[00:01:02] All right everyone, welcome to our next talk. Just a couple of quick notes before we jump into the next talk. There was a schedule change: there was a talk scheduled at 10 o'clock tonight on social studies steganography that has been moved to tomorrow morning at 10 a.m. In its place there will be a talk called "Medical Devices Security and Privacy Issues: He's Not Dead, Jim (Not Really)", so that talk will be here at 10 p.m. tonight. Please come and see it, it would be great.

[00:01:32] A couple of other notes. Thank you for wearing your mask throughout the show, we really appreciate it; it really helps us keep with our commitment to preserving our health and our sanity. Hackers Got Talent is tonight, so if you are interested, please go in; you don't need to sign up in advance, just walk up and you can go in and participate. Lastly, workshops definitely need more helpers for today and for tomorrow, so if you're interested in being a volunteer and helping out in workshops, please go to either the info desk or try and find Mitch, either through the Matrix chat channel or by finding him walking around in person.

[00:02:11] Lastly, please mute your phone during the talk, because the audio equipment is very sensitive and we want to make sure that we don't interrupt the talk. Our next talk is "Ransomware Protection Full of Holes" from Soya Aoyama. So with that we'll pass you on to Soya. Enjoy.

[00:02:40] You're live right now. You can go ahead.

[00:03:03] [Introduction garbled in the transcript.] Unfortunately I could not go to New York, because my boss did not allow me to travel. Now it's 5 a.m. in Tokyo, so I'm very sleepy. Okay. Today I will give a presentation entitled "Ransomware Protection Full of Holes".

[00:03:52] May 12th, 2017. Do you remember? Yes, it's the day of the cyber attack by WannaCry. WannaCry caused tremendous damage all over the world.

[00:04:20] Microsoft has given one answer to ransomware. Expressed in one phrase, it's literally "ransomware protection". Microsoft added a ransomware protection feature in the Windows 10 Fall Creators Update, the 2017 release. The new feature helps stop ransomware from accessing important files in real time, even if ransomware infects the computer. When the feature is enabled, it protects folders, allowing only authorized apps to access files.

[00:05:19] The foundation of Windows ransomware protection is Controlled folder access, and it consists of "Protected folders" and "Allow an app through Controlled folder access". Note that Controlled folder access is disabled by default; you need administrator privilege to enable it.

[00:05:58] Protected folders are folders that protect your files from being encrypted by ransomware. Here you can add the folders you want to protect. However, the default protected folders, such as Documents or Pictures, are listed even if you don't specify them. "Allow an app through Controlled folder access" lists the apps that can access protected folders. It says that apps determined by Microsoft as friendly are always allowed, but they are not listed by default.

[00:07:04] Unfortunately, Microsoft's ransomware protection is full of holes, so many researchers are researching ways to bypass ransomware protection. This is a technique that exploits the inclusion of Office apps in the whitelist and bypasses Controlled folder access using Office OLE objects. This is a technique to bypass Controlled folder access by writing the encrypted data from memory to a new file and then using the rename call to replace the original file. This is a technique to bypass Controlled folder access that takes advantage of the fact that security features are disabled when Windows starts in Safe Mode. And my research: a technique to bypass Controlled folder access using DLL injection. This is explained in detail.

[00:08:46] In 2018, when I was researching ransomware protection, I found that File Explorer has access to protected folders. I used Component Object Model hijacking to inject a malicious DLL into File Explorer. Because COM objects are managed in the registry, they can be hijacked by editing the registry to reference malicious payloads rather than the legitimate COM object.

[00:09:43] ContextMenuHandlers in the registry include a list of shell extensions used by File Explorer. I focus on this GUID in that list. If you search for this GUID in the registry, you will find it under CLSID, so this GUID is the CLSID that identifies the COM object. And the default value for InprocServer32 is 032.dll. If you can change this to a malicious DLL, you can inject it into File Explorer. But you cannot change this directly, because it's a merged view of HKEY_CLASSES_ROOT.

[00:11:11] As described in MSDN, the merged view of HKEY_CLASSES_ROOT displays the merged values of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and if both have a value, HKEY_CURRENT_USER will take precedence. In the case of this CLSID, there is a value in HKEY_LOCAL_MACHINE but not in HKEY_CURRENT_USER. So if you add the value to HKEY_CURRENT_USER, you can change the value seen in HKEY_CLASSES_ROOT.

[00:12:13] Write a command in a batch file to add the path of the malicious DLL to HKEY_CURRENT_USER. When you start File Explorer, it will load the malicious DLL. The malicious DLL runs in the File Explorer process, so it can encrypt files in protected folders. This completes the ransomware PoC.

