All Activities @ HITB+ CyberWeek

Adversarial learning aims at understanding the weaknesses of machine learning in the adversarial environment and developing protection against potential threats. In the field of object detection and image classification, a large number of open source machine learning models are used by industry. Researchers can attack Faster RCNN, SSD, VGG, ResNet and so on by using white boxes to generate adversarial images, then transfer learning to attack object detection and image classification systems in the real world before. But in the field of porn images detection , the only well-known open source model is Yahoo's NSFW. We have proved through experiments that transfer learning to the Yahoo's NSFW, can attack the real world porn images detection service with a lower success rate. Further research shows that by optimizing the loss function and adjusting the attack algorithm, a higher success rate can be achieved without affecting human senses through smaller disturbances.We call the new attack algorithm as FDA ( FeatureMap Destroy Attack).At the same time, we also propose a method to detection and defense Real-World Adversarial Images for Illicit Online Porn.

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Today, cyber threats have grown not just in its depth (more sophisticated) but also in its breadth (expanded scope). It has grown from threats in Enterprise IT systems to Operation Technologies (OT) and Industrial Control Systems (ICS).

To ensure wireless security, one needs to have a comprehensive understanding of the technology, threats, exploits, and defensive techniques along with experience in evaluating and attacking wireless technology. Not limiting one’s skill-set to WiFi, we also need to evaluate the threat from other standards-based and proprietary wireless technologies as well. This session takes an in-depth look at the security challenges of many different wireless technologies, exposing one to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, we’ll navigate our way through the techniques attackers use to exploit RF networks. The session will introduce one how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

MuddyWater is a threat actor likely based in Middle East, with known activities since at least the middle of 2017. It targets various individuals, government organizations and industries in many countries all across the Middle East and Central Asia, with the highest intensity of targets in Turkey, Pakistan, Afghanistan and Jordan. Starting with spear phishing emails and macro-powered attachments sent to carefully selected high profile targets, the threat actor attempts to deliver and install various backdoors written in different programming languages to the victims' computers – all with the purpose of performing cyber espionage. One of these backdoors has interesting capabilities, such as disk wiping, anti-analysis and numerous false flags. To increase stealthiness, C&C communication is forwarded via PHP proxies hosted on hacked websites, creating an asynchronous communication channel. We took advantage of this configuration to monitor the activity of this actor, discovering the identities of some of the victims as well as some commands which attackers attempted to execute on victims’ machines. In this presentation, we will show the most recent evolution of the tools, tactics and procedures of this threat actor. We will present some examples of targeted documents and the multiple layers of obfuscation added to their payloads. We will also detail the different tools this threat actor uses, and we will propose some ideas on how to prevent and hunt for these threats.

There are two types of RFID - those that use INDUCTIVE COUPLING like NFC and those that use RF like GEN2 UHF as per the title. NFC has been widely covered and exploited in the hacking scene, but UHF really has not, other than a few "long range" experiments. However, UHF is now being widely adopted for all kinds of interesting applications, from vehicle gateways on toll roads and border crossings to goods and inventory tracking in logistics. Even airline luggage will soon be sporting fancy e-paper tags with UHF tracking enabled, but how safe is that going to be? What research has been done in this area? Well, before hackers can start researching they need the tools, and this workshop will cover the first step in creating those tools... Building your own SDR controlled UHF RFID reader gives you the power to dig right down into the guts of the protocol and start fooling around... Who knows what you'll find? We will be implementing a reader using the BladeRF platform, and will cover "gotchas", tips and tricks to better understand how to get this working and your UHF hacking project under way.

The discussion flow would start from the importance of browsers, need for security within it, my research and vulnerabilities found, and finally demonstration of zero day, apart from other exploits and attacks, against browsers. The talk would conclude with a discussion around remediation efforts to protect against such attacks. Over the years reliance on browsers has increased many folds. The features provided by browsers, along with its numerous extensions and components, browsers have seen a humongous increase in the number of users using it to browse different services. This provides a huge attack base to "research" and identify potential vulnerabilities which can be exploited in order to improve defensive controls. The talk I will be presenting is entirely my own work of research. While identifying vulnerabilities in web applications and participate in various bug bounty programs is interesting, I enjoy targeting platforms which are less popular as research topics. Having said that, while security for browsers is a known topic, I've been able to identify, through my research, several vulnerabilities which will help secure it further. The issues I will be talking about are completely within three specific domains - SOP, RCE and Address Bar Spoofing (ABS). These vulnerabilities, along with the attack scenarios are something which I've created through my research. As a case study I'll discuss integer underflow vulnerability in firefox (NSS). I've also created, from scratch, an exploit code which can be used across several browsers for the same vulnerability. I will be showcasing multiple Metasploit module, I created during my research.

