Posts Tagged ‘Cybersecurity’
[DefCon32] AIxCC Closing Ceremonies
Perry Adams and Andrew Carney, representatives from DARPA and ARPA-H, preside over the closing ceremonies of the AI Cyber Challenge (AIxCC) at DEF CON 32. Their presentation celebrates the innovative efforts of participants who developed AI-driven systems to detect and patch software vulnerabilities, emphasizing the critical role of secure software in safeguarding global infrastructure. Perry and Andrew highlight the competition’s impact, announce finalists, and inspire continued collaboration in cybersecurity.
The Vision of AIxCC
Perry opens by reflecting on the AIxCC’s inception, announced at the previous DEF CON, aiming to harness AI to secure critical infrastructure. With over 12,000 visitors to the AIxCC village, the challenge engaged a diverse community in building systems to identify and fix software flaws. Perry underscores the urgency of this mission, given the pervasive vulnerabilities in software underpinning essential services like power grids and healthcare systems.
Recognizing Team Achievements
Andrew highlights standout teams, such as Team Lacrosse for their memorable patch and Team Atlanta for their innovative SQLite findings. The ceremony acknowledges the creative use of large language models (LLMs) and fuzzing techniques by participants. By sharing lessons learned, teams like Trail of Bits contribute to the broader cybersecurity community, fostering transparency and collective progress in tackling software vulnerabilities.
Impact on Critical Infrastructure
The duo emphasizes the broader implications of AIxCC, noting that insecure software threatens global stability. Perry and Andrew praise competitors for developing systems that autonomously detect and mitigate vulnerabilities, reducing reliance on manual processes. Their work aligns with DARPA’s mission to advance technologies that protect national and global infrastructure from cyber threats.
Looking Ahead to Finals
Concluding, Perry announces the finalists, each awarded $2 million and a chance to compete at DEF CON 2025. Andrew encourages ongoing engagement, promising detailed scoring feedback to participants. Their call to action inspires researchers to refine AI-driven security solutions, ensuring a resilient digital ecosystem through collaborative innovation.
Links:
[DefCon32] DEF CON Unplugged: Cocktails & Cyber with Jeff & Jen
Jen Easterly, Director of CISA, and Jeff Moss, founder of DEF CON, engage in a candid “Ask Me Anything” session, blending mixology with cybersecurity insights. Their informal dialogue, set against Jen’s cocktail-making, addresses pressing issues like cyber liability and secure software development. As members of CISA’s advisory council, Jen and Jeff offer a unique perspective on fostering a secure digital ecosystem through collaboration and accountability.
Navigating Cyber Liability
Jen and Jeff tackle a question on cyber liability, acknowledging its complexity due to legal frameworks focusing on proximate causes, like human errors in ransomware attacks, rather than root issues. Jen emphasizes the need for a cultural shift toward security, referencing CISA’s Cyber Safety Review Board report, which highlights vendor accountability. Their discussion underscores the challenge of legislating liability without a major incident driving change.
Building a Secure Ecosystem
The duo explores levers for enhancing cybersecurity, such as fostering a culture of responsibility among software vendors. Jen highlights the importance of product differentiation through secure development practices, while Jeff stresses the role of community engagement in shaping policy. Their dialogue, enriched by real-world examples, advocates for proactive measures to prevent devastating cyberattacks.
Community Engagement and Collaboration
Reflecting on DEF CON’s role, Jen shares her enthusiasm for the conference as a hub for hacker innovation. She and Jeff emphasize the value of open dialogue, as seen in their AMA format, to bridge gaps between government and the hacker community. By encouraging questions, they foster a collaborative environment where ideas can shape future cybersecurity strategies.
Future Directions for Cybersecurity
Concluding, Jen and Jeff call for sustained efforts to protect critical capabilities from malicious actors, including nation-states and criminals. Their session, blending humor with policy insights, inspires attendees to contribute to a more secure digital landscape through shared responsibility and innovative thinking.
