
ThinkstScapes
The ThinkstScapes podcast aims to distill and disseminate the cybersecurity research published worldwide. Our researchers track and review hundreds, even thousands, of talks (so you don't have to) and then bring the highlights to you in small, digestible chunks.
Latest episodes

Feb 20, 2025 • 38min
ThinkstScapes Research Roundup - Q4 - 2024
ThinkstScapes Q4’24

Wins and losses in the Microsoft ecosystem
  Pointer Problems - Why We’re Refactoring the Windows Kernel (Joe Bialek) [Video]
  Defending off the land (Casey Smith, Jacob Torrey, and Marco Slaviero) [Slides] [Code]
  Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise (Yuya Chudo) [Slides] [Code]
  From Simulation to Tenant Takeover (Vaisha Bernard) [Video]
  From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11 (NiNi Chen) [Slides] [Video]

LLM hype continues, as do the security issues
  Things we learned about LLMs in 2024 (Simon Willison) [Blog]
  AI Meets Git: Unmasking Security Flaws in Qodo Merge (Nils Amiet) [Slides] [Video] [Blog]
  Suicide Bot: New AI Attack Causes LLM to Provide Potential “Self-Harm” Instructions (Gadi Evron) [Blog]

Diving deep, then diving deeper
  Breaking NATO Radio Encryption (Lukas Stennes) [Paper] [Video]
  Exploiting File Writes in Hardened Environments (Stefan Schiller) [Blog] [Video]
  Hacking yourself a satellite - recovering BEESAT-1 (PistonMiner) [Video]
  IRIS: Non-Destructive Inspection of Silicon (Andrew 'bunnie' Huang) [Blog] [Paper] [Video]
  SQL Injection Isn't Dead (Paul Gerste) [Slides] [Video]

Nifty sundries
  What Developers Get for Free? (Louis Nyffenegger) [Video]
  Dialing into the Past: RCE via the Fax Machine – Because Why Not? (Rick de Jager and Carlo Meijer) [Video]
  Broken isolation - Draining your Credentials from Popular macOS Password Managers (Wojciech Reguła) [Slides] [Video]
  I'll Be There for You! Perpetual Availability in the A8 MVX System (André Rösti, Stijn Volckaert, Michael Franz, and Alexios Voulimeneas) [Code] [Paper]
  Exploring and Exploiting an Android “Smart POS” Payment Terminal (Jacopo Jannone) [Video]

Nov 11, 2024 • 37min
ThinkstScapes Research Roundup - Q3 - 2024
Dive into the fascinating world of information security vulnerabilities, exploring issues from dangling domains to static secrets. Discover how sophisticated voice spoofing undermines authentication systems and learn about the risks of email registration vulnerabilities and IPv6 challenges. The podcast also sheds light on potential pitfalls in cloud-native environments and BGP routing. Plus, get insights into the hidden dangers lurking in modern IT systems and advancements in network analysis, including the intriguing snail load technique.

Jul 29, 2024 • 32min
ThinkstScapes Research Roundup - Q2 - 2024
In this insightful discussion, guests include Johann Rehberger, an AI/ML security researcher, and Richard Fang, who evaluates AI exploitation methods. They delve into the complexities of system vulnerabilities, highlighting how teams of large language model agents could exploit zero-day flaws. Rohan Bindu and Akul Gupta share findings on LLM capabilities in offensive security. The group also addresses the limitations of LLMs in recognizing security threats and the implications of managing identities across multi-cloud environments. Don't miss their fresh take on AI security!

Jun 14, 2024 • 25min
ThinkstScapes Research Roundup - Q1 - 2024
Revealing more than anticipated, and preventing prying eyes
  PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound (Man Zhou, Shuao Su, Qian Wang, Qi Li, Yuting Zhou, Xiaojing Ma, and Zhengxiong Li) [Paper]
  ModelGuard: Information-Theoretic Defense Against Model Extraction Attacks (Minxue Tang, Anna Dai, Louis DiValentin, Aolin Ding, Amin Hass, Neil Zhenqiang Gong, Yiran Chen, and Hai Li) [Paper] [Code]
  RECORD: A RECeption-Only Region Determination Attack on LEO Satellite Users (Eric Jedermann, Martin Strohmeier, Vincent Lenders, and Jens Schmitt) [Code] [Paper]
  Private web search with Tiptoe (Alexandra Henzinger, Emma Dauterman, Henry Corrigan-Gibbs, and Nickolai Zeldovich) [Slides] [Paper] [Video] [Code]
  Can Virtual Reality Protect Users from Keystroke Inference Attacks? (Zhuolin Yang, Zain Sarwar, Iris Hwang, Ronik Bhaskar, Ben Y. Zhao, and Haitao Zheng) [Website] [Paper]
  Backtrace in Time: Revealing Attackers’ Sleep Patterns and Days Off in RDP Brute-Force Attacks with Calendar Heatmaps (Andréanne Bergeron) [Code] [Blog] [Video]

