For the second year in a row, BlackHat Asia was held in Singapore, at the end of March, in the luxury Marina Bay Sands hotel.
As usual, the 2 days briefings were fully loaded of plenty of topics. 3 distinct tracks were offered, plus the business track (briefings sponsored by companies) and of course the technical Arsenal rooms.
This year Fortinet had a booth, I was asked to help. We had a lot of great conversations with prospective customers and passerby generally interested in industry trends. I was also able to attend some briefings, some of which really shone through:
I was able to attend two talks on the first day: Eric Filiol and Paul Irolla's "(In)Security of Mobile Banking" which was thought provoking. They presented on some of the mobile banking analysis tools they use and created (Egide, Panoptes, Tarentula). Panoptes, in particular, provides a way to dynamically trace network communications used in running applications. Additionally, they described how they reported some of their findings to various banks and were met with a little less than the desired feedback. Some of the banks corrected flaws in their apps promptly, others just ignored the warnings in the research. I hope some of these tools become available for broader use soon. Here is the paper.
The second talk I was able to make it to was Yeongung Park's "We Can Sill Crack You! General unpacking Method For Android Packer (no root)". he presented a way to control the execution of debuggee using the wait-for-debug feature and MethodEntryEvent before the DEX is loaded in memory. It was quite interesting because to enable that debug feature you will need to repackage the protected app. He did a live demo during the breifing which worked smoothly. There is no plan for now to release it (at least for free). Here is a really great post from Virus Bulletin on Android malware.
On the second day I was able to attend "Security Content Metadata Model with an Efficient Search Methodology for Real Time Monitoring and Threat Intelligence" by Preeti Subramanian. She was presenting the protocol that is federating a number of common open standards like CVE, CVSS, OVAL, etc. I like the way her company is providing a search tool that can let you find and dig into these components. No plan to open it for free at the moment.
I also attended "Browsers gone Wild" by Angelo Prado and Xiaoran Wang. This was by far the most interesting talk. They presented plenty of demos and tricks. I like the way they used the Data URI and some HTML5 to create an entire malware stored in the URI itself.
I was not able to pass by the arsenal rooms and missed the CuckooDroid demo. The project looks quite interesting and certainly hold promise. Some analysts from CheckPoint were able to provide to Cuckoo sandbox an automated way to analyze Android samples. I should give it a try.
This year there were a lot of talks regarding mobile, mostly Android. There is a very promising, mobile specific, summit in London this June
Despite not being able to follow Justin Searle's two hour workshop about "Understanding SCADA's Modbus Protocol", the topic is intiguing. Industrial Control Systems (ICS) are still a hot topic and attacks around the world are till happening. Just last year we saw a German steel mill experience an advanced targeted attack. Ruchna Nigam from our FortiGuard Labs wrote a great primer exploring the knowns and unknowns of SCADA attacks here.
-= FortiGuard Lion Team =-