[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

•Download as PPTX, PDF•

3 likes•916 views

The most common story that we hear: something happens with ATM that makes it empty, leaving no forensic evidence. No money and no logs. We have collected huge number of cases on how ATMs could be hacked during our researches, incidents responses and security assessments. A lot of malware infects ATM through the network or locally. There are black boxes, which connect to communications port of devices directly. There are also network attacks, such as rogue processing center or MiTM. How to stop the ATMs fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as rogue processing center or MiTM? Some of these issues can be fixed by configuration means, some fixed by compensation measures, but many only by vendor. We will tell you about what bank can do now and what we as a community of security specialists should force to vendors. Before we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help financial and security society with more direct advices how to implement security measures or approaches to make ATMs more secure. --- Olga Kochetova Olga is interested in how various devices interact with cash or plastic cards. She is a senior specialist for the penetration testing team at Kaspersky Lab. Olga has authored multiple articles and webinars about ATM security. She is also the author of advisories about various vulnerabilities for major ATM vendors and has been a speaker at international conferences, including Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit, Nuit Du Hack, Hack In The Box Singapore and others. --- Alexey Osipov Lead Expert on a Penetration Testing Team at Kaspersky Lab. An author of variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Hack In The Box Singapore, Positive Hack Days, Chaos Communication Congress.

Technology

ATMs how to break
them to stop the fraud
Olga Kochetova, Alexey Osipov
Kaspersky Lab

root@root:~# whoami
Penetration Testing Department, Kaspersky Lab
• @_Endless_Quest_, @GiftsUngiven
• ATM and POS security assessment
• Penetration Testing
• Forensic Investigation
Speakers at many IT events
Authors of multiple articles, researches and
advisories

About software
• Host (computer)
• MS Windows (Windows XP!!1)
• GUI and device control
• Antivirus/Integrity control software
• Video surveillance
• Radmin/TeamViewer and other crap
• Devices
• Some microcontrollers with RTOS

Cassettes
• Secure casing
• Tamper proof
• Tamper evident

Cassettes
• Tracking system
• Cash spoiling devices
• Alarms

Cash
• Easily traceable
• Can’t be extracted from
cassettes with force

Cards
• No static data
• Dynamic data can’t be
relayed
• Secrets, that dynamic
data is based upon
can’t be extracted

Dispenser
• Contains cassettes
• Cash cassettes
• Reject cassette
• Manages mechanics
• Sends statuses
• Receives commands

Card reader
• Identifies user and his
account
• Can provide
authentication
capabilities
• EMV
• Match-on-card for
biometric data

PIN pad
• Commonly used to
enter authentication
data
• Also used to insert
amount of money
• Sometimes can be
combined with
keyboard

Biometric authentication devices
• Grabs physical
properties of user for
authentication
• Multiple flavors
• Iris
• Fingerprint
• Voice
• Face
• Vein
• etc.

Dispenser/Card reader/PIN pad
• Commands are
authenticated
• Communications are
encrypted
• Firmware is
modification proof
• Sensitive data is
separately protected

Level 1 - Dispenser/Card
reader/PIN pad
• Minimal amount of
command are
authenticated
• Communications are
NOT encrypted
• Firmware can be
modified
• Sensitive data is
separately protected

Communication lines
• Buses
• USB
• SDC (RS485)
• CAN
• Lines
• COM (RS232)
• GPIO

Communication lines
• Data in transit is
encrypted separately
from data
• Tampering with cables
will disable device with
need of physical
manipulation

Level 2 - Communication lines
• Data in transit is NOT
additionally encrypted
• Tampering with cables
will disable device with
need of physical
manipulation. Only
additional modules or
firmware update on
some models

Service providers
• User-space software
communicating with
hardware units
• Created by device
manufacturers
• No single standard for
communication

XFS
• eXtension for Financial
Services
• Provide interoperability
between different
vendors of hardware
and different producers
of software

“Windows application”
• Graphical user interface
• Network client
• Service mode
• Technical
• Money exchange
• Configuration of
security features

XFS/Service providers
• Can be considered as proxies
• Has no knowledge of data, that he
transmits
• Starts secure communication with
device

“Windows application”
• Minimal interface
• Password protection for
all service options
• Secure network
communications

Physical
• Steel-concrete cover
• Tamper proof
• Tamper evident
• Alarm systems

Operating system
• Platform to launch GUI
• Role based access to
system
• Password protection
• Integrity control
• Robust updates

