Security News Black Hat USA 2016: July 30th-August 4th

[Logethica]

A Selection of some of the Briefings taking place on Wednesday August 3rd at Black Hat USA 2016:
(Visit the Link at the top of the page for more information)

The Following take place between 09.00 and 14:40

• THE HIDDEN ARCHITECTURE OF OUR TIME: WHY THIS INTERNET WORKED, HOW WE COULD LOSE IT, AND THE ROLE HACKERS PLAY Dan Kaminsky
• A RETROSPECTIVE ON THE USE OF EXPORT CRYPTOGRAPHY David Adrian
  
• ABUSING BLEEDING EDGE WEB STANDARDS FOR APPSEC GLORY Bryant Zadegan & Ryan Lester
  
• AUGMENTING STATIC ANALYSIS USING PINTOOL: ABLATION Paul Mehta
  
• BEYOND THE MCSE: ACTIVE DIRECTORY FOR THE SECURITY PROFESSIONAL Sean Metcalf
  
• BREAKING PAYMENT POINTS OF INTERACTION (POI) Nir Valtman & Patrick Watson
  
• CAN YOU TRUST ME NOW? AN EXPLORATION INTO THE MOBILE THREAT LANDSCAPE Josh Thomas
  
• CAPTURING 0DAY EXPLOITS WITH PERFECTLY PLACED HARDWARE TRAPS Cody Pierce & Matt Spisak & Kenneth Fitch
  
• HTTP/2 & QUIC - TEACHING GOOD PROTOCOLS TO DO BAD THINGS Catherine (Kate) Pearce & Carl Vincent
  
• THE LINUX KERNEL HIDDEN INSIDE WINDOWS 10 Alex Ionescu
  
• $HELL ON EARTH: FROM BROWSER TO SYSTEM COMPROMISE Matt Molinyawe & Jasiel Spelman & Abdul-Aziz Hariri & Joshua Smith
  
• A JOURNEY FROM JNDI/LDAP MANIPULATION TO REMOTE CODE EXECUTION DREAM LAND Alvaro Munoz & Oleksandr Mirosh
  
• APPLIED MACHINE LEARNING FOR DATA EXFIL AND OTHER FUN TOPICS Matt Wolff & Brian Wallace & Xuan Zhao
  
• EXPLOITING CURIOSITY AND CONTEXT: HOW TO MAKE PEOPLE CLICK ON A DANGEROUS LINK DESPITE THEIR SECURITY AWARENESS Zinaida Benenson
  
• HACKPROOFING ORACLE EBUSINESS SUITE David Litchfield
  
• MEASURING ADVERSARY COSTS TO EXPLOIT COMMERCIAL SOFTWARE: THE GOVERNMENT-BOOTSTRAPPED NON-PROFIT C.I.T.L. Mudge . & Sarah Zatko
  
• MEMORY FORENSICS USING VIRTUAL MACHINE INTROSPECTION FOR CLOUD COMPUTING Tobias Zillner
  
• NONCE-DISRESPECTING ADVERSARIES: PRACTICAL FORGERY ATTACKS ON GCM IN TLS Sean Devlin & Hanno Böck & Aaron Zauner & Philipp Jovanovic
  
• SUBVERTING APPLE GRAPHICS: PRACTICAL APPROACHES TO REMOTELY GAINING ROOT Liang Chen & Qidan He & Marco Grassi & Yubin Fu
  
• ADAPTIVE KERNEL LIVE PATCHING: AN OPEN COLLABORATIVE EFFORT TO AMELIORATE ANDROID N-DAY ROOT EXPLOITS Yulong Zhang & Tao Wei
  
• CANSPY: A PLATFORM FOR AUDITING CAN DEVICES Jonathan-Christofer Demay & Arnaud Lebrun
  
• CERTIFICATE BYPASS: HIDING AND EXECUTING MALWARE FROM A DIGITALLY SIGNED EXECUTABLE Tom Nipravsky
  
• DRONE ATTACKS ON INDUSTRIAL WIRELESS: A NEW FRONT IN CYBER SECURITY Jeff Melrose
  
• GATTACKING BLUETOOTH SMART DEVICES - INTRODUCING A NEW BLE PROXY TOOL Slawomir Jasek
  
• HEIST: HTTP ENCRYPTED INFORMATION CAN BE STOLEN THROUGH TCP-WINDOWS Tom Van Goethem & Mathy Vanhoef
  
• SECURE PENETRATION TESTING OPERATIONS: DEMONSTRATED WEAKNESSES IN LEARNING MATERIAL AND TOOLS Wesley McGrew
  
• TOWARDS A HOLISTIC APPROACH IN BUILDING INTELLIGENCE TO FIGHT CRIMEWARE Dhia Mahjoub & Mykhailo Sakaly & Thomas Mathew
  
• XENPWN: BREAKING PARAVIRTUALIZED DEVICES Felix Wilhelm

 

[Logethica]

Conference brings hackers to the valley

LAS VEGAS

Hackers have descended upon Las Vegas, and you might want to be extra cautious with your personal information this weekend. The Black Hat convention is in town. Experts say, with so many hackers in town, something as simple as joining a Wi-Fi connection could put you at risk.

