Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Black Hat USA
July 31 - August 5, 2021
Las Vegas, NV, USA
SecTor
November 4 - October 30, 2021
Toronto, ON, Canada
Black Hat Europe
November 8-11, 2021
Virtual Event
1/17/2019
09:00 AM
Black Hat Staff
Black Hat Staff
Event Updates
50%
50%

Go Hands-On with New Security Tricks at Black Hat Asia

Get up close and personal with the latest tools and techniques for testing (and breaking) everything from HTTPS to deep neural networks to Microsoft Office!

Nothing beats practical training and hands-on time with new infosec tools and techniques, so don’t overlook the smorgasbord of opportunities at Black Hat Asia in March.

For example, Microsoft Office is everywhere, and in “Office in Wonderland” you’ll pick up some new tricks to use (and abuse) it for your own purposes. The Outflank B.V. researchers presenting this Briefing will disclose details on new Word and Excel vulnerabilities, release attack vectors that Microsoft deemed features, and demonstrate the security impact of the architectural design of the MS Office suite.

They’ll also share their most recent findings and insights into unexplored legacy functionality in the MS Office suite that can be abused in all stages of an attack. For example, they’ll demonstrate how to abuse Word documents for stealing sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, and how to bypass the most recent security features in MS Office (AMSI for VBA, ASR).

If you’re interested in the inner workings of neural networks, make time to check out the Black Hat Asia 2019 Briefing on “The Cost of Learning from the Best: How Prior Knowledge Weakens the Security of Deep Neural Networks.” Presented by researchers from Baidu and Syracuse University, this Briefing will walk you through an intriguing vulnerability that allows an attacker to effectively attack black-box object detection DNNs (deep neural networks) using adversarial examples generated from white-box open source models.

In practice, that means you’re going to get a guided tour of a new hidden attack vector of DNNs which allows adversarial examples to be efficiently generated against black-box models used in mission-critical tasks such as facial recognition, image classification, and autonomous driving. If you work with (or are thinking of working with) neural networks, this is a Briefing you don’t want to skip!

Got blockchain security on the brain? Consider “Monocerus: Dynamic Analysis for Smart Contract”, an efficient 25-minute Briefing which will introduce you a lightweight, multi-platform framework for dynamic analysis of Ethereum smart contracts.

Smart contracts are a big deal for the future of financial tech, but they can be hard to dynamically analyze and test because of their big selling point: the use of blockchain. Monocerus is designed to lay a foundation for dynamic analysis on the Ethereum blockchain.  If you come to this Briefing you’ll get a first-hand look at how it works. Plus, you’ll get to check out the new analysis toolset built on top of Monocerus (including a bytecode debugger, code tracer/profiler and advanced fuzzer) and see some cool demos.

Plus, check out the “Zombie POODLE, GOLDENDOODLE, and How TLSv1.3 Can Save Us All” Briefing from Tripwire’s VERT (Vulnerability and Exposures Research Team) if you want a practical look at how vulnerable HTTPS encryption is due to the weaknesses of the underlying TLSv1.2 protocol.

This session will highlight research into more effective testing and exploitation techniques for CBC (cipher-block chaining) padding oracles. You’ll see how a slight tweak to the old POODLE attack resurrected the vulnerability in a major enterprise HTTPS implementation more than three years after it had been patched. The presentation will also introduce GOLDENDOODLE, a special case attack based on POODLE with the promise to disclose session IDs in just a fraction of the time it takes to exploit POODLE.

In “Who Left Open the Cookie Jar?”, presented by researchers from KU Leuven, you’ll get useful insight into how cookies are currently used and abused as online authentication tools. You’ll explore several flaws revealed by the presenters’ unique testing framework, which they used to evaluate the policy implementations of seven browsers and 46 browser extensions. 

Even built-in protection mechanisms can be circumvented by the researchers’ novel techniques: they claim to have documented bypasses for every anti-tracking or ad-blocking browser extension tested. How do they work? Why do they work, and how do you deal with them? Come to this Briefing to find out!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29. Early registration pricing for Briefings & Trainings ends Friday, January 18, so register before then to get the best price!

For more information on what’s happening at the event and how to register, check out the Black Hat website.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
Edge-DRsplash-10-edge-articles
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23394
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
CVE-2021-34682
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
CVE-2021-31811
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-31812
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
CVE-2021-32552
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.