Links:
[DefCon32] The Rise and Fall of Binary Exploitation
Stephen Sims, a veteran cybersecurity expert, navigates the evolving landscape of binary exploitation, a discipline long revered as the pinnacle of hacking challenges. His presentation at DEF CON 32 examines the impact of modern mitigations like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and newer technologies such as Control-flow Enforcement Technology (CET). Stephen explores how these defenses have reshaped the field, while emphasizing that the pursuit of novel exploitation techniques remains vibrant despite increasing complexities.
The Golden Era of Binary Exploitation
Stephen begins by reflecting on the historical significance of binary exploitation, where vulnerabilities in low-level languages like C++ enabled attackers to manipulate system memory. In the early 2000s, exploiting large applications was a hallmark of hacking prowess. However, Stephen notes that memory safety issues have prompted a shift toward safer languages like Rust, though these are not yet mature enough to fully replace C++. This transition has made exploitation more challenging but not obsolete.
Impact of Modern Mitigations
Delving into technical details, Stephen dissects key mitigations like DEP, which prevents code execution in data memory, and ASLR, which randomizes memory addresses. He also discusses CET, which enforces control-flow integrity, and Virtualization-Based Security (VBS), which isolates critical processes. These protections, often disabled by default on Windows to avoid breaking applications, have significantly raised the bar for attackers. Stephen illustrates their enforcement through practical examples, showing how they thwart traditional exploits.
Ethical and Legislative Challenges
Stephen addresses the ethical dilemmas facing researchers, noting that restrictive legislation, such as the Paul Maul Act, could push exploit development underground. He argues that the more researchers are constrained, the greater the risk of unethical markets flourishing. By sharing insights from past research, including contributions from Jeremy Tinder and Haroon Mir, Stephen underscores the need for responsible disclosure to balance innovation with security.
The Future of Exploitation
Concluding, Stephen likens modern exploit development to skateboarding legend Tony Hawk, where past techniques are now accessible to newcomers, enabling rapid advancement. He predicts that as bounties for zero-day exploits rise—some now fetching $500,000—the incentive to bypass mitigations will persist. Stephen encourages researchers to innovate ethically, leveraging open knowledge to uncover new vulnerabilities while navigating an increasingly fortified digital landscape.
Links:
[DefCon32] The Pwnie Awards
The Pwnie Awards, a cornerstone of DEF CON, celebrate the triumphs and missteps of the cybersecurity community with a blend of reverence and humor. Hosted by Ian Roose, this annual ceremony honors groundbreaking research and notable blunders, judged by a panel of esteemed security experts. The 2024 edition, sponsored by Margin Research, Red Balloon Security, and Summercon Foundation, pays tribute to luminaries like Sophia d’Antoine, whose lifetime achievements have shaped the field.
Celebrating Cybersecurity Excellence
Ian opens the ceremony by highlighting its role in recognizing outstanding contributions. The Pwnies showcase the best exploits and research, voted on by peers, offering a unique platform for hackers to gain recognition. From novel vulnerabilities to innovative defenses, the awards reflect the community’s ingenuity, fostering a culture of excellence and accountability in cybersecurity.
Honoring Sophia d’Antoine’s Legacy
A poignant moment comes with the Lifetime Achievement Award for Sophia d’Antoine, accepted by her sister Claudia d’Antoine of Margin Research. Sophia’s work, spanning hacking, policy advocacy, and training with Binary Ninja, left an indelible mark. Ian emphasizes her ethos of curiosity and community care, inspiring attendees to continue her legacy of impactful research and collaboration.
Acknowledging Community Contributions
The ceremony acknowledges the broader community, including nominees, presenters, and sponsors like Margin Research and Red Balloon Security. Ian highlights the collective effort behind the event, from organizers like Neil Durkin and Mark Trumpour to the audience’s participation. This collaborative spirit underscores the Pwnies’ role in uniting hackers to advance the field through shared knowledge and recognition.
Looking Forward to Future Impact
Closing, Ian reflects on the Pwnies’ role in inspiring future research. By celebrating both successes and failures, the awards encourage resilience and innovation. The call to stay curious, inspired by Sophia, resonates as a guiding principle, urging attendees to push boundaries and strengthen cybersecurity through collective effort.