Network
• Communication with
processing center
• Remote system
management
• Customization
information

Screwed?
• netstat -an | findstr
LISTEN
• tasklist
• nmap -sU -sS -p-
ATM_IP
• wireshark
• usbpcap

Have fun
Stay safe
Olga Kochetova, Olga.Kochetova@kaspersky.com,
@_Endless_Quest_
Alexey Osipov, Alexey.Osipov@kaspersky.com,
@GiftsUngiven

What's hot

ATM Compromise with and without Whitelisting

Alexandru Gherman

Making and breaking security in embedded devices

Yashin Mehaboobe

Current mobile gadgets includes of rich devices (high resolution video camera, microphone, GPS, etc) which enable high quantity communication (Video conference, current location data, etc). Unfortunately, the rich devices make easy to conduct cyber espionage. For example, a high resolution video is used to read the text on a display. A GPS device is used to track the user's location ("Cerberus" and "mSpy" are famous. Japanese application named "karelog" became social issues). These devices are not used in company's office or factory and computer administrators want to prohibit these devices. Unfortunately, the devices are embedded in a mobile gadget and most of them cannot be disenabled by BIOS or EFI. In order to In order to solve this problem, we propose a thin hypervisor called "DeviceDisEnabler (DDE)", which hides some devices from OS. DDE is a lightweight hypervisor and can be inserted to a pre-installed OS. Although the OS uses "IN" instruction to get the device information on PCI and USB (Vendor ID, Device Class, etc), the "IN" instruction is hooked by DDE and the device information is hidden if the devices is prohibited in the company. Unfortunately, not only attackers but also employees want to bypass the DDE because they want to use the devices. In order to protect bypassing the DDE, it encrypts the disk image of the OS. It means the OS cannot be used without the help of DDE. In order to hide the encryption key, the DDE has three types of key managements (A technique gets a key from the Internet with a secure communication. A technique hides the key into a TPM chip and obtains it at a certain state of boot time only. A technique obfuscates the key into the code using Whitebox Cryptography technique). Current implementation is based on BitVisor 1.4 and the target is a mobile gadget which has Intel CPU. I will talk about the requirements for ARM CPU based implementation.

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

CODE BLUE

Top 10 secure boot mistakes

Justin Black

Ведущий: Артем Шишкин Доклад описывает разработку средства отладки при помощи виртуализации: как применить существующие средства виртуализации для отладки, как обеспечить целостность отлаживаемой среды, как сделать отладку интерактивной и как обуздать низкоуровневую специфику аппаратной виртуализации. Докладчик расскажет об интеграции железа с операционной системой и о том, как встроить отладчик прямо в прошивку. Будут рассмотрены несколько жизненных примеров динамического анализа.

Применение виртуализации для динамического анализа

Positive Hack Days

Kasza smashing the_jars

PacSecJP

At all times there have been bad guys, who tried to steal money. ATM machines containing vast amounts of money have always been attractive targets. Until recently, criminals were only using physical weaknesses. Skimmers and shimmers for stealing magstripe-tracking data, fake pin pads and cameras for stealing pin codes, and even fake ATMs were created. Time passed and ATM software started to unify. Where there is unification, there are viruses. Trojan.Skimmer.*, Ploutus and other named or unnamed trojans. And what did we see on the public scene? Vendors started discussing the skimmers problem only after they were detected in the wild. As you remember, Barnaby Jack presented "Jackpotting Automated Teller Machines" at Black Hat USA 2010. He used some vulnerabilities in ATM software. He showed that malware, was injected into the OS of the ATM via bootable flash drive or via remote management TCP port. Barnaby Jack's work was based on assumptions that most vulnerabilities were concentrated in the host machine and that we can and should reuse software made by ATM vendors. And that's quite true, but... antiviruses, locked firmware upgrades, blocked USB connectors, and encrypted hard drives can mitigate such risks. But, what about connecting not to the host machine, but to devices themselves? What countermeasures exist, when we will try to impersonate ourselves as an ATM host? Hacking ATMs with small computer like Raspberry Pi should be impossible, but it isn't. The point of our presentation is to draw attention to the problem, which has existed for quite a long time. The problem is usage of common interfaces (like RS232 or USB) and protocols of communication from host machine to such devices as card readers, pin pads and/or dispenser units.

Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)

Olga Kochetova

Cloud Security with LibVMI

Tamas K Lengyel

How to hack a telecom and stay alive Speaker: Sergey Gordeychik Penetration testing of telecommunication companies' networks is one of the most complicated and interesting tasks of this kind. Millions of IPs, thousands of nodes, hundreds of Web servers and only one spare month. What challenges are waiting for an auditor during the telecom network testing? What to pay attention on? How to use the working time more effectively? Why is the subscriber more dangerous than hacker? Why is contractor more dangerous than subscriber? How to connect vulnerability with financial losses? Sergey Gordeychik will tell about it and the most significant and funny cases of penetration testing of telecommunication networks in his report.

How to hack a telecom and stay alive

qqlan

This talk briefly discusses strategies and methodologies than can be employed when assessing IoT devices. We look at how to develop credible threat scenarios for different IoT device and systems, perform static and dynamic attack surface mapping, perform static firmware analysis, perform static hardware analysis, undertake a dynamic device security analysis, sources of supporting information, supporting capability requirements and establishment, Execution of dynamic device analysis and approaches around network protocol analysis.

Practical Security Assessments of IoT Devices and Systems

Ollie Whitehouse

Leave ATM Forever Alone

Olga Kochetova

Defcon 22-cesar-cerrudo-hacking-traffic-control-systems

Priyanka Aash

DEF CON 27 - ANISH ATHALYE - Strong Isolation

Felipe Prado

Hacktivity2014: Virtual Machine Introspection to Detect and Protect

Tamas K Lengyel

Virtual Machine Introspection with Xen on ARM

Tamas K Lengyel

31c3 Presentation - Virtual Machine Introspection

Tamas K Lengyel

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass

PROIDEA

Revisiting atm vulnerabilities for our fun and vendor’s

Olga Kochetova

Troopers15 Lightning talk: VMI & DRAKVUF

Tamas K Lengyel

The firmware executed by components found in a car provide a starting point for adversaries to obtain confidential information and discover potential vulnerabilities. However, the process of reverse engineering a specific component is typically considered a complex and time-consuming task. In this paper we discuss several techniques which we used to significantly increase the efficiency of reverse engineering the firmware of an instrument cluster.

Efficient Reverse Engineering of Automotive Firmware

Riscure

What's hot (20)

ATM Compromise with and without Whitelisting

Making and breaking security in embedded devices

CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...

Top 10 secure boot mistakes

Применение виртуализации для динамического анализа

Kasza smashing the_jars

Hack your ATM with friend's Raspberry.Py (Black Hat EU-2014)

Cloud Security with LibVMI

How to hack a telecom and stay alive

Practical Security Assessments of IoT Devices and Systems

Leave ATM Forever Alone

Defcon 22-cesar-cerrudo-hacking-traffic-control-systems

DEF CON 27 - ANISH ATHALYE - Strong Isolation

Hacktivity2014: Virtual Machine Introspection to Detect and Protect

Virtual Machine Introspection with Xen on ARM

31c3 Presentation - Virtual Machine Introspection

CONFidence 2014: Yaniv Miron: ATMs – We kick their ass

Revisiting atm vulnerabilities for our fun and vendor’s

Troopers15 Lightning talk: VMI & DRAKVUF

Efficient Reverse Engineering of Automotive Firmware

Similar to [CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

Inria Tech Talk dédié à une actualité brulante : la sécurité de vos objets connectés. Aujourd'hui, il est indispensable de développer des outils pour générer les tests de sécurité de ces objets dans des scénarios d’usage réalistes. Les chercheurs-experts Inria vous présenteront les attaques existantes et celles développées d’une manière artisanale sur des automates programmables industriels et des objets connectés au cours de ces dernières années. La présentation est disponible ici : https://french-tech-central.com/events/inria-tech-talk-iot/

Inria Tech Talk IoT - 28 Mars 2018

FrenchTechCentral

Coporate Espionage

UTD Computer Security Group

When speed and latency counts, there is no place for standard HTTP/SSL stack and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections, unlike anything, impossible to be adapted by a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to the world full of own cryptography, revertible hash algorithms and no access control at all. We would like to present our approach and a short guideline how to reverse engineer proprietary protocols. To demonstrate, we will show you few case-studies, which in our opinion are a quintessence of ""security by obscurity"" - the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.

BSides London 2015 - Proprietary network protocols - risky business on the wire.

