NO HAT 2023

COMPUTER SECURITY CONFERENCE

21st of October 2023 | Bergamo (Italy)

Concluded

Numbers of the 2023 edition

4 tracks: Research, Technical and Executive Track + Workshops
18 speakers: the most well-known professionals of the cyber industry
+700 attendees: from all over the world
Did you get one of our amazing Hardware Badges?
The source code has been published! Don't miss it!

Talks & Speakers

The Truth About Threats

Herbert Bos
Software design is all about separation of concerns. First, separation of concerns through layered abstraction is one of the most fundamental tenets in software engineering today. If JavaScript programmers, say, needed to know the minute implementation details of all the libraries, the browser, the operating system, and even the hardware, they would not get much work done. Second, we separate concerns even when it comes to vulnerabilities: we distinguish different classes of vulnerabilities, such as memory errors, hardware bugs, etc., and train specialized experts to solve these issues separately. Unfortunately, the concerns are not separated at all! First, those nice abstraction layers are leaky: the internals of one layer frequently spill over into other layers, with important implications for security. As a result, our programmers need to be aware of what is going on behind those elegant interfaces. Second, attackers don't care about such class separation of vulnerabilities, because they will misuse multiple bugs to compromise your system. Different exploitation techniques can be combined such that the strength of the combination is greater than the sum of its parts. In this presentation, I will discuss 100,000 years of history, including how we develop software and mitigate threats. I will explain why the emphasis on separation of concerns is both necessary and dangerous. Finally, I will illustrate other depressing messages with uplifting stick figures and a fun case study that combines Spectre with memory errors.

Talking about Pros and Cons

Jacob Torrey
How can you get a glimpse of our community? 30 years of information security research: tens of thousands of authors (the Pros), almost 75,000 talks, papers, and blogs at thousands of conferences (the Cons), brought into a single graph DB. What do the connections between conferences, breaches, and authors tell us about research impact? Community structure? Emerging trends, and their timeline to become part of the collective consciousness? This talk will explore this dataset, asking these questions and more, to look at what the community has created in the last three decades. The dataset will also be hosted online for others to explore and query.

Abusing Active Directory Configuration and Implementing Effective OPSEC Actions

Mars Cheng, Dexter Chen
Enterprises use Active Directory (AD) to manage digital assets such as accounts, machines, and access rights. However, because compromising AD can give attackers control over an entire enterprise's network, it is a primary target for attackers. The blue team is aware that AD is a Tier-1 asset and has established several mechanisms to monitor and hunt attack activity. To evade detection by the blue team, attackers will use techniques such as leveraging privileges, configuration settings, or designed mechanisms, collectively called configuration abuse. They may also use operations security (OPSEC) processes to attack AD. This talk will discuss how attackers can abuse these configurations and OPSEC skills to compromise AD and achieve their objectives. We will demonstrate real AD attack paths that blend On-Premises and Azure AD, and dive into the AD attack techniques that abuse the AD configuration settings. We will also discuss the methodology, including enumeration, consideration of tactical goals, and how to evade blue team monitoring to succeed in the operation.

Codename I11USION: Eleven Practical Ways to Pwn Browser-Based HMIs in 2023

Andrea Palanca
Human-machine interfaces (HMIs) have been essential components in industrial control systems (ICS) for decades. With the advancements in web technologies and the wider adoption of web-based interfaces in the operational technology (OT) sector, browser-based HMIs have emerged as a practical alternative for supervising and controlling industrial devices. However, the inclusion of full-fledged browsers within these HMIs also introduces a unique set of risks that many vendors are overlooking, resulting in new vulnerabilities and opportunities for attackers. In this presentation, Nozomi Networks Labs reveals the results of novel research on browser-based HMIs. We describe the new attack vectors enabled by the inclusion of a browser in an industrial system, present the vulnerabilities found while analyzing five real-world devices, and show how these can be leveraged to secretly tamper with the industrial process while simultaneously manipulating the view to deceive operators.

