Thank you to all who attended INTENT 2021!
On November 16, the cybersecurity community came together for the virtual global summit that’s made for researchers, by researchers.
But don’t worry if you missed any sessions: they’re available to watch now, on demand.
On Demand Sessions
INTENT featured over 20 inspiring speakers from across the global cybersecurity community.
Check out the sessions below to discover the latest insights on some of the biggest security challenges, including the hacking potential of Zoom, 0-days in open-source packages, 1-click attacks designed to infiltrate organizations, and more.
Introduction Talk & Keynote Alyssa Miller: Making Security a Business Function
Join INTENT co-founders Erez and Lavi as they introduce INTENT, the security research summit, and welcome the community of researchers to the event.
They will share what inspired them to create INTENT, how it happened, and what they hope to see during the event (Glorious failures and spectacular screwups!) and in years to come.
And don’t worry… it will be nice and short… Not like other conference keynotes!
In her keynote, Alyssa examines how security can go beyond managing risk and truly demonstrate the value we bring to the business itself. Regardless of whether you’re early in your career as an individual contributor or a seasoned veteran in a high-level leadership role, you’ll discover a new way to present security as a business accelerator. You’ll hear examples of how security can drive product agility, encourage innovation, improve business viability, and ultimately enhance profitability. We’ll even discuss how the emerging role of Business Information Security Officer can be leveraged to make this possible.
Hacking the Pandemic’s Most Popular Software: Zoom
When the pandemic required everyone to work from home, we saw huge growth in the video conferencing market. It was this movement that made the organisation behind the Pwn2Own competition decide to add an ‘Enterprise Communications’ category to this year’s competition. Demonstrating a zero-day attack against the Zoom client would be rewarded with $200,000. We started researching, which resulted in a working exploit against the then-latest version of Zoom that would give the attacker full control over your system. Now that Zoom has fixed all the vulnerabilities we found, we can share the details of our research.
Panel: Glorious Failures and Spectacular Screwups
We love success stories, especially about our research. But honestly, for every tale of triumph, there are sometimes several horror stories.
In this panel, we brought together research leaders to reveal some of these stories, think about why we usually hide them, and maybe find some good reasons to share them internally and externally.
Kubesploit: A Post-Exploitation Framework, Focused on Containerized Environments
Kubesploit is a post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments, and built on top of the Merlin project by Russel Van Tuyl (@Ne0nd0g).
It supports Go modules and ships with container breakout, kubelet attack, and scanning modules.
Smart Meter Hacking
Hash is reverse engineering smart power meters, everything from undocumented wireless protocols to the firmware used in the microcontrollers and the software running on the aggregation devices located within substations. He’s not doing this for the government in a dark underground bunker; he’s doing it publicly in his home office and publishing on YouTube!
Reverse engineering is a rocky journey: the destination is known (total pwnage), but the road there is full of twists and turns. Hash shares the voyage and takes feedback from everyone in a “choose your own adventure” format. Come see where he’s at!
ChainJacking – A New Software Supply Chain Attack Vector
We’ve found a method to scan for and take over GitHub accounts that leads to a package hijacking attack. This affects Go, Swift and other popular programming languages.
Slipping through the cracks between the designs of GitHub and the Go package manager could allow an attacker to take control over popular Go packages, poison them and infect developers and users.
We have identified several highly popular open-source Go packages that are susceptible to a new technique dubbed ChainJacking. Some of these vulnerable packages are embedded in popular admin tools.
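Go resolves a `github.com/<owner>/<repo>` import through the owner's account name, so the set of GitHub accounts named in a module's dependency list is exactly the set of accounts whose takeover would hijack that module. The following is an added example (not code from the ChainJacking research or any tool it describes) that parses a constructed go.mod file, groups GitHub-hosted dependencies by owner, and reports the owners that have not yet been verified against a (constructed) allowlist. The sample module, owners and allowlist are all assumptions made for illustration.

```javascript
// Added example: inventory the GitHub owner namespaces a Go module trusts.
// The go.mod content, owner names and allowlist below are constructed.

const SAMPLE_GO_MOD = `
module example.com/admin-tool

go 1.17

require (
	github.com/alice/logkit v1.2.3
	github.com/bob/cli v0.4.0 // indirect
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
	github.com/alice/netutil v2.0.1+incompatible
)
`;

// Parse `require` entries into {path, version}. Handles both the block
// form `require ( ... )` and the single-line form `require path version`.
function parseRequires(goMod) {
  const deps = [];
  let inBlock = false;
  for (const raw of goMod.split('\n')) {
    const line = raw.replace(/\/\/.*$/, '').trim(); // drop trailing comments
    if (!line) continue;
    if (line === 'require (') { inBlock = true; continue; }
    if (inBlock && line === ')') { inBlock = false; continue; }
    const m = inBlock
      ? line.match(/^(\S+)\s+(\S+)$/)
      : line.match(/^require\s+(\S+)\s+(\S+)$/);
    if (m) deps.push({ path: m[1], version: m[2] });
  }
  return deps;
}

// Group GitHub-hosted dependencies by the account that owns the import path.
function githubOwners(deps) {
  const owners = new Map();
  for (const { path } of deps) {
    const m = path.match(/^github\.com\/([^/]+)\/([^/]+)/);
    if (!m) continue;
    const owner = m[1].toLowerCase(); // GitHub logins are case-insensitive
    if (!owners.has(owner)) owners.set(owner, []);
    owners.get(owner).push(path);
  }
  return owners;
}

// Owners that appear in the module graph but are not on the verified list.
// Verification itself (is the account still the original maintainer's?) is
// a manual or out-of-band step; this only tells you which accounts to check.
function unverifiedOwners(owners, verified) {
  const ok = new Set(verified.map((o) => o.toLowerCase()));
  return [...owners.keys()].filter((o) => !ok.has(o)).sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  const owners = githubOwners(parseRequires(SAMPLE_GO_MOD));
  for (const [owner, paths] of owners) console.log(owner, paths);
  console.log('unverified owners:', unverifiedOwners(owners, ['alice']));
}
```

Run it against a real go.mod (and the output of `go mod graph`, which also lists transitive modules) to get the full set of accounts your build trusts.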
Tool Demo: reNgine: An automated reconnaissance framework, how and why!
reNgine is an automated reconnaissance framework for web applications with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, a database back end, and a simple yet intuitive user interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration, and with the help of reNgine’s correlation, recon becomes effortless. This tool demonstration will give an in-depth view of reNgine and how individuals and companies can use it for continuous monitoring of their assets. The demonstration will be a complete guide to using reNgine, from installation to tips and tricks.
Why Attackers in Code Packages are Getting a Pass
Supply chain attacks are gaining popularity, and we wanted to examine, from an attacker’s point of view, the difficulty of poisoning OSS packages. We found many alarming practices that hold back the security community from detecting those attackers.
This is an invitation and a wake-up call for researchers to start examining new developments in the field of OSS. This field is wide open to almost anyone who would want to take advantage of the current state of affairs. For researchers, it is uncharted territory with the possibility to make major advancements with small tools and practices that improve the ecosystem’s ability to face threats that will most certainly grow and develop.
Bypassing Windows Hello for Business and Pleasure
Windows Hello is the most popular passwordless solution; it offers authentication by either PIN code or biometrics. Windows Hello promises better security, but is that true? In this session, we’ll introduce our research that shows how an attacker can bypass Windows Hello.
Code Obfuscation through Mixed Boolean-Arithmetic Expressions
A Mixed Boolean-Arithmetic (MBA) expression is composed of both integer arithmetic and bitwise operators. Such expressions can be leveraged to obfuscate the data-flow of code by iteratively applying rewrite rules and function identities, complicating its syntax while preserving its semantic behavior. This possibility is motivated by the fact that combinations of operators from these different fields do not interact well together: we have no rules (distributivity, factorization…) or general theory to deal with this mixing of operators.
Through this workshop, attendees will receive a comprehensive introduction to the study, analysis and implementation of code obfuscation mechanisms relying on MBA expressions.
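To make the mechanism concrete, here is an added example (not material from the workshop) of MBA obfuscation on 32-bit unsigned integers: a small expression tree, a handful of rewrite rules built from well-known identities such as x + y = (x ^ y) + 2(x & y) and x ^ y = (x | y) − (x & y), a pass that applies a randomly chosen rule at every node for several rounds, and a differential check that the obfuscated expression still computes the same function. The seeded PRNG, the rule set and the test inputs are choices made for this illustration.

```javascript
// Added example: Mixed Boolean-Arithmetic rewriting over uint32 values.
// Node shapes: {op:'var',name} | {op:'const',value} | {op, l, r} | {op:'not', l}
const V = (name) => ({ op: 'var', name });
const C = (value) => ({ op: 'const', value: value >>> 0 });
const N = (op, l, r) => ({ op, l, r });

// Evaluate modulo 2^32; every result is normalised with >>> 0.
function evaluate(e, env) {
  switch (e.op) {
    case 'var':   return env[e.name] >>> 0;
    case 'const': return e.value;
    case 'add':   return (evaluate(e.l, env) + evaluate(e.r, env)) >>> 0;
    case 'sub':   return (evaluate(e.l, env) - evaluate(e.r, env)) >>> 0;
    case 'mul':   return Math.imul(evaluate(e.l, env), evaluate(e.r, env)) >>> 0;
    case 'and':   return (evaluate(e.l, env) & evaluate(e.r, env)) >>> 0;
    case 'or':    return (evaluate(e.l, env) | evaluate(e.r, env)) >>> 0;
    case 'xor':   return (evaluate(e.l, env) ^ evaluate(e.r, env)) >>> 0;
    case 'not':   return (~evaluate(e.l, env)) >>> 0;
  }
  throw new Error('unknown op ' + e.op);
}

// Rewrite rules. Each is an identity that holds for fixed-width two's
// complement integers, so applying it never changes the computed value.
const RULES = {
  add: [
    (a, b) => N('add', N('xor', a, b), N('mul', C(2), N('and', a, b))), // x+y = (x^y) + 2(x&y)
    (a, b) => N('add', N('or', a, b), N('and', a, b)),                  // x+y = (x|y) + (x&y)
  ],
  sub: [
    (a, b) => N('sub', N('xor', a, b), N('mul', C(2), N('and', N('not', a), b))), // x-y = (x^y) - 2(~x&y)
  ],
  xor: [(a, b) => N('sub', N('or', a, b), N('and', a, b))],   // x^y = (x|y) - (x&y)
  and: [(a, b) => N('sub', N('add', a, b), N('or', a, b))],   // x&y = (x+y) - (x|y)
  or:  [(a, b) => N('sub', N('add', a, b), N('and', a, b))],  // x|y = (x+y) - (x&y)
};

// Deterministic xorshift32 PRNG so obfuscation is reproducible from a seed.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;
  return () => { s ^= s << 13; s >>>= 0; s ^= s >>> 17; s ^= s << 5; s >>>= 0; return s; };
}

// One bottom-up pass: rewrite children first, then the node itself.
function rewriteOnce(e, rand) {
  if (e.op === 'var' || e.op === 'const') return e;
  if (e.op === 'not') return N('not', rewriteOnce(e.l, rand));
  const l = rewriteOnce(e.l, rand), r = rewriteOnce(e.r, rand);
  const rules = RULES[e.op];
  return rules ? rules[rand() % rules.length](l, r) : N(e.op, l, r);
}

function obfuscate(e, rounds, seed = 0xc0ffee) {
  const rand = xorshift32(seed);
  for (let i = 0; i < rounds; i++) e = rewriteOnce(e, rand);
  return e;
}

function render(e) {
  if (e.op === 'var') return e.name;
  if (e.op === 'const') return String(e.value);
  if (e.op === 'not') return '~' + render(e.l);
  const sym = { add: '+', sub: '-', mul: '*', and: '&', or: '|', xor: '^' }[e.op];
  return '(' + render(e.l) + ' ' + sym + ' ' + render(e.r) + ')';
}

function size(e) {
  if (e.op === 'var' || e.op === 'const') return 1;
  return 1 + size(e.l) + (e.r ? size(e.r) : 0);
}

// Differential check on edge values and random inputs (constructed test set).
function equivalent(a, b, vars, trials = 2000, seed = 42) {
  const rand = xorshift32(seed);
  const edge = [0, 1, 0x7fffffff, 0x80000000, 0xffffffff];
  for (let t = 0; t < trials; t++) {
    const env = {};
    for (const v of vars) env[v] = rand() % 4 === 0 ? edge[rand() % edge.length] : rand();
    if (evaluate(a, env) !== evaluate(b, env)) return false;
  }
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const orig = N('add', V('x'), V('y'));
  const obf = obfuscate(orig, 3);
  console.log(render(orig), '=>', render(obf));
  console.log('nodes:', size(orig), '->', size(obf), 'equivalent:', equivalent(orig, obf, ['x', 'y']));
}
```

The differential check is deliberately only a sanity test: it can catch a wrong rewrite rule but cannot prove equivalence, which is exactly why MBA is hard to undo for an analyst who has only the obfuscated form.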
Automated 0-day Discovery in 2021 – Squashing the Low-Hanging Fruit
In past years, publicly available infrastructure such as Ghidra, AFL and angr has put the “holy grail” of vulnerability research within our grasp: real-world automated 0-day identification, without any reliance on source code and with zero or minimal pre-configuration. After quickly presenting the INFRA:HALT vulnerabilities (affecting the HCC Embedded TCP/IP stack) and discussing exploitation techniques for the most critical ones from the batch, we will treat them as a case study to present a myriad of contemporary techniques for vulnerability detection using static analysis of binary firmware images. This will include data flow analysis, symbolic execution and standard library function detection through emulation.
Eclectic Research, Esoteric Results
In this talk, Pedro will present some of his previous research, ranging from data exfiltration to IoT, from Android apps to back-end servers, exploring the barrier between the enthusiasm of the findings and the external perception of the results. He will talk about research results and their implications, explain the vulnerabilities themselves, the intellectual challenges, research process, bounties, rewards and media exposure. We all have pet bugs, interesting back stories and usually a slightly different view of our findings than the rest of the world. More often than not, we can only find true understanding amongst our fellow peers.
Dissecting and Comparing Different Binaries to Malware Analysis
By the end of this talk, this will be clear to everyone: the differences between binary structures, how a researcher should conduct each of these kinds of analysis and, of course, where to seek more basic knowledge on file structures, software architecture and programming languages.
Shades of Red: RedXOR Linux Backdoor and its Chinese Origins
New malware targeting Linux systems is being discovered on a regular basis. Backdoors attributed to advanced threat actors are disclosed less frequently. In this talk, we will share a technical analysis of a recently uncovered backdoor we named RedXOR and explain why it is likely attributed to the Winnti umbrella. We will also touch upon the Linux threat landscape and how Linux malware finds its way onto compromised servers.
As well as understanding the RedXOR malware, which is among the most sophisticated Linux malware discovered in the past year, attendees of this talk will gain knowledge about Winnti Linux TTPs and ELF malware analysis.
Cross-Document Messaging Technology – How to Hack it, and How to Use it Safely
Cross-document messaging is a very common communication method. It has been around for a while, and yes, IT IS exploitable if you do not implement it according to its security model. However, the messages sent using the postMessage API will not show up in your standard intercepting proxy because they are exchanged without networking, inside the browser’s memory. Watch Enso’s Chief Architect Chen Gour-Arie explain cross-document messaging technology, how to hack it, and how to use it safely.
Chen and a team of AppSec professionals have released a free open-source project named Posta (https://github.com/benso-io/posta), a tool for researching cross-document messaging communication. It allows you to track, explore and exploit postMessage vulnerabilities and includes features such as replaying messages sent between windows within any attached browser.
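The security model the talk refers to is small: a receiver must check `event.origin` exactly (scheme, host and port) before using `event.data`, and a sender must name the target origin instead of `'*'`. The following is an added example (not Posta's code nor the speaker's) showing a common flawed origin check next to a strict one, a receiver that dispatches only to a fixed command table, and a sender that refuses to broadcast. Because node has no `window`, the example stands in a constructed fake window and hand-built event objects for the browser; the trusted origins and command names are assumptions for illustration.

```javascript
// Added example: postMessage receiver/sender that follows the security model.
// Window objects and events are constructed stand-ins so this runs under node.

// Records what a window was asked to post and to which origin.
function fakeWindow() {
  const sent = [];
  return { sent, postMessage: (msg, targetOrigin) => sent.push({ msg, targetOrigin }) };
}

// FLAWED: prefix (or substring) matching on the origin string. An attacker
// who controls https://app.example.attacker.test passes this check.
function flawedOriginCheck(origin) {
  return origin.startsWith('https://app.example');
}

// STRICT: exact match against a fixed allowlist of full origins.
function strictOriginCheck(trusted) {
  return (origin) => trusted.has(origin);
}

// Fixed command table: data from another window is never eval'd or written
// to the DOM as HTML; it only selects one of these handlers.
const COMMANDS = {
  ping: () => 'pong',
  sum: (payload) => (Array.isArray(payload) ? payload.reduce((a, b) => a + b, 0) : null),
};

// Receiver. Origin is checked before event.data is touched; the reply is
// posted back to the verified origin, never to '*'.
function createMessageHandler(isTrustedOrigin, commands = COMMANDS) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin)) return { accepted: false, reason: 'untrusted origin' };
    let msg = event.data;
    if (typeof msg === 'string') {
      try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: 'malformed JSON' }; }
    }
    if (!msg || typeof msg !== 'object' ||
        !Object.prototype.hasOwnProperty.call(commands, msg.type)) {
      return { accepted: false, reason: 'unknown type' };
    }
    const result = commands[msg.type](msg.payload);
    event.source.postMessage(JSON.stringify({ type: msg.type + ':reply', result }), event.origin);
    return { accepted: true, result };
  };
}

// Sender. A '*' target delivers the payload to whatever document currently
// occupies that window, so it is refused outright.
function sendCommand(targetWindow, targetOrigin, type, payload) {
  if (targetOrigin === '*') throw new Error('refusing to postMessage to any origin');
  targetWindow.postMessage(JSON.stringify({ type, payload }), targetOrigin);
}

if (typeof require !== 'undefined' && require.main === module) {
  const handler = createMessageHandler(strictOriginCheck(new Set(['https://app.example'])));
  const attacker = fakeWindow();
  console.log(handler({ origin: 'https://app.example.attacker.test', data: '{"type":"ping"}', source: attacker }));
  const legit = fakeWindow();
  console.log(handler({ origin: 'https://app.example', data: '{"type":"sum","payload":[1,2,3]}', source: legit }));
  console.log(legit.sent);
}
```

In a real page `window.addEventListener('message', handler)` wires the receiver in; the stand-in window only exists so the checks can be exercised without a browser.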
HTTP Request Smuggling
HTTP request smuggling is difficult to understand (payloads can be confusing at first sight), and exploitation is no different. What better way to understand this trending vulnerability than by seeing it from an attacker’s perspective? This will be an overview of the latest research on the topic.
Load balancers and proxies such as HAProxy, Varnish, Squid and Nginx play a crucial role in website performance, and each one implements its own HTTP protocol parser. HTTP Request Smuggling (HRS) is an attack that abuses inconsistencies between how different HTTP parsers decide where a request ends. What your load balancer considers the end of one request might not be considered the end by your web server.
We will see how an attacker can abuse several vulnerable configurations. HTTP Request Smuggling (HRS) enables multiple attack vectors, including cache poisoning, credential hijacking, URL filtering bypass, open-redirect and persistent XSS. For each of these vectors, a payload will be showcased and explained in-depth. Also, a live demonstration will be made to see the vulnerability in action. Aside from exploitation, we will show how developers and system administrators can detect such faulty configurations using automated tools.
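The disagreement the talk describes can be reproduced with two toy parsers. Below is an added example (not the speaker's material or tooling) of the CL.TE case: a front end that frames the body by `Content-Length` and a back end that frames it by `Transfer-Encoding: chunked` are fed the same bytes; the front end sees one request while the back end sees two, the second being the smuggled `GET /admin`. The same block includes the configuration-side check the talk mentions: flagging any request that carries both framing headers. The host name, paths and payload are constructed for the example, and the parsers are deliberately minimal (no trailers, no pipelining edge cases).

```javascript
// Added example: CL.TE request smuggling against two toy HTTP/1.1 parsers.
const CRLF = '\r\n';

// Parse the request line and headers starting at `start`.
function parseHead(raw, start) {
  const end = raw.indexOf(CRLF + CRLF, start);
  if (end < 0) return null;
  const lines = raw.slice(start, end).split(CRLF);
  const headers = {};
  for (const h of lines.slice(1)) {
    const i = h.indexOf(':');
    if (i > 0) headers[h.slice(0, i).trim().toLowerCase()] = h.slice(i + 1).trim();
  }
  return { requestLine: lines[0], headers, bodyStart: end + 4 };
}

// Body framing A: trust Content-Length (what the toy front end does).
function readByContentLength(raw, pos, headers) {
  const n = parseInt(headers['content-length'] || '0', 10);
  return { body: raw.slice(pos, pos + n), next: pos + n };
}

// Body framing B: trust chunked encoding (what the toy back end does).
function readChunked(raw, pos) {
  let body = '';
  for (;;) {
    const lineEnd = raw.indexOf(CRLF, pos);
    if (lineEnd < 0) return null;
    const size = parseInt(raw.slice(pos, lineEnd), 16);
    if (Number.isNaN(size)) return null;
    pos = lineEnd + 2;
    if (size === 0) {                     // terminating chunk
      if (raw.startsWith(CRLF, pos)) pos += 2;
      return { body, next: pos };
    }
    body += raw.slice(pos, pos + size);
    pos += size + 2;                      // skip chunk data and its CRLF
  }
}

// Split a byte stream into requests under one framing policy: 'CL' or 'TE'.
function splitRequests(raw, prefer) {
  const reqs = [];
  let pos = 0;
  while (pos < raw.length) {
    const head = parseHead(raw, pos);
    if (!head) break;
    const te = (head.headers['transfer-encoding'] || '').toLowerCase();
    const r = prefer === 'TE' && te.includes('chunked')
      ? readChunked(raw, head.bodyStart)
      : readByContentLength(raw, head.bodyStart, head.headers);
    if (!r) break;
    reqs.push({ requestLine: head.requestLine, body: r.body });
    pos = r.next;
  }
  return reqs;
}

// Build a CL.TE payload: Content-Length covers the whole body, but the
// chunked framing ends at the zero chunk, leaving `smuggled` as a new request.
function buildClTe(smuggled) {
  const body = '0' + CRLF + CRLF + smuggled;
  return ['POST / HTTP/1.1', 'Host: vulnerable.example',
    'Content-Length: ' + body.length, 'Transfer-Encoding: chunked', '', body].join(CRLF);
}

// Detection: a request that carries both framing headers is ambiguous by
// construction (RFC 7230 says TE wins, but not every parser agrees).
function hasAmbiguousFraming(raw) {
  const head = parseHead(raw, 0);
  return !!head && 'content-length' in head.headers && 'transfer-encoding' in head.headers;
}

if (typeof require !== 'undefined' && require.main === module) {
  const payload = buildClTe('GET /admin HTTP/1.1' + CRLF + 'Host: vulnerable.example' + CRLF + CRLF);
  console.log('front end (CL) sees', splitRequests(payload, 'CL').length, 'request(s)');
  console.log('back end  (TE) sees', splitRequests(payload, 'TE').map((r) => r.requestLine));
  console.log('ambiguous framing:', hasAmbiguousFraming(payload));
}
```

In a live deployment the leftover bytes are not parsed as a standalone second request but are prepended to the next request that arrives on the same back-end connection, which is what turns this parsing mismatch into cache poisoning or credential theft against another user.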
How to Systematically Find 0-days in Open-Source Packages
In the realm of open-source packages, it’s sometimes easier for an attacker to find many less-sophisticated 0-days that affect many packages, rather than spending weeks or months to find a single hard-core 0-day vulnerability. In this talk, I’ll walk you through the processes we built for that.
1-Click to Infiltrate your Organization via Vulnerable VS Code Extensions
Attackers have looked all around for means to compromise organizations through developers: malicious 3rd-party packages, leaked credentials, unpatched vulnerabilities, and more. But the newest threat lay right under their nose: the IDE.
CTF Winners Announced & Closing Remarks
Drumroll please! Join Shaked and Tomer, INTENT CTF creators, as they announce the CTF winners and provide a few insights on the challenges developed by INTENT founders and partners.
Erez and Lavi will then wrap up the summit with some closing remarks and share what you should expect to see at INTENT 2022.