Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
SecTor
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
1/17/2019
09:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Go Hands-On with New Security Tricks at Black Hat Asia

Get up close and personal with the latest tools and techniques for testing (and breaking) everything from HTTPS to deep neural networks to Microsoft Office!

Nothing beats practical training and hands-on time with new infosec tools and techniques, so don’t overlook the smorgasbord of opportunities at Black Hat Asia in March.

For example, Microsoft Office is everywhere, and in “Office in Wonderland” you’ll pick up some new tricks to use (and abuse) it for your own purposes. The Outflank B.V. researchers presenting this Briefing will disclose details on new Word and Excel vulnerabilities, release attack vectors that Microsoft deemed features, and demonstrate the security impact of the architectural design of the MS Office suite.

They’ll also share their most recent findings and insights into unexplored legacy functionality in the MS Office suite that can be abused in all stages of an attack. For example, they’ll demonstrate how to abuse Word documents for stealing sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, and how to bypass the most recent security features in MS Office (AMSI for VBA, ASR).

If you’re interested in the inner workings of neural networks, make time to check out the Black Hat Asia 2019 Briefing on “The Cost of Learning from the Best: How Prior Knowledge Weakens the Security of Deep Neural Networks.” Presented by researchers from Baidu and Syracuse University, this Briefing will walk you through an intriguing vulnerability that allows an attacker to effectively attack black-box object detection DNNs (deep neural networks) using adversarial examples generated from white-box open source models.

In practice, that means you’re going to get a guided tour of a new hidden attack vector of DNNs which allows adversarial examples to be efficiently generated against black-box models used in mission-critical tasks such as facial recognition, image classification, and autonomous driving. If you work with (or are thinking of working with) neural networks, this is a Briefing you don’t want to skip!

Got blockchain security on the brain? Consider “Monocerus: Dynamic Analysis for Smart Contract”, an efficient 25-minute Briefing which will introduce you a lightweight, multi-platform framework for dynamic analysis of Ethereum smart contracts.

Smart contracts are a big deal for the future of financial tech, but they can be hard to dynamically analyze and test because of their big selling point: the use of blockchain. Monocerus is designed to lay a foundation for dynamic analysis on the Ethereum blockchain.  If you come to this Briefing you’ll get a first-hand look at how it works. Plus, you’ll get to check out the new analysis toolset built on top of Monocerus (including a bytecode debugger, code tracer/profiler and advanced fuzzer) and see some cool demos.

Plus, check out the “Zombie POODLE, GOLDENDOODLE, and How TLSv1.3 Can Save Us All” Briefing from Tripwire’s VERT (Vulnerability and Exposures Research Team) if you want a practical look at how vulnerable HTTPS encryption is due to the weaknesses of the underlying TLSv1.2 protocol.

This session will highlight research into more effective testing and exploitation techniques for CBC (cipher-block chaining) padding oracles. You’ll see how a slight tweak to the old POODLE attack resurrected the vulnerability in a major enterprise HTTPS implementation more than three years after it had been patched. The presentation will also introduce GOLDENDOODLE, a special case attack based on POODLE with the promise to disclose session IDs in just a fraction of the time it takes to exploit POODLE.

In “Who Left Open the Cookie Jar?”, presented by researchers from KU Leuven, you’ll get useful insight into how cookies are currently used and abused as online authentication tools. You’ll explore several flaws revealed by the presenters’ unique testing framework, which they used to evaluate the policy implementations of seven browsers and 46 browser extensions. 

Even built-in protection mechanisms can be circumvented by the researchers’ novel techniques: they claim to have documented bypasses for every anti-tracking or ad-blocking browser extension tested. How do they work? Why do they work, and how do you deal with them? Come to this Briefing to find out!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29. Early registration pricing for Briefings & Trainings ends Friday, January 18, so register before then to get the best price!

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-23258
PUBLISHED: 2022-01-25
Microsoft Edge for Android Spoofing Vulnerability.
CVE-2021-43799
PUBLISHED: 2022-01-25
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this inclu...
CVE-2022-23031
PUBLISHED: 2022-01-25
On BIG-IP FPS, ASM, and Advanced WAF versions 16.1.x before 16.1.1, 15.1.x before 15.1.4, and 14.1.x before 14.1.4.4, an XML External Entity (XXE) vulnerability exists in an undisclosed page of the F5 Advanced Web Application Firewall (Advanced WAF) and BIG-IP ASM Traffic Management User Interface (...
CVE-2022-23032
PUBLISHED: 2022-01-25
In all versions before 7.2.1.4, when proxy settings are configured in the network access resource of a BIG-IP APM system, connecting BIG-IP Edge Client on Mac and Windows is vulnerable to a DNS rebinding attack. Note: Software versions which have reached End of Technical Support (EoTS) are not evalu...
CVE-2022-23008
PUBLISHED: 2022-01-25
On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. No...