CyberCyderSecCon is filling in for CiderSecCon! After having canceled our on-site event in the beautiful Technoseum in Mannheim, we decided to go virtual / digital / stream, whatever term fits best! We had 6 talks running on Saturday, March 14th and are planning more for today. Streaming will start at 15:45 / 3:45 PM CET / Berlin.

Saturday, March 14th

CyberCyderSecCon started live at 15:45 CET / Berlin with a nice talk by Sébastien Dudek on Smart grid (in)security, just as announced for our on-site event. He was followed by two lightning talks:

  • Jens Heinrich - CI/CD/CDon’t? - Deliberations on the threat model of continuous delivery systems
  • Matthias - Rosenmontag: Attacking users through third party docker containers

We then continued with a spontaneous contribution by Veronica Valeros presenting on Machete Cyber Espionage Operations in Latin America. We also had a presentation by Patrick Eisenschmidt, who presented his talk on IoT Security and alarm systems. The session was closed by King Kévin’s talk “I just want a USB cable!”.

All talks were presented via a Zoom meeting and streamed to YouTube, which was the quickest and easiest setup for us to put together on short notice. The recordings will be nicely cut, cleaned and re-published during the week!

Sunday, March 15th

We’ll be streaming again at 15:45 CET / Berlin. Right now we have two talks lined up:

Please follow us on Twitter for the newest information: CyberCyderSecCon on Twitter

A Few Messages From the Team


A Big Thank You to the Team

Getting here wasn’t easy and took a fair amount of work. Thus it’s my honor to send out a Thank You to everyone who made things possible, especially:

Chris as co-organizer, left-hand and right-hand and also his wife for keeping him going!

And the rest of our core team:

Some of them might not feel that thanks are necessary, but even though the on-site event didn’t happen, we wouldn’t have gotten this far without your help!

A further Thank You goes out to Sergej, we’ll have to do that Hacker Jeopardy Revival at some other point!

Yours, Brian

Talk Summaries

In order of presentation

Veronica Valeros: Machete Cyber Espionage Operations in Latin America

Saturday, March 14th, ~17:30

Authors

Veronica Valeros, Czech Technical University in Prague, veronica.valeros@aic.fel.cvut.cz
Maria Rigaki, Czech Technical University in Prague, maria.rigaki@aic.fel.cvut.cz
Kamila Babayeva, Czech Technical University in Prague, babaykam@fel.cvut.cz
Sebastian Garcia, Czech Technical University in Prague, sebastian.garcia@agents.fel.cvut.cz

Bios

Veronica Valeros

Veronica is a researcher and intelligence analyst from Argentina. Her research has a strong focus on helping people and involves different areas, from wireless and Bluetooth privacy issues to malware, botnets and intrusion analysis. She has presented her research at international conferences such as BlackHat, EkoParty, Botconf and others. She is the co-founder of the MatesLab hackerspace based in Argentina, and co-founder of the Independent Fund for Women in Tech. She is currently the director of the CivilSphere project at the Czech Technical University, dedicated to protecting civil organizations and individuals from targeted attacks.

Maria Rigaki

Maria is a researcher and PhD student at Czech Technical University in Prague. Her research focus is in exploring the limits of machine learning applications in security both from an offensive and a defensive perspective. Before that she spent many years working as a software developer and systems architect. Her work spanned several domains including designing and developing solutions for telecommunications, physical security, emergency response systems and critical infrastructures.

Kamila Babayeva

Kamila is a bachelor student at the Czech Technical University in Prague. She is highly interested in understanding and analyzing malware. She currently works as a junior Malware Reverser at CivilSphere, a project dedicated to protecting civil organizations and individuals from targeted attacks. She spends her free time learning and programming in Python.

Sebastian Garcia

Sebastian is a malware researcher and security teacher who has extensive experience in machine learning applied to network traffic. He created the Stratosphere IPS project, a machine learning-based, free software IPS to protect civil society. He likes to analyze network patterns and attacks with machine learning. As a researcher in the AIC group of the Czech Technical University in Prague, he believes that free software and machine learning tools can help better protect users from abuse of their digital rights. He has been teaching in several countries and universities and working on penetration testing for both corporations and governments. He was lucky enough to talk at Ekoparty, DeepSec, Hacktivity, Botconf, Hacklu, InBot, SecuritySessions, ECAI, CitizenLab, ArgenCor, Free Software Foundation Europe, Virus Bulletin, BSides Vienna, HITB Singapore, CACIC, etc. As a co-founder of the MatesLab hackspace he is a free software advocate who has worked on honeypots, malware detection, distributed scanning (dnmap), keystroke dynamics, Bluetooth analysis, privacy protection, intruder detection, robotics, microphone detection with SDR (Salamandra) and biohacking.

Summary

Reports on cyber espionage operations have been on the rise in the last decade. However, operations in Latin America are heavily under-researched and potentially underestimated. In this paper we analyze and dissect a cyber espionage tool known as Machete. The results presented in this work are based on the collection, reversing, and analysis of Machete samples from 2013 to 2019. The large collection of samples allowed us to analyze changes in features and the malware's evolution, including the latest changes introduced in January 2019.

Our research shows that Machete is operated by a highly coordinated and organized group who focuses on Latin American targets. We describe the five phases of the APT operations, from delivery to exfiltration of information, and we show why Machete is considered a cyber espionage tool. Furthermore, our analysis indicates that the targeted victims belong to military, political, or diplomatic sectors. The review of almost six years of Machete operations shows that it is likely operated by a single group, and their activities are possibly state-sponsored. Machete is still active and operational to this day.

Jiska Classen: Bluetooth debugging on all platforms

Summary

Debugging IoT devices is cumbersome. Especially their wireless components might fail without further insights on what is happening. In this talk you will learn how to debug Bluetooth connections on mobile devices like smartphones.

Classic Bluetooth and Bluetooth Low Energy (BLE) abstract most of the chip’s lower layer functionality from the host device. Connection management is completely up to the chip. Thus, Bluetooth lower layers are hard to debug and modify. While there exist open tools like ‘btlejack’ for Machine-in-the-Middle (MITM) analysis of BLE connections, they are missing support for current versions of the Bluetooth specification. Moreover, they often fail to follow the Bluetooth hopping and encryption scheme and, thus, lose connections or do not even sniff them initially.

In contrast, we developed and use ‘InternalBlue’, which runs on the Bluetooth device itself. By design, it cannot miss any wireless packet that arrives on the device. Various devices and operating systems are supported, such as iPhones with jailbroken iOS and the Samsung Galaxy S series with rooted Android. The capabilities of ‘InternalBlue’ go beyond passive analysis of the Host Controller Interface (HCI), which is already supported on these devices. For example, it is possible to see management information from the Link Layer (LL) to further debug connections. With binary patching, even insights on the metadata of each packet can be extracted, such as its current BLE channel and Received Signal Strength Indicator (RSSI), including keep-alive packets that are usually discarded before being forwarded to the host. This information is valuable for debugging connection problems, but can also be used to actively analyze and blacklist channels to further improve throughput.

Moreover, the LL also contains details about the security of a connection. It contains generic information, such as the Bluetooth version and encryption status, but it is also a rich source of further chip-related security information, such as the chip’s vendor and firmware minor version.

This talk provides internals about implementations of Bluetooth stacks on various operating systems, and how to modify them in order to get access to the chip itself. We also show demos and give examples of how to use chip access to build your own patches. Examples include tests for recent attacks like KNOB.
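The abstract mentions that per-packet channel and RSSI metadata from the Link Layer can be used to analyze and blacklist channels. The following is an added example of that idea, written for this page; it is not code from the talk or from the InternalBlue project. It takes constructed `(channel, RSSI)` records (the `ch=<n> rssi=<dBm>` log format, the RSSI floor and the minimum packet count are assumptions made for the example), computes per-channel statistics, derives the set of channels to mark as bad, and encodes the result as the 5-byte channel map that the host can hand to the controller. The opcode and parameter layout of the LE Set Host Channel Classification command (OGF 0x08, OCF 0x0014) follow the Bluetooth Core Specification.

```python
"""Channel quality analysis from BLE Link Layer packet metadata.

Added example for this page, not part of the original post or of InternalBlue.
The log format, thresholds and sample packets below are constructed for the
example; the HCI opcode and channel map layout follow the Bluetooth Core Spec."""

from collections import defaultdict
from statistics import mean

# BLE has 37 data channels (0..36); 37, 38 and 39 are advertising channels and
# are never part of the connection channel map.
DATA_CHANNELS = 37

# Constructed sample capture: (channel, rssi_dbm). RSSI closer to 0 is stronger.
SAMPLE_PACKETS = [
    (0, -55), (0, -58), (1, -54), (2, -90), (2, -93), (2, -91),
    (3, -60), (5, -57), (7, -88), (7, -92), (10, -56), (10, -59),
    (12, -61), (20, -63), (25, -95), (30, -58), (36, -57),
]


def parse_metadata_line(line):
    """Parse one constructed log line of the form 'ch=<n> rssi=<dBm>'.

    Returns (channel, rssi), or None when a field is missing or the channel
    is an advertising channel (not part of the data channel map)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if "ch" not in fields or "rssi" not in fields:
        return None
    ch, rssi = int(fields["ch"]), int(fields["rssi"])
    if not 0 <= ch < DATA_CHANNELS:
        return None
    return ch, rssi


def channel_stats(packets):
    """Mean RSSI and packet count per observed data channel."""
    by_ch = defaultdict(list)
    for ch, rssi in packets:
        by_ch[ch].append(rssi)
    return {ch: (mean(v), len(v)) for ch, v in by_ch.items()}


def classify_channels(stats, rssi_floor_dbm=-85, min_packets=2):
    """Return the set of data channels to mark as bad.

    A channel is bad when enough packets were seen on it to judge it and its
    mean RSSI is below the floor. Channels with too few observations stay
    usable ('unknown'), the conservative choice for a host classification."""
    return {ch for ch, (avg, n) in stats.items()
            if n >= min_packets and avg < rssi_floor_dbm}


def channel_map(bad_channels):
    """Build the 5-byte (40-bit, little-endian) channel map: bit i set means
    channel i is usable. Bits 37..39 are reserved and stay zero. The spec
    requires at least two usable channels, so refuse to emit a map with fewer."""
    bits = 0
    for ch in range(DATA_CHANNELS):
        if ch not in bad_channels:
            bits |= 1 << ch
    if bin(bits).count("1") < 2:
        raise ValueError("channel map must leave at least two channels usable")
    return bits.to_bytes(5, "little")


def hci_set_host_channel_classification(cmap):
    """HCI command packet with H4 framing: 0x01, opcode (LE16), param length, params.
    Opcode = (OGF << 10) | OCF with OGF 0x08 (LE Controller) and OCF 0x0014."""
    opcode = (0x08 << 10) | 0x0014
    return bytes([0x01]) + opcode.to_bytes(2, "little") + bytes([len(cmap)]) + cmap


if __name__ == "__main__":
    stats = channel_stats(SAMPLE_PACKETS)
    bad = classify_channels(stats)
    for ch in sorted(stats):
        avg, n = stats[ch]
        flag = "BAD" if ch in bad else ""
        print(f"ch {ch:2d}: {n} pkts, mean RSSI {avg:6.1f} dBm {flag}")
    cmap = channel_map(bad)
    print("channel map:", cmap.hex())
    print("HCI command:", hci_set_host_channel_classification(cmap).hex())
```

With the sample data, channels 2 and 7 are marked bad; channel 25 is weak but seen only once, so it stays usable. Whether the controller honours the classification is up to the chip, which is exactly why the talk's approach of observing the LL directly is useful: it lets you verify from the metadata whether the blacklisted channels actually stop appearing.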