Taking another look with a fresh perspective
  Breaking HTTP Servers, Proxies, and Load Balancers Using the HTTP Garden (Ben Kallus and Prashant Anantharaman) [Code] [Video]
  Compiler Backdooring For Beginners (Marion Marschalek) [Video]
  Revisiting 2017: AI and Security, 7 years later (Thomas Dullien) [Video]
  Automated Large-Scale Analysis of Cookie Notice Compliance (Ahmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, and David Basin) [Paper] [Code Access]

Turning Windows into doors
  LSA Whisperer (Evan McBroom) [Slides] [Blog] [Code]
  Wishing: Webhook Phishing in Teams (Matthew Eidelberg) [Blog] [Code]
  Misconfiguration Manager: Overlooked and Overprivileged (Duane Michael and Chris Thompson) [Slides] [Blog] [Code]
  Smoke and Mirrors: How to hide in Microsoft Azure (Aled Mehta and Christian Philipov) [Video]

Nifty sundries
  Backdoor in XZ Utils allows RCE: everything you need to know (Andres Freund, Merav Bar, Amitai Cohen, Danielle Aminov, and Russ Cox) [Initial Disclosure] [Wiz Blog] [Timeline]
  More Money, Fewer FOSS Security Problems? The Data, Such As It Is (John Speed Meyers, Sara Ann Brackett, and Stewart Scott) [Video]
  MUDding Around: Hacking for gold in text-based games (Unix-ninja) [Blog]
  DeGPT: Optimizing Decompiler Output with LLM (Peiwei Hu, Ruigang Liang, and Kai Chen) [Paper]

Feb 28, 2024 • 30min
ThinkstScapes Research Roundup - Q4 - 2023
LLMs ain't making life any easier
  Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs (Tsung-Yin Hsieh, Ben Nassi, Vitaly Shmatikov, and Eugene Bagdasaryan) [Slides] [Paper] [Code]
  Tree of Attacks: Jailbreaking Black-Box LLMs Automatically (Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi) [Paper] [Code]
  Avoiding the basilisk's fangs: State-of-the-art in AI LLM detection (Jacob Torrey) [Slides] [Code] [Video]
  Dystopian much: The Rise of the Influence Machines (Nea Paw) [Blog] [Video]

Problems in well-trodden areas
  SMTP Smuggling – Spoofing E-mails Worldwide (Timo Longin) [Blog] [Video]
  Blind CSS Exfiltration: Exfiltrate unknown web pages (Gareth Heyes) [Slides] [Blog] [Code]
  OLE object are still dangerous today – Exploiting Microsoft Office (wh1tc and Zhiniang Peng) [Slides] [Demo Videos]
  The Nightmare of Apple’s OTA Update (Mickey Jin) [Slides] [Blog] [Video]

Reflecting on our efforts
  Evaluating the Security Posture of Real-World FIDO2 Deployments (Dhruv Kuchhal, Muhammad Saad, Adam Oest, and Frank Li) [Paper]
  Talking about Pros and Cons (Jacob Torrey) [Slides] [Video]
  NCC Group’s 2022 & 2023 Research Report (NCC Group) [Paper] [Blog]
  A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lessons Learned (Orange Tsai) [Slides] [Video]

Nifty sundries
  Breaking "DRM" in Polish trains (MrTick, Redford, and q3k) [Video]
  Detection and Blocking with BPF via YAML (Kevin Sheldrake) [Slides] [Code]
  AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis (Zhiyuan Yu, Shixuan Zhai, and Ning Zhang) [Paper] [Code]
  A Good Fishman Knows All the Angles: A Critical Evaluation of Google's Phishing Page Classifier (Changqing Miao, Jianan Feng, Wei You, Wenchang Shi, Jianjun Huang, and Bin Liang) [Paper] [Code]
  Spoofing DNS Records by Abusing DHCP DNS Dynamic Updates (Ori David) [Blog] [Code]
  Operation Triangulation: What You Get When Attack iPhones of Researchers (Boris Larin, Leonid Bezvershenko, and Georgy Kucherin) [Blog] [Video]
  Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke Eavesdropping (Jingyang Hu, Hongbo Wang, Tianyue Zheng, Jingzhi Hu, Zhe Chen, Hongbo Jiang, and Jun Luo) [Paper] [Code]

