLR since last month, and we found these features could lead to several attack surfaces. In this talk, we first introduce the managed execution environment and managed code under .NET Framework and discuss the security weaknesses of this code execution method. After that, we show an exploit for SQL Server through CLR and we would like to make our automated tools about this exploitation. Next, we would like to introduce a backdoor with administrator privilege based on CLR hijacking of arbitrary .NET applications. In addition, we extend our CLR security study to Microsoft Office using VSTO. The result shows that we could convert a document-level customization into a program-level customization and execute arbitrary code quietly.

All malwares are equal, but some are more equal than others

Speaker: Joxean Koret

April 27th: 19:05

Location: Main room, P-1 building

During the talk, various different techniques for finding similar malware samples and families, as well as for grouping, clustering and indexing them will be shown. The techniques (which can be used for any kind of software analysis but will be focused on malware datasets) that will be discussed will go from byte-level fuzzy hashing algorithms to call graph based clusterization techniques and indexing of malware functions to try to help attributing similar groups and actors.