Fuzzing: The Age of Vulnerability Discovery

Richard Johnson
In 2020, I discussed fuzzing in "Lightning in a Bottle", reviewing major milestones that led to the "fuzzing renaissance" that was kicked off by the creation of effective greybox mutational parser fuzzing with the release of American Fuzzy Lop. It is now 2023 and fuzzing continues to be one of the most effective approaches to vulnerability discovery, reaching an ever-wider range of attack surface in targets like browsers, kernels, trusted execution environments, smart contracts, mobile and embedded devices, managed languages and more. In this talk we will discover what the future trends and opportunities for fuzzing will look like. We will explore how the science of fuzzing has improved to augment early feedback methods, how the philosophy of fuzzing has evolved through benchmarking and empirical data, and how fuzzing tooling has become more flexible and adaptable to arbitrary targets. We will explore together what has happened since The Fuzzing Renaissance created a boom of research and began to mature as we shift into The Age of Vulnerability Discovery.

mHACKeroni's Recipe for Hacking Satellites (and Winning!)

mHackeroni
Join us, Team mhackeroni, for a light-hearted and entertaining dive into our victorious adventure at Hack-A-Sat! Our presentation takes you on a ride through the challenges and triumphs of hacking into an orbiting satellite, the Moonlighter.

The Dark Side of the Moon: Advancing System Call Obfuscation via Stack Manipulation

Alessandro Magnosi
Building upon the previous talk on thread stack spoofing and Stack Moonwalking, we will introduce advanced concepts and use cases of Full-Moon, focusing on addressing limitations that were previously left unsolved. After that, we will present "Half-Moon", another Stack Moonwalking technique that advances system call obfuscation. The Half-Moon technique is designed to conceal indirect system call invocations on Windows 64-bit platforms. Half-Moon builds upon the principles introduced by Full-Moon, enhancing the concealment of system calls within the call stack. Traditional approaches, including direct and indirect system calls, leave detectable traces through thread call stack analysis. Half-Moon circumvents this weakness by creating a seemingly legitimate call stack, evading detection mechanisms for indirect syscalls. We will delve into the technical intricacies of Half-Moon, showcasing its effectiveness in obfuscating system call invocations. After that, we will evaluate and discuss how this technique cannot be detected by using traditional detection algorithms, including our own Eclipse. Towards the end of the talk, we will discuss the impact of Control-Flow Enforcement Technology (CET) on these stack manipulation techniques. CET is a security mechanism designed to mitigate control-flow hijacking attacks. We will examine how Stack Moonwalking aligns with or challenges CET, emphasising the interplay between stack spoofing techniques and advanced security measures, and we will try to answer an extremely important question: will CET be enough to fully prevent stack spoofing techniques? Finally, we will inspire and foster collaboration among researchers and practitioners, driving the development of robust memory evasion techniques that can withstand the adoption of CET and strengthen cybersecurity defences.

Toward automated analysis and patching of memory corruption vulnerabilities

Andrea Continella
In the past few years, the research community proposed sophisticated tools to enhance automated security testing and identify vulnerabilities before they can be exploited by attackers. In fact, bug-finding techniques have arguably become too successful. We are nowadays finding more bugs than we can timely fix. In addition, existing tools do not provide detailed information about the discovered vulnerabilities, requiring expert analysts to manually investigate their causes and implications. However, identifying vulnerabilities is only the first step to secure software. A subsequent, fundamental step lies in reasoning about the identified vulnerabilities to understand their risks, and thus to develop and prioritize suitable patches. In this talk, I will present our latest research on automated analysis and patching of memory corruption vulnerabilities. Specifically, I will focus on two scenarios. First, I will focus on out-of-bounds write vulnerabilities and present a technique to automatically distill the set of source code-level objects affected by such unintended writes. Second, I will focus on firmware and discuss the challenges of injecting patches in binary-only monolithic images. I will present a set of automated program analysis techniques to address these challenges and enable third-party patching of embedded devices. We tested our tools on real-world binaries and firmware, characterizing several CVEs and patching severe vulnerabilities in critical devices, such as a pacemaker. Finally, I will conclude my talk by highlighting the next technical challenges to be addressed in future research.

Zero-Touch-Pwn: Abusing Zoom's Zero Touch Provisioning for remote attacks on desk phones

Moritz Abrell
Cloud communication platforms like Zoom have become a fundamental aspect of modern communication and are widely used in daily work. However, in certain scenarios, traditional endpoints such as desk phones or analog gateways are still required. Today, these devices can be integrated with most major cloud communication providers through the use of their provisioning services, which centralize configurations and firmware. This session is about a security analysis of the Zoom "Zero Touch Provisioning" method in conjunction with certified hardware. It will reveal several vulnerabilities that, when combined, allow an attacker to remotely compromise arbitrary devices, enabling massive eavesdropping on conversations or rooms, remote control of devices, or their use as a pivot point to attack the adjacent corporate network. Be curious about the details of hard-coded cryptographic material, improper authentication, lack of an immutable root of trust, exposure of sensitive information and unverified ownership.

