The most common story that we hear: something happens to an ATM that leaves it empty, with no forensic evidence. No money and no logs. We have collected a huge number of cases on how ATMs can be hacked during our research, incident responses and security assessments. A lot of malware infects ATMs through the network or locally. There are black boxes, which connect directly to the communication ports of devices. There are also network attacks, such as a rogue processing center or MiTM. How to stop ATM fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as a rogue processing center or MiTM? Some of these issues can be fixed by configuration means, some by compensating measures, but many only by the vendor. We will tell you what a bank can do now and what we, as a community of security specialists, should demand from vendors. Previously we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help the financial and security community with more direct advice on how to implement security measures and approaches that make ATMs more secure.
---
Olga Kochetova
Olga is interested in how various devices interact with cash or plastic cards. She is a senior specialist on the penetration testing team at Kaspersky Lab. Olga has authored multiple articles and webinars about ATM security. She is also the author of advisories about various vulnerabilities for major ATM vendors and has been a speaker at international conferences, including Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit, Nuit Du Hack, Hack In The Box Singapore and others.
---
Alexey Osipov
Lead Expert on the Penetration Testing Team at Kaspersky Lab. Author of a variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors.
A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Hack In The Box Singapore, Positive Hack Days, Chaos Communication Congress.
An overview of all the things that can go wrong when developers attempt to implement a Chain of Trust, also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems, and move towards side channel attacks and fault injection. Focused on automotive, Pay-TV, gaming and mobile devices.
Presenter: Artem Shishkin. The talk describes the development of a debugging tool based on virtualization: how to apply existing virtualization tools for debugging, how to ensure the integrity of the environment being debugged, how to make debugging interactive, and how to tame the low-level specifics of hardware virtualization. The speaker will talk about integrating the hardware with the operating system and about how to embed a debugger directly into the firmware. Several real-life examples of dynamic analysis will be considered.
The document discusses various Java-based remote access trojans (RATs) and their evolution over time. It begins with an overview of Java basics and how RATs are packaged in JAR files. It then analyzes the lineage of several RAT families like Frutas, Adwind, Unrecom, AlienSpy, jSocket, and others; how they emerged and were developed over time, sharing codebases and techniques. Common behaviors of Java RATs are also outlined, such as obfuscation, anti-analysis tricks, and persistence mechanisms. The document concludes with recommendations for analyzing and detecting Java threats.
There have always been bad guys who tried to steal money. ATM machines containing vast amounts of money have always been attractive targets. Until recently, criminals were only using physical weaknesses. Skimmers and shimmers for stealing magstripe track data, fake PIN pads and cameras for stealing PIN codes, and even fake ATMs were created. Time passed and ATM software started to unify. Where there is unification, there are viruses: Trojan.Skimmer.*, Ploutus and other named or unnamed trojans. And what did we see on the public scene? Vendors started discussing the skimmer problem only after skimmers were detected in the wild. As you remember, Barnaby Jack presented "Jackpotting Automated Teller Machines" at Black Hat USA 2010. He used some vulnerabilities in ATM software. He showed that malware was injected into the OS of the ATM via a bootable flash drive or via a remote management TCP port. Barnaby Jack's work was based on the assumptions that most vulnerabilities were concentrated in the host machine and that we can and should reuse software made by ATM vendors. And that's quite true, but... antiviruses, locked firmware upgrades, blocked USB connectors, and encrypted hard drives can mitigate such risks. But what about connecting not to the host machine, but to the devices themselves? What countermeasures exist when we try to impersonate the ATM host? Hacking ATMs with a small computer like a Raspberry Pi should be impossible, but it isn't. The point of our presentation is to draw attention to a problem which has existed for quite a long time. The problem is the use of common interfaces (like RS232 or USB) and communication protocols from the host machine to devices such as card readers, PIN pads and/or dispenser units.
The document provides a brief history of hardware security from 1982 to present day, focusing on developments like protected mode, virtualization with Xen and VT-x/AMD-V, the Intel Management Engine, SGX, and virtual machine introspection (VMI). It discusses the core concepts behind VMI including isolation, interpretation, and interposition. LibVMI is introduced as a tool for VMI that allows monitoring VM memory, translating guest virtual addresses, and placing hooks in the guest. Future directions include more guest OS and hypervisor support as well as new event types.
