
Vegas hacker party schedule #defcon #blackhat #bsides

Just a couple of pointers, nothing major here. A pretty comprehensive-looking party schedule (in addition to the official page). Filling up crazy fast.

One event I don’t see there, though, is the DEF CON Shoot, Wed 26 18:00 and Thu 27 9:00.

Part of why I love being in this field – I’m not really aware of any other global community with annual weeklong bashes in Vegas.

Your semi-definitive guide to #blackhat #bsideslv and #defcon 2017 – Vegas hacking!


(my last year’s DEFCON badge – it winks at you with those terminator LEDs!)

Here is my subjective take on the Vegas hackers’ Disneyland that’s happening at the end of July 2017. Please keep in mind that this year I’m trying to make it useful for website/web service security – to that end, I sifted through 70+ talks to come up with a summary of what’s particularly interesting this year.

As for the parties… that’s for the follow-up post : )


BlackHat at Mandalay is more practical and by far the most expensive; it consists of three parts:

  1. 2-day trainings – ~$3k a piece
  2. Several days of hour-long briefings/talks – ~$2.5k includes all, and
  3. Expo floor which is free with either 1 or 2

Last year I took trainings, but this year I’m very much interested in website security briefings, so I plan to attend as many of the latter as possible.

BSidesLV is much more mellow: it’s under $100 and more informal. People basically chill out in Tuscany Suites in between the “serious” stuff and present research, which can be interesting.

DEFCON, this year at Caesars, is definitely the most fun one, under $300 for everything. It has crazy talks, workshops, hackathons and CTFs, and it’s just like the Renaissance Faire for geeks. They hack everything from poker to pacemakers to 747s to implanting circuitry into your hands, and they also have tons of fun contests and a geek marketplace. It’s just super-fun, tho probably less useful for safeguarding a web service.

BlackHat Briefings – Totally Subjective Shortlist

Now, since BlackHat is absurdly expensive, I filtered out a few specific talks that seem worth visiting for website/web service security – all included with the admission ($2,395):

Cracking The Lens: Targeting HTTP’s Hidden Attack-surface

Don’t Trust The Dom: Bypassing XSS Mitigations Via Script Gadgets

Web Cache Deception Attack

A New Era Of SSRF – Exploiting URL Parser In Trending Programming Languages!

Friday The 13th: JSON Attacks

Practical Tips For Defending Web Applications In The Age Of Devops – potentially very interesting talk from Etsy on how to properly set up the whole security engineering process

Splunking Dark Tools – A Pentesters Guide To Pwnage Visualization

The Epocholypse 2038: What’s In Store For The Next 20 Years

Ichthyology: Phishing As A Science (walk through a series of real-world attacks conducted against a Bay Area tech company)

BlackHat (Web Security) Trainings

Those are very useful; they typically take 2 days, but tend to cost a ton (~$3k each). I took some last year, but this year I’m more interested in the briefings above. But still, these are the ones that I found very interesting for web security:

Engineering/app-level security training:

Whiteboard Hacking aka Hands-on Threat Modeling

Abilities Inc – Metasploit Mastery

Applied Data Science for Security Professionals

Visual Analytics – Delivering Actionable Security Intelligence

The Web Application Hacker’s Handbook, Live Edition – good intro as usual, but honestly, focuses too much on the obsolete and made-up simple attacks, could really benefit from a 2017-overhaul. But hey, maybe it will be brand new this year.

Talks I expect to be very useful for DevOps

Cloud Security Hands On (CCSK-Plus)

Advanced Cloud Security and Applied SecDevOps


And that’s it for now – see you there!! After all, it’s Vegas – good times all around!

fun new Android security tools and stats #VB2013

This is a great mix of research because it’s not just academic but a good half is coming from people who make a living off of helping their customers fight off malware:

Google and Apple markets: are their applications really secure?!

This one looks like yet another combing of the stores, mostly for privacy?

By analysing over 120,000 applications from the Google market and over 160,000 from the Apple market, we discovered a lot of security issues that can be found on an everyday app. Many popular applications from these markets hide a lot of security breaches, from sending data over an unsecured connection (such as user accounts or passwords) to GPS tracking or uploading highly sensitive data like contact lists or phone numbers. This behaviour may be intended or may result from the use of a third-party advertising framework employed by the author in order to increase the revenue of the application. This paper draws attention to the security flaws of applications in both the Android and Apple markets by providing statistics and well documented examples, as well as the methods used to extract this information.

Analysis of Android in-app advertisement kits

In this paper, we focus on the security risks and inefficiencies posed by ad-kits. And more particularly those embedded into malware. To this end, we study the Android platform, and 90,000 malware samples. We identify 10 representative ad-kits. We further develop a system called Droidlysis to examine potential risks, ranging from uploading sensitive information to remote servers, to downloading and executing untrusted code. We analyse ad traffic and identify sensitive data transmitted over the air.

Our results show that most ad-kits not only collect private information, but probe for data and permissions beyond the ones listed in their documentation. We discover how users can be tracked by an ad provider across applications, and by a network sniffer across ad providers. Finally, we discuss the financial implications for developers and ad providers.

The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications

Some very intense claims! Wonder if it works:

real-time malware detection framework for the Android platform that performs dynamic analysis of smartphone applications and detects the malicious activities through in-execution monitoring of process control blocks (PCB) in the Android kernel. We employ a novel scheme to mine the hidden execution patterns – from time-series PCB logs of Android applications – by using information theoretic measures, frequency component analysis and statistical analysis techniques. With the help of this novel scheme, this framework sits in the Android kernel as a loadable kernel module and is able to detect real-world malware applications for Android with very few false alarms. We have validated the framework using real-world Android malware (from well-known malware repositories) and popular benign applications taken from Google’s official app store for Android (i.e. Google Play Store). By carefully designing a series of experiments, we evaluate the detection and runtime performance of our framework. Our framework is able to detect zero-day (previously unseen) malicious applications with over 98% accuracy, while keeping the false positive rate below 1%. It has a runtime processing overhead below 4% on a low-end smartphone.

‘I am not the D’r.0,1d you are looking for’: an analysis of Android malware obfuscation

legitimate obfuscation tool ProGuard from android.com currently obscures class and method names in Android apps.

Nevertheless, it is code obfuscation which would complicate the detection strategy for Android malware, especially given memory footprint limitations. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, GooglePlay restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators, and even nops, thus providing scope for the insertion of junk polymorphic instructions and metamorphism.

This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future.

GinMaster: a case study in Android malware

Android – practical security from the ground up
Some more info about this one here

The Android Security Team will discuss its approach for securing the Android platform against malware. … We will also give our view into the security of the Android ecosystem, based in part on worldwide data from our Verify Apps tool.