[00:12:55] Of course, I reported this research result to Microsoft, but they told me that this is not a security vulnerability, for the following reasons. "Results are predicated on the attacker having login access to the target account already. Since you are only able to write to HKCU, you will not be able to affect other users. The issue does not appear to be an escalation of privileges. And finally, it would appear the attacker would not gain anything from this attack." The attacker would gain nothing from this attack. So I have presented this research at several conferences. This is my previous research.

[00:14:46] Well, an article in 2021 introduced Windows 10 ransomware protection as effective in protecting against ransomware. I questioned whether Windows 10 ransomware protection is effective after reading this article, as I thought my PoC was still valid and could easily encrypt files. But just to be sure, I ran my PoC on the latest Windows.

[00:15:52] Here is a video of the PoC I mentioned earlier running on Windows 11. Here, the Akina image is saved in the Pictures folder. Next, open the ransomware protection settings screen and enable Controlled folder access. Run the batch file that successfully encrypted files in the past. The program was blocked, and the Akina image is safe. Finally, a check of the block history shows that Controlled folder access protected the Pictures folder from File Explorer.

[00:17:37] As you can see, my previous exploitation is now no longer valid. Microsoft said my report is not a vulnerability, but they had secretly fixed it. I was so frustrated that I decided to see if there were any other holes in the ransomware protection.

[00:18:17] I checked the Controlled folder access registry keys, and the list was empty for both allowed applications and protected folders. The default protected folders such as Documents and Pictures, which we discussed in the first section, were not in protected folders. The default protected folders are in another registry key, and it is in HKEY_CURRENT_USER. This means that folders protected by default can be changed with user privileges.

[00:19:17] When you actually check the properties of the Pictures folder, it says you can change the location. A good idea, but a bad idea for Microsoft, just pops into my head: what happens if you change the location of the Pictures folder? Before the change, files in that folder are protected and cannot be encrypted, but by changing the folder, files in the original folder are no longer protected and should be able to be encrypted. I actually tried it.

[00:20:47] A new batch file. This time, reboot the system after changing the user folder. This is because the system needs a reboot to recognize the changed user folder. But rebooting takes a long time, and I hate it. I'll go with logoff instead.

[00:21:37] Unfortunately, Microsoft has not protected the Akina image. Check the block history as before. There's nothing in the block history. Yes, I outfoxed Microsoft again. Microsoft missed a simple thing like this.

[00:22:30] Well... ah, sorry. Well, don't you want to know Microsoft's response to this vulnerability report? What a surprise: this time it's just this one phrase. "Because Controlled folder access is a defense-in-depth security feature, we cannot accept this submission as a vulnerability issue." We need to inform many people about this issue, so I created a PoC that looks even more dangerous.

[00:23:36] I'm using the Component Object Model hijacking method again for injecting a DLL into File Explorer. Actually, Component Object Model hijacking can specify a network path. In other words, if you can write the registry by exploiting any vulnerability, you can encrypt the files without sending a DLL to the target.

[00:24:21] I use the CVE-2018-3035 [number as transcribed] command injection vulnerability in this PoC. This is a vulnerability in Apache Tika server.

[00:25:05] Now let me show you. The Akina image is safe. Open the ransomware protection settings screen and enable Controlled folder access. Check the IP address and use it to execute the Tika server. From here, the attacker uses Kali to attack the target. The malicious DLL is on Kali. I created a Samba user using pdbedit, and the restart is already complete.

[00:27:14] I created a shell script that executes the Python script downloaded from Exploit-DB with its arguments. The argument is a command to be executed on the target, which is the folder change and executing logoff.

[00:27:59] Unfortunately, Microsoft could not protect the Akina image. Yes, I brilliantly encrypted files remotely. Will Microsoft secretly fix it again? Probably yes.

[00:28:39] In summary, as you can see, this time I could encrypt the user data in a very easy and very ridiculous way. It is so simple that anyone can easily imitate it, but please never create ransomware using this method. I think backup is the only way to protect your data from ransomware. I suggest that you always have a backup of your data. Okay, my presentation is over. Thank you.

[00:29:47] All right, thank you so much Soya. This is a chance for anyone to ask any questions. He can't directly hear your questions, but we can either have you walk up to the mic, we can bring the mic around if anyone has a question, or you can relay it to me and I'll relay it to him.

[00:30:12] So the question, Soya, is: what was Microsoft's reaction, or what was your reaction back to Microsoft, from the email you received saying it wasn't a problem? Did you hear the question, Soya? Did you hear the question?

[00:30:58] Ah, so Microsoft says... [Music] Of course. Any other questions?

[00:31:39] All right, well thank you again for the talk, Soya, it was fascinating, and thank you audience for participating, and please come back for our next talk at the top of the hour. Right, what is our next one? "Right to Repair: Fixing the DMCA and Legalizing Tinkering".