Nov 14, 2023 • 25min
ThinkstScapes Research Roundup - Q3 - 2023
Cryptography still isn’t easy
  certmitm: automatic exploitation of TLS certificate validation vulnerabilities (Aapo Oksman) [Slides] [Code] [Video]
  Escaping Phishermen Nets: Cryptographic Methods Unveiled in the Fight Against Reverse Proxy Attacks (Ksandros Apostoli) [Blog]
  mTLS: When certificate authentication is done wrong (Michael Stepankin) [Slides] [Blog]
  Ultrablue: User-friendly Lightweight TPM Remote Attestation over Bluetooth (Nicolas Bouchinet, Loïc Buckwell, and Gabriel Kerneis) [Slides] [Code] [Video]
  HECO: Fully Homomorphic Encryption Compiler (Alexander Viand, Patrick Jattke, Miro Haller, and Anwar Hithnawi) [Slides] [Paper] [Code]

[Continued] attack of the side-channels
  Freaky Leaky SMS: Extracting User Locations by Analyzing SMS Timings (Evangelos Bitsikas, Theodor Schnitzler, Christina Pöpper, and Aanjhan Ranganathan) [Paper] [Code]
  Downfall: Exploiting Speculative Data Gathering (Daniel Moghimi) [Code] [Paper]
  Your Clocks Have Ears – Timing-Based Browser-Based Local Network Port Scanner (Dongsung Kim) [Slides] [Demo] [Video]

Composition is hard in the cloud
  Using Cloudflare to bypass Cloudflare (Florian Schweitzer and Stefan Proksch) [Blog]
  The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency tree (Asaf Greenholts) [Slides] [Blog] [Video]
  All You Need is Guest (Michael Bargury) [Slides] [Code]

Nifty sundries
  Contactless Overflow: Critical contactless vulnerabilities in NFC readers used in point of sales and ATMs (Josep Pi Rodriguez) [Slides] [Video]
  Defender-Pretender: When Windows Defender Updates Become a Security Risk (Omer Attias and Tomer Bar) [Slides] [Code]
  Fuzz target generation using LLMs (Dongge Liu, Jonathan Metzman, and Oliver Chang) [Results] [Report] [Blog]
  Route to Bugs: Analyzing the Security of BGP Message Parsing (Daniel dos Santos, Simon Guiot, Stanislav Dashevskyi, Amine Amri, and Oussama Kerro) [Slides] [Code]
  It was harder to sniff Bluetooth through my mask during the pandemic… (Xeno Kovah) [Slides] [Data]

Aug 5, 2023 • 31min
ThinkstScapes Research Roundup - Q2 - 2023
Privacy in the modern era
  IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation (Erik Rye and Robert Beverly) [Slides] [Paper] [Code]
  Device Tracking via Linux’s New TCP Source Port Selection Algorithm (Moshe Kol, Amit Klein, and Yossi Gilad) [Code] [Paper]
  zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity Infrastructure (Michael Rosenberg, Jacob White, Christina Garman, and Ian Miers) [Paper] [Code]
  3 Years in China: A Tale of Building a REAL Full Speed Anti-Censorship Router (KaiJern Lau) [Slides] [Code] [Video]

Embedded [in]security
  Embedded Threats: A Deep Dive into the Attack Surface and Security Implications of eSIM Technology (Markus Vervier) [Code] [Video]
  RPMB, a secret place inside the eMMC (Sergio Prado) [Blog]
  Compromising Garmin’s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual Machine (Tao Sauvage) [Blog] [Video] [Slides]
  The Impostor Among US(B): Off-Path Injection Attacks on USB Communications (Robert Dumitru, Daniel Genkin, Andrew Wabnitz, and Yuval Yarom) [Code] [Paper]
  MagBackdoor: Beware of Your Loudspeaker as A Backdoor For Magnetic Injection Attacks (Tiantian Liu, Feng Lin, Zhangsen Wang, Chao Wang, Zhongjie Ba, Li Lu, Wenyao Xu, and Kui Ren) [Code] [Paper]

