Arron “finux” Finnon
Hacking the Wetware – Compromising Fortune 500 Companies with Social Engineering
Social Engineering (SE) is one of the most severe threats to security and privacy as 90% of cyber attacks start with a social engineering attempt. This talk outlines updated real-world SE examples, and seemingly innocuous information that could compromise a company. Learn the methods SEs use to mine data, pick targets, choose pretexts, and exploit behavior to own companies, and how women are uniquely skilled as SEs – from a 2016 and 2017 DEFCON SE Capture the Flag winner.
Re-using your targets’ code against them
A story of how I found RCE in two different “fat client”-server applications (one .NET and one Java). As they used non-HTTP binary protocols to communicate, I re-used parts of the existing application code to quickly implement a custom client that could exploit the vulnerabilities. This talk will both show how to find bugs in applications by decompiling Java and .NET code as well as how to re-use that decompiled code to attack the application.
The Hunt is On! Advanced Memory Forensics meets NextGen Actionable Threat Intelligence
Cyber attacks continue to increase in severity and sophistication. A new era of attacks have become more ubiquitous and dangerous in nature. Malware has become much better at hiding its presence on the host machine. However, one place it cannot hide for long is in the volatile memory of the computer system. The purpose of this talk is to show exactly how to conduct advanced forensics on volatile memory to extract relevant artifacts and indicators of compromise and interface with a new Actionable Cyber Threat Intelligence Engine I have built and released to the community to better hunt and identify new indicators of compromise across enterprise networks.
Breaking and abusing specifications and policies – Let’s Encrypt, cloud storage vulns and verfication bypasses
Last year at Secfest, Frans Rosén talked about DNS hijacking using cloud services. This time, he approaches technologies where verification methods actually exists and how to break them. Let’s Encrypt closed down one of their three blessed verification methods due to a bug Frans found in January. Cloud storage containers already patched from being publicly exposed are still often vulnerable to full modification, extraction and deletion by abusing weak policies and application logic. Frans goes through some weak design patterns, policy structures and explains how to bypass them which have netted him over $45,000 in bug bounties.
Insecurity in Information Technology
A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and pressure from management, often leads to stress, anxiety and less-than-ideal reactions from developers and security people alike.
No more laying blame and pointing fingers, it’s time to put our egos aside and focus on building high-quality software that is secure. The cause and effect of insecurities and other behavioral influencers, as well as several detailed and specific solutions will be presented that can be implemented at your own place of work, immediately. No more ambiguity or uncertainty from now on, only crystal-clear expectations.
Detecting Phishing from pDNS
Passive DNS (pDNS) has been utilised by threat researchers for several years and allows us to gather information on domain usage worldwide. Since data fidelity varies depending upon the scope, timeline, and vantage point of sensor networks, pDNS visibility provides a multitude of different and exciting results for analysts to review.
In this presentation we will quickly recap DNS and pDNS, review different approaches to detecting phishing using pDNS and focus on demonstrating different heuristics and operational procedures that can help increase actual detection while minimizing false positives.
Bokbot: The (re)birth of a banker
Bokbot (aka. IcedID) was discovered by Fox-IT in June 2017 and has been dated back to at least April 2017 and actively tracked since. This talk will detail what we’ve found so far during our tracking of the malware but also present findings that ties this specific malware threat to a well known group known as Vawtrak/Neverquest which targeted financial institutions between 2010-2017. We will also provide a rare insight into the development process and life cycle of this malware and also reveals a new type of debug logging technique via DNS.