Follow live coverage on Twitter: #JailbreakSec
The world's only security summit held at a production brewery.
Join some of the world's best security researchers as they talk about (RE)volutionary Security, covering topics from Ghidra to advanced macOS malware techniques at the only computer security event held at a production brewery. Attendance is limited to 150 to keep the Security Summit small and encourage conversation between speakers, attendees, and sponsors.
Tickets include breakfast, lunch, and an awesome time to chat with fellow security experts.
Come participate in the talks, the conversation, and the beer!
Friday, October 11, 2019
Jailbreak Brewing Company
9445 Washington Blvd N
Laurel, MD 20723
Happy Hour 5p-6p
Without the efforts of these amazing companies, the Jailbreak Brewing Company Security Summit would not have been possible. Please give them your support!
Media coverage provided by the CyberWire, which also offers a free Daily Briefing you can subscribe to.
Making the Old, New: repurposing macOS malware
Patrick Wardle is the Principal Security Researcher at Jamf and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing free open-source security tools to protect Mac users.
Whenever a new Mac malware specimen is uncovered, it provides a unique insight into the offensive Mac capabilities of hackers or nation-state adversaries. Better yet, such discoveries provide fully-functional capabilities that may be weaponized for our own surreptitious purposes! Life is short, why write your own?
We’ll begin this talk by discussing the methodology of subverting existing malware for “personal use”, highlighting both the challenges and benefits of such an approach.
Next, we’ll walk through the weaponization of various Mac malware specimens including: an interactive backdoor, a file-exfiltration implant, ransomware, and a crypto-miner. Customizations include various configuration and runtime binary modifications that will coerce such malware to accept tasking from our own C&C servers, and/or automatically perform actions on our behalf.
Of course, in their pristine state, such samples are currently blocked by macOS and/or detected by AV products. As such, we’ll also walk through subtle modifications that will ensure our modified specimens remain undetected by traditional detection approaches.
In conclusion, we’ll highlight novel heuristic methods that can generically detect such threats to ensure Mac users remain protected even from such weaponized threats.
Extending Ghidra: from Script to Plugins and Beyond
Mike J. Bell has worked in the intelligence community for 18 years on a wide variety of projects and domains, and currently serves as an engineer at Fortego. He spent eight years helping to develop Ghidra, NSA’s recently released Software Reverse Engineering (SRE) tool, and played a key role training analysts of all levels how to use Ghidra across the agency.
Over the course of his time on Ghidra, Mike has been involved in the design of many of its features, including the Function Graph, Version Tracking, Function ID and the Java Sleigh Compiler, as well as maintaining such processor models as x86, ARM, MIPS, 680x0 and PowerPC. Outside work, he enjoys hacking Arduinos, motorcycling, and spending time with his wife and two sons.
In this talk, Mike will explore the many ways to extend Ghidra. He will demonstrate writing scripts in Java and Python that interact with the component managers, using the interactive console to explore program characteristics in real time, and creating custom data types and applying them to programs.
Integration of Ghidra with Eclipse will be demonstrated. Mike will show how the Ghidra ExtensionPoint interface works, its interaction with the class loader, and common extension points of interest. How to write binary format loaders will be briefly discussed, as well as the steps required to start writing plugins and analyzers in order to publish them as official Ghidra Extensions.
Whatsup with WhatsApp: A Detailed Walk Through of Reverse Engineering CVE-2019-3568
Maddie Stone is a Security Researcher on Google Project Zero where she likes to reverse all the things. Previously, Maddie was a Reverse Engineer on Google's Android Security team where she specialized in finding pre-installed malware. She has also spent many years deep in the circuitry and firmware of embedded devices including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavors of Renesas, and more. Maddie has previously spoken at conferences including Blackhat USA, REcon Montreal, OffensiveCon, KasperskySAS and more.
This talk will be a detailed walk-through of the WhatsApp bug (CVE-2019-3568) used by NSO's 0-day exploit from May 2019. Not only will this talk explain the bug in detail, but it will also walk through the process and tools to find and reverse engineer the details of the bug.