Issues at the operating system level
  (Windows) Hello from the Other Side (Dirk-jan Mollema) [Slides] [Code]
  Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures (Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk) [Paper] [Code]
  Dirty Bin Cache: A New Code Injection Poisoning Binary Translation Cache (Koh Nakagawa) [Slides] [Code]
  The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders (Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham) [Slides] [Paper] [Code]

Nifty sundries
  EverParse: Secure Binary Data Parsers for Everyone (Tahina Ramananandro) [Slides] [Code]
  InfinityGauntlet: Expose Smartphone Fingerprint Authentication to Brute-force Attack (Yu Chen, Yang Yu, and Lidong Zhai) [Paper]
  It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses (Soheil Khodayari and Giancarlo Pellegrino) [Code] [Paper] [Site]
  Can you trust ChatGPT’s package recommendations? (Bar Lanyado, Ortal Keizman, and Yair Divinsky) [Blog]
  Phoenix Domain Attack: Vulnerable Links in Domain Name Delegation and Revocation (Xiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li) [Slides] [Paper]
  Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects (Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, and Ke Xu) [Website] [Paper]

May 26, 2023 • 22min
ThinkstScapes Research Roundup - Q1 - 2023
  Smashing Web3 transaction simulations for fun and profit (Tal Be'ery and Roi Vazan) [Blog] [Video]
  Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection (Kai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz) [Paper] [Code] [Demo Website]
  Using ZK Proofs to Fight Disinformation (Trisha Datta and Dan Boneh) [Slides] [Video] [Code] [Blog]
  Crypto Agility and Post-Quantum Cryptography @ Google (Stefan Kölbl, Anvita Pandit, Rafael Misoczki, and Sophie Schmieg) [Code] [Video]
  Server-side prototype pollution: Black-box detection without the DoS (Gareth Heyes) [Blog] [Slides] [Video]
  Phantom of the Pipeline – Abusing Self-Hosted CI/CD Runners (Adnan Khan, Mason Davis, and Matt Jackoski) [Slides] [Code] [Blog]
  Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef) [Slides] [Paper] [Video]
  Let Me Unwind That For You: Exceptions to Backward-Edge Protection (Victor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, and Cristiano Giuffrida) [Slides] [Paper] [Code]
  Protect the System Call, Protect (Most of) the World with BASTION (Christopher Jelesnianski, Mohannad Ismail, Yeongjin Jang, Dan Williams, and Changwoo Min) [Paper]
  Interoperability in End-to-End Encrypted Messaging (Esha Ghosh, Paul Grubbs, Julia Len, and Paul Rösler) [Slides] [Paper] [Video]
  High Risk Users and Where to Find Them (Masha Sedova) [Paper] [Video]
  Why I write my own security tooling (James Forshaw) [Code] [Video]
  Polynonce: A tale of a novel ECDSA attack and Bitcoin tears (Marco Macchetti and Nils Amiet) [Blog] [Paper] [Code]
  Finding 10x+ Performance Improvements in C++ with CodeQL (Sean Heelan) [Blog] [Code]
  Bridging the gap in the static and dynamic analysis of binaries through decompiler tomfoolery! (Zion Basque) [Code] [Video]

Feb 17, 2023 • 20min
ThinkstScapes Research Roundup - Q4 - 2022
  Hacking the Cloud with SAML (Felix Wilhelm) [Slides] [Video]
  Announcing GUAC, a great pairing with SLSA (and SBOM)! (Brandon Lum, Mihai Maruseac, Isaac Hepworth, and the Google Open Source Security Team) [Blog] [Code] [Presentation]
  We sign code now (William Woodruff) [Blog] [Code] [Video]
  Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms (Csaba Fitzl and Wojciech Reguła) [Slides]
  Farming The Apple Orchards: Living Off The Land Techniques (Cedric Owens and Chris Ross) [Slides] [Video]
  LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands (Nasreddine Bencherchali) [Blog]
  POPKORN: Popping Windows Kernel Drivers At Scale (Rajat Gupta, Lukas Patrick Dresel, Noah Spahn, Giovanni Vigna, Christopher Kruegel, and Taesoo Kim) [Paper] [Code]
  RC4 Is Still Considered Harmful (James Forshaw) [Blog]
  Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisions (Tom Tervoort) [Paper] [Slides]
  Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service (Ophir Harpaz and Stiv Kupchik) [Slides] [Video]
  Decentralized Identity Attack Surface (Shaked Reiner) [Blog part 1] [Blog part 2]
  Drone Authentication via Acoustic Fingerprint (Yufeng Diao, Yichi Zhang, Guodong Zhao, and Mohamed Khamis) [Slides] [Paper]
  On the Implications of Spoofing and Jamming Aviation Datalink Applications (Harshad Sathaye, Guevara Noubir, and Aanjhan Ranganathan) [Slides] [Paper]
  {JS-ON: Security-OFF}: Abusing JSON-Based SQL Queries (Noam Moshe) [Slides] [SQLMap patch] [Blog]
  Are There Wireless Hidden Cameras Spying on Me? (Jeongyoon Heo, Sangwon Gil, Youngman Jung, Jinmok Kim, Donguk Kim, Woojin Park, Yongdae Kim, Kang G. Shin, and Choong-Hoon Lee) [Slides] [Paper]

