Election security is far from all that’s on offer during this year’s virtual security briefings

Black Hat USA 2020 - Your guide to the best web hacking sessions

All eyes are on the upcoming US Presidential Election, so it’s perhaps unsurprising that voter security is top of the agenda for Black Hat USA this year.

On Wednesday, August 5, cryptographer and computer scientist Matt Blaze’s opening keynote address will focus on the challenges – technological, logistical, and political – of keeping the US election running during the ongoing coronavirus pandemic.

Security researchers have long warned that the technology and infrastructure relied upon to deliver free and fair elections suffers from exploitable vulnerabilities that could be used to cast doubt on the integrity of the voting process.

Election security at Black Hat – which is being staged virtually for the first time because of the pandemic – doesn’t end with Blaze’s keynote on Wednesday.

Chris Krebs, director of the US Cybersecurity and Infrastructure Security Agency, is due to expand on the topic with a talk focusing on federal efforts to support state and local officials in delivering secure elections in November.

Later on Wednesday, a representative from a voting machine vendor, Chris Wlaschin, will share a platform with Mark Kuhr, CTO of cybersecurity firm Synack, to discuss their relative perspectives and the need for improved collaboration.

“The voting industry and the security researchers who are examining their products need a vulnerability disclosure program so both communities can effectively work together to fix problems in election systems and ultimately make America’s democracy stronger and more resilient,” a preview of the presentation explains.

But election security is far from all that’s on offer from this year’s virtual Vegas event. And for those interested in web hacking, The Daily Swig team has you covered.

The top web security research at Black Hat USA 2020:

Room for Escape: Scribbling Outside the Lines of Template Security
Weds, 10:00 PT / 17:00 UTC

Researchers Alvaro Muñoz and Oleksandr Mirosh discovered multiple ways to achieve remote code execution on multiple popular content management system platforms, including Atlassian Confluence, Alfresco, Liferay, Crafter CMS, dotCMS, XWiki and Apache OfBiz.

“We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them,” the researchers explain.

“We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks where unprivileged users can run arbitrary commands on SharePoint or Liferay servers.”

Check out the session preview for more details.

HTTP Request Smuggling in 2020 – New Variants, New Defenses, and New Challenges
Weds, 10:00 PT / 17:00 UTC

HTTP request smuggling can be used to smuggle requests across WAFs and security solutions, poison HTTP caches, inject responses to users, and hijack user requests.

You might well think an attacker technique that dates back to 2005 would be more or less eradicated 15 years later.

The issue was brought back in the limelight at Black Hat 2019, and Amit Klein will follow up with a talk that further dispels any illusion that defending against request smuggling is a completed job.

Check out the session preview for more details.

An Unauthenticated Journey to Root: Pwning Your Company’s Enterprise Software Servers
Weds, 11:00 PT / 18:00 UTC

SAP’s technology is ubiquitous in the enterprise. The SAP Solution Manager (SolMan) is a mandatory product that’s connected to many other systems.

Researchers Pablo Artuso and Yvan Genuer of Onapsis Research Labs are due to explain how pwning SolMan can give attackers the ERP equivalent of admin privileges on an Active Directory installation.

“From unauthenticated HTTP access, an attacker would be able to compromise all systems in the SAP landscape. Furthermore, chaining a series of vulnerabilities,” the researchers explain, would make it “possible to get reliable root access not only in the attacked core system, but also in all satellites connected to it.”

The researchers worked with SAP to resolve the problems prior to their presentation.

Check out the session preview for more details.

Web Cache Entanglement: Novel Pathways to Poisoning
Weds, 11:00 PT / 18:00 UTC

James Kettle, PortSwigger’s director of research, this year offers a talk on how to identify vulnerable web cache setups on websites. Vulnerable cache deployments can be harnessed to ride roughshod over site security.

Exploit chains can be created to carry out all manner of mischief.

“These flaws pervade all layers of caching – from sprawling CDNs, through caching web servers and frameworks, all the way down to fragment-level internal template caches,” Kettle explains.

“I’ll demonstrate how misguided transformations, naive normalization, and optimistic assumptions let me perform numerous attacks including persistently poisoning every page on an online newspaper, compromising the administration interface on an internal DoD intelligence website, and disabling Firefox updates globally.”

Check out the session preview for more details.

Discovering Hidden Properties to Attack the Node.js Ecosystem
Weds, 12:30 PT / 19:30 UTC

Academics led by computer scientists from Georgia Institute of Technology are due to explain why the security of Node.js is critical to web servers and desktop clients.

The researchers have created a novel attack method against the Node.js platform, called hidden property abusing (HPA).