Links:
[DefCon32] What History’s Greatest Heist Can Teach Us About Defense In Depth
Pete Stegemeyer, a seasoned security engineer and heist historian, draws parallels between the 2003 Antwerp Diamond Heist and cybersecurity’s defense-in-depth principles. By dissecting how thieves bypassed multiple security layers to steal millions in diamonds, gold, and cash, Pete illustrates the consequences of complacency and inadequate security practices. His narrative offers actionable lessons for fortifying digital defenses, blending historical intrigue with modern security insights.
Anatomy of the Antwerp Heist
Pete begins by recounting the audacious 2003 heist, where thieves used simple tools like hairspray and double-sided tape to defeat sophisticated vault security. The heist succeeded due to failures in physical security, such as outdated cameras and unmonitored access points. By mapping these lapses to cybersecurity, Pete underscores how neglected vulnerabilities—akin to unpatched software or weak access controls—can lead to catastrophic breaches.
Failures in Security Design
Delving deeper, Pete highlights how the vault’s reliance on single points of failure, like unsegmented keys, mirrored common cybersecurity oversights. The thieves exploited predictable patterns and lax enforcement, much like attackers exploit misconfigured systems or social engineering. Pete stresses that defense in depth requires layered protections, regular updates, and proactive monitoring to prevent such exploitation in digital environments.
Lessons for Cybersecurity
Drawing from the heist, Pete advocates for robust accountability mechanisms to combat complacency. Just as the vault’s operators failed to enforce key-splitting protocols, organizations often neglect security best practices. He recommends rigorous auditing, mandatory updates, and consequence-driven policies to ensure diligence. By treating data as valuable as diamonds, organizations can build resilient defenses against sophisticated threats.
Links:
- None
[DefCon32] Threat Modeling in the Age of AI
As artificial intelligence (AI) reshapes technology, Adam Shostack, a renowned threat modeling expert, explores its implications for security. Speaking at the AppSec Village, Adam examines how traditional threat modeling adapts to large language models (LLMs), addressing real-world risks like biased hiring algorithms and deepfake misuse. His practical approach demystifies AI security, offering actionable strategies for researchers and developers to mitigate vulnerabilities in an AI-driven world.
Foundations of Threat Modeling
Adam introduces threat modeling’s four-question framework: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This structured approach, applicable to any system, helps identify vulnerabilities in LLMs. By creating simplified system models, researchers can map AI components, such as training data and inference pipelines, to pinpoint potential failure points, ensuring a proactive stance against emerging threats.
AI-Specific Security Challenges
Delving into LLMs, Adam highlights unique risks stemming from their design, particularly the mingling of code and data. This architecture complicates secure deployment, as malicious inputs can exploit model behavior. Real-world issues, such as AI-driven resume screening biases or facial recognition errors leading to wrongful arrests, underscore the urgency of robust threat modeling. Adam notes that while LLMs excel at specific mitigation tasks, broad security questions yield poor results, necessitating precise queries.
Leveraging AI for Security Solutions
Adam explores how LLMs can enhance security practices. By generating mitigation code or test cases for specific vulnerabilities, AI can assist developers in fortifying systems. However, he cautions against over-reliance, as generic queries produce unreliable outcomes. His approach involves using AI to streamline threat identification while maintaining human oversight, ensuring that mitigations address tangible risks like data leaks or model poisoning.
Future Directions and Real-World Impact
Concluding, Adam dismisses apocalyptic AI fears but stresses immediate concerns, such as deepfake proliferation and biased decision-making. He advocates integrating threat modeling into AI development to address these issues early. By fostering a collaborative community effort, Adam encourages researchers to refine AI security practices, ensuring that LLMs serve as tools for progress rather than vectors for harm.
Links:
[DefCon32] How to Keep IoT From Becoming An IoTrash
The proliferation of Internet of Things (IoT) devices promises connectivity but risks creating a digital wasteland of abandoned, vulnerable gadgets. Paul Roberts, Chris Wysopal, Cory Doctorow, Tarah Wheeler, and Dennis Giese, a distinguished panel from Secure Resilient Future Foundation, Electronic Frontier Foundation, Veracode, Red Queen Dynamics, and DontVacuum.me, respectively, address this crisis. Their discussion, rooted in cybersecurity and policy expertise, explores solutions to prevent IoT devices from becoming e-waste, advocating for transparency, ownership, and resilience.
