A Deep Dive into Go Malware: Using Metadata to Empower the Analyst, presented at BSidesSF 2019

by Joakim Kennedy

Summary: Go is a programming language created at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Their vision was a statically typed, productive, and readable language with good networking and multiprocessing support. By default, Go binaries are statically linked, and it is very easy to cross-compile binaries for different operating systems or CPU architectures. This makes it easy to produce an executable that can be copied to any machine and run without runtime errors due to missing libraries, something that should be appealing to malware authors. While Go has exploded in popularity, the same cannot be said for malware written in it. This presentation will take a look at a few pieces of malware written in Go and how they differ from other malware written in, for example, C, and try to answer why we don't see more. Also, this presentation will show how metadata in stripped Go binaries can be used to recover everything from function names to source code tree structure and functions' number of lines of code, which hopefully can give us an insight into the author behind the malware.

How to Lose a Container in 10 Minutes

by Sarah Young

Slides: https://static.sched.com/hosted_files/bsidessf2019/29/How%20to%20lose%20a%20container%20in%2010%20mins%20-%20Sarah%20Young.pdf

Summary: Moving to the cloud and deploying containers? In this talk I will discuss both the mindset shift and tech challenges, with some common mistakes made in real-life deployments and some real-life (albeit redacted) examples. We'll also look at what happens to a container that's been left open to the Internet for the duration of the talk.

Arcades and Audits: What Gaming Can Do for Your Security Posture

by Miranda Fullerton

Slides: https://static.sched.com/hosted_files/bsidessf2019/d2/arcades-and-audits.pdf

Summary: There are a number of audits related to business operations in the event of a catastrophic disaster, and they can be dull to prepare. How can an organization make preparation of these artifacts more tolerable and increase the participation of operations, engineering, and security teams? Gamify it! This talk will combine research demonstrating the long-lasting positive effects of arcade games (perception, attention, memory, and decision-making) and experience organizing these events at a company with a mature security program. Moreover, the psychology and benefits of gamifying these events can be used for red and blue teams alike. We'll touch on helpful NIST standards, as well as how to make the exercise immersive with simple controls (just like an arcade game). This talk will provide participants with best practices to create their own effective roadmaps for operational resiliency audits, while participants create mental maps for an actual catastrophic event and have fun.

Twist & Shout: Ferris Bueller's Guide to Abuse Domain Permutations

by Kelly Albrink & Rob Ragan

Summary: Internet scammers move pretty fast. If you don't stop and look around once in a while, you could miss it. Just as Ferris Bueller always had another trick up his sleeve to dupe Principal Rooney, attackers are employing homoglyphs, subdomain attacks, typo-squats, bit-squats, and similar attacks to trick internet denizens with fraudulent websites. Adversaries may register domain permutations in order to commit fraud, distribute malware, redirect traffic, steal credentials, or for corporate espionage. We know these threats have been around for a while, but not many defenders adopt proactive technical controls in their social engineering incident response plans. The question isn't what are we going to do about it. The question is what aren't we going to do. With the capability to continuously monitor domain permutations for new HTTP, HTTPS, or SMTP services in real time, the blue team doesn't have to trust domain permutations any further than they can throw them. In this talk, we will demonstrate red team and blue team techniques. For Buellers, demonstrations include ways to leverage domain permutations in adversary simulations. For Rooneys, we will detail how to better prepare, identify, contain, and eradicate threats that utilize domain permutations. If you're not leveraging our recommended technical controls to defeat attackers, you risk fishing for your wallet in a yard full of rage-fueled Rottweilers.

The Secure Metamorphosis: Streaming Logs with Kafka and TLS

by Tyler Paxton

Summary: Apache Kafka is a widely adopted pub/sub messaging platform that can scale to handle huge volumes of data. It's a powerful technology but notoriously difficult to configure, especially when it comes to Transport Layer Security (TLS). In this session, we'll cover TLS best practices that yield a secure and compliant system, as well as critical techniques to maximize performance.

Hacking with a Heads Up Display

by David Scrobonia

Slides: https://static.sched.com/hosted_files/bsidessf2019/72/Hacking%20with%20a%20%20Heads%20Up%20Display%20%28BSides%20SF%29.pdf

Summary: Introducing security testing tools to a QA or developer's workflow can be difficult when the tools aren't easy or intuitive to use. Even for security professionals, the friction of cumbersome security tooling can prevent them from getting the most from a tool or being effective with their time. The OWASP ZAP team is working to help enable developers, QA, and hackers alike with the ZAP Heads Up Display, a more user-friendly way to engage with the security testing tool. The Heads Up Display integrates ZAP directly in the browser, providing all of the functionality of the tool via a heads up display. The goal is to make ZAP more accessible and enable users, especially developers, to integrate security in their daily workflows. This talk will discuss the importance of usable tools, design tradeoffs made to improve usability, the various browser technologies powering the HUD, and how you can start hacking with a heads up display.

Slack App Security: Securing Your Workspaces from a Bot Uprising

by Kelly Ann

Summary: Slack's developer platform has some powerful functionality that allows you to customize your org's workflow. But with great power comes great responsibility. While Slack has a robust security posture, do you suffer from insomnia pondering the security aspects of third-party apps? Are coworkers pleading with you to install Slack apps with scopes that frighten you? Join Kelly on a walk through the history of the Slack app directory, the unique security problems surrounding it, and what Slack's doing to make it easier for you and all our users to sleep at night.

