by Axelle Apvrille  |  Oct 10, 2013  |  Filed in: Security Research

[Photo: Razvan Benchea and Dragos Gavrilut in the middle of their presentation]

I am very happy to have been at VB 2013 once again. The talks were quite interesting. If you were not able to attend, here's the write-up of some presentations I went to.

This post is the first in a three-part series. Click here for Part 2 and here for Part 3.

Andrew Lee - Ethics and the AV industry in the age of WikiLeaks (Keynote)

Andrew showed that surveillance programs are nothing new (the FISA Act dates back to 1978) and that they exist in numerous countries, not only the US and UK; SORM-2 in Russia is one example. He also listed a few cases where governments have been seen to spread malware:

- Magic Lantern, CIPAV - keylogger/spyware by the FBI
- Bundestrojaner/R2D2 - for Skype monitoring in Germany
- FinSpy - used in Malaysia, Egypt and Bahrain
- Stuxnet/Duqu - targeting Iranian equipment, created by the US/Israel

Although the military want surveillance on civilians because most terrorists are civilians, Andrew questioned the proportionality of the response: the money would have been better spent on education.

Best approximate quote: "Let's do things which aren't just for money"

Xinran Wang - An automatic analysis and detection tool for Java exploits

He started with some background on the security of Java: three Java 0-days were found within a few months in 2013, and Java exploits appear to have been on a significant rise this year. He then presented his tool for detecting Java exploits. It relies on several heuristics, such as detecting whether the Java security manager is disabled or whether the code attempts to execute external commands.
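
To make the heuristic approach concrete, here is an added example of my own (not Xinran Wang's tool, whose actual rules and scoring I do not know): a small Python scanner that runs the two indicators the talk named, plus a reflection indicator, over decompiled Java source. The indicator regexes, the weights, the threshold and both applet samples are constructed for this illustration.

```python
"""Static heuristics over decompiled Java source, in the spirit of the talk's
detector. Added example: indicator list, weights and samples are my own."""
import re
from typing import Dict, List, Tuple

# indicator name -> (regex over one source line, weight). Weights are assumed.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    # Classic sandbox-escape step: remove the security manager entirely.
    "security_manager_disabled": (
        re.compile(r"System\s*\.\s*setSecurityManager\s*\(\s*(?:\(\s*SecurityManager\s*\)\s*)?null\s*\)"),
        3,
    ),
    # An applet spawning an external program is almost never legitimate.
    "external_command_exec": (
        re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\("),
        2,
    ),
    # Reflection used to reach private/restricted members (common in 2013 escapes).
    "set_accessible_true": (re.compile(r"\.\s*setAccessible\s*\(\s*true\s*\)"), 1),
}

SUSPICIOUS_SCORE = 3  # assumed threshold: one sandbox disable, or exec + reflection


def scan_java_source(src: str) -> Dict[str, List[int]]:
    """Return {indicator: [1-based line numbers]} for every indicator that fires."""
    hits: Dict[str, List[int]] = {}
    for name, (pattern, _weight) in INDICATORS.items():
        lines = [n for n, line in enumerate(src.splitlines(), start=1) if pattern.search(line)]
        if lines:
            hits[name] = lines
    return hits


def score(hits: Dict[str, List[int]]) -> int:
    """Sum the weight of each distinct indicator that fired (not per occurrence)."""
    return sum(INDICATORS[name][1] for name in hits)


def verdict(src: str) -> str:
    return "suspicious" if score(scan_java_source(src)) >= SUSPICIOUS_SCORE else "clean"


# Constructed sample: the shape of a decompiled sandbox-escape applet of the era.
EXPLOIT_LIKE = """\
public class Loader extends java.applet.Applet {
    public void init() {
        try {
            java.lang.reflect.Field f = SomeClass.class.getDeclaredField("value");
            f.setAccessible(true);
            System.setSecurityManager(null);
            Runtime.getRuntime().exec("calc.exe");
        } catch (Exception e) {}
    }
}
"""

# Constructed sample: a harmless applet that only draws text.
BENIGN = """\
public class Hello extends java.applet.Applet {
    public void paint(java.awt.Graphics g) {
        g.drawString("Hello, VB2013", 20, 20);
    }
}
"""

if __name__ == "__main__":
    for label, src in (("exploit-like", EXPLOIT_LIKE), ("benign", BENIGN)):
        print(label, verdict(src), scan_java_source(src))
```

Scoring per distinct indicator rather than per occurrence keeps a single noisy pattern from dominating; in practice you would run this over the output of a decompiler on the class files pulled from the JAR, and treat the security-manager hit as a hard signal on its own.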

Sabina Datcu - Targeted social engineering attacks. Sensitive information, from a theoretical concept to a culturally defined notion

Sabina presented her research on the sensitivity of information and on what people are willing to share or not. You should read the paper for the details, but I'll sum it up with one striking point she made: she managed to access her own bank account using only public data retrieved from the Internet plus some social engineering. She retrieved her date of birth from a picture of a nice birthday cake she had posted on Facebook. For the credit card number, she looked at a photo she had posted in front of a hotel during her vacation, then called the hotel pretending to be from the bank and wanting to go over that particular transaction 'to check it'. The hotel gave away the credit card number, expiration date... So, the audience asked, what can we safely post on social networks? Well... nothing, if you want to be secure ;)

Quick key points of other presentations I went to (this ensures the blog post isn't too long ;)

Vlad Bordianu, Razvan Benchea, Dragos Gavrilut - Google and Apple markets: are their applications really secure?!

In terms of security, the speakers find that both markets are similar. Best comparison: repackaged apps are like stolen cars ;)

Justin Kim - In-memory ROP payload detection

He gathered a database of 1.5 million possible ROP gadgets; in hxds.dll alone, for example, there are 5,200 gadgets. As ROP chains are usually stored encrypted and only decrypted at runtime, he performs runtime memory scanning to detect ROP gadgets in the decrypted payload.
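
To show why the scan has to happen at runtime, here is an added example of my own (not Justin Kim's scanner): a toy Python memory scanner that looks for runs of consecutive pointer-sized values that all resolve to known gadget addresses, run over the same region before and after the payload's decode step. The gadget addresses, the single-byte XOR standing in for the exploit's decryption, the chain-length threshold and the memory region are all constructed for this illustration.

```python
"""Toy in-memory ROP chain scanner. Added example, not the talk's tool:
gadget addresses, XOR 'encryption' and the chain-length threshold are assumptions."""
import struct
from typing import List, Set, Tuple

PTR_SIZE = 4      # 32-bit process, as hxds.dll-era targets were
MIN_CHAIN = 4     # assumed: this many consecutive gadget pointers counts as a chain

# Constructed gadget database. A real one (the talk's held 1.5 million entries)
# is built by disassembling the loaded modules; these addresses are invented.
GADGETS: Set[int] = {0x51BD0000 + off for off in (0x1234, 0x2468, 0x3A5C, 0x4B10, 0x5C22, 0x6D34)}


def scan_for_rop(mem: bytes, gadgets: Set[int], min_chain: int = MIN_CHAIN) -> List[Tuple[int, int]]:
    """Return (offset, pointer_count) for every run of >= min_chain consecutive
    pointer-sized values that all hit the gadget set. Every byte alignment is
    scanned, since a sprayed chain need not sit on a pointer boundary."""
    findings: List[Tuple[int, int]] = []
    for align in range(PTR_SIZE):
        run_start, run_len = 0, 0
        for off in range(align, len(mem) - PTR_SIZE + 1, PTR_SIZE):
            (value,) = struct.unpack_from("<I", mem, off)
            if value in gadgets:
                if run_len == 0:
                    run_start = off
                run_len += 1
                continue
            if run_len >= min_chain:
                findings.append((run_start, run_len))
            run_len = 0
        if run_len >= min_chain:      # chain running into the end of the region
            findings.append((run_start, run_len))
    return sorted(findings)


def xor_bytes(buf: bytes, key: int) -> bytes:
    """Stand-in for the exploit's runtime decode step (single-byte XOR, assumed)."""
    return bytes(b ^ key for b in buf)


# Constructed memory region: benign bytes, the attacker's staged chain, more benign bytes.
FILLER = bytes(range(64))
CHAIN = struct.pack("<6I", *sorted(GADGETS))
KEY = 0x5A
REGION_BEFORE_DECODE = FILLER + xor_bytes(CHAIN, KEY) + FILLER
REGION_AFTER_DECODE = FILLER + xor_bytes(xor_bytes(CHAIN, KEY), KEY) + FILLER


def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Scan the same region before and after the payload has been decoded."""
    return scan_for_rop(REGION_BEFORE_DECODE, GADGETS), scan_for_rop(REGION_AFTER_DECODE, GADGETS)


if __name__ == "__main__":
    before, after = demo()
    print("before runtime decode:", before)   # []
    print("after runtime decode: ", after)    # [(64, 6)]
```

The encoded chain matches nothing because every pointer has been XORed out of the gadget set; only once the exploit has decoded it in place does the scanner see six consecutive gadget addresses at offset 64. That is the reason a static scan of the sprayed buffer is not enough, and why the talk's approach scans process memory at runtime.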

Jindrich Kubec, Eric Romang - Big bang theory of CVE-2012-4792

The watering hole attack actually started before December 27th. It was not a targeted attack, as many websites were compromised.

David Sancho, Peter Kruse - Tinba v2

An excellent intelligence presentation on the presumed authors, their organization and connections. Tinba stands for Tiny Banker, and it is quite comparable to ZeuS/Zitmo or SpyEye/Spitmo, with an advanced injection malware on the PC and a credential stealer on the mobile phone. Tinba particularly targeted banks in Turkey and the United Arab Emirates.

See you tomorrow!

-- the Crypto Girl

For my post about VB 2013 Day 2 click here.