The Growing Threat of Abandonware
Paul opens by highlighting the scale of the issue: end-of-life devices, from routers to medical equipment, are abandoned by manufacturers, leaving them susceptible to exploitation. Black Lotus Labs’ discovery of 40,000 compromised SOHO routers in the “Faceless” botnet underscores this danger. Cory introduces the concept of “enshittification,” where platforms and devices degrade as manufacturers prioritize profits over longevity, citing Spotify’s Car Thing, bricked without refunds after brief market presence.
Policy and Right-to-Repair Solutions
Tarah and Chris advocate for legislative reforms, such as updating the Digital Millennium Copyright Act (DMCA), to grant consumers repair rights. Google’s extension of Chromebook support to ten years saved millions in e-waste, a model Tarah suggests for broader adoption. Chris emphasizes that unmaintained devices fuel botnets, threatening critical infrastructure. Policy changes, including antitrust enforcement to curb monopolistic practices, could compel manufacturers to prioritize device longevity and security.
Cybersecurity Implications and Community Action
Dennis, known for reverse-engineering vacuum robots, stresses the cybersecurity risks of abandoned devices. Malicious actors exploit unpatched vulnerabilities, conscripting devices into botnets. He calls for community-driven efforts to document and secure IoT systems. Paul, through the Secure Resilient Future Foundation, encourages grassroots advocacy, such as contacting local representatives to support repair-friendly legislation, making it easier for individuals to contribute without navigating complex policy landscapes.
Redefining Ownership and Sustainability
Cory argues for redefining ownership in the IoT era, criticizing practices like Adobe’s Creative Cloud, where Pantone’s licensing dispute threatened to render designers’ work unusable. By designing devices to resist forced downgrades, manufacturers can empower users to maintain control. The panel collectively urges a shift toward sustainable design, where devices remain functional through community-driven updates, reducing e-waste and enhancing digital resilience.
Links:
[DefCon32] Listen to the Whispers: Web Timing Attacks that Actually Work
Timing attacks, long dismissed as theoretically potent yet practically elusive, gain new life through innovative techniques. James Kettle bridges the “timing divide,” transforming abstract concepts into reliable exploits against live systems. By amplifying signals and mitigating noise, Kettle unveils server secrets like masked misconfigurations, blind injections, hidden routes, and untapped attack surfaces.
Traditional hurdles—network jitter and server noise—once rendered attacks unreliable. HTTP/2’s concurrency, enhanced by Kettle’s single-packet method, synchronizes requests in one TLS record, eliminating jitter. Coalescing headers via sacrificial PING frames counters sticky ordering, making attacks “local” regardless of distance.
Server noise, from load variances to cloud virtualization, demands signal amplification: repeating headers for cumulative delays or denial-of-service tactics like nested XML entities. Repetition exploits caching, reducing variability; trimming requests minimizes unnecessary processing.
Parameter Discovery and Control Flow Insights
Kettle adapts Param Miner for time-based parameter/header guessing, uncovering hidden features on thousands of bug bounty sites. Timing reveals parameters altering responses subtly, like JSON-validated headers or cache keys signaling web cache poisoning risks.
Control flow changes, such as exceptions, emerge vividly. A Web Application Firewall (WAF) bypass exemplifies: repeated “exec” parameters trigger prolonged analysis, escalating to denial-of-service; excess parameters expose max-header limits, enabling evasion.
IP spoofing headers like “True-Client-IP” induce DNS caching delays, confirmed via pingbacks. Non-caching variants suggest third-party geo-lookups, bypassing with hostnames.
Server-Side Injection Vulnerabilities
Timing excels at blind injections in non-sleep-capable languages. Serde JSON injections manifest as microsecond differentials; combining with client-side reflections infers standalone processing, aiding exploitation.
Blind Serde parameter pollution contrasts reserved/unreserved characters, yielding exploits. Doppelgangers—non-blind equivalents—guide understanding, turning detections into impacts.
SQL injections via sleep evade WAFs but overlap existing tools; timing shines where sleep fails, though exploitation demands deep target insight.
