
Talks

Sharon Conheady - The Future of Social Engineering

Abstract

The future of social engineering

Social engineering is hitting the headlines more than ever. As computer security becomes more sophisticated, hackers are combining their technical expertise with social engineering to gain access to IT infrastructures and critical information. In any security programme, people are the weakest link. It can often be easier and quicker to target the end user than to use technical hacking techniques. When you combine social engineering with traditional hacking techniques, you have an extremely dangerous attack.

So what's next on the social engineering agenda? What are the emerging trends, and what social engineering techniques might we expect to see in the future? In this talk, I will give an overview of the types of social engineering attacks people have used throughout the ages, from tricks used by the classic conmen of the past to the phishing attacks that are at an all-time high, and the proliferation of social networking and how useful this is to social engineers. I will describe some of the new social engineering techniques and trends that are emerging and discuss war stories from my experience of social engineering, describing techniques I have used to gain access to sensitive information.

Bio: Sharon Conheady

Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe.

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Ivan Medvedev - Security Development Lifecycle Tools

Abstract

The talk will give a quick overview of Microsoft's Security Development Lifecycle, discuss the SDL security tools and explain how using them during development and testing can make software more secure. It will cover tools like the SDL Threat Modeling Tool, SDL BinScope, Attack Surface Analyzer (ASA), the !exploitable debugger plugin and some others.

Bio: Ivan Medvedev

Ivan Medvedev has been working in the security space for his whole career. After graduating from Moscow State University with a degree in Computer Science, he worked for a Russian security company (http://security.ru) developing crypto products, and in 1999 he was recruited by Microsoft and relocated to work on their Redmond campus. For a few years Ivan worked on the Security Team of the Common Language Runtime (the core of the .NET framework); after that he moved to the TwC (Trustworthy Computing) Security team, where he leads the team responsible for developing internal and external security tools such as fuzzers, static code analysis, attack surface analysis, threat modeling, runtime analysis and so forth.

Morgan Marquis-Boire and Cory Altheide - Post-Intrusion Problems: Pivot, Persist and Property

Abstract

Post-Intrusion Problems: Pivot, Persist and Property

For years, post-intrusion forensics has been a poorly codified field. While significant research has gone into exploitation and network intrusion, it has traditionally been difficult to home in on the various motivations of attackers. Consequently, accurate prediction of post-intrusion activities has been problematic. The hacker as "mythical unicorn" has been difficult to track. The hacker as state-sponsored agent of espionage and cyberwar, however, is an entirely different beast.

We always thought we had a hacking problem. Only recently, however, have we started to divide our attackers into classes more useful than 'script kiddie' and 'hacker'. It has become glaringly obvious that the true distinctions lie in motivation. In the post-Aurora world, disclosures of intrusions have become increasingly commonplace. Recent high-profile intrusions have involved theft of CA certificates, key material, and the communications of dissidents and political figures. Rather than viewing these intrusions as 'hacking', they can more usefully be discussed as 'electronic espionage'.

We see post-intrusion forensics as counter-espionage anti-tradecraft. In order to perform a proper counter-espionage forensic examination, you must understand your adversary's motivations and goals. By identifying goals, you can then identify the actions and targets required to achieve these goals, and focus your investigation on the collection and analysis of these artifacts. We identify and examine these artifacts at three stages of post-intrusion espionage: Pivoting (moving through the network), Persistence (maintaining access), and Property (destruction or theft) attacks. Adopting such a methodology will prove an enabler not only for increased forensic capability but also for a foundation for aggressive defense.

Bio: Morgan Marquis-Boire

Morgan Marquis-Boire is a Security Engineer at Google on the Incident Response Team. He acts as a Technical Adviser at the Citizen Lab, Munk School of Global Affairs, University of Toronto and was one of the original organizers of the KiwiCON conference in New Zealand. In addition to talking about himself in the 3rd person and presenting at security conferences, he has spent time moon-lighting in such diverse fields as environmentalism and academia.

