Check out our 2019 activities.

Computer Security Conference

Chile

Talks

01. INTRO

Gabriel Bergel
Eleven Paths
Chile

06 THE EXCITING SIDE OF IOT: PENTESTING SEX TOYS


Cecilia Pastorino
ESET Latinoamérica
Argentina


Denise Giusto
ESET Latinoamérica
Argentina

These days sex toys are a big topic (no, we are not talking about their size). Like other personal-use objects, they have evolved until they met new technologies and, just as happened with watches, toothbrushes, glasses and even toilets, the new models of adult toys include the ability to connect to the internet and be controlled remotely.

11 GANS AND ROSES: WEAPONIZING THE CEO SCAM FRAUD WITH AI AND AUTOENCODERS


Pablo González Pérez
Telefónica
Spain

Artificial intelligence and cybersecurity are two fundamental pillars in the digital transformation of society and of organizations. The day-to-day of this digital revolution, which has changed the way human beings communicate, relate, work and live, involves knowing the risks that new technologies bring with them. Any user can understand the benefits that artificial intelligence can provide, but we must be cautious and know the risks it can bring. This talk covers Machine Learning and Deep Learning, showing different paths. The possibility that an attacker can impersonate identities, voices, images and videos through an AI poses a great risk to society as well as to organizations. This article shows the applicability of artificial intelligence for protection and its more offensive side. The goal of the talk is to show, in a practical and interactive way, how deception-oriented attacks evolve through the use of AI. CEO fraud and other scams take on a new dimension. The goal is to show real cases (live) with GANs, where real faces will be generated live, and to show how this type of threat can be detected. New threats in society. GANs, Autoencoders or VAEs are ways of teaching an AI to generate the same voice as a person, the same face of a person in real time, the same gestures, the same style. Do you think it is a threat? AI and cybersecurity come together to fight this new type of threat.

02. KEYNOTE: NEXT GENERATION SECURITY


Luiz Eduardo dos Santos

Aruba Threat Labs
Brazil-United States

07 METATHIEF: LEAKING CORPORATE SECRETS


Diego Espitia
Eleven Paths
Colombia

After many years doing research and working with metadata, it is clear that this is an aspect companies do not take into account. This led me to develop a tool that extracts information from a computer using the comments field of the metadata of PDF files stored on it. Initial tests confirmed that it was possible to extract data while bypassing companies' traditional controls, such as firewalls, IPS or antivirus. With this confirmation, the plan was to develop a tool in Python that would detect the office files (docx, xlsx and pptx) on the machine so they could be exfiltrated inside the comments parameter of the metadata of PDF files, using email as the stealthiest mechanism to extract this data. The talk explains how the tool was developed, and live demonstrations show how the files are detected, how the PDFs that will carry the information in their metadata are selected, and how steganography is used to hide the fragments of the files to be exfiltrated. After this, it shows how, once the PDF files contain the fragments of the information to be exfiltrated, they are sent to the attacker by email. For the attacker to rebuild the files, another Python program is used, which identifies the order in which the segments must be extracted from the metadata and thus reconstructs the exfiltrated documents. The talk shows the different procedures carried out in the tool live, letting attendees see how poor security management of metadata can be exploited with this PoC in pentesting processes, effectively measuring the data-leak controls implemented in the network and giving the analyst sufficient evidence to document the procedure performed.

12 SYMBOLIC EXECUTION OF ETHEREUM


Felipe Manzano
Trail of Bits
Argentina

Some talk about symbolic execution of Ethereum bytecode. In this talk I present all the details of the underlying arch, the Ethereum virtual machine and how to symbolically emulate it in order to find bugs in smart contracts. I’ll show some advances in multi transaction analysis and how to handle the inherently difficult cryptographic primitives that are sprayed over all smart contract code. All of that is available as an open source project: Manticore.