Scoped Server-Side Request Forgery Detection
Overlooked for years, scoped SSRF—proxies accessing only target subdomains—defies DNS pingbacks. Timing detects via DNS caching or label-length timeouts: valid hostnames delay; invalids accelerate or prolong.
Automating exploration, Kettle probes subdomains directly and via proxies, flagging discrepancies like missing headers. Exploits span firewall bypasses, internal DNS resolutions uncovering staging servers, pre-launch consoles, and frontend circumventions.
Frontend impersonation leverages trusted internal headers for authentication bypasses, exploitable via proxies, direct backend access, or smuggling. Timing guesses header names, enabling severe breaches.
Links:
EN_DEFCON32MainStageTalks_004_005.md
[DefCon32] Breaking Secure Web Gateways for Fun and Profit
Secure Web Gateways (SWGs), integral to enterprise Secure Access Service Edge (SASE) and Security Service Edge (SSE) frameworks, promise robust defenses against web threats. Vivek Ramachandran and Jeswin Mathai expose architectural flaws in these systems, introducing “Last Mile Reassembly Attacks” that evade detection across major vendors. Their findings underscore the limitations of network-level analysis in confronting modern browser capabilities.
SWGs intercept SSL traffic for malware scanning, threat prevention, URL filtering, and data loss prevention (DLP). Yet, as browsers evolve into sophisticated compute environments, attackers exploit client-side processing to reassemble threats post-proxy. Ramachandran highlights how SWGs lack context on DOM changes, events, and user interactions, operating blindly on flat traffic. Cloud constraints—file size limits (15-50 MB) and incomplete archive scanning—exacerbate vulnerabilities, often forcing blanket policies.
Vendors’ service level agreements (SLAs) claim 100% prevention of known malware, but these attacks shatter such guarantees. Pricing models ($2-4 per user/month) prioritize efficiency over exhaustive analysis, leaving gaps in protocol support and file handling.
Unmonitored Channels and Hiding in Plain Sight
Mathai demonstrates unmonitored protocols like WebRTC, WebSockets, gRPC, and Server-Sent Events smuggling malware undetected. These channels, essential for real-time apps, bypass interception; blocking them degrades user experience. Demos show seamless downloads of known malicious files via these vectors, indistinguishable from standard HTTP.
Further evasion involves embedding payloads in HTML, CSS, JavaScript, or SVG, extracting them client-side for reconstruction. SWGs scan individual resources but miss browser-side assembly. Encryption/decryption and encoding/decoding (e.g., Base64, UUencode) transform binaries in memory, dropping unencrypted files without triggering content disposition headers.
Last Mile Reassembly Techniques
Core to their research, Last Mile Reassembly fragments files into chunks—straight splits, reverses, randomized sizes, or mixes—fetched via multiple requests and reassembled via JavaScript. SWGs analyze fragments independently, failing to detect malice. Extending to WebAssembly modules constructing documents (e.g., malicious Excel) locally, no file download occurs from the proxy’s view.
File uploads reverse this: insiders fragment sensitive data, sending as form submissions evading DLP rules. Overlapping fragments mimic historical network attacks, fully bypassing inspections.
Phishing sites, converted to MHTML archives and smuggled via reassembly, repaint via canvas, reusing known malicious pages undetected. SWGs fingerprint server-side but overlook client-side rendering.
Architectural Challenges and Vendor Responses
SWGs’ server-side nature precludes real-time browser syncing or per-tab emulation, unscalable amid millions of events. Ramachandran argues for browser-integrated security to access rich data, contrasting cloud-centric models’ economic allure with practical failures.
Vendor engagements yielded mixed results: some acknowledged issues and pursued fixes; others claimed partial detection or disengaged. Open-sourcing 25 bypasses at browser.security empowers testing, urging vendors to address rather than block the site.
Their toolkit facilitates red-team simulations, exposing SLAs’ fragility. Enterprises must rethink web threat defenses, prioritizing client-side visibility over network proxies.