Attacking Deep Learning-Based NLP Systems with Malicious Word Embeddings

by Toshiro Nishimura

Slides: https://static.sched.com/hosted_files/bsidessf2019/0a/Attacking%20Deep%20Learning-Based%20NLP%20Systems%20with%20Malicious%20Word%20Embeddings%20-%20Toshiro%20Nishimura.pdf

Summary: Recent Deep Learning-based Natural Language Processing (NLP) systems rely heavily on Word Embeddings, a.k.a. Word Vectors, a method of converting words into meaningful vectors of numbers. However, the process of gathering data, training word embeddings, and incorporating them into an NLP system has received little scrutiny from a security perspective. In this talk we demonstrate that we can influence such systems by manipulating training data, and how we can inject them into real-world systems.

Security Automation Simplified

by Moses Schwartz

Slides: https://static.sched.com/hosted_files/bsidessf2019/68/Security%20automation%20simplified%20-%20Moses%20Schwartz.pdf

Summary: Security automation can look a lot like magic, and many feel a strong temptation to go buy $HOT_SECURITY_ORCHESTRATION_PRODUCT, but it's really not hard to get started automating SecOps with the tools you already have, free and open source tools, and a little bit of code. In this talk I will give a high-level view of how a SecOps or other IT group can use automation to save time and effort. I'll walk through an example, with screenshots and code, of how to automate an ops process. I want to remove the magic from automation and present concrete ways for any ops team to do this. This is not a "no code required!" approach to automation, but it's practical and easy enough to get started.

Offensive JavaScript Techniques for Red Teamers (Or Anyone Really)

by Dylan Ayrey & Christian Frichot

Summary: AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance with JavaScript becomes tricky if the victim doesn't keep the tab open for long. This presentation will discuss relatively new techniques and features of JavaScript that have made it easier for sophisticated threat actors to craft JavaScript payloads that target internal network vulnerabilities, as fast as a person can think to close a tab. We'll also show new reconnaissance techniques traditionally used by red teams, post-malware implant, that can be used to get a foothold onto a network from a browser, pre-malware implant. We'll also show some real examples of this, crafting external payloads that target internal assets at large companies, and we'll show how responsible disclosure for intranet-facing bugs typically gets resolved.

Friend or Replicant: How Attackers Automate and Disguise Themselves in a Shroud of Authenticity to Gain Followers, Control Influence, and Malign Credit

by Anna Westelius

Summary: Is this "real"? This is the story of how attackers today leverage a variety of tools and tricks to impact the influence landscape at scale. Many have heard of "fake news" and know that those "friends," "matches," or "followers" might not all be real; the information we consume is inflated with likes and ratings generated by coordinated attackers utilizing anything from users' browsers to IoT devices. How are these fake accounts and likes and clicks created? To what extent are they "real"? This session will explore the fake account ecosystem, with specific focus on the lifecycle of a fake account and how specific tools and attacks are used to create likes and clicks; sometimes through automation and emulators, sometimes using real people through phone farms, mechanical turks, and sweatshops. We'll dissect the different main attack vectors and how they are being exploited:

- Content: repurposed to fit a different context
- Access & Authentication: gained through Account Takeovers and credential cracking
- Fake Accounts: created strategically to build trust
- Usage: to emulate "real" users and not get caught

Together, we'll workshop practical steps to building an army of influencers (on a budget) using off-the-shelf tools and show some more advanced techniques seen in attacks today.

Owning the Smart Home with Logitech Harmony Hub

by Joseph Bingham

Slides: https://static.sched.com/hosted_files/bsidessf2019/c3/Owning%20the%20Smart%20Home.pptx

Summary: This talk will walk through reverse engineering Logitech's Harmony smart home hub from a black-box perspective. The process of vulnerability hunting in the device will be outlined, along with discussion of vulnerabilities found and post-exploitation implications.

Bye-Bye False Positives: Using AI to Improve Detection

by Ivan Novikov

Summary: Mainstream IPS/IDS solutions including WAF, NGWAF, and RASPs produce so many false positives they are almost impossible to manage. The reason for that is that they rely on outdated detection mechanisms like signatures, human-defined rules, regexps, etc. In this talk we want to suggest a better method, based on neural networks, provide an overview and comparison of several AI-based injection detection architectures, and release a specific architecture and implementation which has produced the best results. To illustrate the application of this methodology, we will review in detail the implementation of AI-based false-positive detection for SQL injection. The insight is to represent the injection as a time series, which then lets us apply the same AI approach as those used in time-series classification. To find the difference between normal requests and attacks/injections, we normalize the query to a sequence of tokens/lexemes and pass them to our recurrent-based neural network model, which predicts the probability that it is an injection. The best architecture to apply here was proven to be a bidirectional recurrent neural network with LSTM cells. As a result, it was possible to achieve 96.07% false positive detection quality on the false_positives dataset of 433 samples from libinjection (https://github.com/client9/libinjection/blob/master/data/false_positives.txt). The implementation of the presented model is already used in production at Wallarm for reducing false positive events. Attendees will take away an understanding of the most modern AI injection detection methods, a methodology for building their own RNN network for detection, an understanding of the training and test datasets, and a methodology for accuracy testing.

Building Identity for an Open Perimeter

by Tejas Dharamshi

Summary: Netflix is a 100% cloud-first company. The traditional corporate network security perimeter no longer meets our needs. In this talk, I will be covering the core building blocks, comprising identity, single sign-on using standards like SAML, OIDC and OAuth, multi-factor authentication, adaptive authentication, device health, and authorization, that we have invested in to make identity the new security perimeter.