NO HAT 2022

COMPUTER SECURITY CONFERENCE

22nd of October 2022 | Bergamo (Italy)

Concluded

Numbers of the 2022 edition

9 presentations, on the most relevant and recent issues
12 speakers, the most well-known professionals of the cyber industry
400+ attendees, from all over the world

Talks & Speakers

Take the Money and Run: Decentralized Finance and the New Frontiers of Cybercrime

Giovanni Vigna
Decentralized Finance (DeFi) has promised to deliver a novel infrastructure that allows for the creation of financial services that do not rely on centralized, tightly controlled institutions. The current status of DeFi is a very dynamic, if not chaotic, environment in which new infrastructure components and protocols are routinely introduced to provide new services. However, it is not yet clear if the advantages introduced by DeFi applications outweigh the risks of participating in this highly unregulated market. Multi-million heists, widespread fraud, unchecked speculation, and devastating social engineering attacks have demonstrated that DeFi has a dark side. In this presentation, we will provide an overview of how DeFi services are abused and misused to support cybercrime, and what can (and cannot) be done to combat this massive problem. In addition, we will provide specific examples of current research in identifying vulnerabilities in smart contracts and security issues in the NFT marketplace.

The Evolution of Firmware Threats: Attacks below the OS

Alex Matrosov
Defensive software evolution is closely linked to the evolution of the modern threat landscape. Each iteration of evolution covers a specific gap in detection methods. Rootkits and bootkits have always benefited from persistence methods that get them closer to the hardware and firmware. Operating systems are evolving in a way that increases the cost of malware persistence and exploitation, and advanced threat actors are looking for the next level of persistence below the OS. Historically, firmware attacks have been more associated with advanced state-sponsored threat actors. In the modern threat landscape, firmware has become more and more of a sweet spot for attackers. But when it comes to detecting firmware threats, the industry is just scratching the surface. Current discoveries reveal that threat actors have been stealthily operating since 2015 or even earlier.

Web Security in 2022 - New Techniques, New Vulnerabilities and other Updates

Luca Carettoni
At Doyensec, we have a traditional monthly event called “Best Bugs”. Our security engineers and researchers showcase the most interesting security vulnerabilities that they have either discovered or helped exploit. For us this is a unique opportunity to share knowledge among team members, but there is more. Over the years, we realized how these bugs represent the current state of web application security. The progressive shift to SecDevOps and tech stacks that are secure-by-default have significantly changed the type of vulnerabilities and misconfigurations that affect mainstream web applications. Classic injection vulnerabilities are long gone in hard targets, and the new frontier of vulnerability research involves logical bugs, prototype pollution, API path traversal, broken state machines, second-order injections, misuse of libraries, inconsistencies between the application and the cloud infrastructure and many other “modern” approaches. In this presentation, I will showcase several of those bugs with the goal of both teaching individual techniques and vulnerabilities, as well as showing trends from the last couple of years.
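Prototype pollution, one of the "modern" classes named in the abstract above, is worth seeing in code. The following is an added example, not from the talk, the slides or Doyensec: a recursive merge of a JSON request body into a server-side object, first in the vulnerable form and then hardened by refusing the keys through which the prototype chain is reachable. The merge functions, the `isAdmin` flag and the request body are constructed for the illustration.

```javascript
// Added example, not taken from the talk or from Doyensec's code.
// Constructed attacker-controlled JSON body: after JSON.parse, "__proto__" is
// an ordinary own property, so a naive recursive merge will walk into it.
const ATTACKER_BODY = '{"name":"mallory","__proto__":{"isAdmin":true}}';

// Vulnerable deep merge: every key of the untrusted object is copied,
// including "__proto__". Reading target["__proto__"] yields Object.prototype,
// so the recursion writes isAdmin onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach the prototype chain and only
// descend into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// An authorization check on a completely unrelated object: with a polluted
// prototype it passes for everyone.
function isPolluted() {
  const unrelated = {};
  return unrelated.isAdmin === true;
}

// Merge the attacker body with the vulnerable function, report whether the
// global prototype was polluted, then undo the damage so the process stays usable.
function runUnsafe() {
  unsafeMerge({}, JSON.parse(ATTACKER_BODY));
  const polluted = isPolluted();
  delete Object.prototype.isAdmin;
  return polluted;
}

// Same body through the hardened merge: no pollution, legitimate keys kept.
function runSafe() {
  const user = safeMerge({}, JSON.parse(ATTACKER_BODY));
  return { polluted: isPolluted(), name: user.name, isAdmin: user.isAdmin };
}

console.log('unsafeMerge polluted Object.prototype:', runUnsafe());
console.log('safeMerge result:', runSafe());
```

The hardened variant is the minimum fix; in a real code base the object being merged into should also be created with `Object.create(null)` or validated against a schema, so that a key the denylist does not anticipate still cannot reach shared state.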

Crawlector: A Threat Hunting Framework

Mohamad Mokbel
Compromised websites can be used for drive-by-download attacks, watering-hole attacks, social engineering, web skimming, ad injection, and hosting exploit kits. The volume of malicious traffic from such websites mandates an automated approach to finding threat intelligence quickly and efficiently. In this talk, we present a new threat hunting framework called Crawlector (a combination of Crawler & Detector), designed for scanning websites for malicious objects in a fully automated manner. Crawlector supports online/offline scanning, spidering websites to discover additional links, Yara as a backend detection engine, digital certificate scanning, and querying URLhaus to find malicious URLs on the page, among others. The framework's operations are highly customizable. To demonstrate the framework's effectiveness and performance, we'll highlight some interesting results from scanning the top 700k Alexa websites and top 100k WordPress sites. Furthermore, this talk will address the design processes and decisions made during the development of the framework.

The "Open Machine Learning Application Security Project". The importance of testing Machine Learning models

Fran Ramirez, Pablo Gonzalez
When testing applications that employ machine learning algorithms, security auditors tend to check only for traditional programming vulnerabilities. However, these ML algorithms are also exposed to potential attacks due to bugs or other weaknesses. We are developing a framework called OMLASP (Open Machine Learning Application Security Project) to collect a list of potential attack and mitigation techniques for these algorithms. This framework aims to become a standard for auditing machine and deep learning algorithms against attacks such as pre-processing attacks (changing the input data so as to produce unexpected pre-processing output), adversarial attacks (misleading an ML algorithm into an incorrect classification), exploration attacks (leaking information out of an algorithm) and reverse engineering attacks (retrieving the weights and internal parameters of an ML model). We will show examples of these attacks and their effects on different real-world models, on top of releasing our framework to the public.

Mind the Gap: Smashing BMCs for Fun and OT Networks

Andrea Palanca
Recently, high-profile vendors started equipping IT appliances with system-on-chip technologies designed for remote asset management, namely Baseboard Management Controllers (BMCs). During our research, we observed that BMC hardware is deployed in IT networks within critical infrastructures, introducing new supply chain risks that have not been explored before. In particular, we analyzed a BMC bridging into a segregated production line to figure out how an attacker may gain full remote access to actuators and PLC devices. Our research highlighted an insecure codebase shared among different BMC vendors that can be exploited using non-public 0-days that we discovered. In this presentation, we demonstrate how these vulnerabilities can be leveraged to jump from IT to OT networks and disrupt industrial processes.

OT:ICEFALL - revisiting a decade of OT insecure-by-design practices

Jos Wetzels
More than a decade ago, Project Basecamp highlighted how many OT devices and protocols deployed in a wide variety of industries and critical infrastructure applications were insecure-by-design. Ever since, it's been common knowledge that one of the biggest issues facing OT security is not so much the presence of unintentional vulnerabilities but the persistent absence of basic security controls. While the past decade has seen the advent of standards-driven hardening efforts at the component and system level it has also seen impactful real-world OT incidents like Industroyer and TRITON abusing insecure-by-design functionality, which has left many defenders wondering just how much has changed. In this talk, we will present dozens of previously undisclosed issues in products from almost 20 vendors deployed in industry verticals ranging from oil & gas, chemical and power generation to water management, mining and manufacturing. We will provide a quantitative overview of these issues, which range from persistent insecure-by-design practices in security-certified products to failed attempts to move away from them, in order to illustrate how the opaque and proprietary nature of these systems, the suboptimal vulnerability management surrounding them and the often false sense of security offered by certifications significantly complicate OT risk management efforts. In addition, we will take a technical deep-dive into several of the issues to demonstrate the ability of attackers to achieve remote code execution on critical Level 1 devices using nothing but intended functionality and discuss its defensive implications. Finally, we will present quantitative insights into our research process in order to provide the audience with some hard numbers on the resources required to develop basic offensive capabilities for the issues discussed and its potential implications for the relevant threat landscape.

Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All

Jonathan Leitschuh
Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new, we’ve known about them for years, but they’re everywhere! The scale of GitHub & tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, & would be even more of a burden on volunteer maintainers of OSS projects. Ideally the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request. When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix & now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.

Glitching Devices for Code Execution

Cristofaro Mune
While fault injection attacks were once performed exclusively in expensive hardware security labs, they are nowadays a well-known and widely employed attack technique against embedded devices. Fault injection tends to be used to target critical conditional checks, like a hash comparison or an argument check, often by skipping an instruction. During the last few years, we have pioneered the usage of more powerful fault models. We showed how 'instruction corruption' can lead to attacks that are otherwise difficult to achieve with the traditional approach of instruction skipping. For example, we demonstrated how to escalate privileges without relying on software vulnerabilities, or how to bypass encrypted Secure Boot without knowing the key. This talk discusses techniques that leverage the 'instruction corruption' fault model to build fault injection attacks that require very loose synchronization with the target. Target synchronization was historically considered a strong requirement for such attacks, to the point that countermeasures such as random delays were introduced. This talk reveals how to build an attack that is able to bypass all previous assumptions. The discussed techniques allow the creation of attacks with very little 'locality', i.e. carried out in a much wider, and sometimes unexpected, execution window. The same attack has the potential to bypass most SW-based countermeasures that are commonly used in the industry today.

Sponsored by

Hacktive Security
Confindustria Bergamo
Sorint.SEC
Nozomi Networks