03 BUILDING A NEW DECENTRALIZED INTERNET, WITH THE NODES IMPLANTED IN OUR BODIES


Dr. Mixæl S Laufer

Four Thieves Vinegar Collective
United States

The internet is broken. It’s vulnerable to manipulation, censorship, shutdowns, surveillance, and on top of all that, it costs to access it. What if we could bypass all that? The PirateBox platform with its meshing capability creates this possibility, but somehow has gained little traction. If every WiFi enabled device just became a node on a mesh network, we would have a replacement for the hardware layer of the internet. To show how powerful this platform can be, and take it to the next level, we have created the PegLeg, an implanted cybernetic enhancement that turns the user into an anonymized local area network on which people can chat and share files anonymously, as well as mesh with other nearby networks. The PegLeg differs from a wearable, as it cannot be confiscated, and has no battery. Come learn how you can turn your phone, laptop, raspberry pi, or router into a meshing piratebox, and build a new internet. And if you are really committed, you can build the implant yourself, and be a walking pirate server with a PegLeg.

08 KEYNOTE: BRAZILIAN BANKING BANDITS BILKING BILLIONS


Fabio Assolini
Kaspersky
Brazil

Imagine a malware family that somehow manages to avoid detection and operate under the radar for more than five years. Actually, only a few security researchers can see it. The goal of the attack? Steal $500 million a year from Brazilian banks by regularly changing tactics and limiting infections geographically to avoid being detected by international security companies. They started humbly, using simple VBS files with different obfuscation, so naturally, the detection rate of their creations grew quickly. Ingeniously, they thought of a way to evolve and avoid being discovered: why not adopt process hollowing and a cascade of legit processes in their mediocre malware? With legit executables, they achieved it. (Ab)using WMIC, making it execute an apparently inoffensive XSL file, that later was interpreted as a JavaScript file – everything trusted by your whitelist solution and security products. Why not add a pinch of Powers(hell) to the recipe? So they started with BITSAdmin, mixed-in LNK files, executed by PowerShell, folded-in WMIC, and then injected a JavaScript snippet into an XSL file that randomly selected a domain to download the payloads. This was the long, yet effective formula used to bypass security protections. To make things more interesting, they decided to complicate matters a little more, adopting obfuscating techniques such as XOR shift-left in the payloads to avoid network detection. They also used different keys, making it hard to obtain the final file; they separated the loader into many files, reassembling before execution; used algorithms and different keys for file encryption, making it necessary to scrutinize each file individually thus making the analysis process extremely slow. In this presentation, we’ll detail how Brazilian banking bandits are bilking billions from banks, in the land of cachaça, carnival, beaches and banking trojans, and all right under the security industry’s nose.

04 SS7 PROTOCOLS OF MOBILE NETWORKS – THE ENDLESS FIELD OF ZERO DAYS


Kirill Puzankov | Russia

For more than 5 years, information about the existence of a huge flaw in the SS7 protocols of mobile networks has been widely spread, and nearly every MNO in the world is now aware of it. With the help of researchers and vendors, GSM Association has produced a bunch of standards and security recommendations related to signaling. Mobile network operators have their security budget reorganized to implement different security measures starting from security assessment to introducing security monitoring and firewalls. We are in 2019 and there goes booom… Another bank, this time UK based, has to admit it got its client funds attacked via SS7 vulnerability. The right approach about the SS7 security seems to always be on the wave of recent security research of the field to be able to adapt accordingly. Unfortunately, it’s not only white-hat hackers/researchers who are exploring the protocol, which still seems to have a lot of features that can be exploited. One of the latest of such features, recently found by our team, will be the central theme of the talk to apply to exploitation of different threats. I will also show how blind the up-to-date security measures could be for this type of attack and how quickly the hackers can utilize new techniques after they are revealed to GSMA.

