12 November 2021
We often think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general-purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through firmware analysis, decompiling, code review, and vulnerability demos. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your application security knowledge to new areas such as IoT, even if you’ve never done that before.
7 August 2021
We tend to think of AppSec and IoT as two separate infosec disciplines. Sure, the domain knowledge, attack vectors, and threat mitigation are not exactly the same in those two worlds. At the same time, as the hardware continues to evolve, we see more and more tiny general-purpose computers around us. Many of these tiny computers nowadays run software that is written in a conventional programming language, listen on network ports, process data inputs, and communicate with the outside world. These devices can be attacked just like any other application running on a desktop, on a server, or in the cloud.
In this talk, I am going to tell you a story about my hacking journey that unexpectedly took me from device configuration settings to software reverse engineering, vulnerability discovery, and six new CVEs. Together, we’ll go step by step through reconnaissance, firmware analysis, decompiling, code review, and remote debugging. I’ll also share my experience with the responsible disclosure process. I hope this talk inspires you to apply your general hacking skills to new areas such as IoT, even if you’ve never done that before.
1 October 2020
Cryptography is tricky. Sure, everybody knows not to roll their own crypto, but is it enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.”
In this talk, not only will we discuss what can go wrong, but also how attackers could take advantage of that. Insufficient entropy? Static initialization vector? Key reuse in a stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and the corresponding exploits, and understand how they could lead to real-life problems. Are you not on a red team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code!
12 June 2020
Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” Come learn how to exploit common crypto mistakes in theory and in practice!
12 June 2020
Yes, the same talk presented the fifth time :)
28 May 2020
Cryptography is tricky. Sure, everybody knows not to roll their own crypto, but is it enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.”
In this talk, not only will we discuss what can go wrong, but also how attackers could take advantage of that. Insufficient entropy? Static initialization vector? Key reuse in a stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and the corresponding exploits, and understand how they could lead to real-life problems.
Are you not on a red team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code!
21 May 2020
Cryptography is tricky. Sure, everybody knows not to roll their own crypto, but is it enough? Are the standard algorithms, libraries, and utilities always used the right way? This is of course a rhetorical question! Humans keep making mistakes that other humans can exploit, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.”
In this talk, not only will we discuss what can go wrong, but also how attackers could take advantage of that. Insufficient entropy? Static initialization vector? Key reuse in a stream cipher? Lack of ciphertext integrity? We’ve heard these terms and may be familiar with them in theory, but let’s see actual examples of these and other crypto mistakes and the corresponding exploits, and understand how they could lead to real-life problems.
Are you not on an offensive team and not interested in exploitation? Then this talk is for you too! Come and learn how to avoid common crypto mistakes in your code!
23 February 2020
Cryptography is hard. Doing it right is even harder, and Murphy’s law continues to prove true: “If there is a wrong way to do something, then someone will do it.” Come learn how to exploit common crypto mistakes in theory and in practice!
23 January 2020
Yes, the same talk presented the fourth time :)
6 December 2019
Yes, the same talk presented the third time :)
25 October 2019
Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand the security implications of data deserialization, and in the last couple of years this topic has received increasing focus in the security community, up to the point that insecure deserialization made it to the list of OWASP Top 10 most critical web application security risks! Needless to say, high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk.
In this session, we’ll discuss how serialized data are used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real-life vulnerabilities and related exploits. The presentation will contain several code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, cause a denial of service, and even perform remote code execution - all via insecure deserialization! The demos will use native Java, Python and .NET serialization, as well as JSON and XML formats. Of course, we’ll also talk about how to deserialize in a secure way!
Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application; by thinking like a hacker, you can write more secure code!
27 September 2019
Serialized data is neither new nor exciting. Serialization and deserialization have been in use by countless applications, services and frameworks for a long time. Many programming languages support serialization natively, and most people seem to understand it well. However, many of us don’t fully understand the security implications of data deserialization, and in the last couple of years this topic has received increasing focus in the security community, up to the point that insecure deserialization made it to the list of OWASP Top 10 most critical web application security risks! Needless to say, high-severity vulnerabilities in some well-known applications as well as popular frameworks such as Apache Struts and Apache Commons Collections raised awareness of this risk.
In this session, we’ll discuss how serialized data are used in software, talk about different serialization formats and the dangers of deserializing untrusted input. We will review some real-life vulnerabilities and related exploits. The presentation will contain lots of code examples with live demos of bypassing security controls by exploiting deserialization vulnerabilities. We’ll forge a session cookie, elevate privileges, alter execution flow, and even perform remote code execution - all via insecure deserialization! The demos will use native Java and .NET serialization, as well as JSON, XML, and other formats. Of course, we’ll also talk about how to deserialize in a secure way!
Next time you develop your awesome web or mobile app or a microservice, keep in mind how a clever attacker could create and supply malicious data to your application; by thinking like a hacker, you can write more secure code!
