Tag: Black Hat USA

None of My Pixel is Your Business: Active Watermarking Cancellation Against Video Streaming Service

Live video streaming services are getting more and more popular in China. In order to ensure their own interests, various service providers have added visible watermarks, which have become increasingly fierce and vicious. Users (originators and viewers) are fed up...

/ January 15, 2020

TLBleed: When Protecting Your CPU Caches is Not Enough

We present TLBleed, a novel side-channel attack that leaks information out of Translation Lookaside Buffers (TLBs). TLBleed shows a reliable side channel without relying on the CPU data or instruction caches. By Ben Gras Full abstract and materials: https://www.blackhat.com/us-18/briefings/schedule/#tlbleed-when-protecting-your-cpu-caches-is-not-enough-10149

/ January 15, 2020

WebAssembly: A New World of Native Exploits on the Browser

The goal of this talk is to provide a basic introduction to WebAssembly and examine the actual security risks that a developer may take on by using it. We will cover the low-level semantics of WebAssembly, including the Javascript API,...

/ January 15, 2020

It’s a PHP Unserialization Vulnerability Jim, but Not as We Know It

The presentation will include demos of long lived and previously unidentified RCE exploits against some of the most widely deployed open source PHP web applications and libraries. By Sam Thomas Full Abstract and Materials: https://www.blackhat.com/us-18/briefings/schedule/#its-a-php-unserialization-vulnerability-jim-but-not-as-we-know-it-11078

/ January 15, 2020

Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the Tesla hacking 2017. Multiple 0-days of different in-vehicle components are included in the new attack chain. By Ling...

/ January 15, 2020

Last Call for SATCOM Security

In 2014, we took to the stage and presented “A Wake-up Call for SATCOM Security,” during which we described several theoretical scenarios that could result from the disturbingly weak security posture of multiple SATCOM products. Four years later, we are...

/ January 15, 2020

Catch me, Yes we can! – Pwning Social Engineers

Social engineering is a big problem but very little progress has been made in stopping it, aside from the detection of email phishing. Social engineering attacks are launched via many vectors in addition to email, including phone, in-person, and via...

/ January 15, 2020

Lessons and Lulz: The 4th Annual Black Hat USA NOC Report

Back with another year of soul crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled, and entertained, year after year. We’ll let you know all the tools and techniques we’re...

/ January 15, 2020

Stop that Release, There’s a Vulnerability!

This presentation looks at the real world process of the BlackBerry Product Security team. In partnership with product owners, developers, and senior leaders, they’ve spent many years developing and refining a software defect tracking system and a risk-based release evaluation...

/ January 15, 2020

Pestilential Protocol: How Unsecure HL7 Messages Threaten Patient Lives

Healthcare infosec is in critical condition- too few bodies, underfunded to a fault, and limping along on legacy systems stuffed with vulnerabilities. From exploited insulin/medication pumps to broken pacemakers, no implantable or medical device is safe. But there’s an even...

/ January 15, 2020

InfoSec Philosophies for the Corrupt Economy

This talk discusses the realities of corruption, with real-life anecdotes from interviews conducted with real criminals and victims. This talk also explains the challenges and differences between trying to ‘do’ information security in developed and developing countries, where often corruption...

/ January 15, 2020

Every ROSE has its Thorn: The Dark Art of Remote Online Social Engineering

In this talk, I place ROSE within the context of other false personae activities – trolling, sockpuppetry, bots, catfishing, and others – using detailed case studies, and provide a comprehensive and in-depth methodology of an example ROSE campaign, from target...

/ January 15, 2020