  • Black Hat - USA 2019 (Summary of talks of interest)
    Scrap 2019. 7. 12. 15:17

    I have summarized only some of the upcoming talks that relate to my interests.

    • Legal GNSS Spoofing and its Effects on Autonomous Vehicles
    Many systems depend on accurate location information from Global Navigation System Satellites (GNSS) for normal operation. Public GNSS lacks integrity mechanisms and is vulnerable to spoofing. U.S. Federal law does not allow over-the-air spoofing of GNSS or other signals, which makes assessment of vulnerabilities difficult outside of an enclosed laboratory environment. This research proved the usefulness of a Mobile GNSS Spoofing System that enables legal, real-world evaluation of GNSS vulnerabilities. The mobile spoofing system was used to evaluate vulnerabilities in an Unmanned Ground Vehicle (UGV). The UGV GNSS was exploited using several different attacks including forced lane switching, driving off the road, and stopping the vehicle.
    • Detecting Deep Fakes with Mice
    Neural networks can generate increasingly realistic, human-like speech. These so-called "deep fakes" can be used in social engineering attacks.
    • APIC's Adventures in Wonderland (expected to introduce vulnerabilities related to SDN network configuration)
    In this talk, we will demystify the magic that surrounds the ACI wonderland and follow the APIC on its journey down the rabbit hole from when it gets first connected to the leaf switches till its configuration with EPGs and filtering rules. Along this journey we will participate in a crazy tea party. Here, the Mad Hatter will introduce us to the components involved in setting up the ACI fabric (including their background communication and used protocols), the March Hare will demonstrate what things can go wrong, and the Dormouse, before finally drifting to sleep, will release exploits for identified vulnerabilities.
    • PicoDMA: DMA Attacks at Your Fingertips
    Direct Memory Access (DMA) attacks are typically performed in real-time by an attacker that gains physical access to a high-speed expansion port on a target device, and can be used to recover full disk encryption keys and other sensitive data from memory, bypass authentication, or modify process memory to facilitate backdoor access.
    • HTTP Desync Attacks: Smashing into the Cell Next Door
    HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.
    • New Vulnerabilities in 5G Networks
    • He Said, She Said – Poisoned RDP Offense and Defense
    We will show that just by connecting to a rogue machine, your own host can be reliably and silently compromised. Although there are numerous vulnerabilities in popular open source RDP clients, this talk heads straight for the crown jewel: the Microsoft Terminal Services Client, or MSTSC.EXE. Together, we will take a deep dive into the main synchronized resource between the client and the server: the clipboard. At the end of this journey, we will discover an inherent design problem with this resource synchronization, a design problem also inherited by Hyper-V.
    • Adventures in the Underland: The CQForensic Toolkit as a Unique Weapon Against Hackers
    This session is based on CQTools; several of them are the result of discoveries made by CQURE Team! Participants could also hear about 2 great discoveries CQURE made. The first is about how to decrypt DPAPI-protected data by leveraging the private key stored as an LSA Secret on a domain controller. The second discovery is a great way to decrypt SID-protected PFX files even without access to the user's password, just by generating the SID and the user's token. Attendees become familiar with the completely unique CQForensic toolkit, which can build an attack timeline, extract information from the USN journal, recover files (also from the MFT), decrypt user's and system's stored secrets, like encrypted data, extract information from Prefetch and from the Remote Desktop Session cache, and extract information from the configuration of the tools used for administration.
