Social Network For Security Executives: Network, Learn & Collaborate
Our editorial team has handpicked the best of the best talks at DEF CON 26 -is one of the world's largest hacker conventions, held annually in Las Vegas, Nevada. Following is the list of top talks on Authentication Security at DEF CON 26.
DEFCON 2018, 26th Def-Con Hacking Conference is among one of the most main event on Computer, Information Technology, Cyber Security, Software, Hacking and Hack topics.
(Source: DEF CON 26)
Gabriel Ryan, Co-Founder / Principal Security Consultant @ Digital Silence
In this talk, we will introduce a novel technique for bypassing 802.1x-2010 by demonstrating how MacSEC fails when weak forms of EAP are used. Additionally, we will discuss how improved 802.1x support by peripheral devices does not necessarily translate to improved port-security due to the widespread use of weak EAP. Finally, we will consider how improvements to the Linux kernel have made bridge-based techniques easier to implement and demonstrate an alternative to using packet injection for network interaction. We have packaged each of these techniques and improvements into an open source tool called Silent Bridge, which we plan on releasing at the conference.
Are current techniques for audio generation enough to spoof voice authentication algorithms? We demonstrate, using freely available machine learning models and limited budget, that standard speaker recognition and voice authentication systems are indeed fooled by targeted text-to-speech attacks. We further show a method which reduces data required to perform such an attack, demonstrating that more people are at risk for voice impersonation than previously thought.
Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned—a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol' denial of service attacks.
This talk discusses the security of various inter-process communication (IPC) mechanisms that local processes and applications use to interact with each other. In particular, we show IPC-related vulnerabilities that allow a non-privileged process to steal passwords stored in popular password managers and even second factors from hardware tokens. With passwords being the primary way of authentication, the insecurity of this "last mile" causes the security of the rest of the communication strands to be obsolete. The vulnerabilities that we demonstrate can be exploited on multi-user computers that may have processes of multiple users running at the same time. The attacker is a non-privileged user trying to steal sensitive information from other users. Such computers can be found in enterprises with centralized access control that gives multiple users access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
Get your FREE Guide on Top Talks @ DEF CON 26 . Our editorial team has gone through all the talks and handpicked the best of the best talks at DEF CON into a single guide. Get your Free copy today.