August 29, 2017

Postcards from Vegas

by Jscrambler

welcome-to-las-vegas

At this time, you should already know that Jscrambler attended Black Hat USA 2017 and DEF CON 25 between 25 - 30 July 2017, in Las Vegas, US. It seemed almost inevitable to us to write about that, sharing some insights from both events, as we had a blast!

Black Hat USA

In its 20th year, Black Hat is the world’s leading information security event, providing attendees with the very latest trends in research, web development and security. Black Hat USA 2017 kicked off with four days of technical Trainings (July 22-25) followed by two days of conferences (July 26-27) including Briefings, Arsenal, Business Hall, and much more.

black-hat-usa-2018

As 'Visibility' was one of the five words that defined this year's conference, we recommend that you check the best hacks from this security conference that Wired compiled: Security This Week: The Very Best Hacks From Black Hat and DEFCON.

“The good guys have got to learn it because the bad guys already do,” says Dan Haagman, co-founder of Not So Secure, which ran one of the training courses at the event.

astronaut-at-black-hat-2018

BBC sent a security researcher on one of the courses held in Las Vegas to find out more. Check the video here.

DEF CON 25

def-con-logo

DEF CON needs no introduction whatsoever. In its 25th edition, the event is still super exciting and it's composed and supported by a vast community of volunteers and enthusiasts who are passionate about improving our digital world. Let us highlight some of the talks that caught our attention:

- The Brain’s Last Stand by Garry Kasparov

A quite philosophical talk but entertaining on the struggle of man against the AI based on the personal battles of Garry Kasparov. He gave interesting details on how his preparation changed from game to game, how he studied computer limitations, and how he tried to balance the scale (eg, having access to all games the computer played). His talk can be watched below.



- Exploiting Continuous Integration (CI) and Automated Build systems by spaceB0xx

A Pull Request (PR) can trigger a build in Continuous Integration (CI) but if that PR includes changes in the build process settings, it can lead to Remote Code Execution (RCE). The speaker did the research about this topic using public repositories in Github (and therefore was expelled).

The repositories used Travis as CI (common) and were configured to do build during the PR ( a common practice to know if the PR breaks the build). It was given as a critical example, the case of the repositories that include dockerfile, allowing image modification, access to the network - in containers everything runs as root, allowing access to the internal network, full control over the image or SSH key leak. Since CI service providers use a hosting infrastructure, the speaker realized that they could still create new instances, launch new processes, etc, through the before_install hook. While doing the research, he automated the entire process and eventually created a tool called CIDER: Continuous Integration and Deployment Exploiter. Here you can find this presentation.

- Game of Chromes: Owning the Web with Zombie Chrome Extensions by Tomer Cohen

This talk was about Wix.com use case (April 2016). At some point, they noticed a peak in the number of records and realized the existence of a suspicious pattern: each record completed the process and published a site in only 10s. The target page of the "attack" was the registration form, so they noticed it was not a CSRF attack. They investigated further and realized that it was a botnet, admitting that it could have passed the mechanisms implemented to block this type of traffic.

Research shown later that it was an extension of Chrome (Viad30 Unlocker) since the pages that were created on Wix.com had a link to the extension. You can check HackRead's feature regarding this use case here. The modus operandi of the extension was as described below:

  • Inject code into Facebook pages / tabs / windows
  • Open in a hidden iframe the Wix.com registration form;
  • Simulate the click on the "Register with Facebook" button;
  • Publish the site on Wix.com
  • Send message to all Facebook Messenger contacts with the link to the newly created site on Wix.com
  • The sites published on Wix.com served to disseminate the Chrome Extension;
  • By posting a site for each "infected" user, the attacker could get a new (different) URL to send to the contacts, thus preventing Facebook from blocking the URL, since it wasn't unique.

The rest of the presentation was about the potential of a Browser Extension. It was also demonstrated how vulnerabilities can be exploited using other extensions that the user may have installed, such as:

  • Adobe Acrobat (30M installs, XSS was found in January, 2016)
  • AVG (9M installs, XSS was found in December, 2015)

If you want to deep dive in the agenda, DEFCON presentations and workshop materials are available online.

Enjoy, share and... See you next year!