09 TPMSPOOFERS


Pedro C. aka s4ur0n
s4ur0n
Spain

What everyone has done so far with TPMS is receive, but it can be demonstrated, as I will do, that it is possible to inject into all the sensors and make the ECUs show the ‘low pressure’ or ‘alarm’ tire error message remotely, even though for manufacturers it is not considered important in a TARA (ISO_26262)… But in the JARA (SAE J3061 for Automotive Security Requirement Engineering - https://de.wikipedia.org/wiki/SAE_J3061 -) it could not be of vital importance, since THE BLAME LIES WITH THE USER OF THE CAR AND THEY TAKE NO RESPONSIBILITY in any case… and that is not so… If your console showed that all four wheels were at 0 kpsa in the middle of a trip… wouldn't you stop? Then, in person, I would do several demonstrations for the main brands so you can see that it is real, not a myth…

13 KEYNOTE: MY FIRST SOC: A FREE AND OPEN SOURCE SECURITY OPERATIONS CENTER STRATEGY


Bruno Guerreiro Diniz
Deloitte Brasil
Brazil

Present Goals, Strategy, Organization, Processes and FOSS technology to support the 1st SOC.

05 SIEMS FRAMEWORK: OPEN SOURCE MULTISIEM PYTHON ATTACK FRAMEWORK


Claudio Caracciolo

Eleven Paths
Argentina

SIEMs are defensive tools increasingly used in information security, especially in large companies and regulated companies to monitor critical networks and devices. However, from the standpoint of the attacker, the permissions that the SIEMs have on the devices and accounts of a corporate network are very broad. Administrative access to a SIEM can be used to obtain code execution in the server where the SIEM is installed, and, in some cases, also in the ‘client’ equipment from which the SIEM collects events, such as Active Directory servers, databases, and network devices like firewalls and routers. During our investigation, we detected many attack vectors that could be used in different SIEMs to compromise them, such as: obtaining the user accounts and passwords of critical equipment stored in the SIEM (LDAP/AD servers, databases, network devices, generally accounts with administrative permissions); developing and installing malicious applications such as a bind shell or a reverse shell to compromise the server where the SIEM is installed, or sending malicious applications to compromise the devices from which the SIEM collects the events; performing a brute force attack on the SIEM web interface; reading arbitrary files from the server where the SIEM is installed; and using log events as an intelligence source. Based on the results of this research, we developed an open source tool in Python, SIEMs Framework, that automates the mentioned attacks in both commercial and open source SIEMs.

10 MEMOIRS OF A COMPUTER FORENSICS EXPERT VOL. VI


Lorenzo Martínez
Securízame
Spain

As is now customary, the talk will be a ‘condensed DFIR course’, in this case in Windows environments, in a situation involving unfair competition. A case in which I had to take part and carry out personally: there is post-mortem analysis, acquisition and live analysis in a fairly hostile environment.

Schedule

AGENDA

Day 1 | 12 DEC 2019

08:00 – 09:15
Registration

09:15 – 09:30
INTRO | Gabriel Bergel

09:30 – 10:30
KEYNOTE: NEXT GENERATION SECURITY
Luiz Eduardo dos Santos (Brazil-United States)

COFFEE BREAK | 10:30 - 11:00

11:00 – 12:00
BUILDING A NEW DECENTRALIZED INTERNET, WITH THE NODES IMPLANTED IN OUR BODIES
Dr. Mixæl S Laufer (Estados Unidos)

12:00 – 13:00
SS7 PROTOCOLS OF MOBILE NETWORKS – THE ENDLESS FIELD OF ZERO DAYS
Kirill Puzankov (Russia)

Lunch | 13:00 - 14:30

14:30 – 15:30
SIEMS FRAMEWORK: OPEN SOURCE MULTISIEM PYTHON ATTACK FRAMEWORK
Claudio Caracciolo (Argentina)

15:30 – 16:30
THE EXCITING SIDE OF IOT: PENTESTING SEX TOYS
Cecilia Pastorino (Argentina)
Denise Giusto (Argentina)

16:30 - 17:00 | Coffee break

17:00 – 18:00
METATHIEF: LEAKING CORPORATE SECRETS
Diego Espitia (Colombia)

18:00 – 19:00
KEYNOTE: BRAZILIAN BANKING BANDITS BILKING BILLIONS
Fabio Assolini (Brazil)