Nov 4, 2022 • 32min
ThinkstScapes Research Roundup - Q3 - 2022
  Analyzing the Feasibility and Generalizability of Fingerprinting Internet of Things Devices (Dilawer Ahmed, Anupam Das, and Fareed Zaffar) [Code] [Paper]
  Watching the Watchers: Practical Video Identification Attack in LTE Networks (Sangwook Bae, Mincheol Son, Dongkwan Kim, CheolJun Park, Jiho Lee, Sooel Son, and Yongdae Kim) [Website] [Paper] [Video]
  Can one hear the shape of a neural network?: Snooping the GPU via Magnetic Side Channel (Henrique Teles Maia, Chang Xiao, Dingzeyu Li, Eitan Grinspun, and Changxi Zheng) [Slides] [Paper]
  LTrack: Stealthy Tracking of Mobile Phones in LTE (Martin Kotuliak, Simon Erni, Patrick Leu, Marc Röschlin, and Srdjan Čapkun) [Slides] [Paper]
  IRMA's Idemix core: Understanding the crypto behind selective, unlinkable attribute disclosure (Maja Reissner and Sietse Ringers) [Site] [Code] [Video]
  CryptPad: a zero knowledge collaboration platform (Ludovic Dubost) [Code] [Video] [Site]
  drand: publicly verifiable randomness explained (Yolan Romailler) [Video] [Code]
  A dead man’s full-yet-responsible-disclosure system (Yolan Romailler) [Slides] [Code]
  Oops... Code Execution and Content Spoofing: The First Comprehensive Analysis of OpenDocument Signatures (Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk) [Slides] [Paper]
  My data in your signed code (Alex Ivkin) [Code] [Video]
  Can You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification (Golan Cohen) [Video] [Blog]
  TLS-Anvil: Adapting Combinatorial Testing for TLS Libraries (Marcel Maehren, Philipp Nieting, Sven Hebrok, Robert Merget, Juraj Somorovsky, and Jörg Schwenk) [Slides] [Website] [Code]
  Arbiter: Bridging the Static and Dynamic Divide in Vulnerability Discovery on Binary Programs (Jayakrishna Vadayath, Moritz Eckert, Kyle Zeng, Nicolaas Weideman, Gokulkrishna Praveen Menon, Yanick Fratantonio, Davide Balzarotti, Adam Doupé, Tiffany Bao, Ruoyu Wang, Christophe Hauser, and Yan Shoshitaishvili) [Paper] [Code]
  In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot (Hammond Pearce, Benjamin Tan, Brendan Dolan-Gavitt, and Baleegh Ahmad) [Slides] [Paper]
  Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing (Ned Williamson) [Slides] [Code]
  Someone’s Been Messing With My Subnormals! (Brendan Dolan-Gavitt) [Blog]
  Attacking AAD by abusing the Sync API: The story behind $40K in bounties (Nestori Syynimaa) [Slides] [Code] [Video]
  Towards a Tectonic Traffic Shift? Investigating Apple’s New Relay Network (Patrick Sattler, Juliane Aulbach, Johannes Zirngibl, and Georg Carle) [Paper]
  Hiding malware in Docker Desktop's secret virtual machine (Alex Hope) [Blog] [Video]
  Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (Orange Tsai) [Slides] [Blog]
  Using Trātṛ to tame Adversarial Synchronization (Yuvraj Patel, Chenhao Ye, Akshat Sinha, Abigail Matthews, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau, and Michael M. Swift) [Slides] [Paper]