Links:
[DefCon32] Abusing Windows Hello Without a Severed Hand
In the realm of cybersecurity, exploring vulnerabilities in authentication mechanisms often reveals unexpected pathways for exploitation. Ceri Coburn and Dirk-jan Mollema delve into the intricacies of Windows Hello, Microsoft’s passwordless technology, highlighting how attackers can manipulate its components without relying on physical biometric data. Their presentation uncovers the architecture of Windows Hello, from key storage providers to protectors and keys, demonstrating real-world abuses that challenge the system’s perceived robustness.
Coburn begins by outlining the foundational elements of Windows Hello, emphasizing its role in generating keys for operating system logins, passkeys, and third-party applications. The distinction between Windows Hello and Windows Hello for Business lies primarily in the latter’s focus on certificate-based authentication for Active Directory environments. Both utilize key storage providers (KSPs), which serve as APIs for cryptographic operations. Traditional providers include software-based ones, TPM-backed platforms, and smart card integrations, but Windows Hello introduces the Passport KSP, acting as a proxy to these existing systems.
The Passport KSP comprises two services: the NGC service for application communication via RPC and the NGC controller service for metadata storage under the local service account, accessible only with system-level privileges. Each user enrollment creates a unique container folder identified by a GUID, housing protectors, key metadata, and recovery options. Protectors represent authentication methods like PINs or biometrics, encrypting intermediate PINs that unlock enrolled keys. These intermediate PINs—split into signing, decryption, and external variants—remain constant across protectors, allowing bypasses once accessed.
Unprivileged Attacks and Primary Refresh Tokens
Shifting focus, Mollema addresses attacks feasible without administrative privileges, centering on Primary Refresh Tokens (PRTs) in Windows Hello for Business scenarios. PRTs function as single sign-on tokens, requested via JSON Web Tokens (JWTs) signed by device certificates, ensuring trust from Entra (formerly Azure AD). When using Windows Hello, these requests incorporate data signed by private keys, including nonces to prevent replays.
A critical flaw arises from the ability to generate assertions without prompting for PINs or biometrics post-login, as keys are cached in sessions. Mollema demonstrates crafting “golden assertions” with extended validity, though Microsoft mitigated this by enforcing nonces server-side in May 2024. Nonetheless, within a five-minute window, attackers can request new PRTs on rogue devices, bypassing TPM protections and enabling persistence for up to 90 days.
This technique exploits RDP scenarios where PRTs on non-TPM devices expose credentials. Even with virtualization-based security or LSA protections, such attacks persist, underscoring the need for device compliance monitoring and restrictions on RDP to non-TPM systems.
Privileged Exploitation of Containers and Protectors
Under privileged access, Coburn dissects container structures, revealing metadata in .dat files detailing user SIDs, backing KSPs, and recovery keys. Protectors encrypt intermediate PINs differently: PIN protectors use PBKDF2 derivation for software KSPs or hex conversion for TPM unsealing. Biometric protectors, surprisingly, rely on system DPAPI keys, enabling reversal without actual biometrics via Vault decryption.
Recovery protectors, exclusive to business scenarios, involve Azure-encrypted blobs requiring MFA claims, yet their storage outside protector folders poses risks. Pre-boot and deprecated companion device protectors receive brief mentions, with further research needed.
Abuses include brute-forcing software-backed PINs via Hashcat masks, exploiting known lengths for rapid cracks—seconds for eight digits. TPM-backed PINs resist better, though four-digit variants succumb in months due to anti-hammering.
Key Types and Persistence Implications
Enrolled keys leverage intermediate PINs: vault keys decrypt local passwords in consumer setups, entry keys handle business enrollments and passkeys, and external keys support third-party apps like Okta FastPass. Software-backed keys allow extraction off-device, amplifying risks.
Mollema extends this to PRT theft, using cached keys for assertions on different devices, even without TPMs, facilitating identity persistence. Reported vulnerabilities led to CVE assignments, with server-side enforcements post-July 2023.
Endpoint mitigations include Windows Hello Extended Session Security (ESS), rewriting containers in JSON under secure processes. Detections monitor NGC metadata access, alerting on non-controller processes.
Their tools—Shay for Hello abuses and ROADtools for Azure AD—aid offensive and defensive efforts, drawing from blogs by Teal and others.