How to hack a telecom and stay alive
Speaker: Sergey Gordeychik
Penetration testing of telecommunication companies' networks is one of the most complicated and interesting tasks of this kind. Millions of IPs, thousands of nodes, hundreds of Web servers and only one spare month. What challenges are waiting for an auditor during telecom network testing? What to pay attention to? How to use the working time more effectively? Why is the subscriber more dangerous than a hacker? Why is a contractor more dangerous than a subscriber? How to connect a vulnerability with financial losses? Sergey Gordeychik will talk about this and the most significant and funny cases of penetration testing of telecommunication networks in his report.
This talk briefly discusses strategies and methodologies that can be employed when assessing IoT devices. We look at how to develop credible threat scenarios for different IoT devices and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, undertake a dynamic device security analysis, identify sources of supporting information, establish the required supporting capabilities, execute dynamic device analysis, and approach network protocol analysis.
This document discusses various methods that criminals use to attack ATMs, including malware, black box attacks, and physical access. It describes specific malware like Tyupkin and attacks on protocols like XFS that allow unauthorized control of ATM components over USB/COM ports. Issues discussed include lack of authentication in XFS, vulnerabilities in Windows XP, and insecurity of physical locks and interfaces. The document calls for improvements like mutual authentication, secure protocols and regular security testing to help address these ATM attack methods.
Cesar Cerrudo discovered that traffic control systems using wireless sensors from Sensys Networks were insecure. The sensors had no encryption or authentication, allowing anyone nearby to manipulate traffic patterns. He was able to hack into sensors in multiple countries. Cerrudo showed that low-cost attacks could potentially cause traffic jams or accidents. He warned that critical infrastructure should be properly secured before use.
Reset-based designs can provide strong isolation by removing untrusted devices like PCs from the trusted computing base. This is done by using simple trusted hardware devices that contain private keys to sign transactions, instead of approving transactions on complex, bug-prone PCs. The paper proposes verifying reset functionality using satisfiability modulo theories solvers and symbolic simulation to prove that reset reliably purges all state from processors. This allows confirming transactions independently on simple hardware tokens by signing with private keys stored on chips that are proven to be securely purged on each use.
Virtual machine introspection (VMI) allows security tools to be run externally to virtual machines for improved isolation, visibility, and control. VMI provides full interpretation of the virtual hardware and memory to detect malware. It can actively monitor VM events and memory through techniques like EPT trap interposition. The speaker demonstrated these capabilities using open source tools like LibVMI and DRAKVUF for dynamic malware analysis. VMI is presented as an important approach for cloud and mobile security going forward.
This document discusses virtual machine introspection (VMI) with Xen on ARM platforms. It notes that VMI allows advanced security capabilities by separating the security monitoring domain from the trusted computing base (TCB). The document outlines that Xen on ARM provides isolation between guest VMs and the hypervisor through security modules. It also describes how the LibVMI library can reconstruct guest OS state information by interpreting ARM guest page tables. The document states that interposition, or stepping into guest VM execution on events of interest, requires hardware and hypervisor support through two-stage address translation configuration and trap handlers. It concludes that work remains to be done on ARM hardware event trapping support and performance testing of Xen on ARM trap handlers.
This document discusses virtual machine introspection (VMI) using the Xen hypervisor. VMI allows reconstructing a guest VM's state from outside the guest by monitoring its memory, CPU, and devices. It provides isolation, interpretation of the guest's state, and ability to intercept execution. The document outlines challenges like reconstructing paged memory and kernel data structures. It presents tools like LibVMI and DRAKVUF that use VMI for malware analysis and cloud security. Kernel code integrity during runtime patching is also discussed.
ATMs (Automated Teller Machines) are usually weak spots in any organization that operates them. We would like to share with you how we hack ATMs. We will show GENERIC ways to attack ATMs. Specific attacks are kewl but we like GENERIC ones that work in the often complex ATM world. Join us to pwn some ATMs and learn from our vast experience in the trenches.
