Conference Talks – September/October 2022

Throughout September and October, members of NCC Group will be presenting their work at SANS CyberThreat, 44CON, ResponderCon, BSides St John’s, ICMC, DevOps World, RootCon, Hexacon, and Hardwear.io NL.

  • Ollie Whitehouse & Eric Shamper, “Enterprise IR: Live free, live large” to be presented at SANS CyberThreat (September 12-13 2022)
  • NCC Group, “Mastering Container Security,” training to be presented at 44CON (September 12-14 2022)
  • Balazs Bucsay, “Alternative ways to detect mimikatz” to be presented at ResponderCon (September 13 2022)
  • Jeremy Boone, “Shooting Yourself In The Boot – Common Secure Boot Mistakes” to be presented at BSides St John’s (September 15 2022)
  • Paul Bottinelli, “Selected Cryptography Vulnerabilities of IoT Implementations” to be presented at the International Cryptographic Module Conference (September 16 2022)
  • Viktor Gazdag, “War stories of Jenkins Security Assessments” to be presented at DevOps World 2022 (September 28-29 2022)
  • Balazs Bucsay, “Alternative ways to detect mimikatz” to be presented at RootCon (September 28-29 2022)
  • Cedric Halbronn & Alex Plaskett, “Toner Deaf – Printing your next persistence” to be presented at Hexacon (October 14-15 2022)
  • Sultan Qasim Khan, “Popping Locks, Stealing Cars, & Breaking a Billion Other Things: Bluetooth LE Link Layer Relay Attacks” to be presented at Hardwear.io NL (October 27-28 2022)

Please join us!

Enterprise IR: Live free, live large

Ollie Whitehouse & Eric Shamper

SANS CyberThreat 22

September 12-13, 2022

Abstract forthcoming.

Mastering Container Security

NCC Group

44CON

September 12-14, 2022

Containers and container orchestration platforms such as Kubernetes are on the rise throughout the IT world, but how do they really work and how can you attack or secure them?

This course takes a deep dive into the world of Linux containers, covering fundamental technologies and practical approaches to attacking and defending container-based systems such as Docker and Kubernetes.

In the 2022 version of the course the trainers will be focusing more on Kubernetes as it emerges as the dominant core of cloud native systems and looking at the wider ecosystem of products which are used in conjunction with Kubernetes.

Alternative ways to detect mimikatz

Balazs Bucsay

ResponderCon

September 13 2022

Mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behaviour analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. It turns out that mimikatz by default talks to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable of detecting most mimikatz variants out of the box. Another technique was implemented and will be part of the presentation, where the console communication is “sniffed”; this technique can be applied to other malware as well. Both techniques will be published and the code will be open-sourced after the con.

Shooting Yourself In The Boot – Common Secure Boot Mistakes

Jeremy Boone

BSides St. John’s

September 15 2022

Secure boot is the mechanism by which an embedded device safely loads and cryptographically verifies its runtime firmware or software. Secure boot is an important and necessary feature for embedded systems — without it, an attacker could compromise the device, implant a rootkit or bootkit, and even persist across factory resets or OS reinstalls. In this talk, I will describe how hardware devices typically implement secure boot, and will dive into several common implementation mistakes and foot-guns that can enable an adversary to bypass these low level hardware security controls.

Selected Cryptography Vulnerabilities of IoT Implementations

Paul Bottinelli

International Cryptographic Module Conference (ICMC 2022)

September 16, 2022

In this talk, Paul will present a number of selected cryptography vulnerabilities encountered during security reviews and penetration tests of IoT solutions.

War stories of Jenkins Security Assessments

Viktor Gazdag

DevOps World

September 29 2022

I will talk about 3 security engagements and how I was able to gain access to the Jenkins environment.

There will be an overview of what security configurations are available and what additional plugins can be installed to improve the security posture.

We will answer the question of whether these settings actually work, or whether there are gaps (for example, audit plugins that are available but have vulnerabilities of their own).

I will also share a Jenkins hardening checklist of easy wins that make an attacker’s life harder.

Alternative ways to detect mimikatz

Balazs Bucsay

RootCon

September 28-30 2022

Mimikatz is detected by AVs and EDRs in different ways, mostly based on signatures and behaviour analysis. These techniques are well known, but we looked into a few other things to find more exotic ways. It turns out that mimikatz by default talks to USB devices, so I created an emulated device as a user-mode driver for Windows, which is capable of detecting most mimikatz variants out of the box. Another technique was implemented and will be part of the presentation, where the console communication is “sniffed”; this technique can be applied to other malware as well. Both techniques will be published and the code will be open-sourced after the con.

Toner Deaf – Printing your next persistence

Cedric Halbronn & Alex Plaskett

Hexacon

October 14-15 2022

In November 2021, NCC Group won at the Pwn2Own hacking contest with an exploit against a Lexmark printer. This talk is about the journey from purchasing the printer with zero knowledge of its internals, to remotely compromising it using a vulnerability which affected 235 models, to developing a persistence mechanism, and more.

This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.


Popping Locks, Stealing Cars, and Breaking a Billion Other Things: Bluetooth LE Link Layer Relay Attacks

Sultan Qasim Khan

Hardwear.io Netherlands

October 27-28 2022

In this presentation I will show the workings of Sniffle Relay, the world’s first link layer relay attack on Bluetooth Low Energy (BLE), categorically defeating existing applications of BLE-based proximity authentication currently used to unlock millions of vehicles, smart locks, building access control systems, mobile devices, and laptops. This attack can be used to relay unlock commands over long distances, even when link layer encryption or GATT latency bounding have been used to mitigate existing BLE relay attack tools.

Unlike all pre-existing GATT-based BLE MITM and relay tooling, Sniffle Relay allows relaying connections that employ link layer encryption. Furthermore, Sniffle Relay applies novel relaying techniques that limit the added latency to within the range of normal GATT response timing variation, in many cases hiding the added latency altogether.

To emphasize the impact of these findings, I will demonstrate how this attack can be used to steal a Tesla Model Y, alongside multiple other demos – affecting in some cases up to hundreds of millions of devices each – some of which can be unlocked from halfway around the world.
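The latency-bounding point in the abstract above, as an added toy model written for this page (it is not Sniffle Relay’s code and not a BLE stack): a lock that accepts a GATT response only if it arrives within two connection intervals, a GATT-level relay that has to decode and re-send each ATT PDU and so adds tens of milliseconds per hop, and a link-layer relay that forwards PDUs untouched and adds a few. The 30 ms connection interval, the 2..28 ms host-stack processing time, the per-hop relay delays, the two-interval bound and the aligned connection events on every link are all assumptions chosen for the illustration.

```python
"""Toy model of BLE proximity authentication with a GATT latency bound,
and of what a relay adds to the measured round trip.

Constructed illustration for this page: not Sniffle Relay, not a BLE
stack, and every number below is an assumption.  All times are in ms.
"""
import math
import random

CONN_INTERVAL_MS = 30.0                    # assumed connection interval
LATENCY_BOUND_MS = 2 * CONN_INTERVAL_MS    # assumed: lock rejects slower responses


def _next_event(t_ms):
    """Time of the next connection event at or after t_ms.

    A response that is ready at t_ms can only be transmitted in that event,
    which is why GATT response times cluster on multiples of the connection
    interval.  Assumes event anchors aligned to t=0 on every link
    (a simplification; real links have independent anchor points).
    """
    return math.ceil(t_ms / CONN_INTERVAL_MS) * CONN_INTERVAL_MS


def observed_latency(processing_ms, relay_one_way_ms=None):
    """Round-trip time the lock measures for one GATT request/response.

    Direct: the request goes out at t=0, the phone's host stack needs
    processing_ms to answer, and the answer rides in the next event.
    Relayed: each direction first crosses the relay (relay_one_way_ms), and
    the answer is quantised twice, once on the phone<->relay link and once
    on the relay<->lock link.
    """
    if relay_one_way_ms is None:
        return _next_event(processing_ms)
    ready = _next_event(relay_one_way_ms + processing_ms)   # phone -> relay
    return _next_event(ready + relay_one_way_ms)            # relay -> lock


def proximity_check(latency_ms):
    """The lock's latency-bounding rule: accept only fast enough responses."""
    return latency_ms <= LATENCY_BOUND_MS


def relay_can_forward(relay_kind, link_encrypted):
    """A GATT-level relay must decrypt and re-encode ATT PDUs, which it cannot
    do without the link keys; a link-layer relay forwards encrypted PDUs as-is."""
    if relay_kind == "link-layer":
        return True
    if relay_kind == "gatt":
        return not link_encrypted
    raise ValueError(relay_kind)


def unlock_rate(relay_one_way_ms=None, trials=1000, seed=7):
    """Fraction of attempts that pass the latency bound, with the phone's
    host-stack processing time drawn uniformly from 2..28 ms (assumed)."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        processing = rng.uniform(2.0, 28.0)
        if proximity_check(observed_latency(processing, relay_one_way_ms)):
            passed += 1
    return passed / trials


if __name__ == "__main__":
    print("direct           :", unlock_rate())
    print("GATT relay, 50 ms:", unlock_rate(50.0))   # app-layer re-encode per hop
    print("link-layer, 4 ms :", unlock_rate(4.0))    # PDU forwarding per hop
```

Running it shows the direct phone always passing, the GATT-level relay never passing (its re-encode time pushes every response two or more intervals past the bound, and on an encrypted link `relay_can_forward` says it cannot relay at all), and the link-layer relay passing the large majority of attempts. The slack it hides in is the one extra connection interval of jitter that any latency bound has to tolerate for legitimate phones; a relay whose own delay is only a few milliseconds rarely tips a response over that boundary.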