Bio: Cory Altheide

Cory Altheide is a Security Engineer at Google focused on digital forensics and incident response. Throughout his career, Cory has responded to dozens of incidents across numerous industries. He has also performed a wide variety of cyber-crime investigations, ranging from corporate & state-sponsored espionage to distributed financially-motivated criminal organizations, and is the author of the book "Digital Forensics With Open Source Tools."

Benedikt Driessen - Satellite phone: an analysis of the GMR-1 and GMR-2 standards

Abstract

This talk will review a decade of GSM hacking, from initial cryptanalysis to recent attacks on the protocols. The second part of this talk will be dedicated to reverse engineering and breaking the encryption mechanisms used in GMR-1 and GMR-2, two major satellite phone standards.


Bio: Benedikt Driessen

Benedikt is a PhD student at Ruhr-University Bochum and a coding enthusiast ever since discovering QBASIC. After graduating, he spent two years at ESCRYPT GmbH, working as a Security Engineer. Then Benedikt decided to start a PhD at Prof. Christof Paar's Embedded Security group, where he has worked on using analog hardware for cryptanalysis, thwarting face recognition algorithms, and reverse engineering and breaking satphone encryption.

Victor Julien and Eric Leblond: The menace came from below

Abstract

Protocol analysis is necessary for an increasing number of devices: firewalls for Application Level Gateways and advanced filtering, IDS/IPS for advanced rules, and Deep Packet Inspection for a deep understanding of content. The complexity of protocol analysis is not bound only to the high-level layers of the OSI model. Low-level manipulation is still an efficient method to attack these systems.

The talk will present some known attacks and will focus on some new ones. The defensive side will be shown too, with an explanation of the counter-measures that have been implemented in Suricata and Netfilter.

Bio: Victor Julien

Victor has been active as a software developer in the infosec community for many years. He is the creator of the Vuurmuur firewall project and was one of the developers of the Snort_inline IPS project. Victor has spent the last years doing contract development on Open Source security software, including significant additions to Snort. At the end of 2007 he started development on the OISF codebase, on which he now leads the Suricata IDS/IPS development effort. Victor maintains a blog at http://www.inliniac.net/blog/ and uses Twitter at http://twitter.com/inliniac. Victor resides in Amsterdam, The Netherlands.

Bio: Eric Leblond

Eric Leblond is a Free Software and Security hacker. He started as lead developer of the NuFW project, whose objective was to establish a safer and stricter way to do identity-based filtering on network firewalls. In 2004, he co-founded a company to promote the project and was its CTO until 2011. He is also a long-term contributor to the Netfilter project, where he has worked on kernel and userspace interaction. He is one of the main developers of ulogd2, Netfilter's userspace logging daemon. He started working on the Suricata IDS/IPS in 2009 and is currently working for the OISF as a developer. He is also a freelance consultant.

Moti Joseph: Memory corruption exploitation in Internet Explorer

Abstract

This presentation introduces tools and scripts that one can use to do memory corruption analysis in Microsoft Internet Explorer, i.e. going from crash to exploit via use-after-free memory corruption.

Bio: Moti Joseph

Moti Joseph has been involved in computer security. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti is a former speaker at Black Hat 2007 (USA), CONF2009 (Warsaw, Poland), POC 2009 (South Korea), ShakaCon 2009 (USA), CONF2010 (Krakow, Poland), POC 2010 (South Korea), CHINA 2011 at Shanghai Jiao Tong University, Istanbul, Turkey (2012) and SysCan2010 (Taipei, Taiwan).

Andrés Blanco and Matias Eissler: One firmware to monitor 'em all

Abstract

In recent years mobile device usage has become massive. These devices, in general, follow the IEEE 802.11 standard for wireless connectivity. Broadcom is one of the most important semiconductor companies in the wireless and broadband communication business. Some of their WiFi solutions (BCM4325 & BCM4329 chipsets) are included in a large part of the mobile device market, including vendors like Apple, Samsung, Motorola, Sony, Nokia, LG, Asus and HTC. In this paper we describe the process of modifying the firmware program on these cards. The presented results could open new possibilities for the information security community, such as access to baseband components without intervention of the operating system and the capability to store information within the network card's internal memory, among others. As the reader explores the present work, we go through the internals of the firmware program and our reverse engineering process, and show, as a proof of concept, how to set these cards to monitor mode.