The document discusses vulnerabilities in ATM systems that can allow attackers to steal cash or users' financial information. It provides examples of past malware attacks on ATMs and describes technical methods attackers have used to gain unauthorized access and control of ATM components like card readers, cash dispensers, and PIN pads. The authors argue that current security measures are insufficient and that vendors prioritize profits over fixing issues. They call for implementing stronger authentication of ATM devices and transactions to help address ongoing threats.
This document discusses virtual machine introspection (VMI) and the DRAKVUF dynamic malware analysis tool. It begins with an overview of why VMI is useful, describing how it allows security monitoring from outside the VM for increased isolation and visibility. It then introduces DRAKVUF and provides a link to a video demonstration. Finally, it includes a "rant" about the limitations of dynamic analysis for threat detection and argues it is better suited to identifying attack infrastructure and behaviors rather than individual samples.
The firmware executed by components found in a car provides a starting point for adversaries to obtain confidential information and discover potential vulnerabilities. However, the process of reverse engineering a specific component is typically considered a complex and time-consuming task. In this paper we discuss several techniques which we used to significantly increase the efficiency of reverse engineering the firmware of an instrument cluster.
An Inria Tech Talk dedicated to a hot topic: the security of your connected objects. Today it is essential to develop tools that generate security tests for these objects in realistic usage scenarios. Inria researchers and experts will present the existing attacks, and those developed in a hand-crafted manner on industrial programmable logic controllers and connected objects over recent years. The presentation is available here: https://french-tech-central.com/events/inria-tech-talk-iot/
This document discusses techniques used to evade detection from enterprise security systems. It covers common security technologies like firewalls, IDS, IPS and how attackers can bypass them. Specific evasion techniques discussed include modifying packet headers, fragmentation, source routing and using tunnels through other compromised systems. The goal is to introduce common concepts but the document is not intended to be comprehensive.
When speed and latency count, there is no place for a standard HTTP/SSL stack, and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, once you dive inside this traffic and reverse-engineer the communication, you are there. Welcome to a world full of home-grown cryptography, reversible hash algorithms and no access control at all. We would like to present our approach and a short guideline on how to reverse engineer proprietary protocols. To demonstrate, we will show you a few case studies, which in our opinion are the quintessence of "security by obscurity": the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
Hacking telecommunication companies presents unique challenges and opportunities for attackers. Some key points include:
- Telecom networks are large with many interconnected systems and perimeters owned by third parties.
- Attacks can target subscribers by exploiting weaknesses in broadband access, mobile networks, or subscriber-facing web portals.
- Network infrastructure and subscriber equipment often have vulnerabilities like default credentials, outdated software or misconfigurations.
- Less traditional systems like VOIP gateways, wireless access points or control systems may be overlooked but contain vulnerabilities.
- Partner resources and systems are sometimes co-located with the telecom's own infrastructure, providing a path into the network.
Sergey Gordeychik discussed how to hack telecommunication companies while avoiding illegal activity. He explained that telecom networks have many perimeters, partners, contractors, and technology that could be vulnerable. Specific risks included attacks against subscribers by guessing passwords, malware, or fraud. Pentesters should thoroughly examine the network for any overlooked systems or misconfigurations while respecting all laws and client approvals. Forensics after an incident would also be very challenging in large telecom networks with many access points.
Sergey Gordeychik gave a presentation on how to hack telecom networks and stay alive. He discussed that telecom networks have many perimeters including subscribers, partners, offices, and technology networks. He outlined specific attacks such as gaining unauthorized access to subscriber self-service portals or exploiting vulnerabilities in VoIP infrastructure. Gordeychik emphasized that telecom networks are complex with many third-party systems, exotic technologies, and administrative issues that can enable attacks if not properly secured. Forensics after an attack can also be very challenging in these large, dynamic networks.
This document discusses the security challenges of using Java on smart cards, known as Java Card. Java Card aims to enable multiple applications on a single smart card by using a common Java platform. However, Java Card presents unique security risks compared to regular Java due to constraints of smart cards and the presence of multiple untrusted applications. The document outlines various attacks against Java Card and recommendations for addressing the risks through secure applet design, testing, and platform improvements.