It only takes a second to get hacked.

"Anyone who is really good at what they do want to show and demonstrate that," said Net Effect CEO Jeff Grace.

This weekend, hundreds of hackers, and the ones looking to stop those with malicious intent, will be in one room.

"Black Hat is an annual convention of security professionals,” Grace said. “There are also people who are a little bit more on the mischievous side, as well as on the cybercrime side."

It’s no secret what the mischievous ones are here to do. They have plenty of tricks up their sleeves.

"The worst thing is that they can corrupt your data, they can encrypt it and hold you ransom for it,” said Net Effect Service Manager Chris Wrightnour.

Hackers are also ready to play you.

"They put up their own hot spots that say ‘Free Hotel wireless.’ They drop USB keys on the ground. You plug it in your computer to see what’s on it, then infect your computer,” Wrightnour said.

"You can debate the ethical, the ethics behind it, but as a technology profession, I have to admire and respect their intelligence and ingenuity," Grace said.

 

[Logethica]

Famed hacker creates new ratings system for software

A famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes is now going after the computer software industry, whose standard practices all but guarantee that most products will be vulnerable to cyber attacks.

Peiter Zatko, known in the hacker world as Mudge, was the best-known member of pioneering Boston hacking group the L0pht. More recently, he headed a Defense Department grant program for computer security projects.

Now Zatko and his wife, former National Security Agency mathematician Sarah Zatko, are developing what amounts to a Consumer Reports-style rating system for software.

The initiative, if it catches on, could lead to major changes in the business practices of some of the world’s largest software companies. It could also, he says, help deliver something that decades of the free market, the open-source movement, government commissions and well-paid lawyers have not: software that is consistently secure, or at least very expensive to compromise.

On Wednesday at the annual Black Hat security conference in Las Vegas, the duo will explain how their system works and point out some of the early winners and losers in their analysis.

Among the preliminary findings: on Apple's Macintosh computers, Google’s Chrome web browser is significantly harder to attack than Apple’s Safari, which in turn is much more secure than Firefox. Many Microsoft products have scored quite well so far, but its Office suite for Mac did terribly.

The Zatkos’ system, which they have licensed in perpetuity to a new nonprofit, is a radical attempt to solve a problem that has vexed software customers for decades: There is no unbiased, consistent method for rating the security of programs.

Continue reading at the link at the top of this post...

 

[DardiM]

Thanks for the share

Black Hat USA 2016
=> will be a dream for me to assist to these briefings
(Need to improve my English, and too far ...)

Famed hacker creates new ratings system for software
"There is no unbiased, consistent method for rating the security of programs' => finally !
(read too many articles explaining how some programs were adapting themselves, detecting tools used for analysis, not only on mobile devices)

 

[Deleted member 178]

i like this one : CERTIFICATE BYPASS: HIDING AND EXECUTING MALWARE FROM A DIGITALLY SIGNED EXECUTABLE Tom Nipravsky

 

[Logethica]

Thanks for the share

Black Hat USA 2016
=> will be a dream for me to assist to these briefings
(Need to improve my English, and too far ...)

Famed hacker creates new ratings system for software
"There is no unbiased, consistent method for rating the security of programs' => finally !
(read too many articles explaining how some programs were adapting themselves, detecting tools used for analysis, not only on mobile devices)

Yes,I wonder if the "Zatkos System" will be implemented as a rating system

i like this one : CERTIFICATE BYPASS: HIDING AND EXECUTING MALWARE FROM A DIGITALLY SIGNED EXECUTABLE Tom Nipravsky

Yes..that is very interesting.
If wonder if anybody from MT (or other forums that we know) are at Black Hat this year.

 

[Logethica]

Black Hat USA 2015: Defeating Machine Learning: What your security vendor is not telling you:
PRESENTED BY Bob Klein & Ryan Peters

Machine learning is rapidly gaining popularity in the security space. Many vendors and security professionals are touting this new technology as the ultimate malware defense. While evidence from both research and practice validates the improved efficacy of machine learning-based approaches, their drawbacks are rarely discussed.

In this talk, we will demonstrate, from an attacker's perspective, how commonly deployed machine learning defenses can be defeated. We then step back and examine how existing systemic issues in the network security industry allow this to occur, and begin the discussion with the community about these issues. Finally, we propose a solution that uses novel data sourcing techniques to address these problems.

Duration: 51 Minutes.