Jakub Kałużny

Sergey Gordeychik - How to hack a telecom and stay alive

DefconRussia

How to hack a telecommunication company and stay alive. Sergey Gordeychik

Positive Hack Days

How to Hack a Telecom and Stay Alive

Positive Hack Days

java-card20232024999999999999999999999999999999999999999999999999999999999999...

ouahibakellou

Architectural Patterns in IoT Cloud Platforms

Roshan Kulkarni

In my topic I’ll share my experience in analysis of most popular open and vendor’s specific proprietary industrial protocols. For each protocol I will present packet structure, real examples, (in)secure features and possible hacks. At the end of the topic I’ll share my practial approach, methodology and useful scripts. During the presentation we will talk about: Well-known protocols: Profinet, Modbus, DNP3 IEC 61850-8-1 (MMS) IEC 61870-5-101/104 FTE (Fault Tolerant Ethernet) Siemens S7

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...

PROIDEA

SCADA deep inside: protocols and security mechanisms

Aleksandr Timorin

Scada Strangelove - 29c3

qqlan

Avast @ Machine Learning

Avast

Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause. This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC. This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.

Blackhat USA 2016 - What's the DFIRence for ICS?

Chris Sistrunk

640-554 IT Certification and Career Paths

hibaehed

Kaseya Connect 2012 - THE ABC'S OF MONITORING

Kaseya

CNIT 121: 9 Network Evidence

Sam Bowne

How to secure electronic passports

Riscure

Track 5 session 1 - st dev con 2016 - need for security for iot

ST_World

Malware cryptomining uploadv3

Setia Juli Irzal Ismail

CNIT 152: 9 Network Evidence

Sam Bowne

Similar to [CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov (20)

Inria Tech Talk IoT - 28 Mars 2018

Coporate Espionage

BSides London 2015 - Proprietary network protocols - risky business on the wire.

Sergey Gordeychik - How to hack a telecom and stay alive

How to hack a telecommunication company and stay alive. Sergey Gordeychik

How to Hack a Telecom and Stay Alive

java-card20232024999999999999999999999999999999999999999999999999999999999999...

Architectural Patterns in IoT Cloud Platforms

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...

SCADA deep inside: protocols and security mechanisms

Scada Strangelove - 29c3

Avast @ Machine Learning

Blackhat USA 2016 - What's the DFIRence for ICS?

640-554 IT Certification and Career Paths

Kaseya Connect 2012 - THE ABC'S OF MONITORING

CNIT 121: 9 Network Evidence

How to secure electronic passports

Track 5 session 1 - st dev con 2016 - need for security for iot

Malware cryptomining uploadv3

CNIT 152: 9 Network Evidence

More from CODE BLUE

It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

CODE BLUE

Most 5G networks are built in fundamentally new ways, opening new hacking avenues. Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks. The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.

[cb22] Tales of 5G hacking by Karsten Nohl

CODE BLUE

Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe. Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker? In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

CODE BLUE

While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue. The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

ハッカーたちの間では、セキュリティ向上のために研究を共有することの重要性が何年も前から知られていた。一方、協調して脆弱性を開示することの重要性も、世界中の政府によってますます認識されるようになってきた。情報開示とセキュリティ研究者の保護という原則は国境を越えて共通であるものの、国によって重要な違いがある。本パネルでは、重要な公共政策や企業の行動に影響を与える可能性のあるグローバルな視点を提示する。 ENISAは、2022年4月に「EUにおける脆弱性開示政策の調整」を発表した。本報告書では、EU加盟国における脆弱性開示の協調政策の現状を客観的に紹介するだけでなく、中国、日本、米国における脆弱性開示の運用を紹介している。それらを踏まえて、協調的な脆弱性開示プロセスに望ましい要素やベストプラクティスの要素を検討し、その後、課題や問題点について議論する予定。本報告書の内容を共有し、日本における運用の課題と今後の方向性、米国における国家安全保障と脆弱性対応の課題を、各法域の代表者とのパネルディスカッションで明らかにすることを目的としています。パネリストは、日本では早期警戒パートナーシップ通知機関の実務に携わる方々、欧州では上記報告書の執筆者、米国では上記報告書の寄稿者日本では、脆弱性対応における体制意識、インセンティブ、未処理案件の増加、いわゆるトリアージなどの課題が紹介される予定米国からは、国家安全保障のための脆弱性情報の開示方針（Vulnerabilities Equities Process）、脆弱性研究の不起訴方針の公表などを紹介するとともに、この問題の歴史的背景を紹介する。パネルディスカッションを通じて、脆弱性開示政策を取り巻く国際情勢や今後の動向、特にサイバーセキュリティにおける脆弱性の重要な役割とそれを取り巻く社会が抱える課題について参加者に理解していただくことを目的とする。

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

CODE BLUE

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

CODE BLUE

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

CODE BLUE

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

CODE BLUE

Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year). At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365. Currently, he is learning about ROP derivative technology and embedded equipment security.