IoT PaaS platforms help accelerate the delivery of IoT solutions. This deck outlines the various architectural patterns in IoT Cloud Platforms - A useful checklist to ascertain your own IoT Solution Architecture.
The document provides an overview and analysis of several industrial control system protocols including MODBUS, DNP3, PROFINET DCP, IEC 61850-8-1, IEC 61870-5-101/104, FTE, and Siemens protocols. It discusses the functionality of each protocol, security issues like the lack of authentication and encryption, and tools for analyzing and interacting with the protocols. Live demonstrations are provided of scanning networks using some of the protocols.
The document discusses various industrial control system protocols including Modbus, DNP3, PROFINET DCP, IEC 61850-8-1, and IEC 61870-5-101/104. It describes their functions, security issues like lack of authentication and encryption, and available tools for analyzing the protocols. The speaker is a penetration tester who researches SCADA security and protocols.
This document profiles several security researchers focused on industrial control systems:
- Sergey Gordeychik is the CTO of Positive Technologies and director of Positive Hack Days, focusing on ICS/SCADA security research.
- Gleb Gritsai and Denis Baranov are researchers at Positive Technologies working on network security, forensics, and challenges related to ICS/SCADA systems.
- The group collaborates to research vulnerabilities in common ICS/SCADA platforms like Siemens, Rockwell, Schneider Electric to help secure critical infrastructure systems from cyber attacks.
This document discusses Avast's work in securing IoT devices through machine learning. It provides an overview of Avast's operations and size, then discusses the growing number of IoT devices and security challenges in securing them. Avast is developing AI-based protections for IoT by monitoring threats at the network level and plans to release a new product called Avast Smart Life. The workshop agenda covers topics like IoT botnets, device identification, and perceptual phishing detection.
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even suffer a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause. This talk will show examples of what forensic data to collect, and how to collect it, from two popular RTUs used in electric substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC. This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
This document discusses various types of network security attacks and methods to prevent them. It covers physical access attacks, social engineering attacks, and penetration attacks like scanning and malware. It also discusses attacks on the OSI and TCP/IP models at the session, transport and network layers. Prevention methods covered include firewalls, proxies, IPSec, security policies and hardening hosts. Specific switch and router vulnerabilities are examined, like ARP poisoning, SNMP, and spanning tree attacks. Countermeasures for switches include BPDU guard and root guard.
Is Agent or Agentless the best approach to monitoring devices and applications? The answer is both. Join us as we review the various approaches and solutions that Kaseya offers to handle this complex question and how they will be enhanced over the coming year. Presented by: Jeff Keyes, Product Marketing Manager & Scott Brackett, Product Manager
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
The document discusses how to secure electronic passports. It outlines passport threats like forgery and look-alike fraud. It then summarizes available protection mechanisms under ICAO standards, including storing certificates and biometrics on chips. It analyzes security challenges for inspection terminals and accessing personal data. It concludes that while electronic passports improve forgery protection, look-alike fraud remains an issue without reliable biometrics, and contactless chips introduce privacy concerns.
- The document discusses the need for security in IoT devices as the number of connected devices grows exponentially to over 30 billion by 2020.
- It outlines the various types of connected devices and assets that need protection, including personal information, products, infrastructure and more.
- The main threats to IoT systems are discussed as access to services and networks, device access, data theft and counterfeiting. Specific attacks like hacking exposed data and exploiting vulnerabilities are also covered.
- The presentation recommends using cryptography, authentication, secure boot processes and other countermeasures to protect assets by mitigating vulnerabilities and reducing threats and risk. It emphasizes the importance of a layered security approach and managing risk for different asset values.
This document summarizes a presentation on malware analysis techniques. It discusses how malware spreads, common types of malware like ransomware and cryptomining malware, and approaches to analyzing malware both statically and dynamically. Static analysis techniques examined include scanning files, searching for strings, and analyzing file headers and dynamic linking. Dynamic analysis involves running malware in a controlled environment to observe its behaviors and network activity. Cryptomining malware is described as using victims' computers to mine cryptocurrency without permission.