26 October 2018
If you read this catchy title and thought “Finally, somebody is going to teach me how to easily pass the dreaded CISSP exam!”, you’d be disappointed. This talk is not about cheating on a professional exam (who would ever do that?). As a matter of fact, this talk is not much about CISSP at all. Instead, we’ll be talking about reverse engineering a Java program and reusing its code to extract the valuable data, or in other words, using a few hacking techniques against an imperfect application to improve user experience, get the most out of the application, and ultimately, save one’s precious time. I will demonstrate in real time how to crack open an executable, decompile the underlying Java code, understand its behavior, and reuse the existing classes to make them do exactly what you want. While this is not rocket science, you should come to this talk with some basic Java programming knowledge, or at least being able to read and understand Java code. And in case you were wondering, I did pass the exam and got my CISSP certification, and I’m pretty sure this exercise contributed to my success.
12 October 2018
Insecure deserialization was recently added to OWASP’s list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.
We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities. The presentation will contain several code examples with live demos of bypassing security controls due to incorrect deserialization. The examples and demos will use Java and its native serialization, but the techniques can be extrapolated to other languages and formats.
22 May 2018
Panel discussion - Join local industry practitioners as they discuss the best practices used in getting superior results from your pen testing. Also share your ideas on the dos and don’ts of pen testing.
Moderator: Brian Ventura
Panelists: Alexei Kojenov, Ian Melven, Benny Zhao, and Scott Cutler
15 May 2018
Insecure deserialization is one of the most critical web application security risks, yet it is by no means a new vulnerability category. Data serialization and deserialization have been used widely in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, finally, remote code execution. Two recent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, helped raise awareness of this risk.
We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities.
16 April 2018
Insecure deserialization was recently added to OWASP’s list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. Data serialization and deserialization have been used widely in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, finally, remote code execution. Two recent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, helped raise awareness of this risk.
We will discuss how data serialization and deserialization are used in software, the dangers of deserializing untrusted input, and how to avoid insecure deserialization vulnerabilities.
21 October 2017
All modern software but the most trivial relies on common libraries to perform routine work. Your software may be a bastion of security, exhaustively tested and evaluated, but once a vulnerability is discovered in a library you depend on, all bets are off. These large and pervasive vulnerabilities quickly become popular targets, exploited by everybody from script kiddies, to professional hackers, to state actors. It is no surprise that the use of vulnerable libraries is included in the OWASP Top 10 list. The Australian Signals Directorate (ASD) lists patching operating systems and applications as two of their top four strategies to mitigate security incidents!
During a recent hacking game, we identified and exploited a vulnerability not anticipated by the developers. One little crack in a widely used library gave us the footing we needed to construct an attack chain of remote code execution, file upload, data exfiltration, source code disassembly, and branching into a private network, all despite an extremely high level of hardening of the target against unintended attacks. We’ll share with you how safe and fun library exploitation can be in the confines of a hacking game, and how there are serious implications for your corporate applications where the stakes are much higher. In fact, the very same vulnerability we exploited to own the hackathon was used by criminals to breach Equifax!
14 September 2017
All modern software but the most trivial relies on common libraries to perform routine work. Your software may be a bastion of security, exhaustively tested and evaluated, but once a vulnerability is discovered in a library you depend on, all bets are off. These large and pervasive vulnerabilities quickly become popular targets, exploited by everybody from script kiddies, to professional hackers, to state actors. It is no surprise that the use of vulnerable libraries is included in the OWASP Top 10 list. The Australian Signals Directorate (ASD) lists patching operating systems and applications as two of their top four strategies to mitigate security incidents!
During a recent hacking game, we identified and exploited a vulnerability not anticipated by the developers. One little crack in a widely used library gave us the footing we needed to construct an attack chain of remote code execution, file upload, data exfiltration, source code disassembly, and branching into a private network, all despite an extremely high level of hardening of the target against unintended attacks. We’ll share with you how safe and fun library exploitation can be in the confines of a hacking game, and how there are serious implications for your corporate applications where the stakes are much higher.
19 June 2017
All modern software but the most trivial relies on common libraries to perform routine work. Your software may be a bastion of security, exhaustively tested and evaluated, but once a vulnerability is discovered in a library you depend on, all bets are off. These large and pervasive vulnerabilities quickly become popular targets, exploited by everybody from script kiddies, to professional hackers, to state actors. It is no surprise that the use of vulnerable libraries is included in the OWASP Top 10 list. The Australian Signals Directorate (ASD) lists patching operating systems and applications as two of their top four strategies to mitigate security incidents!
During a recent hacking game, we identified and exploited a vulnerability not anticipated by the developers. One little crack in a widely used library gave us the footing we needed to construct an attack chain of remote code execution, file upload, data exfiltration, source code disassembly, and branching into a private network, all despite an extremely high level of hardening of the target against unintended attacks. We’ll share with you how safe and fun library exploitation can be in the confines of a hacking game, and how there are serious implications for your corporate applications where the stakes are much higher.