Saturday, March 7, 2015

#RootedCON Day 2: PoC earthquake

Sometimes you know, before getting up, that it is going to be a hard day's life: you will end the day with a notebook full of notes and your head spinning again and again over topics you were probably not thinking about just a few hours before. And yes, yesterday, Friday, was one of those days.

Second day at RootedCON, one of the most important events in the field of computer security, held every year in Madrid (Spain). Yesterday we posted the chronicle of day 1 (http://kcy.me/1qsci), and here we go again. What was this second round about?

Alfonso Muñoz, from Eleven Paths, kicked off with the subject he specialises in: on this occasion, stegomalware in mobile applications, or, in other words, different ways of hiding executable code in applications from the Android Play Store. The code can be concealed inside the package itself, in PNG images carrying obfuscated code, or fetched through the calls to external resources that the application makes in normal operation; and also, of course, in the application's own resources. It is a very sophisticated attack vector and today almost undetectable, because there are no systems focused on this type of scrutiny.

Carmen Torrano (@ctorranog), from the Spanish National Research Council (CSIC), presented her doctoral thesis on algorithms for building web application firewalls. She talked about anomaly-based WAFs, Markov models and machine learning: techniques that significantly improve the effectiveness of this type of software in the face of constantly changing environments, such as the world of web defensive security.
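To make the anomaly-based idea concrete, here is an added example (written for this post, not Carmen's thesis code) of the simplest member of that family: a character-level first-order Markov model trained on benign values of one request parameter, which then scores new values by how improbable their character transitions are under the model. The training values, the smoothing constant and the "nothing scores worse than the benign set" threshold are assumptions chosen for the demo.

```python
import math
import string
from collections import Counter

# Constructed benign values for one parameter (say, a "user" field), used as training data.
TRAINING_VALUES = ["carlos", "marla", "maria", "carla", "pedro",
                   "ana", "marcos", "laura", "sara", "carmen"]


class MarkovAnomalyScorer:
    """Character-level first-order Markov model of 'normal' parameter values.

    fit() learns transition counts from benign samples; score() returns the
    average negative log-probability per transition of a value under the model
    (higher means less like the training data); is_anomalous() compares that
    with a threshold fixed during fit().
    """

    START, END, OTHER = "^", "$", "?"   # pseudo-symbols; OTHER stands in for non-printable bytes

    def __init__(self, alpha: float = 0.01):
        self.alpha = alpha                 # additive smoothing so unseen transitions are rare, not impossible
        self.alphabet = set(string.printable.strip()) | {" ", self.END, self.OTHER}
        self.V = len(self.alphabet)        # number of possible "next" symbols
        self.pair = Counter()              # (prev, next) -> count
        self.prev = Counter()              # prev -> count
        self.threshold = None

    def _symbols(self, value: str):
        body = [c if c in self.alphabet else self.OTHER for c in value]
        return [self.START] + body + [self.END]

    def fit(self, samples):
        for s in samples:
            syms = self._symbols(s)
            for a, b in zip(syms, syms[1:]):
                self.pair[(a, b)] += 1
                self.prev[a] += 1
        # Threshold: no benign sample scores higher than this (a held-out set would be better).
        self.threshold = max(self.score(s) for s in samples)
        return self

    def score(self, value: str) -> float:
        syms = self._symbols(value)
        total = 0.0
        for a, b in zip(syms, syms[1:]):
            p = (self.pair[(a, b)] + self.alpha) / (self.prev[a] + self.alpha * self.V)
            total -= math.log(p)
        return total / (len(syms) - 1)

    def is_anomalous(self, value: str) -> bool:
        return self.score(value) > self.threshold


if __name__ == "__main__":
    model = MarkovAnomalyScorer().fit(TRAINING_VALUES)
    for value in ["lara", "' OR 1=1 --", "<script>alert(1)</script>"]:
        print("%-28r score=%.2f anomalous=%s" % (value, model.score(value), model.is_anomalous(value)))
```

The model never sees a signature: it flags the injection strings only because quotes, equals signs and angle brackets never follow letters in benign traffic for that parameter. That is the strength of the approach (it adapts to whatever a given application considers normal) and also its cost: the model has to be retrained whenever the application changes, which is the "profound change" problem the talk addressed.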

Illegitimate copies and privilege escalation
Losing access to his WebEx account, one of the most widely used services for online education, drove Abel Valero (@sanguinawer) to look into how the platform handles the files it stores locally on the user's machine. Thanks to that, he found a serious vulnerability in the system that would allow any client to obtain copies of the videos, even when this is reserved for their creator alone.

Next, Julián Vilas (@Julianvilas) warned about a misconfiguration in Struts, the Java web development framework, that allows any external attacker to make malicious calls to the getClass() and setClass() methods, escalating privileges and gaining access to sensitive resources on a server or service.

Then Ricardo J. Rodriguez (@RicardoJRdez) and Jose Vila (@cgvwzq) broke proximity-based security, such as NFC payment methods. It is a theoretical vulnerability that is hard to reproduce in real environments, the researchers acknowledged, because of the internal protections on almost every bank account. But in any case it is remarkable that the attack is carried out from mobile devices that are neither rooted nor running custom firmware.

This topic ties in with Sebastian Guerrero's (@oxroot) talk on how Apple Pay works. He presented no exploitable vulnerability, but used his time to explain how the Cupertino company's service operates, and its possible weaknesses.

The next turn went to Alejandro Ramos (@aramosf), a regular speaker at RootedCON, with a talk about offensive and defensive security. "Are you red team or blue team?", he asked the attendees via an online survey, and then gave some tips for each of the crews, which added up to a very systematic summary of their work in real life.

José Selvi (@JoseSelvi) likes travelling to the future... at least digitally. A study of the HSTS (HTTP Strict Transport Security) mechanism allowed him to notice that its expiration date can be bypassed by pushing the system's internal clock forward into the future, so that the policy the browser has stored is considered expired. What can you get done with this? Well, you can access almost any major web service without HTTPS. And, in addition, you can stop a system from notifying updates.
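The following Python models the piece of browser state that the attack targets: an added example written for this post, not José's tool nor any browser's real code. It parses a Strict-Transport-Security header (max-age and includeSubDomains, simplified from RFC 6797), stores the expiry computed from the clock at the time the header was received, and answers whether a later request must be upgraded to HTTPS. The host names and timestamps are assumptions for the demo; the point is what happens to the answer once the clock jumps past the stored expiry.

```python
import re
from datetime import datetime, timedelta, timezone


class HstsCache:
    """Minimal model of a browser's HSTS store, keyed by host.

    Each entry records the instant the policy expires, computed from max-age at
    the moment the header was received. That stored instant is compared with the
    local clock on every lookup, which is exactly what a clock shifted into the
    future defeats.
    """

    def __init__(self):
        self.entries = {}   # host -> (expires_at, include_subdomains)

    def process_header(self, host: str, header_value: str, now: datetime) -> bool:
        """Record the policy carried by one Strict-Transport-Security header.

        Returns False if the header carries no max-age (then it is ignored).
        """
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", header_value, re.I)
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", header_value, re.I) is not None
        self.entries[host] = (now + timedelta(seconds=max_age), sub)
        return True

    def must_use_https(self, host: str, now: datetime) -> bool:
        """True if a still-valid policy covers host, directly or via a parent with includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expires_at, sub = entry
            if now >= expires_at:
                continue               # expired according to the local clock: policy no longer applies
            if i == 0 or sub:
                return True
        return False


def clock_jump_demo():
    """Receive a one-year policy, then query it with an honest clock and a forged one."""
    cache = HstsCache()
    received = datetime(2015, 3, 6, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    cache.process_header("example.com", "max-age=31536000; includeSubDomains", received)
    honest_clock = received + timedelta(days=30)
    forged_clock = received + timedelta(days=400)   # attacker pushed the clock past expiry
    return {
        "honest": cache.must_use_https("www.example.com", honest_clock),
        "forged": cache.must_use_https("www.example.com", forged_clock),
    }


if __name__ == "__main__":
    print(clock_jump_demo())   # honest clock: upgrade to HTTPS; forged clock: plain HTTP allowed
```

Once the local clock says the entry has expired, the browser treats the host as if it had never seen the policy and will happily follow a plain http:// link or redirect, which is all a network attacker needs to step in. Two caveats a practitioner should keep in mind: a site the user revisits over HTTPS refreshes its entry with a new expiry, so the attacker must strike before that happens, and hosts compiled into a browser's HSTS preload list are not stored with an expiry at all, so this trick does not clear them.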

Finally, Eduardo Cruz (@edcrossed) astonished everybody with several years of amateur work reverse engineering microprocessors, in this case from an arcade machine. It is a dangerous hobby that demands considerable physical safety measures, since it involves acids to strip the chip's layers apart and analyse the layout of the microprocessor. It is also very strenuous work, which allowed him to replicate the hardware in a computer program and, later, on an Arduino. Simply amazing. Because hacking is not just software: there is hardware hacking too, and when you get the desired result after so much hard work, it is highly rewarding.

As we have been doing over the last few days, we are covering RootedCON's last day in real time on our Twitter account: https://twitter.com/CIGTR.
