Nohat 2023

Herbert Bos - Leaking Abstraction Layers

Abstraction layers are unfortunately not completely isolated from each other, and a vulnerability in one layer can spill over into another. As an example, a transient-execution side channel such as Spectre or Meltdown can be combined with a memory corruption bug, for instance to defeat kASLR.

Cloud providers currently do not allow testing for these vulnerabilities on their infrastructure, so publishing research that was tested on cloud instances would invite legal action.

Because these attacks are complex and require local code execution, it is hard to tell how common they are in the wild. Browsers (with JavaScript running the attack locally) and shared cloud resources certainly offer a wide attack surface, and intelligence services may well be looking into this class of vulnerability. At the moment there is no framework to automate this kind of attack.

Julia Zduńczyk - RFID Cards

Introduction to RFID cards. Weak cards that can simply be cloned are still widely used. Some cards even have their number printed on them, so photographing them with a powerful zoom lens is another way to obtain IDs.

Numeric IDs (as opposed to UUIDs) are weak because they can easily be enumerated. In one assessment this weakness was combined with a printer that requires card authentication and then displays the holder's first and last name: by enumerating IDs in the printer room it was possible to build a mapping from names to IDs. LinkedIn then identified the network administrator, and a single attempt with that administrator's ID opened the server room, whose entrance was covered by several surveillance cameras.
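To make the enumeration concrete, here is an added example (not code from the talk) for the 26-bit Wiegand format that many low-frequency access cards use: an 8-bit facility code, a 16-bit card number and two parity bits. A printed number, or a number recovered from the printer, is enough to rebuild the frame the reader expects, and the cards issued just before and after it are one increment away. That the site's cards use this particular format is an assumption; other formats exist.

```python
"""Wiegand 26-bit (H10301) card-number encoding.

Added example, not from the talk. Assumes the cards use the common 26-bit
format: even parity, 8 facility bits, 16 card bits, odd parity.
"""


def _parity(value: int) -> int:
    """Number of set bits modulo 2."""
    return bin(value).count("1") & 1


def wiegand26_encode(facility: int, card: int) -> int:
    """Build the 26-bit frame for a facility code and card number.

    Layout (MSB first): even parity over the first 12 data bits, 8 facility
    bits, 16 card bits, odd parity over the last 12 data bits.
    """
    if not (0 <= facility < 1 << 8 and 0 <= card < 1 << 16):
        raise ValueError("facility must fit in 8 bits and card number in 16 bits")
    data = (facility << 16) | card
    even = _parity(data >> 12)           # makes the 13-bit group even
    odd = _parity(data & 0xFFF) ^ 1      # makes the 13-bit group odd
    return (even << 25) | (data << 1) | odd


def wiegand26_decode(frame: int) -> tuple[int, int]:
    """Recover (facility, card) from a 26-bit frame, rejecting bad parity."""
    if frame < 0 or frame >> 26:
        raise ValueError("not a 26-bit frame")
    data = (frame >> 1) & 0xFFFFFF
    if (frame >> 25) != _parity(data >> 12):
        raise ValueError("even parity mismatch")
    if (frame & 1) != _parity(data & 0xFFF) ^ 1:
        raise ValueError("odd parity mismatch")
    return data >> 16, data & 0xFFFF


def is_valid_frame(frame: int) -> bool:
    """True if the frame decodes with both parity checks passing."""
    try:
        wiegand26_decode(frame)
        return True
    except ValueError:
        return False


def neighbouring_frames(facility: int, card: int, radius: int) -> list[int]:
    """Frames for the card numbers around a known one.

    This is the enumeration the talk describes: with sequential numbering,
    the cards issued just before and after a known one are a few guesses away.
    """
    lo, hi = max(0, card - radius), min((1 << 16) - 1, card + radius)
    return [wiegand26_encode(facility, n) for n in range(lo, hi + 1) if n != card]


if __name__ == "__main__":
    frame = wiegand26_encode(42, 1337)
    print(f"facility 42, card 1337 -> {frame:026b}")
    print("decoded:", wiegand26_decode(frame))
    print("neighbours:", [f"{f:026b}" for f in neighbouring_frames(42, 1337, 2)])
```

The parity checks are what a reader uses to reject noise, so an enumerated frame has to carry them correctly; the decoder above rejects a frame with a flipped data bit for exactly that reason.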

A Proxmark can be hidden in many places. To get feedback that a covert cloning operation succeeded, one could attach a Raspberry Pi to the Proxmark and have it send push notifications; however, the effort is probably not worth the benefit.

Cards can be relayed over the network: in the demo one attacker with physical access to a card scans it and its responses are relayed over the network to a second attacker standing next to the reader.

Finally, even cards that use encryption may rely on very weak ciphers or on default or weak keys.

Xeno Kovah - Bluetooth Sniffing

Motivation: some over-the-air Bluetooth firmware RCEs have been found, but there is no database to tell which devices run the vulnerable firmware.

The speaker collected a large number of Bluetooth signals and described the hardware used to do so.

An interesting point is that by law in the US every Bluetooth device goes through FCC certification, and the FCC website publishes photos of the opened device with its hardware visible. From these it is sometimes possible to identify the Bluetooth chip and, from that, the firmware it runs.

Bluetooth devices may periodically generate a random address that they advertise. In practice this behaviour is rare, and even when it happens other bits of information in the advertisement still allow the device to be identified. This matters because it allows people to be tracked. Consider the following example: a Bluetooth-enabled security camera can be tracked; the camera belongs to a victim of domestic abuse who relocates; with the camera's identifying information and crowd-sourced Bluetooth data it could be possible to find the victim's new location.
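The following is an added example, not code from the talk, showing why a rotating address is not enough on its own. It classifies a BLE advertiser's address type from the top two bits (per the Bluetooth Core Specification) and parses the advertising payload for the fields that stay constant across address rotations: the device name, the manufacturer company ID and the vendor data. The advertisement bytes, addresses and company ID 0x1234 are constructed for the example.

```python
"""Fingerprinting a BLE advertiser even when its address rotates.

Added example, not from the talk. All addresses and payload bytes below are
constructed; the company ID 0x1234 is made up.
"""

# Advertising-data (AD) types from the Bluetooth Assigned Numbers list.
AD_FLAGS = 0x01
AD_UUID16_COMPLETE = 0x03
AD_NAME_SHORT = 0x08
AD_NAME_COMPLETE = 0x09
AD_MANUFACTURER = 0xFF


def classify_address(addr: str, random_flag: bool) -> str:
    """Classify a BLE device address (Core Spec Vol 6, Part B, 1.3).

    random_flag is the TxAdd bit of the advertising PDU header: 0 means a
    public address, 1 means random, and the top two bits then say which kind.
    """
    if not random_flag:
        return "public"
    msb = int(addr.split(":")[0], 16)
    return {
        0b11: "random static",           # fixed for the device's lifetime
        0b01: "resolvable private",      # rotates, resolvable with the IRK
        0b00: "non-resolvable private",  # rotates, nothing to resolve
    }.get(msb >> 6, "reserved")


def parse_ad(payload: bytes) -> list[tuple[int, bytes]]:
    """Split an advertising payload into (type, data) AD structures.

    Each structure is [length][type][data...], where length counts type+data.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:               # zero-length padding ends the payload
            break
        if i + 1 + length > len(payload):
            raise ValueError("truncated AD structure")
        structures.append((payload[i + 1], bytes(payload[i + 2:i + 1 + length])))
        i += 1 + length
    return structures


def fingerprint(addr: str, random_flag: bool, payload: bytes) -> dict:
    """Collect the fields that identify a device independently of its address."""
    fp = {"address_type": classify_address(addr, random_flag)}
    for ad_type, data in parse_ad(payload):
        if ad_type == AD_MANUFACTURER and len(data) >= 2:
            fp["company_id"] = int.from_bytes(data[:2], "little")
            fp["manufacturer_data"] = data[2:].hex()
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            fp["name"] = data.decode("utf-8", "replace")
        elif ad_type == AD_UUID16_COMPLETE:
            fp["service_uuids"] = [int.from_bytes(data[k:k + 2], "little")
                                   for k in range(0, len(data) - 1, 2)]
    return fp


STABLE_FIELDS = ("name", "company_id", "manufacturer_data", "service_uuids")


def same_device(fp_a: dict, fp_b: dict) -> bool:
    """True if two advertisements agree on every stable field either carries."""
    keys = [k for k in STABLE_FIELDS if k in fp_a or k in fp_b]
    return bool(keys) and all(fp_a.get(k) == fp_b.get(k) for k in keys)


# Constructed advertisement: flags, complete local name "CAM-1", and vendor
# data under the made-up company ID 0x1234 (little-endian on the wire).
SAMPLE_PAYLOAD = bytes.fromhex("020106" "0609" "43414d2d31" "06ff" "3412" "0215aa")

if __name__ == "__main__":
    first = fingerprint("5A:12:34:56:78:9A", True, SAMPLE_PAYLOAD)
    later = fingerprint("7E:00:11:22:33:44", True, SAMPLE_PAYLOAD)
    print(first)
    print("same device after address rotation:", same_device(first, later))
```

Both sample addresses are resolvable private addresses, so the address alone links nothing; the name and vendor data link the two sightings anyway, which is the tracking problem the talk describes.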

Slides (same talk, different con)

Jakob Torrey - A talk about talks v2

The speaker presented a graph database holding an exhaustive collection of security talks given over the years. It started as CC (conference collection) and then grew into ThinkstScapes. The graph can be queried to explore relationships between conferences, within a conference, and about speakers. The talk is in a sense a ten-years-later follow-up to Haroon Meer's “A talk about talks”.

One of the questions raised is whether researchers should spend their time on more important things than putting together slide decks or, put differently, whether there is any metric or method for measuring the actual benefit of all these security conferences.

The topic may be controversial, but starting new discussions is part of the point of the talk.

Richard Johnson - Fuzzing

Overview of the latest developments in fuzzing. Too technical to be summarized, better to refer to the slides.

Matteo Redaelli - RDP Cache Analysis

In a nutshell: the RDP client keeps a bitmap cache on disk to save bandwidth. If an attacker used RDP for lateral movement, fragments of what was displayed on screen during those sessions can be recovered from the cache on the client side of the connection. Several tools exist for this.

Gianluca Varisco - GCP Workshop

Demo of Stratus. Stratus is a tool for purple teams: it creates the resources an attack needs, performs the attack against them, provides a query to detect it, and finally cleans up after itself.
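As an added example (not Stratus's own code and not the workshop's demo), here is the detection side of that loop: a small detector run over newline-delimited GCP Cloud Audit Log entries, flagging service-account key creation. The technique it is written against is assumed to be the Stratus GCP persistence technique that creates a service account key; the log lines are constructed, with field names following the Cloud Audit Logs AuditLog schema.

```python
"""Detecting service-account key creation in GCP Cloud Audit Logs.

Added example; not Stratus Red Team's code nor the workshop's demo. The log
lines below are constructed. Assumes the attack under test creates a
service account key (a long-lived credential), which lands in the Admin
Activity log as a CreateServiceAccountKey call.
"""
import json
from typing import Iterable

# Admin Activity audit log method that mints a new long-lived key.
CREATE_KEY = "google.iam.admin.v1.CreateServiceAccountKey"


def is_human_principal(email: str) -> bool:
    """Service accounts end in gserviceaccount.com; anything else is a user."""
    return not email.endswith("gserviceaccount.com")


def detect_key_creation(lines: Iterable[str]) -> list[dict]:
    """Return one finding per CreateServiceAccountKey entry.

    A key minted interactively by a human principal is rated high; one minted
    by a service account (typically automation) is rated medium for triage.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        proto = entry.get("protoPayload", {})
        if proto.get("methodName") != CREATE_KEY:
            continue
        principal = proto.get("authenticationInfo", {}).get("principalEmail", "")
        caller_ip = proto.get("requestMetadata", {}).get("callerIp", "")
        findings.append({
            "time": entry.get("timestamp"),
            "principal": principal,
            "target": proto.get("resourceName"),
            "caller_ip": caller_ip,
            "severity": "high" if is_human_principal(principal) else "medium",
        })
    return findings


# Constructed sample: a benign read, a key created by a user, and a key
# created by a service account (automation). Addresses are documentation ranges.
SAMPLE_LOG = """
{"timestamp": "2023-10-21T09:58:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.GetServiceAccount", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/-/serviceAccounts/111"}}
{"timestamp": "2023-10-21T10:00:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.7"}, "resourceName": "projects/-/serviceAccounts/111"}}
{"timestamp": "2023-10-21T10:05:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "deploy@proj.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "10.0.0.5"}, "resourceName": "projects/-/serviceAccounts/222"}}
"""

if __name__ == "__main__":
    for finding in detect_key_creation(SAMPLE_LOG.splitlines()):
        print(finding)
```

In a purple-team run this is the step that follows "detonate": detonate the technique, confirm the detector fires on the resulting audit entry, then let the tool clean up the resources it created.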