Slawomir Jasek, IT Security Consultant, SecuRing
The internet of things is rife with devices that use Bluetooth Low Energy (BLE), but they don't always take advantage of the link-layer security mechanisms (pairing, bonding and encryption) the standard provides. "A surprising number of devices do not (or simply cannot - because of the use scenario) utilize these mechanisms," says researcher Slawomir Jasek in his written description of his talk. Instead, security is implemented by the application on top of the Generic Attribute Profile (GATT) layer to protect communications between IoT devices and their controllers, such as mobile phones. He says it's easy to spoof an IoT device and trick the phone into connecting to it, setting up a man-in-the-middle (MITM) attack. "[J]ust imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication!" he writes. He will release a BLE MITM proxy tool that "opens a whole new chapter for your IoT device exploitation, reversing and debugging."
Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools
Wesley McGrew, Director of Cyber Operations, HORNE Cyber
McGrew says that penetration testers are often trained using widely available materials and tools that lead to inadequate protection of their clients' data and of the pen-testing procedure itself. "Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact," he says. McGrew will demonstrate techniques for hijacking testers' procedures and release all the tools he uses in the demo.
Does Dropping USB Drives in Parking Lots and Other Places Really Work?
Elie Bursztein, Anti-fraud and abuse research lead, Google
It is widely assumed that if you drop USB keys in a parking lot, they will be picked up and a large share of them will end up plugged into computers. Bursztein says his research included dropping 300 USB sticks in a parking lot. 98% were picked up and, of those, 48% were not only plugged into a computer but had files on them opened. His talk will analyze why people pick up these sticks, and he will release a tool to help mitigate these attacks.
I Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache
Cara Marie, Senior Security Consultant, NCC Group
Decompression bomb attacks use specially crafted compressed archive files that expand to many times their compressed size when unpacked, exhausting the memory or disk of the application that opens them until it crashes. But not all compression algorithms are equally suitable for the task. Marie has audited a large number of them to find out which make the best bomb candidates and will release the resulting archives at the conference. Researchers can use them to test whether their applications are susceptible to these attacks.
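The defensive side of the technique described above, as an added example that is not Marie's tool or any code from the talk: a small Python routine that builds a constructed ZIP "bomb" in memory (a few megabytes of zeros compress to a few kilobytes with DEFLATE) and an audit function that rejects an archive before it is fully inflated. The audit checks the declared sizes and per-member compression ratio from the central directory, then streams the actual inflated bytes against a hard cap, because declared sizes in an archive are attacker-controlled. The budget and ratio thresholds are assumptions chosen for the example, not values from the talk.

```python
import io
import zipfile

# Assumed thresholds for the example; tune to the application's real needs.
MAX_TOTAL_UNCOMPRESSED = 10 * 1024 * 1024  # 10 MiB total budget for the archive
MAX_RATIO = 100                            # reject any member inflating >100x


def build_zip(payload, name="payload.bin"):
    """Constructed sample archive: one member holding `payload`, DEFLATE-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_bomb_zip(uncompressed_size=20 * 1024 * 1024):
    """Constructed decompression bomb: runs of zeros compress ~1000:1 under DEFLATE."""
    return build_zip(b"\x00" * uncompressed_size)


def audit_zip(data, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Return (ok, reason) for an in-memory ZIP.

    1. Cheap metadata checks from the central directory (declared sizes, ratio).
    2. A streaming inflate with a byte cap, since the metadata can be forged.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"not a valid zip: {exc}"

    with zf:
        members = zf.infolist()
        total_declared = sum(info.file_size for info in members)
        if total_declared > max_total:
            return False, f"declared size {total_declared} exceeds budget {max_total}"

        for info in members:
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                ratio = info.file_size / info.compress_size
                return False, f"ratio {ratio:.0f}:1 for {info.filename} exceeds {max_ratio}:1"

        # Verify by actually inflating, but never past the budget.
        consumed = 0
        for info in members:
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    consumed += len(chunk)
                    if consumed > max_total:
                        return False, f"inflated size exceeds budget {max_total}"
    return True, "ok"


if __name__ == "__main__":
    print(audit_zip(build_zip(b"benign text " * 100)))
    print(audit_zip(build_bomb_zip(5 * 1024 * 1024)))   # under budget, caught by ratio
    print(audit_zip(build_bomb_zip()))                  # caught by declared size
```

The same three-stage pattern (declared size, ratio, capped streaming inflate) applies to gzip, bzip2 and xz streams, with the difference that single-stream formats carry no reliable declared size, so the capped streaming step is the only check that cannot be bypassed.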