Blackhoodie18 Berlin Conference Report
Blackhoodie RE - a one-day conference (which I’ll be talking about in this blogpost) and a two-day intensive security topics bootcamp (next blogpost) - took place this weekend in Berlin and I was fortunate enough to be able to attend! Phew! The weather was cold (hi Berlin, you remind me of Helsinki!), but my brain circuits were still overclocked by all the great talks and the two-day bootcamp in Track 3 - lots of crypto, Return Oriented Programming and exploits, and Windows kernel internals. I’m already excited for next year and I’m hoping I can contribute back and help to organise the event/give a workshop next year!
The Blackhoodie event was started by Mari0n as a way to share knowledge and increase the number of women in reverse engineering and other low-level infosec jobs. The event from this weekend was organised by a great team - _KYLMA, barbie, Priya, Gwaby, Ninon and Bhavna (apologies if I missed anyone!). It takes a lot of effort to organise an amazing event, so a big thank you to the Blackhoodie 18 organising team, Andreas and HERE Technologies for hosting us, and to all of the wonderful instructors, speakers and attendees! Anyone interested in learning more, please check out the Blackhoodie website and especially the conference talks section.
Day 1 - Blackhoodie Conference
First day! A cold morning, but a warm welcome at HERE Technologies and then on to a full day of talks. First up was a talk by .bx on reversing bootloaders and in particular the Das U-Boot loader. What are loaders and why do we need them? A loader transforms a binary into a running application. A bootloader is a special loader that runs before the operating system starts. Reversing bootloaders can give us a better understanding of bootloader security and help us design hardening techniques that can be retroactively applied to existing bootloaders. An interesting property of bootloaders is that they can self-relocate in memory!
After U-Boot, the audience heard from Anna Neal, who presented her attempts to reverse engineer the Stern Iron Maiden pinball game. The coolest part of the talk was that Anna had written her own program to unpack the .spk format in which the Stern games are packaged! Following the pinball reverse engineering, the audience heard about TinyNuke, a French-made banking malware. Nha-Khanh Nguyen demonstrated how to reverse engineer the malware to understand how it infects the victim’s computer. It turns out some early versions of Firefox allowed the loading of unverified DLLs, and the malware was able to exploit this by installing an early version of Firefox and then loading the malicious payload into it.
After TinyNuke, Veronica Valeros gave a walkthrough of a real-life investigation of a university Linux server being attacked by a Monero cryptominer (the lesson learnt here was: patch/update your Jenkins! Those CVEs can come back and bite you!). anais gave us a walkthrough of a tool she and her colleagues developed to run Android applications that detect a rooted environment inside a rooted environment anyway (using some cool memory tricks to launch a rooted shell after the application is already running), and Maria Rigaki spoke about using Generative Adversarial Networks to train malware to mimic the network traffic patterns of two users having a Facebook Messenger conversation. Afterwards, Dana Baril did a deep dive into how Windows Credential Manager works and explained her work to detect when an application makes a malicious credential request (as was the case with the mimikatz malware that dumped a user’s credentials). Dana added a new event to the Windows event logs to help detect when an application maliciously dumps all of the user’s credentials. This data is then sent on for further analysis with ML algorithms.
Continuing with the theme of ML and security, Aurore Fass spoke about JaST, a random-forest-based classifier for detecting malicious JavaScript, Luca Nagy gave an overview of the Matrix ransomware and introduced the ChaCha cipher, and Carly gave a demo of some mindboggling “features” in C++. After a short break, we saw two great presentations: Patricia Aas speaking on sandboxing and how Linux namespaces help browsers run external code safely, and Essy presenting on the topic of ‘hidden in plain sight’ - various methodologies and tools that can be used by attackers to mask malicious activity behind legitimate processes. The one thing that I found particularly interesting was LOLBAS, a project that catalogues binaries natively available on Windows which attackers can abuse to live off the land, and which defenders can therefore watch for.
For a security newbie and a first-time Blackhoodie attendee, this was a lot to take in, but I still enjoyed every moment!
Here are some other writeups of Blackhoodie events:
- Blackhoodie #4 by Veronica Valeros and Maria Rigaki