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

CODE BLUE

2021年10月、Lazarusグループに関連する可能性が高いユニークなローダーであるWSLinkの最初の分析を公開。ほとんどのサンプルは難読化され、高度な仮想マシン（VM）難読化機能で保護されている。サンプルには明確なアーティファクトが含まれておらず、当初は難読化を公的に知られているVMと関連付けなかったが、後にそれをCodevirtualizerに接続することに成功。このVMは、ジャンクコードの挿入、仮想オペランドの暗号化、仮想オペコードの重複、難読化手法仮想命令のマージ、ネストされたVMなど、いくつかの追加の難読化技術を導入する。本発表では、VMの内部を分析し、合理的な時間で難読化技術を「見抜く」ための半自動化されたアプローチについて説明する。また、難読化されたバイトコードと難読化されていないバイトコードを比較し、本手法の有効性を紹介する。われわれの手法は、仮想オペコードのセマンティクスを抽出する既知の難読化解除手法に基づいており、単純化規則によるシンボリック実行を使用。さらに、バイトコードチャンクとVMの内部構成を記号ではなく、具体的な値として扱い、既知の難読化手法で追加の難読化技術を自動的に処理できるようにする。

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

CODE BLUE

In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM. Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

CODE BLUE

Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials. The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals. CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle. In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust. In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection. In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

CODE BLUE

Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace. In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace. We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

CODE BLUE

Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration. In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

CODE BLUE

Goで書かれたマルウェアは年々増加している。Goはクロスプラットフォームの性質を持っており、複数のプラットフォームを標的にしたい攻撃者にとって好都合な言語である。その一方で、ライブラリが静的にリンクされていることからユーザ関数とライブラリの区別が難しく、アナリストにとって解析が困難である。そうした状況で、Goマルウェアの分類や探索の需要が高まっている。本講演ではgimpfuzzyという新たな提案手法を用いてGoマルウェアに対し類似性の計算や分類が可能であることを検証する。われわれは既存手法であるgimphashにFuzzy Hashingを組み込んだ「gimpfuzzy」を新たに実装した。講演では提案手法を利用した分類の判別率を検証し、分類された結果の中からいくつかの事例を取り上げその妥当性について確認する。また、Goマルウェアの分類における課題についても検討を行う予定である。

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

CODE BLUE

Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg. For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad. Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations. After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

CODE BLUE

We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware. To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed. * Malware C2 Monitoring * Malware Hunting using Cloud * YARA CI/CD system * Malware Analysis System on Cloud * Memory Forensic on Cloud Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

CODE BLUE

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...

[cb22] Tales of 5G hacking by Karsten Nohl

[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（4） by 板橋博之

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（3） by Lorenzo Pupillo

[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（2）by Allan Friedman

[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...

[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション（1）by 高橋郁夫

[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...

[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka

[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...

[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...

[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...

[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...

[cb22] Mal-gopherとは？Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部祐太, 甘粕伸幸, 野村和也

[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...

[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...

Recently uploaded

💥 You’re lucky! We’ve found two different (lead) developers that are willing to share their valuable lessons learned about using UiPath Document Understanding! Based on recent implementations in appealing use cases at Partou and SPIE. Don’t expect fancy videos or slide decks, but real and practical experiences that will help you with your own implementations. 📕 Topics that will be addressed: • Training the ML-model by humans: do or don't? • Rule-based versus AI extractors • Tips for finding use cases • How to start 👨‍🏫👨‍💻 Speakers: o Dion Morskieft, RPA Product Owner @Partou o Jack Klein-Schiphorst, Automation Developer @Tacstone Technology

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

UiPathCommunity

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

MINDCTI Revenue Release Quarter One 2024

MIND CTI

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Architecting Cloud Native Applications

WSO2

ICT role in 21st century education and its challenges

rafiqahmad00786416

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam

Strategies for Landing an Oracle DBA Job as a Fresher

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

CNIC Information System with Pakdata Cf In Pakistan

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

MINDCTI Revenue Release Quarter One 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Artificial Intelligence Chap.5 : Uncertainty

