Black Hat Asia 2018

This year I had the honour of being invited to be part of the 2018 Black Hat Regional Review Board for Asia. This is a volunteer role that I take very seriously, having the privilege to read through people's research and see what's on the horizon. This year did not disappoint, with great talks in the malware, network defense, IoT, SDL and many other tracks. The regional review board comprises security professionals worldwide, so jumping on a conference call at 2am to discuss submissions is not unusual. Everyone is highly dedicated and I was proud to be part of this team.

The 2 days were extremely busy and I wanted to attend many of the presentations I personally weighted highly. Black Hat Asia 2018 displayed outstanding regional and international research, and I'd like to recount some of my highlights. I wish I could have attended more talks and arsenal.

DAY 1

NATIONAL CYBER-AGGRESSION AND PRIVATE-SECTOR INTERNET INFRASTRUCTURE

Opening Keynote by Bill Woodcock

Woodcock started by summarising past cyber breaches, the damage caused and the lessons learnt, if any. The part that struck a chord with me, and I assume with the rest of the audience, was when he started talking about the impact on critical infrastructure and civilians. Breaches impacting critical services and lives such as the Russian power grid and the NHS, where does that leave mankind? Are we really that selfish? He went on further to discuss what countries are doing to try and influence change. Russia and China put together treaties which nobody abides by, so there had to be a better way.

Woodcock discussed the importance of the GCSC and the work he and Jeff Moss were actively doing. The GCSC (Global Commission on the Stability of Cyberspace) is helping to promote mutual awareness and understanding among the various cyberspace communities working on issues related to international cybersecurity (quoted from website). He discussed the differences between treaties and norms, and the importance of creating a non-aggression norm to protect civilian lives and critical infrastructure services.

I found this talk very uplifting. Woodcock's message was loud and clear: cyber is hard and the landscape changes faster than we can click our fingers. While there might be a war coming, lives and people matter and they must come first.

I DON'T WANT TO SLEEP TONIGHT: SUBVERTING INTEL TXT WITH S3 SLEEP

by Jun-Hyeok Park and Seunghun Han

I remember reading through this submission and I was excited by the thought process of these two researchers. They discussed the differences between the Intel TXT and UEFI Secure Boot sequences, whereby each method ideally can be measured and validated by the TPM. They demonstrated how tBoot (a reference implementation of TXT widely used on Linux distros) can be exploited using the Lost Pointer Vulnerability to change the PCR values stored in the TPM. Exploitation is possible as the S3 state does not shut down all the security functions. Park and Han called for better controls in the tBoot sequence and other mitigating controls.

SECURING YOUR IN-EAR-FITNESS COACH: CHALLENGES IN HARDENING NEXT GENERATION WEARABLES

by Kavya Racharla and Sumanth Naropanth

Wearables are popping up everywhere! Whether you use one to pay for your shopping, do your banking, or as a personal fitness trainer, the list is growing. As companies rush to market, just how secure is our data? Racharla and Naropanth discussed the ever-growing challenges in the interaction between the wearable device, the app which lives on our smart phones, and the cloud infrastructure which supports it. Industry protocols are being created and/or modified to meet the demand with no standardisation. They presented a new way of doing SDL for IoT/Wearables, SPDL (Security and Privacy Development Lifecycle), where the focus is on mitigating disclosure of information, deep diving into the challenges of each phase.

The researchers finished off their talk by demonstrating a number of wearable exploits and areas of improvement. In a time where IoT is booming and end-users are looking for ease of use and compatibility, Racharla and Naropanth are trying to influence the industry by creating a standard framework to reduce information leakage and improve security.

BREACH DETECTION AT SCALE WITH AWS HONEY TOKENS

by Dan Bourke and Daniel Grzelak

It seems every cloud provider is in the front-page headlines. In particular, while companies like AWS offer their customers a secure operating environment, many of the security features are disabled or perhaps misconfigured through lack of training or other factors. AWS access keys (private key) are necessary whenever you want to create a new EC2 instance. However, how are we securing these keys?

Bourke and Grzelak started off their presentation by doing a live demo of finding an AWS access key and posting it to Pastebin in the hope that someone would use it. We weren't disappointed! What was the point? AWS access keys are being stored in all sorts of places: user desktops, text files, and even GitHub, as a quick search shows. They wanted to demonstrate how easy it was and the lack of controls in place.

Introducing SpaceCrab, the defensive tool that monitors the usage of your AWS access keys as honey tokens. If they are used and accessed, then your administrators are notified. This was a well presented talk (and entertaining) that showed the impact of breached AWS keys and how SpaceCrab can help the Security Ops teams.
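The honey-token idea described above, sketched as an added example (this is not SpaceCrab's code and was not shown in the talk): it scans CloudTrail-style records for any use of a planted decoy access key ID. The key IDs, IP addresses and log records are constructed samples; the field names follow the CloudTrail record format.

```python
import json

# Constructed decoy key IDs (placeholders, not real credentials), mapped to
# the place each one was planted so an alert shows which location leaked.
HONEY_TOKENS = {
    "AKIAEXAMPLEHONEY0001": "ci-server:~/.aws/credentials",
    "AKIAEXAMPLEHONEY0002": "internal wiki, onboarding page",
}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = "\n".join([
    '{"eventTime":"2018-03-22T02:11:09Z","eventName":"DescribeInstances",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLEPRODKEY01"}}',
    '{"eventTime":"2018-03-22T02:14:30Z","eventName":"GetCallerIdentity",'
    '"sourceIPAddress":"203.0.113.45","userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY0001"}}',
    '{"eventTime":"2018-03-22T02:14:31Z","eventName":"ListBuckets","errorCode":"AccessDenied",'
    '"sourceIPAddress":"203.0.113.45","userIdentity":{"accessKeyId":"AKIAEXAMPLEHONEY0001"}}',
    '{"eventTime":"2018-03-22T02:20:00Z","eventName":"ConsoleLogin",'
    '"sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser"}}',
    'truncated-or-corrupt line',
])


def find_honey_token_use(log_text, tokens=HONEY_TOKENS):
    """Return one alert per record whose access key ID is a planted decoy."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip corrupt lines rather than abort the scan
        identity = rec.get("userIdentity") if isinstance(rec, dict) else None
        key_id = identity.get("accessKeyId") if isinstance(identity, dict) else None
        if key_id not in tokens:
            continue  # legitimate key, or no key at all (e.g. console login)
        alerts.append({
            "time": rec.get("eventTime"),
            "key_id": key_id,
            "planted_at": tokens[key_id],
            "action": rec.get("eventName"),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied call is still an alert: the key left its hiding place.
            "outcome": rec.get("errorCode", "Success"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_honey_token_use(SAMPLE_LOG):
        print("HONEY TOKEN USED:", json.dumps(alert))
```

Because a decoy key has no legitimate user, every hit is worth notifying on, and the `planted_at` value tells the responder which host or document was read.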

DAY 2

A SHORT COURSE IN CYBER WARFARE

Opening Keynote by The Grugq

The Grugq started his presentation by discussing the history of war in terms of dimensions: land, sea, air, space and finally cyber. He showed one such text (if I recall it was air), where you could simply replace the word cyber with air and the text could have been written for today. Fantastic comparison!

In his talk The Grugq stated, "You may be best in your field, but your skills don't guarantee a win, you need to overwhelm your opponent". This is the reality we live in as information security professionals. You can have the best defenses, the best of everything, but it takes one new move, one new tactic, and we are defeated. He mentioned the complexity of security, how "things that should work don't and things that shouldn't work do".

The keynote looked at Cyber Security from a unique perspective, comparing the progression of each dimension and the complexity of each. The modification of human behaviour changing outcomes.

SERVER TAILGATING - A CHOSEN-PLAINTEXT ATTACK ON RDP

by Eyal Karni, Roman Blachman and Yaron Zinar

I really enjoyed watching these researchers present their findings on how they took advantage of the CredSSP protocol. The team showed that when they received a copy of the public key it wasn't verified, therefore anyone could sign it. Using this weakness they could compromise a domain controller and obtain a copy of the passwords. At this stage all versions of Windows are vulnerable and they showed how they are working with Microsoft to remediate this issue.

WHEN GOOD TURNS EVIL: USING INTEL SGX TO STEALTHILY STEAL BITCOINS

by Michael Schwarz and Moritz Lipp

This presentation was an outstanding talk and was definitely one of the highlights at Black Hat Asia. Not only did Schwarz and Lipp have great presentation style, their topic and research were creative and thought provoking. They discussed Intel's SGX (Software Guard Extensions), which is "so" secure that it can't be accessed even by the operating system. By definition it should not be subject to any vulnerabilities, let alone be exploited. What these researchers did was nothing short of amazing.

Within the SGX enclave everything is encrypted. Not only is it protected from malware entering, but the operating system has no access either. Hence why the enclave was implemented to store private keys such as those which are used in our bitcoin wallets. These researchers demonstrated how, using a race condition, they were able to retrieve the 256-bit private key from the SGX enclave.

This picture below is pure genius. They purpose-built their own clock timer to be able to retrieve the key, as SGX does not have one so attacks like this are less likely.

It still inspires me to see their persistence and the effort in their research to prove out their theories. I don't think I could ever do this talk justice. I am hoping the video will be made available soon, as there was a lot of information that I personally would like the opportunity to study and re-watch.

OTHER TALKS

There were other really good talks I wanted the opportunity to see, but there are only so many ways you can divide yourself. I look forward to watching the video on these when they are released:

CLOSING

As Stefano Zanero put it, if you have an opening keynote, you must have a closing locknote, and I had the privilege to be part of it. It was hosted by Stefano and included myself, Vincenzo Iozzo and Anthony Lai. We all grabbed a beer or water and discussed some of our favourite talks at 2018 Black Hat Asia. I honestly felt we could have used the entire hour just discussing the research presented. Finally we closed off by discussing areas which we think will be hot topics or will possibly make an appearance in Black Hat USA 2018.

Thank you to all the organisers and the review panel who work tirelessly to create such an amazing event. Finally, to the researchers in arsenal, on the stage, those who submitted or want to submit in the future, keep pushing the boundaries and the limits of your imagination. We are all grateful for your hard work and time.

Also published on Linkedin
