10 Can't-Miss Talks at Black Hat Asia
With threats featuring everything from nation-states to sleep states, the sessions taking place from March 20-23 in Singapore are relevant to security experts around the world.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt6c292ad520467829/64f0d92d2087df839611019a/BHA_intro.png?width=700&auto=webp&quality=80&disable=upscale)
Mobile and platform security are popular topics for next month's Black Hat Asia conference in Singapore, where industry experts will meet from March 20-23 to learn about newly discovered exploits and the tools and techniques to defend against them.
Lidia Giuliano, independent security professional and member of the Black Hat Asia Regional Review Board, notes she was impressed by the diversity of this year's submissions. Session topics cover mobile, cryptography, IoT, exploit development, malware, policy, network defense, data forensics and incident response, reverse engineering, Web application security, the security development lifecycle, hardware, and platform security, among others.
Much of this year's research will dig into mobile threats, particularly on the Android operating system. "People have their whole lives on their mobile phones," Giuliano explains. "It's a window into their lives and that puts people in a really vulnerable position."
Here, we put the spotlight on Black Hat Asia talks that are expected to deliver groundbreaking and useful information for security pros. If you're planning to attend, dig out your schedules and let us know what you're excited to see.
Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.
"This caught the attention of many of us," says Giuliano of the Regional Review Board. "They're tapping into a strategy, a technique that many wouldn't think about: when you're turning your computer off or powering it back on."
When you shut down and reboot a computer, restarting components takes time, and security devices might be temporarily shut down. However, many PCs, laptops and servers that support enhanced configuration and power interface have six sleeping states, and if the firmware only powers down as far as the S3 sleeping state, it can reactivate security devices somewhat more quickly.
This more wakeful S3 state can be manipulated, however. Jun-Hyeok Park and Seunghun Han, both researchers with the National Security Research Institute of South Korea, will explain how attackers can use the S3 sleeping state to neutralize the Intel Trusted eXecution Environment (TXT), a hardware-based mechanism that validates platform trustworthiness during boot and launch. Their attack targets tBoot, which protects the Virtual Machine Monitor and OS, in order to neutralize Intel TXT. This attack has never been published.
"What they're doing is very innovative, thinking outside the box," says Giuliano.
As Google has added mechanisms like PXN and SELinux to improve Android kernel security, manufacturers have added their own mitigations. The top Android OEMs are Samsung, Huawei, Oppo, and Vivo, which collectively made up 47.2% of the global market share in 2017.
Jun Yao and Tong Lin, both security researchers with Core team, conducted in-depth research on these OEMs' security measures. They will disclose the details of these mitigations, demonstrate how to bypass them, and discuss protective steps.
"iPhone is more challenging because it's a closed platform, but with Android and Google, people can take the source and make it their own," says Giuliano, adding that the global market share of the four OEMs makes this research especially noteworthy.
Zhe Zhou, who specializes in vulnerabilities of mobile payment systems at Fudan University, will discuss vulnerabilities in popular mobile payment schemes designed to provide a secure and seamless user experience. In many of these transactions, an attacker can steal the payment token and buy anything on behalf of the victim without their knowledge.
The payment token is the key security element for mobile payments, and researchers argue it is weakly protected. When an attacker steals a token, researchers found the token can be kept alive for a long period of time, during which a thief can use it to spend money. This research included successful attacks against payment service providers Alipay and Samsung Pay.
The current payment framework should be updated for security, researchers say. They recommend every token be bound to a specific transaction.
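To make the recommendation concrete, here is an added example (not code from the talk or from any payment provider) contrasting a token that only proves "this account authorised a payment" with one bound to a single transaction. The HMAC construction, the field layout, the `SERVER_SECRET`, and the `acct-42` / `merchant-A` values are all assumptions made for this illustration.

```python
import hmac
import hashlib
import secrets
import time

# Constructed issuer secret for the example; a real issuer keeps this in an HSM/KMS.
SERVER_SECRET = b"example-issuer-secret-do-not-reuse"


def _mac(secret: bytes, message: str) -> str:
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def issue_unbound_token(secret: bytes, account_id: str) -> str:
    """Weak scheme: the MAC covers only the account. Nothing says which merchant,
    what amount, or until when, so a copied token replays anywhere until revoked."""
    return f"{account_id}|{_mac(secret, account_id)}"


def verify_unbound_token(secret: bytes, token: str) -> bool:
    account_id, mac = token.rsplit("|", 1)
    return hmac.compare_digest(mac, _mac(secret, account_id))


def issue_bound_token(secret: bytes, account_id: str, merchant_id: str,
                      amount_cents: int, ttl_seconds: int = 60, now=None) -> str:
    """Bound scheme: the MAC also covers merchant, amount, a fresh nonce and an
    expiry, so the token authorises exactly one transaction, once."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    expiry = int(now) + ttl_seconds
    payload = f"{account_id}|{merchant_id}|{amount_cents}|{nonce}|{expiry}"
    return f"{payload}|{_mac(secret, payload)}"


def verify_bound_token(secret: bytes, token: str, merchant_id: str,
                       amount_cents: int, seen_nonces: set, now=None) -> bool:
    """Accept only if the MAC verifies, the merchant and amount match the
    transaction being presented, the token is unexpired, and its nonce is fresh.
    seen_nonces is the issuer's replay cache (a set for this example)."""
    now = time.time() if now is None else now
    try:
        account_id, tok_merchant, tok_amount, nonce, expiry, mac = token.split("|")
    except ValueError:
        return False
    payload = f"{account_id}|{tok_merchant}|{tok_amount}|{nonce}|{expiry}"
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return False  # tampered or forged
    if tok_merchant != merchant_id or int(tok_amount) != amount_cents:
        return False  # stolen token presented for a different purchase
    if now > int(expiry):
        return False  # stale token
    if nonce in seen_nonces:
        return False  # replay of an already-spent token
    seen_nonces.add(nonce)
    return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """Replay scenario: a token issued for a 5.00 purchase at merchant-A is copied
    and presented again, elsewhere, for another amount, and after expiry."""
    weak = issue_unbound_token(SERVER_SECRET, "acct-42")
    strong = issue_bound_token(SERVER_SECRET, "acct-42", "merchant-A", 500, now=now)
    seen = set()
    return {
        "weak_replayed_anywhere": verify_unbound_token(SERVER_SECRET, weak),
        "bound_legit": verify_bound_token(SERVER_SECRET, strong, "merchant-A", 500, seen, now=now),
        "bound_replayed_same_tx": verify_bound_token(SERVER_SECRET, strong, "merchant-A", 500, seen, now=now),
        "bound_other_merchant": verify_bound_token(SERVER_SECRET, strong, "merchant-B", 500, set(), now=now),
        "bound_other_amount": verify_bound_token(SERVER_SECRET, strong, "merchant-A", 99999, set(), now=now),
        "bound_expired": verify_bound_token(SERVER_SECRET, strong, "merchant-A", 500, set(), now=now + 3600),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

Only the first check in `demo()` (the unbound token) and the legitimate bound transaction are accepted; every replay, redirect, amount change or stale presentation of the bound token is rejected. The nonce cache is the part most often forgotten in real deployments: without it a bound token can still be replayed at the same merchant for the same amount within its validity window.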
An Amazon Web Services access key is "an unscratched instant lottery ticket" for attackers, say Atlassian's Dan Bourke and Daniel Grzelak. The senior security analyst and head of security, respectively, will present a project designed to generate, annotate, and alert on AWS keys configured as honey tokens.
"Project Spacecrab" is intended to inform businesses when an attacker finds one of their AWS access keys. Security teams can use their CI/CD or orchestration infrastructure to put keys anywhere, even across the supply chain. When attackers find them, they'll use them and set off alerts so security teams will know when and where a breach happens.
This discussion is newsworthy given the number of AWS data leaks in the news, Giuliano points out. Many organizations have mistakenly left product keys and open repositories exposed to attackers. This project will let them use AWS keys to detect breaches or find exposed keys they didn't know were out there, which she describes as "flipping the concept on its head."
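The alerting half of the idea, as an added example that is not Project Spacecrab's code: a small detector that reads CloudTrail-style records and raises an alert whenever one of the planted key IDs is used, naming where that key was planted. The record field names (`userIdentity.accessKeyId`, `eventName`, `sourceIPAddress`, `eventTime`, `errorCode`) are the ones CloudTrail emits; the key IDs, planting locations and log lines are constructed placeholders.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed registry: honey-token access key IDs mapped to where each was planted.
# These are placeholder IDs, not real AWS keys.
HONEY_TOKENS: Dict[str, str] = {
    "AKIAHONEYEXAMPLE0001": "git repo internal-tools, file .env",
    "AKIAHONEYEXAMPLE0002": "CI runner build-agent-07, ~/.aws/credentials",
}


@dataclass(frozen=True)
class Alert:
    key_id: str
    planted_at: str
    event_name: str
    source_ip: str
    event_time: str
    error_code: str  # CloudTrail logs the call even when it fails with AccessDenied


def parse_records(raw: str) -> List[dict]:
    """Accept either a CloudTrail log file ({"Records": [...]}) or JSON Lines."""
    try:
        doc = json.loads(raw)
        if isinstance(doc, dict) and "Records" in doc:
            return list(doc["Records"])
        if isinstance(doc, list):
            return doc
        return [doc]
    except json.JSONDecodeError:
        return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_honey_token_use(records: Iterable[dict],
                           honey: Dict[str, str] = HONEY_TOKENS) -> List[Alert]:
    """Flag every record whose access key ID is one of the planted honey tokens.
    A honey key has no legitimate caller, so any use at all is an alert,
    regardless of whether the API call succeeded."""
    alerts: List[Alert] = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in honey:
            continue
        alerts.append(Alert(
            key_id=key_id,
            planted_at=honey[key_id],
            event_name=rec.get("eventName", "?"),
            source_ip=rec.get("sourceIPAddress", "?"),
            event_time=rec.get("eventTime", "?"),
            error_code=rec.get("errorCode", ""),
        ))
    return alerts


# Constructed sample log (JSON Lines): one legitimate call, then two calls with a
# honey key, the typical "who am I / what can I see" probing pattern.
SAMPLE_LOG = """
{"eventTime": "2018-03-01T08:14:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.12.7", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIALEGITEXAMPLE0000"}}
{"eventTime": "2018-03-01T09:52:41Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.45", "userIdentity": {"type": "IAMUser", "userName": "honey-ci", "accessKeyId": "AKIAHONEYEXAMPLE0002"}}
{"eventTime": "2018-03-01T09:53:10Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "honey-ci", "accessKeyId": "AKIAHONEYEXAMPLE0002"}}
"""


def run(raw: str = SAMPLE_LOG) -> List[Alert]:
    return detect_honey_token_use(parse_records(raw))


if __name__ == "__main__":
    for a in run():
        print(f"[HONEY TOKEN USED] {a.event_time} {a.event_name} from {a.source_ip} "
              f"key={a.key_id} planted at: {a.planted_at} {a.error_code}")
```

The `planted_at` mapping is what turns a generic "credential used" alert into a breach location: the honey key from the CI runner being used from an external address tells the team which host or repository was read. Because the key carries no permissions, the second call fails with `AccessDenied`, which is still logged and still an alert.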
Researcher Moritz Lipp and PhD student Michael Schwarz, both with the Graz University of Technology, will show it's possible to implement malware inside Intel SGX. The technology was created to protect code and data from disclosure or modification.
"What is cool about this is the researchers have created malware that runs in SGX as an unprivileged user without detection," says Giuliano. "Their malware is able to obtain a copy of the RSA keys potentially being stored in the enclave, which appears as a series of memory access calls, making detection challenging."
The team will demonstrate the attack is possible by launching a cross-enclave attack and recovering an RSA key used in a secure signature process. This scenario can be found in the wild in Bitcoin wallets implemented inside SGX to protect the private key; an attacker could use the same technique to steal private Bitcoin keys. Their main takeaway is that SGX can help attackers conceal their malware without using any kernel component, privileges, or operating system modifications.
Millions of IoT devices have become part of everyday life but most are vulnerable to cyberattacks, say Chen Geng and Jingyu Yang of Tencent. The security researcher and senior security researcher, respectively, will demonstrate a new worm prototype called UbootKit, which targets the bootloader of IoT devices and spreads across various devices.
UbootKit is a manipulation attack against the bootloader. Attackers can use it to remotely control infected devices and spread malware across devices. It's difficult to remove, even by pressing the reset button, and affects different IoT devices running on Linux.
Geng and Yang will show how UbootKit propagates across ARM and MIPS-based devices and spreads to other devices using password scanning or remote execution exploits. They'll also present a mitigation solution of adding an integrity verification procedure at the on-chip code.
SEAndroid, or SELinux in Android, was implemented in Android 4.3 to enforce mandatory access control over all processes and improve security by restricting privileged processes. However, its effectiveness depends on the policies written for each device. Many policy engineers grant too much permission and, in doing so, increase the attack surface and open the door to privilege escalation attacks.
Alibaba Group's Xiangyu Liu, Yang Song, and Yi Zhang will demonstrate a new policy analysis tool called VSPMiner, which uses machine learning to detect vulnerable SEAndroid policies in the wild. The team evaluated this tool on the policy rules of more than 2,000 firmware images from 22 popular vendors. It detected up to 132,702 vulnerable policy rules, they report.
Giuliano explains how this is noteworthy because people typically only focus on policy violations. This goes a step further to detect when vulnerable policies are created.
"Instead of saying 'We forgot to add this policy,' it's saying 'Someone has created a policy but we don't think it's in line,'" she explains. "To me, this sounds like it has huge potential."
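To show what "a policy that exists but is out of line" looks like, here is an added example that is not VSPMiner and does not use its method: a rule-based checker that parses SEAndroid `allow` rules from policy source and flags ones granting a low-trust domain dangerous permissions on a sensitive type. The `LOW_TRUST_DOMAINS`, `SENSITIVE_TYPES` and `DANGEROUS_PERMS` sets are this example's own heuristics, and the sample policy is constructed (the type and domain names in it are ordinary AOSP ones, but the vendor rules are made up).

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Simple TE allow-rule form:  allow <src> <tgt>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;",
    re.MULTILINE,
)

# Constructed heuristics for this example (not VSPMiner's model).
LOW_TRUST_DOMAINS: Set[str] = {"untrusted_app", "isolated_app", "shell", "mediaserver"}
SENSITIVE_TYPES: Set[str] = {"kernel", "init", "vold", "kmem_device", "block_device",
                             "proc_security", "tee_device", "sysfs"}
DANGEROUS_PERMS: Set[str] = {"write", "execute", "execute_no_trans", "ioctl",
                             "transition", "ptrace", "setattr", "mounton"}
DANGEROUS_CAPS: Set[str] = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace"}

Rule = Tuple[str, str, str, Set[str], str]  # (src, tgt, cls, perms, raw text)


@dataclass(frozen=True)
class Finding:
    rule: str
    reason: str


def parse_allow_rules(policy_text: str) -> List[Rule]:
    """Extract allow rules; comments and non-allow statements are ignored."""
    rules: List[Rule] = []
    for m in ALLOW_RE.finditer(policy_text):
        perms = set(m.group("perms").strip("{} ").split())
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), perms,
                      m.group(0).strip()))
    return rules


def audit_policy(policy_text: str) -> List[Finding]:
    """Flag rules where a low-trust domain is over-permissioned."""
    findings: List[Finding] = []
    for src, tgt, cls, perms, text in parse_allow_rules(policy_text):
        if src not in LOW_TRUST_DOMAINS:
            continue  # privileged daemons are expected to touch sensitive types
        risky = perms & DANGEROUS_PERMS
        if tgt in SENSITIVE_TYPES and risky:
            findings.append(Finding(
                text, f"{src} gets {sorted(risky)} on sensitive type {tgt}"))
        elif tgt == "self" and cls == "capability" and perms & DANGEROUS_CAPS:
            findings.append(Finding(
                text, f"{src} holds capabilities {sorted(perms & DANGEROUS_CAPS)}"))
    return findings


# Constructed sample policy mixing normal AOSP-style rules with two vendor additions.
SAMPLE_POLICY = """
# normal: apps may read and execute system libraries
allow untrusted_app system_file:file { read getattr execute open };
# vendor addition: any app may write to raw block devices
allow untrusted_app block_device:blk_file { read write ioctl };
# expected: the volume daemon manages block devices
allow vold block_device:blk_file { read write ioctl };
# vendor debug leftover: shell may load kernel modules
allow shell self:capability { sys_module sys_rawio };
# harmless read-only access
allow untrusted_app kernel:file { read getattr };
"""


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"VULNERABLE RULE: {f.rule}\n  reason: {f.reason}")
```

The point of the `src not in LOW_TRUST_DOMAINS` short-circuit is the distinction Giuliano draws: the `vold` rule is the same text as the flagged `untrusted_app` rule apart from the source domain, and it is correct, so a checker has to reason about who is being granted what, not just whether a rule is present. A learned model like VSPMiner's generalises the hand-written sets used here.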
MacOS malware is growing in popularity as more people use Macs, but malware analysis for the operating system is still lagging behind. Researchers have created a MacOS analyzer called "Mac-A-Mal," which monitors components at the kernel level so analysts can investigate malware on MacOS. It uses kernel-level hooking to detect and mitigate malware anti-analysis techniques.
Fabio Massacci, professor at Italy's University of Trento, and Pham Duy Phuc, malware analyst at SfyLabs B.V., created the tool and used it to hunt Mac samples on VirusTotal. They discovered a new organized adware campaign which uses several Apple developer certificates, undetected keyloggers, and Trojan samples, as well as hundreds of other malware samples.
"There's a lot of vulnerability research done in Windows or Linux, but nobody ever talks about MacOS," says Giuliano. "I love the fact that they're addressing static and dynamic malware," she adds, noting that some vendors don't address both.
This continues the theme of Apple-focused research. The Apple platform, specifically iOS, is believed to be immune from global threats like WannaCry due to its system security features and strict Apple Store security policy. Now, researchers claim to have discovered a remote ransomware attack affecting iOS and OSX platforms in the wild.
Ju Zhu and Moony Li, both staff engineer-developers at Trend Micro, will discuss how they hunted for a remote iOS ransomware attack based on profile installation, and defeated it in the cradle. They'll show how the iOS ransomware hijacks your phone screen or causes system crashes using profile installation, or as they call it, "death profile." As part of their presentation, they'll demonstrate static and dynamic solutions to find and remediate the threat.
Starting in 2016, researchers began noticing significant changes in the targets and motivations of Lazarus Group, Bluenoroff, and Andariel, three APT groups believed to operate out of the same country and known for destruction, cyber heist, and espionage.
Independent security researcher Chi-en (Ashley) Shen will join Kyoung-ju Kwak, manager of the Korea Financial Security Institute (KFSI), and KFSI assistant manager Min-Chang Jang to discuss four recent campaigns conducted by the groups. These targeted banks in South Korea and EMEA, as well as an ATM company and Bitcoin exchange service providers. The researchers will share the malware, vulnerabilities, IoC, and attack vectors they found, and explain how they uncovered the new command-and-control infrastructure.