Black Hat 2017

The best tracks from Black Hat 2017

amol sarwate / 08.01.17

Over the course of the last few years, Black Hat – the desert meetup for security geeks – has evolved impressively. So many events happen simultaneously, and in the midst of the parties and socialization I attended as many security briefings from fellow researchers as possible.

Choosing from more than a dozen parallel tracks was difficult, but here are a few of my top picks of what was definitely worth a listen:

Hacking serverless runtimes: profiling AWS Lambda, Azure functions, and more
Speakers: Andrew Krug and Graham Jones

As organizations move their infrastructures into the cloud, the need to secure this new frontier becomes increasingly evident. This talk perfectly demonstrated how insecurities can be introduced into AWS, Azure and other cloud infrastructures, and what organizations can do to secure them.

The first demo dove into AWS Lambda. The researchers created code that broke out of the controlled Lambda sandbox and accessed the environment of the outside machine. In AWS the Lambda filesystem is read-only, so it exposes the least attack surface. For Azure, breaking out yielded richer capabilities because the code had read/write access. All in all, this was great cloud-security-focused research.

ShieldFS: the last word in ransomware resilient file systems
Speakers: Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero and Federico Maggi

This interesting research introduced a Windows program/driver that determines whether the machine is infected by ransomware (like WannaCry) trying to encrypt your data. Interestingly, the machine learning model was developed before WannaCry and, according to the researchers, it was able to protect against the WannaCry outbreak. The program not only blocks the ransomware process but also keeps a backup of your data without taking a toll on the CPU at runtime – a sleek product in development if you ask me.

Splunking dark tools – A pentesters guide to Pwnage visualization
Speakers: Bryce Kunz and Nathan Bates

This talk focused on an excellent Splunk plugin that visualizes your network and host status, including the inventory of devices, open ports, and open services, providing a great diagram of who is talking to whom. The tool requires you to run a program on host machines and forward the data and logs to Splunk using your organization’s existing log forwarding mechanism. In my opinion this would be an excellent tool for organizations that are already using Splunk.

Free-Fall: hacking Tesla from wireless to CAN bus
Speakers: Sen Nie, Ling Liu, and Yuefeng Du

No Black Hat is complete without a good car hack, and this talk delivered. The speakers remotely hacked into a Tesla Model S and a Model X, demonstrating in pre-recorded videos their ability to control the car.

The “remote” hack was administered using the default Wi-Fi SSID used by Tesla shops and charging stations. The researchers exploited a browser bug in the car when the car connected to the malicious Wi-Fi network they hosted. After gaining control of the browser, the researchers used a series of flaws to take control of the bridge, which is the connection between the car’s Ethernet and the CAN bus.

Since there was no code signing, the team installed custom firmware on the Ethernet-CAN bridge while keeping its existing functionality intact. Once they were able to control the CAN bus it was game over!

Exploit kit cornucopia
Speakers: Brad Antoniewicz and Matt Foley

This research focused on the infrastructure of exploit kits – SaaS-like offerings through which even a novice attacker can install malicious binaries on thousands of machines. The researchers studied Rig, which in my opinion is the top dog of the exploit kit world since the disappearance of Angler. They disclosed a vulnerability in the injected code placed on compromised websites and exploited that vulnerability to uncover the kit’s deeper infrastructure.

Zero days, thousands of nights: the life and times of zero-day vulnerabilities and their exploits
Speaker: Lillian Ablon

This unique research by Lillian Ablon highlighted the average amount of time it takes for a zero-day vulnerability to become public knowledge, whether through vendor acknowledgement, leaks, or another researcher finding the same flaw. The inspiration behind the talk was to drive policies for zero-day disclosure, which we are greatly in favor of here at CloudPassage!

Practical tips for defending web applications in the age of DevOps
Speaker: Zane Lackey

As the title suggests, this talk provided practical advice and useful guidance for protecting web applications in today’s world of agile, DevOps, and continuous integration and continuous delivery (CI/CD). As you know, traditional methods of securing web applications (static analysis and dynamic scanning) often don’t work in today’s agile environments, and this research provided an excellent entry point into securing web apps.

Well, that escalated quickly! How abusing Docker API led to remote code execution, same origin bypass and persistence in the hypervisor via shadow containers
Speakers: Michael Cherny and Sagie Dulce

This session covered the benefits of moving to the container model, but it also showed how some insecurities could be abused. With so many organizations moving toward containerization, this talk provided some interesting insights.

Out of the dozens of container APIs, the researchers found a vulnerable API and used it to achieve persistence, which is container gold for attackers. One of the benefits of containers is that once they are destroyed, everything related to them is gone. So if your container is compromised, destroying it should also get rid of the attacker’s code – in theory. But this research demonstrated how attacker code can persist, using shadow containers, and come back to haunt you when you re-spin the container.

IoTCandyJar: towards an intelligent-interaction honeypot for IoT devices
Speakers: Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia and Xin Ouyang

With the Mirai IoT botnet fresh in our memories, this research developed a unique approach to getting alerts for IoT botnet activity. Hundreds of IoT device types each behave differently, which makes mimicking them in a honeypot challenging. The approach taken here was to scan the entire internet for IoT devices, automatically record their behavior, and apply machine learning so that the custom honeypot can trap future IoT botnets.

SITCH: distributed, coordinated GSM counter-surveillance – arsenal theatre demo

Lastly, in the Arsenal section, I attended an excellent research presentation by CloudPassage strategic engineering specialist Ash Wilson. He was looking into SITCH, a distributed, coordinated GSM counter-surveillance system. It uses the Raspberry Pi 3, inexpensive hardware, and open-source software to create a network of sensors for detecting malicious activity in GSM wireless networks. With “BYOD”, a lot of sensitive corporate data travels over GSM networks, and the ability to monitor and detect anomalies in the network can prove valuable in an organization’s defense-in-depth strategy.

That’s it for my 2017 Black Hat journey. Overall, the concern centered on securing and managing cloud and container infrastructures, especially when researchers are able to persist their code with concepts like shadow containers. It will be interesting to see how these techniques, hacks, and research will be used (for both good and bad) in the ever-changing security landscape.