“The new attack leverages the widely used data exchanging feature of JavaScript to tamper critical program states of Node.js programs, like server-side applications. HPA entitles remote attackers to launch serious attacks, such as stealing confidential data, bypassing security checks, and launching denial of service attacks,” a synopsis for the talk explains.

Check out the session preview for more details.

Needing the DoH: The Ongoing Encryption and Centralization of DNS
Weds, 14:30 PT / 21:30 UTC

In an attempt to protect DNS queries from Monster in the Middle (MITM) interception and manipulation, DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) have emerged as important networking technologies.

The technologies offer enhanced privacy but have nonetheless generated concerns about centralization as users migrate to the few DNS providers that support DoT/DoH.

During a presentation at Black Hat, researcher Eldridge Alexander is set to argue that while concerns around centralization are “well founded, they are in all likelihood temporary”. Similarly, worries about visibility and control as DoT and DoH are rolled out can also be addressed, according to Alexander.

Check out the session preview for more details.

When TLS Hacks You
Weds, 14:30 PT / 21:30 UTC

Researcher Joshua Maddux will explain how “features intended to make TLS fast have also made it useful as an attack vector” for server-side request forgery (SSRF), among other attacks.

“While past work using HTTPS URLs in SSRF has relied upon platform-specific bugs such as SNI injection, we can go further, the researcher explains. “I [will] present a novel, cross-platform way of leveraging TLS to target internal services.”

Check out the session preview for more details.

I calc’d Calc – Exploiting Excel Online
Thurs, 11:00 PT / 18:00 UTC

Exploits targeting Office applications are (sadly) everyday occurrences but what about the online version of tools like Word?

Nicolas Joly, a security engineer at Microsoft, set out to discover an answer to that question two years ago. In the process he discovered a flaw in Excel Online, details of which are due to be presented at Black Hat.

“This short presentation describes an integer overflow vulnerability in the fnConcatenate formula (CVE-2018-8331) and how one could chain Excel formulas together to get RCE on the server,” he explains.

Check out the session preview for more details.

Lateral Movement and Privilege Escalation in GCP; Compromise any Organization without Dropping an Implant
Thurs, 14:30 PT / 21:30 UTC

The security of Google Cloud will be put under the microscope in a talk by researchers Dylan Ayrey and Allison Donovan.

The researchers plan to demonstrate several techniques to “perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud”.

Check out the session preview for more details.

You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
Thurs, 14:30 PT / 21:30 UTC

The shortcomings of email sender authentication are due to be outlined in a presentation by researchers Jianjun Chen, Vern Paxson, and Jian Jiang.

The team identified 18 types of attacks to bypass email sender authentication (including SPF, DKIM, and DMARC) before testing these attack vectors against 10 popular email providers and 19 email clients.

Check out the session preview for more details.

Second helping

Other virtual Black Hat USA sessions that we will be glued to this year:

We went to Iowa and all we got were these Felony Arrest Records
Weds, 12:30 PT / 19:30 UTC

Coalfire Systems’ Justin Wynn and Gary Demercurio offer an in-depth discussion of a red team engagement that resulted in an unprecedented outcome. Read more

Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks
Weds, 12:30 PT / 19:30 UTC

James Pavur takes an experimental look at attacking satellite broadband communications across land, air, and sea. Read more

FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud
Weds, 13:30 PT / 20:30 UTC

This talk will offer analysts an opportunity to understand the underlying, publicly documented standards that allow the FASTCast and INJX_Pure malware families to operate. Read more

Healthscare – An Insider’s Biopsy of Healthcare Application Security
Weds, 12:30 PT / 19:30 UTC

Seth Fogie on vulnerabilities and design issues within contemporary healthcare solutions. Read more

Making an Impact from India to the Rest of the World by Building and Nurturing the Women Infosec Community
Weds, 13:30 PT / 20:30 UTC

Vandana Verma Sehgal will discuss how the Infosecgirls community has been bringing more women into the cybersecurity workforce. Read more

A Decade after Stuxnet’s Printer Vulnerability: Printing is still the Stairway to Heaven
Thurs, 11:00 PT / 18:00 UTC

Peleg Hadar and Tomer Bar take a deep dive into the notorious Stuxnet computer worm before offering a live demonstration of two zero-day vulnerabilities in the Windows Print Spooler. Read more

The Dark Side of the Cloud – How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis
Weds, 13:30 PT / 20:30 UTC

This presentation promises to show evidence of how the opioid crisis exposed an operational security weakness with electronic healthcare record systems, and why just patching those alerts doesn’t address it. Read more

The Daily Swig will be back with coverage from Black Hat USA throughout the week

Additional reporting by James Walker.

RELATED Virtual cybersecurity conferences: An expanding list