How Much Do They Really Earn? Challenges and Pitfalls when Estimating Cybercrime Bitcoin Revenue

Juan Caballero
Estimations of the revenue cybercriminal gangs make through Bitcoin payments often do not agree, due to the use of different methodologies, seed addresses, and time periods. Most often, revenue is underestimated due to the (lack of) coverage of the gangs' payment addresses and the use of evasion techniques by the attackers. But how far the estimate is from reality remains unknown. Even worse, some estimations may instead grossly overestimate the profits due to methodological flaws. In this work, we perform the first systematic analysis on the estimation of cybercrime bitcoin revenue. We implement a tool that can replicate the different estimation methodologies. We use our tool to quantify, in a controlled setting, the impact of the different methodology steps. In contrast to what is widely believed, we show that the revenue is not always underestimated. There exist methodologies that can introduce huge overestimation. We collect 30,424 cybercrime payment addresses and use them to compare the financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We observe that the popular multi-input clustering fails to discover addresses for 40% of groups. We quantify, for the first time, the impact of the (lack of) coverage on the estimation. For this, we propose two techniques to achieve high coverage, possibly nearly complete, on the DeadBolt server ransomware. Our expanded coverage enables estimating that DeadBolt's revenue is 39 times higher than what would be calculated with a straightforward estimation.

KRWX: A tool to learn and assist Kernel Exploitation

Alessandro Groppo
The talk will present KRWX, an open-source tool I developed over the years, initially to study Linux Kernel internals and exploitation and later adjusted to assist the exploitation phase of kernel bugs. During the talk, I will explain how KRWX can be used to approach the Linux Kernel Exploitation subject by demonstrating practical use cases to explore the basics of the kernel. With the same practical and technical approach, the talk will also cover more advanced instances, like assisting the exploitation phase (as I have described in public exploits like CVE-2022-2602 and CVE-2020-27786) and more. The talk targets beginners and expert kernel exploit developers at the same time, showcasing all practical usages in a technical form.

It was harder to sniff Bluetooth through my mask during the pandemic

Xeno Kovah
During the pandemic I took up Bluetooth (BT) sniffing as a way to get out of the house. I didn't know what was out there for BT devices, but it felt important to know what the implications were of the new over-the-air, no-auth, cross-device, firmware-level exploits on BT chips that my wife and others had started publishing. And because BT Low Energy specifically added anti-tracking functionality that didn't exist in BT classic, I wanted to understand the in-the-wild state of privacy protection within the BT ecosystem. Bluedriving left me with questions that are different from those you'd ask based on traditional WiFi wardriving. Is there a correlation between poverty, obesity, and BT sleep apnea medical devices? What are the implications of BT on police body cameras? Are BT sniffers going to be (already) used as alternatives to license plate cameras for tracking vehicles? Are fitness trackers still making it easy to track humans instead? Can someone steal heavy-construction equipment thanks to BT keyless ignition? Can hackers be tracked by their "portable multi-tool[s]"? Do hotels using BT door locks "open the door" to easier assassinations? In this talk I will describe some of the most interesting observations from the past few years, and share some perhaps-surprising answers to those questions and more.

Uncovering Data Breaches: A Puzzle Reconstruction using RDP Cache Analysis

Matteo Redaelli
In the increasingly complex landscape of cybersecurity, having tools and methodologies to resolve security incidents is crucial. This presentation focuses on the importance of Remote Desktop Protocol Bitmap Cache analysis in Windows-based systems as a resource for extracting valuable information during cyber incidents. Bitmap caches are used by the client and server to store graphic bitmaps of a specific dimension. These images are stored on the endpoint to improve session performance and reduce latency, and may contain important information regarding an incident. Anonymized real cases will be presented during the talk, showing how RDP bitmap cache analysis has been really important. Additionally, a tool created for extracting information from the images will be presented. This automation allows investigators to perform analysis at scale, extending the scope of research and reducing the time it takes to identify hosts involved in the compromise. The main objective of this presentation is to provide cybersecurity experts with an in-depth overview of utilizing RDP cache bitmap analysis to address important questions like: did the attacker exfiltrate data? Practical knowledge and strategies will be shared to effectively tackle this subject matter.