19:00 | End of day 1

Day 2 | 13 DEC 2019 | VIRTUAL

09:00 – 10:00
TPMSPOOFERS
Pedro C. aka s4ur0n (Spain)

10:00 – 11:00
MEMOIRS OF A COMPUTER FORENSICS EXPERT VOL. VI
Lorenzo Martínez (Spain)

11:00 – 12:00
GANS AND ROSES: WEAPONIZING THE CEO SCAM FRAUD WITH AI AND AUTOENCODERS
Pablo González Pérez (Spain)

12:00 – 13:00
SYMBOLIC EXECUTION OF ETHEREUM
Felipe Manzano (Argentina)

13:00 – 14:00
KEYNOTE: MY FIRST SOC: A FREE AND OPEN SOURCE SECURITY OPERATION CENTER STRATEGY
Bruno Guerreiro Diniz (Brazil)

Computer Security Conference

North

Talks

01 INTRO

Carlos Landeros

Ministry of the Interior and Public Security
Chile

06 TURN ON: EXPOSED INNOCENCE

Francisco Rodriguez

ITQ
Spain

02 HOW A HACKER CAN HELP THEIR COUNTRY

Senator Kenneth Pugh

Senate of the Republic of Chile
Chile

07 CHILE EXPOSED

Felipe Hott

Backupcode
Chile

03 AVT (ADVANCED VOLATILE THREAD) AND INFECTION WITH FILELESS MALWARE

Cristian Borghello

Segu-Info
Argentina

04 MACABRE STORIES OF A HACKER IN THE PUBLIC HEALTH SECTOR

Philippe Delteil

Chile

05 BIOHACKING THE DISABILITY

Gabriel Bergel

ElevenPaths
Chile
Rodrigo Quevedo

Robotics Lab Scl
Chile

Schedule

AGENDA

Day 1 | 30 JULY 2019

09:30 – 10:10

Introduction
Carlos Landeros
Director of the State Connectivity Network and CSIRT – Ministry of the Interior

10:20 – 10:50
How a Hacker Can Help Their Country
Senator Kenneth Pugh

12:20 – 13:00
Biohacking the Disability
Gabriel Bergel – Rodrigo Quevedo (Chile)
CSA Elevenpaths – General Director, Robotics Lab

COFFEE BREAK | 10:50 - 11:20

11:30 – 12:10
Keynote: Cristian Borghello (Argentina)
Director, Segu-Info
AVT (Advanced Volatile Thread) and Infection with Fileless Malware

Lunch | 13:00 - 14:30

14:30 – 15:10
Macabre Stories of a Hacker in the Public Health Sector
Philippe Delteil (Chile)
CEO – Founder, Info-sec

15:20 – 16:00
Turn On: Exposed Innocence
Francisco Rodriguez (Spain)
Cybersecurity Advisor, ITQ Latam

16:00 - 16:30 | Coffee break

16:40 – 17:20
Chile Exposed
Felipe Hott (Chile)
Founder, Director and Hacker at Backupcode

17:30 - 18:10 | Closing, awards

Computer Security Conference

Center

Talks
06 HACKING LAN NETWORKS, LIKE AN INSIDER (OR BOSS)
02 AVT (ADVANCED VOLATILE THREAD) AND INFECTION WITH FILELESS MALWARE
07 BIOHACKING THE DISABILITY

03 SOCIAL NETWORK THREAT ANALYSIS
Mike Price

ZeroFOX
United States
04 CYBERSECURITY ON MUNICIPAL WEBSITES
Hernán Sáez

Chile
05 MACABRE STORIES OF A HACKER IN PUBLIC HEALTH
Schedule

AGENDA

26 June 2019

09:30 – 10:10
Intro: Carlos Landeros – Director of the State Connectivity Network Program and CSIRT – Ministry of the Interior

10:20 – 10:50
Keynote: Cristian Borghello (Argentina) AVT (Advanced Volatile Thread) and Infection with Fileless Malware

