2023
your contributions, today
Keynoting 0xcon in Johannesburg this year, I had the immense privilege of talking and sharing ideas about something that is dear to my heart. That is, giving back more than you take. And by giving back I don’t mean *just* doing research or writing tools. Instead, giving back includes things like writing documentation or even just teaching someone else! In my talk, “your contributions, today” I reflected on a current view of practical security research and contributions in a time of ever-increasing systems complexity, abstractions and Instagram reels. By drawing parallels to the “Free-rider Problem” as described in an economics context, I argued that as an industry we need to caution against this phenomenon manifesting by actively making contributions.
Why defend harder won’t work in the long run and what to do instead – arrest criminals
The whole of information/cyber security is founded on the idea that we can defend ourselves into security. But in the history of competitive endeavours nobody has won by playing defence alone. We have this idea that we can wrap our users and systems in enough padding to protect them in a world where guns exist. We’ve leaned so hard into this idea that we’re on the floor and it’s time to look up.
we’re going to bsides cape town 2023
Arguably one of the largest hacking conferences in South Africa, BSides Cape Town 2023 is around the corner and the SensePost Team is there with a jam packed agenda demonstrating our latest research (with five talks), challenges and more! In this post, I’ll summarise what you can expect. For timing related information, check out the schedule here. Be sure to come and say hi at our stand in the chill area too.
Black Hat Card Deck CTF
In 2023 we, the training team within Orange Cyberdefense and specifically Ulrich Swart, Matthew Hughes and myself, attempted to do something a little different for Black Hat with regards to our in class competition. Each year we give a select few students some swag for portraying the most “plakker” mindset, being active in class, or finding another method to solve the practical.
The concept we decided to explore that year was creating a deck of standard playing cards they could bring out when friends are over and become a discussion point. The cards have educational tidbits about some material they will learn on some of our flagship courses, specifically the Infrastructure, Web Application, Wi-Fi and Red Team courses each had their own suit.
P4wnP1 LTE updates
After publishing my blog post about running P4wnP1 on an LTE modem, where I explained how to install Linux and P4wnP1 on an actual LTE modem for sneaky USB attacks, and then trying and failing to do an internal presentation to show it off to folks, I realised that I had not completely documented the process. In fact, I had left it rather incomplete as it turned out! As I was intending to give a public demonstration of P4wnP1-LTE, I had some work to do.
Reading Large Files and Perf
One of the things that has often confused me is how little good advice there is for reading large files efficiently when writing code.
Typically most people use whatever the canonical file read suggestion for their language is, until they need to read large files and it’s too slow. Then they google “efficiently reading large files in <lang>” and are pointed to a buffered reader of some sort, and that’s that.
Dress Code – The Talk
TL;DR This post is a summary of the contents of my talk in Defcon 31 AppSec Village last August 2023, and part of what I will explain in Canada at the SecTor conference on the 24th of October 2023 at 4:00 PM.
There are two (big) blocks in this post. Sorry for the length <(_ _)>:
The first part is about the not so well-known CSP bypasses that I found during this research. These can be of use in your next pentest, bug bounty, etc. Have a look at the 8 third-party domains that can be abused to bypass a strict policy to execute that sweet Cross-Site Scripting (XSS) or clickjacking proof of concept that was initially being blocked. The second part takes a step back and delves into the process of getting Content-Securiy-Policy (CSP) data from top 1 million sites and the conclusions I draw from it. After reading this part you will get a sense of how widespread and well-implemented CSP is across the Internet. You will also learn the common pitfalls people fall into when implementing the policy. The tool I wrote to scan and collect this information and review the results can be found in https://github.com/sensepost/dresscode Index Context Bypasses Lab Environment Hotjar Facebook JSDelivr Amazon AWS Cloudfront, Azure, Heroku, Firebase CSP Health Status The Architecture Dashboard – CSP Health Status Conclusions Context Last year I was working on a web application assessment, one of these assessments that are repeated every year in which the analyst has to face a hardened application. Therefore, every year, the report gets smaller and smaller when we look at the number of vulnerabilities.
Filter-Mute Operation: Investigating EDR Internal Communication
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a look at communication between a Windows driver and its user-mode process. Here are some details about that journey.
TL;DR Attackers could use Windows kernel R/W exploit primitive to avoid communication between EDR_Driver.sys and its EDR_process.exe. As a result some EDR detection mechanisms will be disabled and make it (partially) blind to malicious payloads. This blogpost describes an alternative approach which doesn’t remove kernel callbacks and gives some recommendations for protecting against this “filter-mute” attack.
Orange Cyberdefense at Hacker Summer Camp
It’s that time of year again where we head out to the desert, more specifically Las Vegas, for what is known as Hacker Summer Camp to attend Black Hat and DEF CON 31! Like previous years, the SensePost team will be present in full force delivering talks, training and hanging out at numerous occasions. For an idea on what we’ve got lined up, check out the rest of this blog post. If you’re keen to meet up, feel free to reach out!
Browsers’ cache smuggling
On red team engagements, I often use social engineering to get one of my client’s employees to run my malicious code on their machines, allowing me to get access to their system. A typical approach I’ve used is to call them up, tell them I’m from IT support, and then get them to go to an official looking web page that contains some PowerShell code they need to run, to fix some made-up problem.
Page 1 of 2
Next