SOURCE: Synack, Inc.

March 12, 2015 15:26 ET

Synack to Unveil Security Research Related to Apple OS X and Smart Home Devices at CanSecWest 2015 and BSides Vancouver

Discoveries to Reveal a New Class of Attacks Against OS X and Dissect the Zigbee Smart Energy Standard

VANCOUVER, BC--(Marketwired - Mar 12, 2015) - Synack, which has created a unique enterprise-caliber system to safely crowdsource and manage security testing, today announced its participation at the CanSecWest and BSides conferences in Vancouver, Canada. Synack will be represented by Patrick Wardle, Director of Research, who will disclose a new class of attacks against OS X that can be abused by local and remote attackers to perform a wide range of malicious actions, and Wes Wineberg, Security Research Engineer, who will uncover security concerns with the Zigbee Smart Energy standard and share insights on how to improve the overall security of smart home technology.

Founded in 2013 by security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO, Synack offers a unique Crowd Security Intelligence® solution that delivers actionable vulnerability intelligence to proactively reduce business risk. Synack's security-as-a-service offering redefines the traditional methods of security testing by providing a proactive, adversarial perspective of the enterprise IT environment.

For additional information about the two sessions, see details below.

About Patrick's Talk at CanSecWest
What: CanSecWest Applied Security Conference: Vancouver 2015
Who: Patrick Wardle, Synack Director of Research
When: March 19, 2015 at 10:30 a.m.
Where: Sheraton Wall Centre Hotel, 1088 Burrard St., Vancouver, British Columbia

DLL Hijacking on OS X? #@%& Yeah!
In 2010, Windows was found to be vulnerable to an attack known as "DLL Hijacking." Patrick Wardle's CanSecWest presentation will discuss a conceptually similar issue affecting OS X. The talk will detail how attackers need only plant specially crafted dynamic libraries to have their malicious code loaded into vulnerable applications. Patrick will discuss how he uncovered a wide range of vulnerable applications, including those from both Apple and third parties such as Microsoft. Hackers could easily abuse this hijack flaw and exploit vulnerable applications to perform a variety of malicious actions -- the most severe being a bypass of Gatekeeper, Apple's primary anti-malware defense. To highlight the seriousness of this attack class, Patrick designed an experimental piece of next-generation OS X "malware" that leveraged various flavors of the hijack attack in order to spread, persist, and exfiltrate sensitive user data. This code was tested against all popular OS X security, firewall, and antivirus products, and it generically bypassed every single one. At the conclusion of the talk, Wardle will release code and tools that can automatically uncover vulnerable applications or detect if you've been hijacked.

About Wes' Talk at BSides
What: BSides Vancouver
Who: Synack Security Research Engineer Wes Wineberg
When: March 17, 2015 at 11 a.m.
Where: The Imperial Vancouver, 319 Main St., Vancouver, British Columbia

Electromagnetic Hypersensitivity and You -- Analyzing the EMU-2 Zigbee Home Energy Monitor
In light of recent questions regarding Internet of Things security, Wes Wineberg's BSides Vancouver presentation will discuss the security mechanisms used by the Zigbee Smart Energy standard, the standard to which many smart home thermostats and energy monitoring devices are held. This is a topic of particular interest to Wineberg's audience in Vancouver, as BC Hydro has approved the Zigbee protocol for two smart meter devices. This talk will also explore the security of the Rainforest Automation EMU-2 device itself, determining the security of both its hardware and software.

Tools and techniques for examining Zigbee security have been available for several years, but making practical use of them has remained difficult. Different Zigbee profiles, such as Smart Energy, have different requirements which are sparsely documented. This presentation will walk through what is needed to successfully transmit, receive and decrypt Zigbee communications using real-world examples.

About CanSecWest
CanSecWest, the world's most advanced conference focusing on applied digital security, will be held March 18-20, 2015 and focuses on bringing industry luminaries together in an environment that promotes collaboration and social networking. The conference lasts for three days and features thought-provoking presentations, each prepared by an experienced professional and talented educator.

About BSides Vancouver
BSides Vancouver is a two-day gathering for information security professionals, hackers, coders and the greater tech community. During the conference, attendees will share, discuss and learn about information security, privacy and technology in the heart of Vancouver. BSides Conferences are not-for-profit, independently run, community-supported, low-cost security conferences that happen all over the world.

About Synack
Based in Redwood City, California, Synack is redefining the traditional model of security testing with technology that allows enterprise customers to safely engage a global, on-demand community of skilled and trusted security researchers. Synack's platform is massively scalable and enables rapid and efficient vulnerability discovery. Synack was founded in 2013 by security experts Jay Kaplan, CEO, and Dr. Mark Kuhr, CTO. For more information, visit www.synack.com.