Bio: Andrés Blanco

Andrés Blanco is a developer in the Core Impact team, the flagship automated penetration testing tool from Core Security Technologies. His research is mainly focused on Wireless, Network Security, Web Application Security and Privacy.

Bio: Matias Eissler

Matias Eissler is a Sr. Developer at Core Security, where he has worked in the fields of information gathering, attack planning, file infection and client-side attack automation. Lately, he joined the exploit effectiveness team, where he focuses on AV evasion.

Nicolas Ruff and Florian Ledoux: A critical analysis of Dropbox software security

Abstract

Dropbox is an online file storage service with at least 50 million users as of October 2011 (source: Forbes). The company's market value is estimated at over $4 billion. Dropbox is now widely used by mobile workforces for sharing corporate data, as Dropbox has started to provide a commercial "team" edition for storing up to 1TB of data "in the Cloud".

Dropbox is a mash-up of several Cloud services (including Amazon Storage); therefore Dropbox "externals" are relatively well known.

In this paper, we plan to expose Dropbox software internals, protocols, and, even worse, security issues. Several alerts were raised in 2011 (as reported on Bruce Schneier's blog), but nobody really took care to look "under the hood" as deeply as we did.

Dropbox users, as well as the forensics community, will benefit from this analysis.

Bio: Nicolas Ruff

Nicolas RUFF (news0ft) is a senior researcher at Innovation Works, the European Aeronautic Defence and Space company (EADS) research center in Suresnes, near Paris. His main areas of expertise are Microsoft network security, mobile security with an emphasis on iOS, computer forensics, malware protection and analysis, and wireless security. He has published several articles about Windows security in French magazines and gives training on a regular basis. He is frequently asked for his opinions regarding the future of security research, and has delivered talks at French and European events such as EuroSec, Microsoft TechDays and SSTIC.

Bio: Florian Ledoux

Florian LEDOUX (Mysterie) is a student in the IT security field and a trainee at EADS. Subjects related to reverse engineering, bug hunting and NT OS internals are his main research areas. He is co-author of "Bypassing Windows 7 exploit mitigation" in the French magazine MISC. He is a regular wargame/CTF player and the author of a blog about security at http://mysterie.fr/blog/

Igor Skochinsky: Sony Reader Hacking Story

Abstract

The talk will cover the story of hacking the line of ebook readers produced by Sony. I will cover reversing the USB protocol, getting the internal flash contents, running custom code, reversing the file formats and the custom scripting engine, and some other things. Most of the material will cover the first US model (PRS-500, 2006), but I will also talk about some countermeasures added later by Sony and how they were defeated.

Bio: Igor Skochinsky

Igor Skochinsky has been interested in "how stuff works" since childhood and got into software reverse engineering while studying Computer Science at the Belarusian State University. After graduating he spent several years at a big software company but continued to pursue his RE hobby in his free time. He had brief periods of internet fame after releasing a dumper for iTunes DRM-ed files (QTFairUse6) and hacking the Amazon Kindle. In 2008 he joined Hex-Rays, where he is now helping develop the world-famous Interactive Disassembler and Hex-Rays Decompiler. He previously spoke at the Recon conference on embedded RE and C++ compilers' internals.

Mathieu RENARD - GOTO:Hack iOS applications - Is your company data safe when stored on iDevices?

Abstract

Gone are the days when employees only used a company issued phone for work related matters. Today, employees bring personal smart phones and tablets to the office and have access to sensitive company information on these devices.

During this talk the author demonstrates how enterprise-class applications like Mobile Device Management (MDM) clients, confidential content managers (sandboxes), professional media players and other applications handling sensitive data are attacked and sometimes easily breached.

This talk is designed to demonstrate many of the techniques attackers use to manipulate iOS applications in order to extract confidential data from the device. The audience will see examples of the worst practices we are dealing with every day when pentesting iOS applications and learn how to mitigate the risks and avoid common mistakes that leave applications exposed.