WSO2's API Vision: Unifying Control, Empowering Developers

[BuildWithAI] Introduction to Gemini.pdf

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Vector Search -An Introduction in Oracle Database 23ai.pptx

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Architecting Cloud Native Applications

ICT role in 21st century education and its challenges

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

1. ATMs how to break them to stop the fraud Olga Kochetova, Alexey Osipov Kaspersky Lab

2. root@root:~# whoami Penetration Testing Department, Kaspersky Lab • @_Endless_Quest_, @GiftsUngiven • ATM and POS security assessment • Penetration Testing • Forensic Investigation Speakers at many IT events Authors of multiple articles, researches and advisories

3. What is ATM

4. Lego

5. About hardware

6. About software • Host (computer) • MS Windows (Windows XP!!1) • GUI and device control • Antivirus/Integrity control software • Video surveillance • Radmin/TeamViewer and other crap • Devices • Some microcontrollers with RTOS

7. About logic

8. Level 0

9. Cassettes • Secure casing • Tamper proof • Tamper evident

10. Cassettes • Tracking system • Cash spoiling devices • Alarms

11. Cash • Easily traceable • Can’t be extracted from cassettes with force

12. Cards • No static data • Dynamic data can’t be relayed • Secrets, that dynamic data is based upon can’t be extracted

13. Level 0

14. Level 1

15. Dispenser • Contains cassettes • Cash cassettes • Reject cassette • Manages mechanics • Sends statuses • Receives commands

16. Card reader • Identifies user and his account • Can provide authentication capabilities • EMV • Match-on-card for biometric data

17. PIN pad • Commonly used to enter authentication data • Also used to insert amount of money • Sometimes can be combined with keyboard

18. Biometric authentication devices • Grabs physical properties of user for authentication • Multiple flavors • Iris • Fingerprint • Voice • Face • Vein • etc.

19. Dispenser/Card reader/PIN pad • Commands are authenticated • Communications are encrypted • Firmware is modification proof • Sensitive data is separately protected

20. Level 1 - Dispenser/Card reader/PIN pad • Minimal amount of command are authenticated • Communications are NOT encrypted • Firmware can be modified • Sensitive data is separately protected

21. Level 2

22. Communication lines • Buses • USB • SDC (RS485) • CAN • Lines • COM (RS232) • GPIO

23. Communication lines • Data in transit is encrypted separately from data • Tampering with cables will disable device with need of physical manipulation

24. Level 2 - Communication lines • Data in transit is NOT additionally encrypted • Tampering with cables will disable device with need of physical manipulation. Only additional modules or firmware update on some models

25. Video Black box

26. Level 3

27. Service providers • User-space software communicating with hardware units • Created by device manufacturers • No single standard for communication

28. XFS • eXtension for Financial Services • Provide interoperability between different vendors of hardware and different producers of software

29. “Windows application” • Graphical user interface • Network client • Service mode • Technical • Money exchange • Configuration of security features

30. XFS/Service providers • Can be considered as proxies • Has no knowledge of data, that he transmits • Starts secure communication with device

31. “Windows application” • Minimal interface • Password protection for all service options • Secure network communications

32. Level 3 – Malware

33. Level 3 – Malware

34. Video Win32.Skimmer

35. Level 4

36. Physical • Steel-concrete cover • Tamper proof • Tamper evident • Alarm systems

37. Operating system • Platform to launch GUI • Role based access to system • Password protection • Integrity control • Robust updates

38. Network • Communication with processing center • Remote system management • Customization information

39. Level 4 - Physical

40. Level 5 - Network

41. Level 5

42. Processing

43. Processing

44. Processing

45. Video Rogue Processing

46. Not a conclusion

47. Current state of ATM security

48. Screwed? • netstat -an | findstr LISTEN • tasklist • nmap -sU -sS -p- ATM_IP • wireshark • usbpcap

49. Choose wisely

50. Security is a process

51. Have fun Stay safe Olga Kochetova, Olga.Kochetova@kaspersky.com, @_Endless_Quest_ Alexey Osipov, Alexey.Osipov@kaspersky.com, @GiftsUngiven

Editor's Notes

USB ports
Gives attacker unlimited control to device
Gives attacker unlimited control to device

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to [CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

Similar to [CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey Osipov

Editor's Notes