Weaponizing Unicode: Homographs Beyond IDNs

Presented at DEF CON 26 (2018), Aug. 10, 2018, 3 p.m. (45 minutes)

Most people are familiar with homograph attacks due to phishing or other attack campaigns using Internationalized Domain Names with look-alike characters. But homograph attacks exist against wide variety of systems that have gotten far less attention. This talk discusses the use of homographs to attack machine learning systems, to submit malicious software patches, and to craft cryptographic canary traps and leak repudiation mechanisms. It then introduces a generalized defense strategy that should work against homograph attacks in any context.

Presenters:

• The Tarquin - Senior Security Engineer, Amazon.com
  The Tarquin is a security engineer at Amazon.com. His security background is in browser development and application security. His hacking background is mainly in attempting to maximize the absurdity content of systems. He also studied philosophy, specializing in the Phenomenology of Technology and seeks to understand the ways in which our systems help the human brain lie to itself. His years as a dev have given him a bad habit of needling red teamers. His years in philosophy have given him a bad habit of switching sides in an argument seemingly at random.

Links:

• https://defcon.org/html/defcon-26/dc-26-speakers.html#Tarquin
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - The Tarquin - Weaponizing Unicode Homographs Beyond IDNs.mp4
• https://infocon.org/cons/DEF CON/DEF CON 26/DEF CON 26 video and slides/DEF CON 26 - The Tarquin - Weaponizing Unicode Homographs Beyond IDNs.srt (subtitles)
• https://www.youtube.com/watch?v=Ec1OOiG4RMA