(Ping! Zine Web Tech Magazine) – Leading global IT security consultancy, Bishop Fox, announced today that several of its researchers will present at Black Hat and Security B-Sides in Las Vegas Aug. 5 – 8.
Joe DeMesy, Senior Security Associate and Dan Petro, Senior Security Analyst, will present “Untwisting the Mersenne Twister: How I Killed the PRNG” at Security B-Sides on Tuesday, Aug. 5 at 3 PM PST.
Later that week, Senior Security Associates Rob Ragan and Oscar Salazar will present “CloudBots: Harvesting Crypto Coins Like a Botnet Farmer” at Black Hat on Wednesday, Aug. 6 at 11:45 AM PST.
Bishop Fox’s researchers will also unveil three new tools at the Black Hat Tools Arsenal: Fran Brown’s “Oops, I RFIDID It Again,” Dan Petro’s “Rickmote Controller,” and DeMesy’s “iSPY.”
“Our researchers at Bishop Fox are proud to contribute to the security research community and are excited to be part of these two major events in Vegas next week,” said Vincent Liu, Partner at Bishop Fox. “We’re thrilled to have two presentations at Black Hat and B-Sides, and the three new tools we’re unveiling at the Black Hat Tools Arsenal.”
“CloudBots: Harvesting Crypto Coins Like a Botnet Farmer”
Ragan and Salazar’s CloudBots talk at Black Hat will show how they built a botnet from freely available cloud services, and how cybercriminals are doing the same. It will explain how cloud services can be used for botnet activities like crypto-coin mining, click fraud, and distributed network-based attacks.
The duo researched cloud services and built a framework to help security professionals simulate real-world attacks. The anti-anti-automation framework is a set of techniques for assisting security professionals in exploiting insufficient anti-automation security controls.
Using only an Internet connection, a browser and a $200 laptop, the team abused free registration and trials, and subverted weak security controls to demonstrate how anyone could maliciously leverage free online services.
Ragan commented, “Cybercriminals may take it further and use stolen credit cards, credentials, or compromised computers in large-scale attacks while staying anonymous. Our research shows how easy it is for attackers to disguise themselves by hopping through different systems.”
During their presentation, Ragan and Salazar will discuss why online service providers should carefully review their current anti-automation security controls, increase the cost and effort required for an attacker to automate processes, and implement techniques to slow down and monitor users attempting to abuse the system.
They will also discuss how online services should build a plan to deter, prevent, detect, delay, respond, and recover from automated attacks.
“Untwisting the Mersenne Twister: How I Killed the PRNG”
DeMesy and Petro’s “Untwisting the Mersenne Twister” talk at Security B-Sides will focus on random number generation’s security. Many applications today rely on random number generation. It can be a catastrophic security failure when these numbers turn out to be not so random.
The researchers will reveal how they created “Untwister,” an attack tool for breaking insecure random number generators and recovering the initial seed, the number used to generate all further random numbers.
Computer-generated random numbers are used in many important security-related contexts. If an attacker could accurately predict all future “random” numbers from a website, he or she could cheat online gambling sites, impersonate other users, or even access private data.
DeMesy said about his presentation, “Many papers have been written on PRNG (pseudo-random number generator) security, but there is nearly nothing practical pen testers can use to break live systems in the wild. This talk focuses on weaponizing the previously theoretical. Our talk will not only describe this threat, but explain why application developers should use a secure algorithm for random number generation for any security-related context.”
Bishop Fox’s research team will be in Las Vegas next week to discuss their findings. Please contact Arissa Aguilera on [email protected] to set up a time to meet with the team.
About Bishop Fox
Bishop Fox is a global security consulting firm. They are the trusted advisors to the Fortune 1000, financial institutions, and high-tech startups — helping to secure their commerce, data, IT infrastructure, and intellectual property. Founded in 2005, their team consists of dedicated individuals with a combined 400+ years of experience working in both corporate America and global security.
In addition to authoring several best-selling security books, writing numerous industry articles, and being cited in well-respected journals, the Bishop Fox team has been presenting its security research for more than a decade. Bishop Fox speakers have been featured at many top security industry venues, including Black Hat, DEF CON, RSA, InfoSecWorld, OWASP, SANS, and Microsoft BlueHat.