Poking the Bear - Teasing out Apple’s Secrets Through Dynamic Forensic Testing and Analysis
Sarah is a mobile forensic engineer working in the DC metro area, specializing in Mac and mobile forensics. She has worked with various federal law enforcement agencies and has performed a variety of investigations including computer intrusions, criminal, and counterintelligence/terrorism/narcotics. Sarah’s research interests include anything and everything Apple related, mobile devices, digital profiling, and Mac and mobile device security. Sarah has presented at many industry security and forensic conferences and is the author/instructor of SANS FOR518 Mac Forensic Analysis and Incident Response.
If I come across a useful piece of data on macOS or iOS, I do not just assume I know what it means, especially if my whole case depends on it. My experience with Apple data is that it is consistently inconsistent. They certainly do some questionable things. Testing is the only way to get that warm fuzzy feeling that the awesome piece of data you found truly means what you think it means. Yes, testing takes time. Yes, testing can be tedious. However, testing can make or break cases. This talk will go through my testing processes on Mac and iOS platforms to show that sometimes a quick test really is a quick test. A 30-second test may be well worth the investment in the long run. I will also show how more intensive testing can be implemented to tease out the strange oddities of native and third-party data stored in various SQLite databases, using some of my APOLLO modules as examples.
ALLSTAR: New Challenge Problems for Static Analysis
evm has been staring at code for longer than he cares to remember. A recovering Windows internals guy, he now spends most of his time in embedded systems. At JHU/APL he helped start an RE working group, and a hacker magazine. He enjoys teaching at APL and in the JHU EP program.
Some of the hard research problems in binary static analysis have been reduced to practice (esp. decompilation and function matching). This has made RE incrementally easier, but it remains a challenging, time-consuming, laborious task. Can we build off our existing tools to make the process more streamlined and approachable to the novice? We'll describe new challenge problems for RE research as well as a large public dataset we built to start working on these problems.
Binary Emulation for Threat Analysis and Hunting with Binee
Erika Noerenberg is a Senior Threat Researcher with Carbon Black’s Threat Analysis Unit, with over 15 years of experience in the security industry specializing in digital forensics, malware analysis, and software development. Previously, she worked as a forensic analyst and reverse engineer for the Defense Cyber Crime Center (DC3), performing system and malware examinations in support of intrusion investigations for the Department of Defense and FBI.
In August 2019, Carbon Black researchers Kyle Gwinnup and John Holowczak introduced and open-sourced a novel tool called Binee (Binary Emulation Environment) at DEF CON 27. Binee is a complete x86 binary emulation environment focusing on introspection of all IO operations. Because Binee can run on Windows, OS X, and Linux, it can be integrated into existing analysis and processing frameworks regardless of platform.
Methods for extracting data from binaries at scale typically rely on static analysis. Binee additionally provides a method for capturing runtime information typically obtained from dynamic analysis, but at the cost and scale at which static analysis can run. Furthermore, Binee can run in the cloud at scale and output structured data to be analyzed. This can facilitate the automation of malware analysis, data extraction, and hunting across large datasets.
In this talk, I will briefly introduce Binee and demonstrate how static process emulation can assist with both malware analysis and hunting for Windows threats. I will also discuss how this capability can facilitate automation of analysis tasks, as well as preview future work currently in planning.
It only seems fitting...
That the world's only security summit held at a production brewery be held at Jailbreak Brewing Company. Jailbreak Brewing Company was founded by computer security professionals looking to liberate themselves from cubicle jobs and to create a product that helps free you from whatever drama is present in your life.
While some of the world's finest security researchers are talking about security topics, our brew team will be hard at work on the other side of the gigantic window making the next batch of creative juice for your enjoyment. During breaks in the summit, tours of the brewery will be given to those who want to see the magic happening.
Our tasting room provides the perfect venue for creative discussion over some cold, fresh beer.