Introduction to Failure Analysis Tools for IC Reverse Engineering and Editing for Fun and Profit For many people are 0 and 1 just an imaginary values, but they actually has a physical interpretation. Whether it is charge in capacitor, trapped electron, or electrical potential, these values can be read directly despite of extensive software security measures. Although IC manufacturers want to prevent us looking into circuits by adding passive or active shields, a silicon chip is not a black box and understanding the block level and then transistor level is essential for security assessment. Once we understand how a circuit works, we can listen to specific signals and collect data. We can further change data in our advantage and bypass security checks, even change security keys by modifying values or by rerouting the circuit logic. All major chip manufacturers invest a huge amount of money into reverse engineering laboratories. These labs are especially important in development and early production stage to early eradicate defects and result in high yield production later on. While searching for such failures, they have to reverse engineer their own chips in order to find a failure and fix the process, so the next time it won’t happen. For that purpose, there is a whole industry, you may never heard of, called “Failure Analysis”. It is full of high resolution, high sensitivity and highly priced equipment, specially build for reverse engineering and defect localization, so why not use it for security analysis? We can start by looking into a device by X-ray, use dangerous chemical, lasers, or CNC machines to open it, high resolution optical microscopes to analyze the structures, or even look through the silicon on directly on transistor level. High sensitivity IR cameras can show operating circuitry and by removing metal layers, we can reverse engineer the circuit and localize our point of interest. The Focused Ion Beam for example is an essential tool, which offers not only a micro-milling option, but by precise deposition or removal of conductive and non-conductive materials, we can cut and reroute traces, create test pads, or even edit circuit from the backside. With a usage of nanoprobes and SEM we can then do measurements, visualize various structures, and trace signals. Not every piece of equipment needs to cost hundred-thousands of dollars, we can achieve a lot with just simple equipment and by applying some skill. By understanding of physics fundamentals and operation of some professional tools it’s possible to recreate functionality with much smaller budget. Wide second-hand market and advanced consumer electronics may offers many possibilities. Infrared backside imaging can give a great insight in structure without removing top metal layers. For example many commercially available cameras offer good enough performance in detecting IR light, which can be produced by cheap LEDs. For example by performing camera modifications, it is possible to detect low level infrared light emitted by flowing current through a transistor – visualizing activity and the changing states of running circuits. IC delayering shows inner structures, interconnections and allows to recreate a whole design. There are two approaches for delayering, chemical and mechanical. Chemical delayering involves wide variety of very aggressive chemicals like HF and the result repeatability is not great for laboratory use. Mechanical delayering is more precise and safer, however it is time consuming and edge rounding cannot be fully avoided. As usual, it can be done with high precision polishing machine with laser alignment, or with a fine sandpaper, bare hands and some skills. IC structures seems complicated and overwhelming, but example of simple redrawing can show structures, like AND, NAND, OR, NOR or inverter and reverse engineering becomes much easier. By understanding the low level layout, important traces can be identified and accessed from upper layers, contacted by FIB and compromised by injecting false signals. Failure Analysis is a whole industry which makes use of wide variety of physical phenomenon, sample preparation techniques, observation techniques and circuit editing tools to reverse engineer an IC. These tools and techniques are becoming cheaper, more accessible, and thus chip analysis, reverse engineering and hardware hacking easier.

Attacks on payment infrastructures are incredibly popular and many hackers are chasing easy money. On the other hand, payment security does not stand still - EMV, mobile wallets, bitcoin, digital banks without branches, business accounts opened in 1 day. We live in an era of digital technology that protects us from hackers. But does it? Each technology has been examined under the microscope and received its own attack, executed not only on the academic paper but also in the real world by real fraudsters. Over the past 2 years, our team has been successfully debunking the security myths about NFC, EMV, POS terminals, and ATMs. We will show how easy it is to steal money from a bank card, the money that the customer sometimes doesn't even have in the account. Why isn't the payment industry trying to take care of its customers' security more than required by risk management and is waiting for problems to occur, without worrying about attacks that "haven't arrived yet"?

Power-line communication (PLC) carries data on a electric line is used for AC electric power transmission or electric power distribution to consumers. PLC systems are based on the idea of ​​networking without the need for new cables. PLC in smart grids is used extensively in smart meters. Thus, plugs could become an input point due to the data transmission on the power line and from an attacker's perspective, the PLC could become an new attack surface in smart grids. In this talk I will explain a red team approach of smart meters in smart grids. These smart meters work on PLC. I will explain a case for how to capture data on 220v power line and how to retransmission of data on power line. Also I will discuss various attack vectors on smart grids such as blackout of transformer, manipulating usage data and analyze how to mitigate them. I will use some old school mathematical calculation for demodulation signals and data extraction on power line theoretically.

As IoT becomes more integral to our lives, the need to secure them grows. One thing the security industry isn’t talking very often is - IoT security. We talk very often about application security but very rarely we talk about security in Hardware or in particular security in IoT. With application security, you as a penetration tester is confronted with a Windows or a Linux server, or a web application or even a TCP/UDP protocols. But with IoT penetration testing, you have very uncommon architectures like ARM, PowerPC, MIPS, etc. Sometimes, you are even confronted with communication protocols like ZigBee, BLE, NFC, RFID, etc and to make it more complex, many times hardware device manufacturers do have their custom RF frequencies. These require new expertise and severals toolsets which are very uncommon. It is no wonder that traditional penetration testers can get completely lost in the world of embedded devices security and their protocols. This talk is going to be a helpful resource to help you become IoT Penetration tester. In this talk, attendees will get an opportunity to learn about the potential risks and vulnerabilities carried by IoT systems. They will also get to learn about IoT security best practice and guidelines. You will learn how to build & secure a connected IoT platform and attack from a hacker’s perspective. Also, I will be sharing the secrets that no one tells you about penetrating the IoT device, which I have learned over the years working as IoT and Mobile application security analyst.