July 1, 2018
SummerCon is a different type of conference than most, and honestly sometimes it’s tough to hear the talks over the noise of the crowd at the bar. This year, the organizers added a second venue to try to spread out the noise from the great conversations and impromptu meetings, so some of the talks could be heard. We wanted to share a few notes on our teams’ key takeaways from the weekend.
First of all, congratulations to our team member Alexei Bulazel (@0xAlexei) for sharing his methodology for reverse engineering Windows Defender’s JavaScript engine and Windows emulator. Alexei demonstrated the custom tooling he built to explore these engines, explained his findings from nine months of reverse engineering, and touched on how attackers could evade or exploit the emulator from within.
Vlad Wolstencroft presented an excellent talk entitled “Exploiting the Exploiters: Hunting Fraud in Telecom Networks”. His presentation looked at a part of telecom infrastructure we hadn’t seen discussed on stage before – the GSM gateways (sometimes called “simboxes”) which are used to place “fake” phones onto mobile networks – often to route calls internationally more cheaply than via the legitimate routes, to commit billing fraud, or to inject spam into a network. While we’ve seen numerous issues in telecom devices over the years, Vlad’s talk showed these boxes to be in a “different class” – and not in a positive way. These devices hold a large amount of personal data, as most telecom infrastructure does; in this case it includes the voice and SMS data routed through them, including things like 2FA codes from major providers (sidenote: this is one more reason we often work to move our customers off SMS authentication in favor of app- or hardware-based 2FA tokens).
From a security point of view, Vlad’s results seem to indicate these devices have weak authentication mechanisms and, in some cases, other services like telnet exposed. The systems also appeared to have very basic vulnerabilities, such as command injection in web UIs that allowed full access. He showed one device with “custom” authentication: the device gave the operator a challenge, and the operator had to compute a response from it to log in. We’ve often seen this type of scheme in devices we target, and most are straightforward to reverse engineer to the point of writing a “keygen” for them, as was the one Vlad found. It’s another reminder of why obfuscation and custom-rolled approaches should, wherever possible, be replaced with cryptographically secure systems that don’t rely on hiding secrets in deployed devices. We know all too well from many projects we’ve done that such login schemes could be replaced with a secure system based on standard cryptography.
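As an added illustration of the alternative described above (this is our own example, not code from Vlad’s talk or from any gateway vendor), here is a challenge-response login in which the device stores only the operator’s public key: a signature over a fresh, single-use nonce is required, so dumping the device’s firmware or storage yields nothing that lets someone answer a challenge, and replayed responses are rejected. The `Device` and `Respond` names, the 32-byte nonce size and the use of Ed25519 are assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device side: holds only the operator's public key, never a secret.
type Device struct {
	operatorPub ed25519.PublicKey
	pending     map[string]bool // outstanding challenges, consumed on use
}

func NewDevice(pub ed25519.PublicKey) *Device {
	return &Device{operatorPub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce and remembers it (assumed size).
func (d *Device) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	d.pending[string(c)] = true
	return c, nil
}

// Login accepts a response only if it is a valid signature over a challenge
// this device issued and has not yet consumed, so replays and unsolicited
// challenges both fail.
func (d *Device) Login(challenge, response []byte) bool {
	if !d.pending[string(challenge)] {
		return false
	}
	delete(d.pending, string(challenge))
	return ed25519.Verify(d.operatorPub, challenge, response)
}

// Operator side: the private key stays with the operator, off the device.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := NewDevice(pub)
	c, _ := dev.Challenge()
	r := Respond(priv, c)
	fmt.Println("valid login:", dev.Login(c, r), "replay:", dev.Login(c, r))
}
```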
We enjoyed how this talk covered not just the vulnerabilities, but also discussed the market and specific findings from his mapping work. It was the style of talk with live demos and new content that we don’t often see at conferences anymore.
We also enjoyed the stories in Juan Andres Guerrero-Saade’s talk on “Hunting for Code Similarity at Scale”, and would have loved to see more discussion of modern work on code similarity, or more on how his method handles the challenges of false-positive suppression and picking good bytestrings.
Once again, SummerCon delivered a good selection of talks (and entertainment) this year, so we had to focus on a few here. The variety of talks was pretty large, but there was definitely not a lack of technical content to be had. There are lessons from this conference for just about anyone in the field of security. It was great seeing some of our friends, co-workers, and clients, both new and old. We very much look forward to seeing what next year’s conference has in store!