Thursday, 25 February 2016

8 great talks at #eko11, in english!

So, you don't speak Spanish?

Here are the 8 English-language talks given at ekoparty last year.
They were professionally translated into Spanish, simultaneously, for the non-English-speaking audience.
Of course, we did the same for the talks in Spanish (translated into English, naturally).

In no particular order, the talks:

Direct X – direct way to Microsoft Windows kernel - Nikita Tarakanov

Graphics technologies expose a large number of APIs in kernel-mode drivers that need to be accessible to ring 3 code. Whether you are creating a resource for a video game or a video player, you will end up using one of the low-level functions that the Windows Display Driver Model (WDDM) provides for interaction with the kernel driver. Graphics operations are intensive, complex, and accessible to unprivileged users. This research focuses on how to find vulnerabilities in the low-level, common ring 3 to ring 0 interactions defined by WDDM and exposed through the GDI user-mode library. In this presentation we will show you fuzzing statistics, methodologies, and vulnerabilities found in Intel, NVIDIA and ATI drivers.

Faux Disk Encryption: Realities of Secure Storage on Mobile Devices - Drew Suarez and Daniel Mayer

The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side, where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device, thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss or theft of a device: physical access can be used to bypass security controls and gain access to application data. Depending on the application's data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data. In this talk, we discuss the challenges mobile app developers face in securing data stored on devices, including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for most attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Android respectively. For each platform, we discuss in depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with an analysis of what can still go wrong even when current best practices are followed and what the security and mobile device community can do to address these shortcomings. At the end of our talk, attendees will understand the significant challenges involved in storing data on an always-on and portable device, how to securely store data for different use cases, and how to uncover secure storage flaws in real-world applications.

Stick That In Your (root)Pipe & Smoke It

You may ask: "why would Apple add an XPC service that can create setuid files anywhere on the system, and then blindly allow any local user to leverage this service?" Honestly, I have no idea! The undocumented 'writeconfig' XPC service was recently uncovered by Emil Kvarnhammar, who determined its lax controls could be abused to escalate one's privileges to root. Dubbed 'rootpipe', this bug was patched in OS X 10.10.3. End of story, right? Nope, instead things then got quite interesting. First, Apple decided to leave older versions of OS X unpatched. Then, an astute researcher discovered that the OSX/XSLCmd malware, which pre-dated the disclosure, exploited this same vulnerability as a 0day! Finally, yours truly found a simple way to side-step Apple's patch to re-exploit the core vulnerability on a fully-patched system. So come attend (but maybe leave your MacBooks at home), as we dive into the technical details of XPC and the rootpipe vulnerability, explore how malware exploited this flaw, and then fully detail the process of completely bypassing Apple's patch. The talk will conclude by examining Apple's response, a second patch, that appears to squash 'rootpipe'... for now.

Satellite TV Receivers: from remote control to root shell - Sofiane Talmat

The evolution of satellite TV encryption was closely followed by the emergence of a new generation of open set-top boxes (satellite receivers) that most of the time run a full Linux operating system, making them more like computers than simple receivers and bringing them into the IoT. In this session we will tear down a common satellite receiver and dive deep into its vulnerabilities from both a design and a technical point of view, highlighting how far satellite TV receivers are from being secure IoT devices. We will start with hardware analysis and component identification and move on to firmware and protocol analysis, discovering vulnerabilities at each level along with their exploitability and attack vectors. We will also describe technically how easily an attack could be conducted at every step, including its impact, given that millions of such devices are connected to the internet.

Warranty Void If Label Removed - Attacking MPLS Networks - Georgi Geshev

This talk will be a walk-through of research findings from assessing multiple MPLS implementations and the various key weaknesses found to affect a number of leading vendors. General MPLS and MPLS-related terms and concepts will be briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies. Several network reconnaissance techniques will be presented that allow an adversary to partially or, in some cases, fully reveal the MPLS backbone Label Switching Router (LSR) interconnections by leaking internal LSR IP addresses. The attack scenarios against service provider infrastructure will then be followed by attacks on customers of the MPLS domain. It should be noted that none of the examples and demonstrations require access to the MPLS backbone, i.e. attacks are executed from the perspective of a client of the MPLS domain. This talk will conclude with both general and, where applicable, vendor-specific best practices and recommendations on reducing the attack surface of an MPLS network.

Secure DevOps is possible: How osquery is built - Teddy Reed & Javier Marcos

Facebook's osquery is a Linux and OS X intrusion detection and response tool. It supports 10 OS flavors and is continuously built for 8 of those. It is very important that the infrastructure used to test, build, and publish security software be secure itself. This discussion presents how our Security team has enabled any GitHub contributor to submit C/C++/bash code to our CI and build server safely. We will guide the audience through our CI hardening process and the attack and vulnerability reports we have received through our bug bounty targeting CI. This includes isolating a Mac Mini fleet of build slaves, trusting Jenkins as little as possible, automatically building, signing, and publishing packages to AWS S3, doing the same for OS X kernel extension code, and adding 2-factor authentication to everything.

System updates, Attack and Defense - Sofiane Talmat

From device firmware to full, complex operating systems, system updates are critical to maintaining an up-to-date version of the running software, providing security patches and fixes for vulnerabilities. However, many update and upgrade systems contain vulnerabilities that could make things go wrong. In this talk we will not only dissect in detail some existing system update vulnerabilities, we will also dive deep into the common vulnerability concepts discovered during this research and previous work; we will describe different attack scenarios and approaches and how they could lead to the subversion of the whole system. We will also cover both common design and technical mistakes and best practices on how to design secure system updates and upgrades for both devices and software.

Learn about the enemy - Moonbeom Park

Many hacking incidents and acts of cyber terror happen in South Korea. KrCERT/CC has been analyzing and profiling 500 to 1,000 incident cases every year. Among those incidents, there are attacks and cyber terror against government agencies, media, broadcasting services, critical infrastructure and the financial sector by organizations from a different nation (suspected North Korean cyber warfare activity). They have been using similar malware and attack methods, built by the same organization over years of planning, which leads to the conclusion that an unknown enemy is conducting cyber warfare. This presentation will deal with North Korean cyber warfare organizations and their activity. The presentation includes analysis results of the malware and hacking methods (techniques used by North Korean hackers). You will learn that the malware and attack methods in their different incidents have something in common.
