Black Hat Europe 2016 – Day One
DAY 1
We were present at the 2016 edition of Black Hat Europe, held in the beautiful city of London!
As expected, the conferences and tools presented, as well as the people we met, lived up to our expectations and made this event a quality experience.
Given the large number of topics presented, we will only present here those that we were able to attend.
All the materials from the various conferences presented are available here: https://www.blackhat.com/eu-16/briefings.html
Links to reports from other days:
- Black Hat Europe 2016 – Day One
- Black Hat Europe 2016 – Day Two
«"WiFi-Based IMSI Catcher"»
Piers O'Hanlon and Ravishankar Borgaonkar, both members of Oxford University, presented us with a new approach to tracking mobile users using Wi-Fi networks.
The approach exploits the automatic authentication mechanisms (802.1X) based on the EAP-SIM and EAP-AKA methods. Specifically, data streams are not encrypted with AKA, while the EAP-SIM method exchanges identities in plain text. An attacker can therefore exploit these two weaknesses to retrieve the IMSI of phones that connect to a malicious Wi-Fi network and thus track their users.
The researchers then presented some recommendations to reduce the risk of this kind of espionage, such as disabling automatic connection, as well as certain protections to be applied on the telecommunications operators' side.
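As an added illustration, not part of the talk or this report, the following Python check shows what the plaintext-identity issue looks like from the defender's side: it parses EAP Response/Identity packets and flags clients that present a permanent IMSI-based identity instead of a pseudonym. The NAI prefix rules come from RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA); the sample packets and the test-network IMSI are constructed.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# The leading character of the NAI username encodes the identity kind
# (RFC 4186 for EAP-SIM, RFC 4187 for EAP-AKA). Permanent identities carry the IMSI.
PERMANENT_PREFIXES = {"0": "EAP-AKA permanent (IMSI)", "1": "EAP-SIM permanent (IMSI)"}
PROTECTED_PREFIXES = {"2": "EAP-AKA pseudonym", "3": "EAP-SIM pseudonym",
                      "4": "EAP-AKA fast re-auth", "5": "EAP-SIM fast re-auth"}


def parse_eap_identity(packet: bytes):
    """Return the identity string from an EAP Response/Identity packet, else None."""
    if len(packet) < 5:
        return None
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length > len(packet):
        return None
    return packet[5:length].decode("ascii", errors="replace")


def classify_identity(identity: str) -> dict:
    """Classify an EAP-SIM/AKA NAI and report whether it exposes the permanent IMSI."""
    user, _, realm = identity.partition("@")
    prefix = user[:1]
    if prefix in PERMANENT_PREFIXES:
        return {"kind": PERMANENT_PREFIXES[prefix], "exposed_imsi": user[1:],
                "realm": realm, "leak": True}
    if prefix in PROTECTED_PREFIXES:
        return {"kind": PROTECTED_PREFIXES[prefix], "exposed_imsi": None,
                "realm": realm, "leak": False}
    return {"kind": "other EAP identity", "exposed_imsi": None, "realm": realm, "leak": False}


def build_identity_response(identity: str, eap_id: int = 1) -> bytes:
    """Helper to construct a sample EAP Response/Identity packet (code 2, type 1)."""
    body = identity.encode("ascii")
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(body), EAP_TYPE_IDENTITY) + body


def audit(packets):
    """Return the classification of every packet that leaks a permanent identity."""
    findings = []
    for pkt in packets:
        ident = parse_eap_identity(pkt)
        if ident is not None:
            info = classify_identity(ident)
            if info["leak"]:
                findings.append(info)
    return findings


# Constructed sample: one EAP-SIM permanent identity (test MCC 001 / MNC 01), one pseudonym.
SAMPLE = [
    build_identity_response("1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"),
    build_identity_response("3AbC9xyz@wlan.mnc001.mcc001.3gppnetwork.org", eap_id=2),
]
```

Running `audit(SAMPLE)` reports only the first client, which is exactly the device an operator should migrate to pseudonym-based identities.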
«I know what you saw – The Chrome Browser Case»
This conference, given by Ran Dubin, dealt with the exploitation of new HTTP Adaptive Streaming (HAS) live streaming techniques, used notably by YouTube, to determine which videos users have viewed despite SSL encryption.
In practice, a BPP (Bit Per Peak) analysis is performed on the stream to determine the proportion of audio/images sent to the user.
«Another Brick Off The Wall – Deconstructing Web Application Firewalls Using Automata Learning»
Presented by George Argyros and Ioannis Stais, this talk introduced a new method for discovering attacks capable of bypassing web application firewalls, which are very widely deployed by Web players.
Since the core difficulty lies in grammatical analysis, the speakers turned to the SFA (symbolic finite automaton) learning algorithm in order to analyze the model used by WAFs and thus determine which inputs are not taken into account by the protection engine.
The presentation of the approach then moved on to "LightBulb", a tool written by the authors that automates the construction of models of security equipment and browsers, so that they can be compared against a given grammar to identify vulnerabilities.
The analysis performed by the tool thus identifies potential entry points, which are then tested to determine whether or not they are false positives.
«Attacking Windows By Windows»
The day continued with a presentation of new attack methods used by Yin Liang and Zhou Li of Tencent PC Manager to take control of Windows systems.
The presentation was structured around three questions raised during an experiment:
- Where to write?
- What should I write?
- What can be done?
After a brief review of old exploitation techniques (e.g., nt!HalDispatchTable) and new protections (SMEP), the authors focused on the "MmMapViewOfSection" function, which allows them to retrieve memory addresses available for writing.
An analysis of the Windows objects "TagMENU" and "TagWND" was then carried out in order to demonstrate the possibilities of exploitation.