Black Hat Asia
March 26-29, 2019
Singapore
Black Hat USA
August 3-8, 2019
Las Vegas, NV, USA
Black Hat Europe
December 3-6, 2019
London UK
1/17/2019
09:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Go Hands-On with New Security Tricks at Black Hat Asia

Get up close and personal with the latest tools and techniques for testing (and breaking) everything from HTTPS to deep neural networks to Microsoft Office!

Nothing beats practical training and hands-on time with new infosec tools and techniques, so don’t overlook the smorgasbord of opportunities at Black Hat Asia in March.

For example, Microsoft Office is everywhere, and in “Office in Wonderland” you’ll pick up some new tricks to use (and abuse) it for your own purposes. The Outflank B.V. researchers presenting this Briefing will disclose details on new Word and Excel vulnerabilities, release attack vectors that Microsoft deemed features, and demonstrate the security impact of the architectural design of the MS Office suite.

They’ll also share their most recent findings and insights into unexplored legacy functionality in the MS Office suite that can be abused in all stages of an attack. For example, they’ll demonstrate how to abuse Word documents for stealing sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, and how to bypass the most recent security features in MS Office (AMSI for VBA, ASR).

If you’re interested in the inner workings of neural networks, make time to check out the Black Hat Asia 2019 Briefing on “The Cost of Learning from the Best: How Prior Knowledge Weakens the Security of Deep Neural Networks.” Presented by researchers from Baidu and Syracuse University, this Briefing will walk you through an intriguing vulnerability that allows an attacker to effectively attack black-box object detection DNNs (deep neural networks) using adversarial examples generated from white-box open source models.

In practice, that means you’re going to get a guided tour of a new hidden attack vector of DNNs which allows adversarial examples to be efficiently generated against black-box models used in mission-critical tasks such as facial recognition, image classification, and autonomous driving. If you work with (or are thinking of working with) neural networks, this is a Briefing you don’t want to skip!

Got blockchain security on the brain? Consider “Monocerus: Dynamic Analysis for Smart Contract”, an efficient 25-minute Briefing which will introduce you a lightweight, multi-platform framework for dynamic analysis of Ethereum smart contracts.

Smart contracts are a big deal for the future of financial tech, but they can be hard to dynamically analyze and test because of their big selling point: the use of blockchain. Monocerus is designed to lay a foundation for dynamic analysis on the Ethereum blockchain.  If you come to this Briefing you’ll get a first-hand look at how it works. Plus, you’ll get to check out the new analysis toolset built on top of Monocerus (including a bytecode debugger, code tracer/profiler and advanced fuzzer) and see some cool demos.

Plus, check out the “Zombie POODLE, GOLDENDOODLE, and How TLSv1.3 Can Save Us All” Briefing from Tripwire’s VERT (Vulnerability and Exposures Research Team) if you want a practical look at how vulnerable HTTPS encryption is due to the weaknesses of the underlying TLSv1.2 protocol.

This session will highlight research into more effective testing and exploitation techniques for CBC (cipher-block chaining) padding oracles. You’ll see how a slight tweak to the old POODLE attack resurrected the vulnerability in a major enterprise HTTPS implementation more than three years after it had been patched. The presentation will also introduce GOLDENDOODLE, a special case attack based on POODLE with the promise to disclose session IDs in just a fraction of the time it takes to exploit POODLE.

In “Who Left Open the Cookie Jar?”, presented by researchers from KU Leuven, you’ll get useful insight into how cookies are currently used and abused as online authentication tools. You’ll explore several flaws revealed by the presenters’ unique testing framework, which they used to evaluate the policy implementations of seven browsers and 46 browser extensions. 

Even built-in protection mechanisms can be circumvented by the researchers’ novel techniques: they claim to have documented bypasses for every anti-tracking or ad-blocking browser extension tested. How do they work? Why do they work, and how do you deal with them? Come to this Briefing to find out!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29. Early registration pricing for Briefings & Trainings ends Friday, January 18, so register before then to get the best price!

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.