NOTH1NG TO HID3

Kirils Solovjovs
This talk revisits the theme of personal privacy in the digital world, this time centring around the "I've got nothing to hide" argument. A beam of intensive light is shed on the motivation behind caring about one's privacy. We go in depth into what we can do to stay private and whether we should even try to do it at all. We talk about where we as a global society were able to fix privacy and where we have failed. New topics previously not covered are discussed, such as AI/LLMs.

How to Break into Organizations with Style: Hacking Access Control Systems

Julia Zdunczyk
Have you ever wondered how Red Teamers manage to get access to high-security areas in buildings? This talk is your chance to learn about the tools, tactics, and techniques we use to break access control systems. The presentation is based on the experience and examples collected during Red Team assessments and gathers in one place the knowledge needed to gain access to places protected by access cards. During the talk, I'm going to show you how I was able to break into organizations using techniques such as simple card cloning. We'll discover the basics of RFID technology and learn how to use Proxmark3 for access card scanning and cloning, with a demo of the device in operation. We'll explore some of the most common misconfigurations in access control systems and learn how to use them for gaining access and escalating privileges. We'll also delve into the technical and social engineering aspects of card scanning during a Red Team Assessment with an example of a complete kill chain, which enabled me to gain entry to highly secure areas within a building, starting from a position of zero access. And last but not least, we'll talk about how to protect your organization from these types of attacks. Let's discover how to break into organizations with style.

An Introduction to ARM64 Assembly and Shellcode

Saumil Shah
An Introduction to ARM64 Assembly and Shellcode is a workshop for those interested in getting a quick start into the world of 64-bit ARM binary exploitation. ARM64 is in several ways vastly different from ARM32. In this bring-your-own-laptop workshop, participants will learn the key differences between ARM32 and ARM64 from an assembly language perspective, get a hands-on introduction to writing simple ARM64 assembly code, work with a debugging environment and conclude by writing their own ARM64 shellcode.

Searching for 0-days in the Linux Kernel without quitting your job

Davide Ornaghi
When dealing with a vast codebase such as the Linux kernel, it's easy to get lost in the vulnerability research process because of the many applicable tools and techniques, not to mention the complexity of all the Linux-specific patterns scattered around the source code. This process can be extremely time-consuming and requires understanding the whole subsystem under analysis to correctly interact with it and spot possible security flaws. In this workshop, we will establish a research methodology that can be reproduced on the different components of the Linux kernel to find and demonstrate several classes of security bugs, thus maximizing your chances of finding actual vulnerabilities without putting too much effort into learning the internals. As security researchers, understanding our environment is essential, although we don't want to become kernel developers before starting to look for bugs. We will start with basic techniques such as static and dynamic analysis with Sparse and GDB, and then explore more advanced approaches such as variant analysis with CodeQL and subsystem-oriented fuzzing with Syzkaller to realize how certain bugs could have been found in the past. As for bug reproduction, we will focus on function tracing, kernel probing and debugging with Ftrace and SystemTap to generate a working reproducer while also understanding the nature of the vulnerability. We will eventually practice our methodology on precompiled kernel images that have been appropriately built from previous mainline trees, which include previously reported (and now patched) vulnerabilities. By the end of this workshop, the attendees will be able to independently assess basic security vulnerabilities on the Linux kernel attack surface, including most syscall and interrupt-based components.

Using and abusing Cloud Service Providers’ capabilities

Gianluca Varisco
In this workshop, we'll delve into several real-world CSP (Cloud Service Provider) attacks and highlight how to use the available telemetry to identify and detect these attacks. In particular, we'll dive into tactics used by threat actors such as lateral movement, privilege escalation and data exfiltration, and the types of event logging that aid the detection process. This session will cover several cloud services that may be erroneously configured as publicly accessible, including CSPs' queues, notification channels, managed identity providers, control planes, and different managed storage services. If you ever wondered how to properly manage IAM guardrail policies or how to deal with the security of the Instance Metadata Service (IMDS) or technologies like Kubernetes, and if all of this sounds like a tremendous effort, you may want to not miss this workshop! Join me and let's have some fun together! At the end of the workshop, attendees will better understand how to build targeted detections and enhance their overall security posture.

Sponsored by

Hacktive Security
Sorint.SEC
Nozomi Networks
Accenture
Confindustria Bergamo | Intellimech