NO HAT 2020

COMPUTER SECURITY CONFERENCE

28th of November 2020 | Virtual

Concluded

Numbers of the 2020 edition

- 9 presentations, on the most relevant and recent issues
- 12 speakers, the most well-known professionals of the cyber industry
- 2000 views on our livestream, from all over the world

Talks & Speakers

Humans in Cyberspace

Saumil Shah
In this age of exploration, we have finally established a growing colony on Planet Cyberspace. The landscape is vastly different from what we are built for. This keynote, while keeping user-centric cybersecurity as the central focus, explores four areas: Evolution, Asymmetry, Laws of Planet Cyberspace and Trust. I shall be sharing my observations over the past two decades in a humble attempt to provide some insight into the statement "Where we go depends a lot on where we came from".

Medical malware on Android

Axelle Apvrille
This talk focuses on medical malware on Android, or more precisely malicious applications which fake or abuse medical situations. You will follow live reverse engineering of a COVID-19 malicious app. We will also discuss other medical malware on Android, with some advice if you need to use your smartphone for medical reasons. Take care, be safe, and see you at No Hat!

Identifying multi-binary vulnerabilities in embedded firmware at scale

Andrea Continella
Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, which has led to the development of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent and executes in unique, minimal environments, making security analysis particularly challenging. Moreover, most existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this talk, we will unveil the inner peculiarities of embedded firmware, show why existing firmware analysis techniques are ineffective, and present Karonte, a novel static analysis tool capable of analyzing firmware by modeling and tracking multi-binary interactions. Our tool propagates taint information between binaries to detect insecure interactions and to identify vulnerabilities. We will then present the results and insights of our experiments. We tested Karonte on 53 firmware samples from various vendors, showing that our tool can successfully track and constrain multi-binary interactions. Doing so, we discovered 46 zero-day bugs, which we disclosed to the responsible entities. We performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity, and can effectively and efficiently analyze real-world firmware in a generic and fully automated fashion.

CRISPR - Binary Editing with High Level Languages

Filippo Cremonese
Have you ever wanted to patch an executable without manually writing tedious assembly and doing complex binary manipulations? By (ab)using the LLVM JIT engine, CRISPR allows you to statically rewrite individual functions in an existing binary using C, or any language for which LLVM IR can be generated. It is possible to call existing functions, import additional dynamic libraries, and do in-place patching if the new code fits! In this talk I will cover the motivation and the problems of rewriting binaries in a non-invasive way, diving into the dynamic loader internals and ELF file format voodoo necessary to accomplish this task, as well as why and how we chose to use the LLVM ORC JIT. CRISPR will be integrated with the Rev.ng decompiler and GUI, allowing point-and-click binary editing in the easiest way possible on a wide range of targets. This tool has the potential to become a game changer in real-world binary patching scenarios and A/D CTFs, and it will be released as open source!

Untrusted Roots: exploiting vulnerabilities in Intel ACMs

Alexander Ermolov, Dmitriy Frolov
Capture the Flag (CTF) competitions have attracted increasing interest over the last decade. They have proved to be an effective tool employed in academic, professional, and military contexts to teach practical IT security topics, as well as to strengthen lateral thinking skills and to acquire hands-on experience in the field. This talk will give you an insight into the various challenges that a team has to face while playing an attack and defence competition, leveraging the experience gained by mhackeroni. We will report on the infrastructure developed by the Italians to clash with the world's best teams at DEF CON CTF and present some concrete examples from well-known hacking competitions.

As it would be Sampei for you too?

Michele Orru, Giuseppe Trotta
Phishing remains the main technique for remotely compromising targets about whom the attacker has minimal or no prior knowledge. Cost is low, 0days are not required, and given the appropriate precautions phishing is difficult to track down. Moreover, even if the target realizes a phishing campaign is under way, yours truly Sampei would already have all the necessary info to keep going, pivoting in the target's network. Sampei isn't happy with credential harvesting; he goes beyond it, automating his techniques with new phishing tools like NecroBrowser. Sampei will also demystify two-factor authentication (2FA), as well as presenting those few cutting-edge protections that help mitigate phishing. Sampei will not drop any 0days, but plenty of fishing demos!

60 CVEs in 60 Days

Eran Shimony
In recent years, fuzzing has come to be considered the most effective way to discover new vulnerabilities. I will present a complementary approach to fuzzing. By using this method, which is quite easy, I managed to get over 60 CVEs across multiple major vendors in only one month. Some things never die. In this session, I'll show that a huge amount of software is still vulnerable to DLL hijacking and symlink abuse, which may allow attackers to escalate their privileges or DoS a machine. I'll demonstrate how I generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities. Our mindset was to choose software that is prone to be vulnerable: installers, update programs, and services. These types of software are often privileged and are therefore good candidates for exploitation using symlink or DLL hijacking attacks. We're only scratching the surface; I am positive that there are additional attack vectors that could be widely implemented to achieve similar results.

GANs and Roses: weaponizing the CEO Scam fraud with AI and Autoencoders Reloaded

Fran Ramirez, Pablo Gonzalez
The battle to discern whether news is real or not has already begun. Generating fake content has never been so easy. Artificial Intelligence has become a useful resource for applying techniques that make generating non-legitimate content easy. These new tools have become a threat, enabling the generation of fake news, phishing campaigns and cunning fraud strategies. In this talk, the most widespread techniques for the generation of deceitful content are explained from both technical and practical approaches. The capabilities of state-of-the-art generative models (i.e., Variational Autoencoders and Generative Adversarial Networks) will be exemplified by means of a Chief Executive Officer fraud sample generation, including fake image generation and custom voice production. Additionally, considering the large amount of fake content to which society is currently exposed, different Machine Learning techniques to reveal spurious content will also be presented.

Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks

Avinash Sudhonanan
This talk is about Cross-Origin State Inference (COSI) attacks. In a COSI attack, an attacker convinces a victim into visiting an attack web page, which leverages the cross-origin interaction features of the victim's web browser to infer the victim's state at a target web site. Multiple instances of COSI attacks have been found in the past under different names, such as login detection attacks. But those attacks only consider two states (e.g., logged in or not) and focus on a specific browser leak method (or XS-Leak). This work shows that mounting robust and more complex COSI attacks, such as deanonymizing the owner of an account, often requires considering multiple browsers and more than two states. To address these issues, we present a novel approach to identify and build complex COSI attacks that differentiate more than two states and support multiple browsers by combining multiple attack vectors, possibly using different XS-Leaks. To enable our approach, we introduce the concept of a COSI attack class. We propose two novel techniques to generalize existing COSI attack instances into COSI attack classes and to discover new COSI attack classes. We systematically apply our techniques to existing attacks, identifying 40 COSI attack classes. As part of this process, we discover a novel XS-Leak based on window.postMessage. We implement our approach in Basta-COSI, a tool to find COSI attacks in a target web site. We apply Basta-COSI to test four stand-alone web applications and 58 popular web sites, finding COSI attacks against each of them.

Sponsored by

- Reply Communication Valley
- InTheCyber Group
- Confindustria Bergamo
- IntSights
- Accenture