Protect Your Assets
If you want better security, think like a bad guy: HP ESP represents at Black Hat USA 2014

markpainter ‎07-24-2014 03:04 PM - edited ‎06-11-2015 09:24 AM

From our Capture the Flag event to our most expansive Black Hat demo station ever, HP Enterprise Security Products has a huge presence at Black Hat USA 2014: ArcSight, Fortify, and TippingPoint will all be there. For fun, we are hosting a ‘foodie’s dream’ customer dinner. And of course we are also participating in several sessions and briefings.



HP Sponsor Session: A Deep Dive into Zero-Day Security Intelligence and Collaboration

8/7 @ 2:15 pm | Location: Mandalay Bay I


Despite the success of independent and vendor bug bounty programs, more software vulnerability information is going for sale to the highest bidder on the black market. What does this mean to you? If you’re a security vendor, you miss the opportunity to understand the anatomy of zero-day vulnerabilities and identify new evasion techniques not seen previously to protect your customers. If you’re the affected software vendor, you’re stuck with your pants down not knowing what to fix until it’s too late. If you’re the customer, you’ve probably been the victim of a breach, but you don’t even know it. So what can you do to be prepared for a zero-day attack?


Join experts from HP Security Research Zero Day Initiative and HP TippingPoint to gain a deep understanding of the inner workings of a security research team. Learn the techniques and intelligence behind the discovery, research, creation and deployment of zero-day vulnerability filters, and how you can be better prepared to defend against a zero-day attack. You will also see how strategic threat intelligence feeds that share threat data and analysis help you gain real-time intelligence on adversaries, attack vectors, methods and motivations behind current threats.


HP Briefings:


Topic: “Reverse Engineering for Fun & Benefit” | Speaker(s): Matt Oh

8/6 @ 10:15 am | Location: Jasmine Ballroom


Summary: There are many benefits to interacting directly with Flash memory when you're having a hard time finding the correct JTAG connection points. That's especially true when you're a software reverse engineer who delves into hardware reversing. Some vendors intentionally obfuscate JTAG points or remove them to prevent reverse engineering.

In this talk, we look closely at the process of reverse engineering embedded devices by interacting directly with Flash memory. We also look at reprogramming chips and putting them back on the board. The fun with this method is that you can access the underlying out-of-band data that contains page and block information. As Flash memory is a fragile medium, bad blocks and page data contamination are common problems. Whenever you extract data from memory, you need to account for this metadata; when you write the data back, you need to recalculate checksums and set the correct flags in these areas. We talk about the chips we've worked on and how we have dealt with the metadata.


The other entertaining part we'll examine is the file system. Embedded systems that interact directly with Flash memory usually use journaling file systems to avoid repeating write operations on specific pages. The journaling file system is interesting as it contains the entire history of file operations. You can just mount the file system directly from your Linux box or you can write a simple parser to check the history of the file system operations. This feature might give reverse engineers a good view of how Flash memory is programmed and used.


Topic: “Protecting Data In-Use From Firmware and Physical Attacks” | Speaker(s): Steve Weis

8/6 @ 2:50 pm | Location: South Seas IJ


Summary: Recent revelations of the NSA ANT program illustrated the many well-known and low-cost physical and firmware attacks that can compromise data in-use and system integrity. These attacks have become more concerning as more computing infrastructure runs outside an organization's physical control.


This talk will review several such attacks, including SMM bootkits, "cold booting," and malicious devices. We'll discuss several existing tools and technologies that can mitigate these risks, such as Trusted Execution Technology (TXT) and memory encryption technologies. We will also discuss how upcoming technologies such as Software Guard Extensions (SGX), Enhanced Privacy ID (EPID), and TPM 2.0 can help protect against firmware and physical threats.


Topic: “Thinking Outside the Sandbox: Violating Trust in Uncommon Ways” | Speaker(s): Brian Gorenc, Jasiel Spelman

8/7 @ 11:45 am | Location: South Seas F


Summary: Attacking the modern browser and its plugins is becoming harder. Vendors are employing numerous mitigation technologies to increase the cost of exploit development. An attacker is now forced to uncover multiple vulnerabilities to gain privileged-level code execution on his targets. First, an attacker needs to find a vulnerability, leak an address to get around ASLR, and bypass DEP to gain code execution within the renderer process. The attacker then needs to bypass the application sandbox to elevate his privileges, which will allow him to do something interesting. Our journey begins at the sandbox and investigates some of the more obscure techniques used to violate this trust boundary.


What should you focus on when you are auditing a sandbox implementation? There are the traditional approaches: find a memory corruption vulnerability in IPC message handling, attack the kernel to get SYSTEM-level privilege escalation, or abuse shared memory regions. Sure, any of these will work but they may not be the easiest way. Our presentation will examine four bypass techniques successfully used in winning entries at this year's Pwn2Own contest. We will analyze the attack vector used, root causes, and possible fixes for each technique. These uncommon, yet highly effective, approaches have been used to bypass the most advanced application sandboxes in use today, and understanding them will provide a unique perspective for those working to find and verify such bypasses.


Topic: “Probabilistic Spying on Encrypted Tunnels” | Speaker(s): Brandon Niemczyk, Prasad Rao

8/7 @ 5:00 pm | Location: South Seas IJ


Summary: At the network layer, encrypted tunnels are typically seen as black boxes. Network traffic, however, leaks side-channel information that can often be analyzed to determine what the tunnel is being used for and the type of content being sent over it. Probabilistic algorithms will be explored that can analyze this side-channel information and identify application protocols within the tunnel. An open-source toolkit containing the algorithms and attacks presented will be released.


Topic: “Lessons Learned from Recent Breaches: What should you do now?” | Speaker(s): Steven Riley

8/6 @ 11:45 am | Location: Business Hall Theater B

As analysts interpret and prioritize threats using intrusion detection systems, firewalls, and other boundary protection devices, they discover anomalous data that is often associated with external threats. This session looks through the eyes of a SOC Analyst to diagnose the anatomy of current breaches, including how adversaries successfully gain unauthorized access, infiltration techniques used, and how they maintain access to accomplish their objectives.


You can find information on other briefings and sessions at the Black Hat USA schedule page.
