Black Hat Europe - day 1

Posted by   Virus Bulletin on   Oct 17, 2014

Programme packed with interesting talks.

Though the prestige of Black Hat Europe doesn't compare to that of its American parent conference, and the event certainly doesn't dominate the debate on Twitter in quite the same way, more than 800 security experts descended on Amsterdam this week where, in the RAI Convention Centre, the 14th edition of Black Hat Europe is taking place.

The conference opened with a keynote from Adi Shamir (perhaps still best known as the 'S' in the RSA protocol) on side channel attacks. He started by describing how it is possible for an adversary to extract the private RSA key by measuring the power usage of a computer that uses that key to decrypt data.

Most of Adi's presentation, however, concentrated on an attack that used a printer/scanner, a laser, and ultimately even a drone to extract data from an air-gapped network after it had been infected with malware. It was a fascinating presentation, even if probably of little practical use for anyone not in the business of writing film scripts.

After the keynote, the conference split into four parallel streams. I stayed in the main room to watch a presentation by Jose Selvi on bypassing HSTS.

HSTS (HTTP Strict Transport Security) allows a web server that has been contacted over HTTPS to tell the client to force all connections for the next n seconds to use HTTPS, for some usually very large value of n. This prevents a user who enters the URL manually (or uses a non-HTTPS bookmark) from becoming the victim of a man-in-the-middle attack.

As the value of n usually isn't infinity, Jose demonstrated a weakness in HSTS by performing a man-in-the-middle attack on the NTP protocol, forcing the client's computer to change its time to a future date. The 'Delorean' tool he demonstrated (named after the car in the Back to the Future film series) seemed pretty neat and showed that HSTS isn't a silver bullet for enforcing HTTPS.

Symantec researcher Candid Wüest spoke about wearable devices at VB2014 and, having missed that presentation, I can see why people were so excited about it. To be filed under the category 'it would be funny if it wasn't true', Candid showed how some of these devices have never been within a mile of a security expert, sending unencrypted and unauthenticated data over the Internet and making many other rather basic mistakes. And while that might perhaps not have surprised many people in the room, Candid demonstrated how he had already been able to track a large number of delegates through their wearables.

Although I have an interest in cryptography, I know very little about quantum cryptography. Hence I was intrigued by the presentation from BT's Konstantinos Karagiannis, in which he showed how by combining quantum theory and Fourier analysis, in the future one might be able to break RSA keys in real time. Konstantinos also showed a much more positive result: using quantum properties, one can send data (such as encryption keys) over a network with the property that it vanishes as soon as someone looks at it.

Axelle Apvrille has spoken at and written for Virus Bulletin on several occasions in the past (do read her most recent paper on AdThief if you haven't done so already), so I was interested to see her presentation on research she has performed with Ange Albertini. In their presentation, they showed how one could hide an Android app (such as malware installed by a second, apparently harmless, app) inside a PNG image that would AES-decrypt to the malware.

I was expecting a lot of brute forcing to find a key that would turn the malware into a PNG image, but it turned out that the trick is far more subtle and uses only some basic cryptography, as well as the fact that both PNG images and Android packages can contain a large amount of redundant data.

  An image like this one, of Anakin Skywalker, could AES-decrypt to Android malware.

The final talk of the day was also Android-related. In a presentation that didn't shy away from technical details, Sagi Kedmi explained that there is a weakness in the pseudo-random number generator used by Android, which turns out to be a lot more predictable than it is supposed to be, especially during the first moments after a device is booted up when not enough entropy is available.

As Sagi explained, and later showed in some demonstrations, this has serious consequences and could, for instance, be abused by malware to attack other apps and cause further harm.

The conference continues on Friday with another full day. If Thursday was anything to go by, I expect the presentations to be good!

Posted on 17 October 2014 by Martijn Grooten



Latest posts:

New paper: LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the…

VB2019 presentation: Building secure sharing systems that treat humans as features not bugs

In a presentation at VB2019 in London, Virtru's Andrea Limbago described how, by exploring data sharing challenges through a socio-technical lens, it is possible to make significant gains toward the secure sharing systems and processes that are vital…

VB2019 presentation: Attor: spy platform with curious GSM fingerprinting

Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. Details of Attor were presented at VB2019 in London by ESET researcher Zuzana…

Why we encourage newcomers and seasoned presenters alike to submit a paper for VB2020

With the call for papers for VB2020 currently open, we explain why, whether you've never presented before or you're a conference circuit veteran, if you have some interesting research to share with the community we want to hear from you!

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

At VB2019 in London, Kaspersky researcher Santiago Pontiroli presented a paper on the growing illegal economy around video game cheats and its parallels with the malware industry. Today we publish both Santiago's paper and the recording of his…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.