Missed Black Hat or DEF CON?

in #black7 years ago

I'm sure lots of you are sad that Black Hat USA 2017 and DEF CON 25 are over. You had a hell of a time in Las Vegas, were given the opportunity to listen to some great talks and meet people who share the same interests. And of course, you've learned a lot and attended many great workshops. If one or more of these points apply to you, this article is probably not interesting for you.

You will find this article interesting if:

Everybody told you that you need to bring a dedicated travel phone when you pass the customs, however, the same people are calling you an idiot for planning to get a burner phone for Black Hat. Out of confusion you just stayed at home.
All you wanted is to see the great talks at DEF CON but it got canceled yet again!
You passed out at the bar when the cons started and woke up to people carrying their IMSI catchers out of the hotel at the end of DEF CON. Nothing to see here.
Your husband, wife or partner made you sleep on the couch until the end of the conferences because you suggesting to fly a few thousand miles to Sin City and leave them alone at home with the kids.

Or in other words: you couldn't attend. In all of those cases, you were probably interested in seeing the awesome talks. Now I have good news and bad news for you. The bad ones first: There are no videos yet. Yes, both conferences will make videos of the talks available over the course of the next few months. However, for now, all you can get are shaky three-minute clips of one-hour presentations and short PoC videos you won't understand if you didn't see the talk.

Now the good news. There are slides available. Yes, we've sifted through hours worth of "What if I told you?" memes and countless pages with the same diagram but different arrows and we've come up with a list of our favorite slides and papers concerning web application security.

SON Attacks, by Alvaro Muñoz and Oleksandr Mirosh

We've heard it countless times in recent years; don't use dangerous deserialization functions on user input, just use JSON instead. Let's just say this didn't work out too well. Thanks to these slides you'll understand why JSON deserialization is not
good idea either. An absolute must-read if you are a developer or hacker.

Do you keep track of all the extensions you have installed? You probably have a weather widget next to the URL bar, an extension that replaces every occurrence of "APT" with " 16-year-old hacker" and hopefully an Ad Blocker. However, after reading this paper you'll probably strip them down to a minimum. You'll probably also spend the rest of the day scrolling through your Facebook messages, just to see if a malicious plugin sent a message to some guy you haven't talked to for three years, asking him if he would like to install the coolest Chrome extension you've seen in a while. Awkward.
Summary

A malicious Chrome extension was spreading through Facebook messages.
Copy of a legitimate extension in the Chrome Web Store.
It loaded a script over the internet and injected it into every single page.
Created wix pages that redirected to the attacker's website.
At a later stage, it used social logins with the victim's Facebook for wix to avoid bot detection.

Abusing Certificate Transparency by Hanno Böck

A modern web without TLS? Not gonna happen. One particularly useful approach to further secure TLS is the certificate transparency log; whenever a new certificate is created it can be submitted there for anyone to see. So no need to disable zone transfers anymore, yay! cough. In the future, certificates that aren't in the log won't be accepted by browsers like Google Chrome. Those Certificate Transparency logs are public and Hanno Böck shows you how attackers can abuse this fact to automatically take over web servers by using install scripts before the user can. But don't worry, he'll also show you how to avoid that effectively.
Summary

He uses crt.sh to find (sub)domains that just got their SSL certificate.
He then checks if there's an install script, e.g. for WordPress.
If there is one, he installs the script using his own database and installs a backdoor script on the server.
After that he reverts all the changes he made, presenting the user with a fresh install script again, however, it still contains the backdoor.

That's All From Black Hat and DEF CON Folks!
Those were our favorite talks of this year's DEF CON 25 and Black Hat USA conferences. We are looking forward to seeing the videos of all the slides and hope you enjoyed them as much as we did. It's time to leave the couch now and buy some flowers for your better half.

Sort:  

Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.netsparker.com/blog/news/missed-blackhat-defcon-2017/

Congratulations @mouach! You have completed some achievement on Steemit and have been rewarded with new badge(s) :

You published your First Post
You got a First Vote

Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here

If you no longer want to receive notifications, reply to this comment with the word STOP

By upvoting this notification, you can help all Steemit users. Learn how here!

verry good job thinks

nice work

Hi, as a sign of my support for the tag #sports and #football, I vote for you and begin to follow you