Time: 10:15 AM - 11:00 AM
The research focuses on one of the last phases of the “kill chain”, namely the ‘Data Exfiltration’ stage: it explores the extent of a side-channel attack technique that leverages pixels on screen. The technique is simple: a program converts data from files into pixels and splashes them as images onto the screen within the virtual desktop interface (VDI), while the host computer interacting with the VDI instance takes periodic screenshots to capture, decode and reconstruct the pixels on screen back into the original file. This technique potentially evades current forms of preventive and detective controls except application whitelisting.
The goal of the research is to determine whether such a technique can feasibly be performed over the Internet, to determine the reliability of the file transfer, and to study the extent to which it evades detection. If so, the implications are vast, especially for environments where VDI technologies are deployed, commonly by large organizations alongside other DLP controls, primarily to prevent employees from leaking or stealing files from the corporate network to personal computers.
This technique is not new and first appeared in November 2017. However, due to the nature of the exfiltration and the lack of awareness and detection techniques, it is unknown whether such a technique has been deployed in the wild. The POC tool showcased in November 2017 was insufficient for testing real-life, over-the-Internet VDI technology due to graphics compression and GUI artefacts. As such, a more robust POC tool was developed to handle graphics compression via alternative ways of presenting pixels and error correction.
The presentation will primarily discuss the following points:
- Brief overview of the current state of DLP technology
- Demonstration of the tool, which possibly evades today’s technology
- The core of the technique and the feasibility of implementation by an attacker
- Issues encountered in real-life vs. lab environments, and how they were resolved
- A brief look at the various ways pixels may be represented, and a discussion of compensating for compression using a simple error correction technique
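Since the abstract notes that the technique evades most detective controls, a defender reading it will want a concrete starting point for detection. The following added example (not code from the talk or from the speaker's POC tool) is a Python heuristic that scans a screenshot for tiles whose pixel statistics look like raw data rather than desktop content: high value entropy combined with low spatial correlation. The sample frame, the tile size and the thresholds are all constructed assumptions.

```python
"""Defender-side heuristic: flag screen regions whose pixels look like raw data
rather than normal desktop content.  Added example, not from the talk or the
speaker's POC tool; the sample screenshot, tile size and thresholds below are
constructed assumptions for illustration."""
import math
import random


def make_synthetic_screenshot(width=128, height=128, seed=7):
    """Constructed sample frame as a flat, row-major list of 8-bit grayscale values.
    Left half: a smooth gradient with a dark line every 8 rows (text-like content).
    Right half: pseudorandom bytes painted as pixels, the kind of block a
    pixel-based exfiltration program would draw."""
    rng = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            if x < width // 2:
                value = 30 if y % 8 == 0 else 200 - (x * 60) // width
            else:
                value = rng.randrange(256)
            pixels.append(value)
    return pixels


def mean_neighbor_diff(region, width, height):
    """Mean absolute difference between horizontally adjacent pixels (0..255).
    Desktop content is spatially smooth; data painted one byte per pixel is not."""
    total = 0
    for y in range(height):
        row = y * width
        for x in range(width - 1):
            total += abs(region[row + x] - region[row + x + 1])
    return total / (height * (width - 1))


def value_entropy(region):
    """Shannon entropy of the pixel-value histogram, in bits (maximum 8)."""
    hist = [0] * 256
    for p in region:
        hist[p] += 1
    n = len(region)
    return -sum((c / n) * math.log2(c / n) for c in hist if c)


def looks_like_encoded_data(region, width, height,
                            diff_threshold=30.0, entropy_threshold=6.5):
    """True when a region is both high-entropy and spatially uncorrelated.
    Either property alone is common on a real desktop (a noisy wallpaper is
    uncorrelated, a large palette is high-entropy); both together are rare.
    Thresholds are assumptions and would need tuning on real captures."""
    return (mean_neighbor_diff(region, width, height) > diff_threshold
            and value_entropy(region) > entropy_threshold)


def find_suspicious_tiles(pixels, width, height, tile=32, **thresholds):
    """Scan the frame in fixed tiles and return the (x, y) origins of tiles that
    trip the heuristic. Partial tiles at the right/bottom edge are skipped."""
    flagged = []
    for ty in range(0, height - tile + 1, tile):
        for tx in range(0, width - tile + 1, tile):
            region = [pixels[(ty + dy) * width + (tx + dx)]
                      for dy in range(tile) for dx in range(tile)]
            if looks_like_encoded_data(region, tile, tile, **thresholds):
                flagged.append((tx, ty))
    return flagged


if __name__ == "__main__":
    frame = make_synthetic_screenshot()
    for origin in find_suspicious_tiles(frame, 128, 128):
        print("suspicious tile at", origin)
```

On the constructed frame only the eight tiles in the right half are flagged. The heuristic assumes one byte per pixel; the abstract's point about alternative pixel representations (for example, larger high-contrast blocks per symbol to survive compression) shows why this is a triage signal to feed into a screenshot-monitoring control, not a control on its own, and why natural photos or noisy wallpapers will need an allow-list or tuned thresholds.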
Jeremy Soh is an information security professional specializing in deep-dive technical assessments and security automation and engineering. By day, he serves as a penetration tester and a developer to improve the defence posture of an MNC bank. By night, Jeremy enjoys dabbling with attack techniques and researching novel tactics for defeating modern defences, in the hope that his work can provide robust and realistic security controls that effectively resist offensive campaigns in a hostile landscape.
Having had the opportunity to work with a wide range of technologies over the last 8 years, Jeremy has discovered different classes and variants of vulnerabilities in enterprise applications, consumer mobile apps, automated metering infrastructure (AMI) implementations, Internet of Things (IoT) devices and even an elevator intercom system, a number of which were reported to the respective product vendors via responsible disclosure.
Apart from work, Jeremy maintains a small social media presence under the handle @breaktoprotect, engaging with the security community through home-made tools, public security advisories and technical rants on GitHub and Blogspot. Over the years, he has been privileged to share his knowledge at various conferences held in Singapore, Hong Kong and the UK, and is looking forward to more such opportunities.