COFFEE BREAK | 10:50 - 11:20

11:30 – 12:10
Mike Price (USA)
Social Networks Threats Modelling

12:20 – 13:00
Hernán Sáez (Chile)
Cybersecurity in Municipal Websites

Lunch | 13:00 - 14:30

14:30 – 15:10
Philippe Delteil (Chile)
Macabre Stories of a Hacker in Public Health

15:20 – 16:00
Panel Hackers VS CISO

16:00 - 16:30 | Coffee break

16:40 – 17:20
Paulo Colomes (Chile)
Hacking LAN Networks, like an Insider (or Boss)

17:30 – 18:10
Gabriel – Rodrigo (Chile)
Biohacking The Disability

18:20 - 18:40 | Closing, awards

Computer Security Conference

South

Talks
06 HACKING LAN NETWORKS, LIKE AN INSIDER (OR BOSS)
02 AVT (ADVANCED VOLATILE THREAD) AND INFECTION WITH FILELESS MALWARE
07 BIOHACKING THE DISABILITY

03 SOCIAL NETWORK THREAT ANALYSIS
Mike Price

ZeroFOX
United States
04 CYBERSECURITY ON MUNICIPAL WEBSITES
Hernán Sáez

Chile
05 MACABRE STORIES OF A HACKER IN PUBLIC HEALTH
Schedule

AGENDA

26 June 2019

09:30 – 10:10
Intro: Carlos Landeros – Director of the State Connectivity Network Program and CSIRT – Ministry of the Interior

10:20 – 10:50
Keynote: Cristian Borghello (Argentina) AVT (Advanced Volatile Thread) and Infection with Fileless Malware

COFFEE BREAK | 10:50 - 11:20

11:30 – 12:10
Mike Price (USA)
Social Networks Threats Modelling

12:20 – 13:00
Hernán Sáez (Chile)
Cybersecurity in Municipal Websites

Lunch | 13:00 - 14:30

14:30 – 15:10
Philippe Delteil (Chile)
Macabre Stories of a Hacker in Public Health

15:20 – 16:00
Panel Hackers VS CISO

16:00 - 16:30 | Coffee break

16:40 – 17:20
Paulo Colomes (Chile)
Hacking LAN Networks, like an Insider (or Boss)

17:30 – 18:10
Gabriel – Rodrigo (Chile)
Biohacking The Disability

18:20 - 18:40 | Closing, awards

Computer Security Conference

Mexico

Talks

01 THE SCADA VULNERABILITY LANDSCAPE: WHY IT’S A (BEGINNING) GANGSTA’S PARADISE
Michael DePlante
Trend Micro Zero Day Initiative
USA

Mat Powell
Trend Micro Zero Day Initiative
USA

05 DETECTING MALICIOUS FILES WITH YARA RULES AS THEY CROSS THE NETWORK

Patricio Sánchez
SCITUM-TELMEX
Mexico


David Bernal
SCITUM-TELMEX
Mexico

02 MEMORIES OF MY LATEST SAD INCIDENTS V2.0

Ricardo Zarazua
Deloitte
Mexico

Jong Min Park
Deloitte
Mexico

06 IDENTITY THEFT


Cynthia Solis
Mexico

03 GAME OVER: A LOOK AT THE VULNERABILITIES AFFECTING THE CONSOLES OF OUR GENERATION

Gerardo Vazquez
Mexico

07 ARTIFICIAL INTELLIGENCE AND CYBERSECURITY: APPLYING MACHINE LEARNING TO DETECT MALWARE

Quetzally Meza
Civilsphere Project
Mexico

04 TEZCATLIPOCA: ADVERSARY SIMULATION TOOL


Julio César Muñoz
Global Cybersec
Mexico

08 VULNERABILITY RESEARCH IN ROUTERS: A WALK THROUGH OF STEPS TO REVERSE ENGINEER TWO ROUTERS

Vincent Lee
Trend Micro
Canada

05 SIEMS FRAMEWORK: OPEN SOURCE MULTISIEM PYTHON ATTACK FRAMEWORK


Claudio Caracciolo

Eleven Paths
Argentina

Mexico 2019