Bio: Mathieu RENARD

Mathieu Renard (@Gotohack) is a Senior Penetration Tester working for a French company (SOGETI ESEC), where he leads the penetration test team.

His research areas focus on Web Application Security, Embedded Systems, Hardware hacking and, recently, Mobile Device Security. Since last year, he has focused his work (security assessments) and his research on enterprise-class applications and their supporting architecture, where data security is paramount.

Atul Alex - Buster: Android Security

Abstract

This presentation will be based on actual research conducted on the Android platform and the currently available security products and security model for it. While studying the Android platform and its security model, one can easily identify weak spots in the way sandboxing is done, the way applications interact with each other, and the extent of control a 'regular' application has over the 'overall' functioning of the device. So, I thought of conducting some real-life testing of the available security measures and platform restrictions, and the outcome does not look good. This presentation will focus mostly on the 'malwares' that are floating around and why the techniques applied so far are not enough. I'll demonstrate how easy it is to bypass Android antivirus detection and what to expect in the near future. I will also be releasing an open-source desktop-based tool to scan your Android devices for known threats. During the presentation, I'll demonstrate a Proof-Of-Concept tool that can create fully undetected variants of existing known malware in a matter of seconds and explain why the regular approach fails to detect them.

Bio: Atul Alex

Atul Alex (Aodrulez) is a professional security expert with over 7 years of research experience. He has authored numerous exploits, shellcodes and security articles. He loves reverse engineering, programming and doing research on new platforms. Atul Alex has spoken at security conferences like MalCon, ClubHACK and Nullcon. You can see his work at exploit-db.com and packetstormsecurity.

Sébastien Dudek and Guillaume Delugré - MobiDeke: Fuzzing the GSM Protocol Stack

Abstract

Many security issues have been discovered since GSM was designed, both in the protocol stack and in the cryptography. Because of the complexity and cost of building a network, reproducing or finding vulnerabilities in GSM used to be much more complicated. But thanks to recently developed equipment and software, security researchers are now able to set up their own network and perform practical attacks. However, trying to find vulnerabilities in the protocol is hard and time consuming. Test case generation and fault detection are impossible to perform without the right tools.

In this talk we show how GSM messages are represented and sent over the air, the framework we built and the techniques we used to generate our test cases for fuzzing. Then we show how we managed to perform the monitoring.

Bio: Sébastien Dudek

Sébastien Dudek is a student in IT and trainee at Sogeti ESEC R&D labs, where he is working on the subject of GSM protocol stack security. His main fields of interest are radio communication technologies (GSM, RFID, Wi-Fi, DECT...), but also other areas like software, web, and network security.

Bio: Guillaume Delugré

Guillaume Delugré is a security researcher working at Sogeti ESEC R&D labs. He is mostly interested in reverse engineering and embedded devices. He has lately been working on baseband and network card security.

Walter Belgers - Social Engineering

Abstract

Technical people look at security mostly from a technical standpoint. Are systems fully patched? Have SQL injection problems been eliminated? The truth is, the technical aspect of security is just a small part of the problem. People are probably the biggest security problem to fix. Social engineering is conning people into giving you information or access to systems or buildings. It is, in most cases, far easier than breaking in electronically. In this talk, we will look at what makes social engineering work, how to come up with working scenarios and how to try to avoid these problems. The lecture includes examples from actual social engineering assignments and some hilarious clips from the internet. After the talk, the attendees will hopefully understand the importance of security awareness within their companies and be more alert to attacks at the same time.

Bio: Walter Belgers

Walter Belgers is an ethical computer hacker by profession and by way of life. During his working hours, he tests the security of IT systems using both technical and social means. As a hobby, he opens locks without using the key. He has been on the internet for over half his life, which is not obvious for anybody his age. When he has time, he likes to read, sail, and drift in an old BMW car.

Kevin Allix - Quentin Jerome - A forensic analysis of Android Malware

Abstract

We consider in this paper the analysis of a large set of malware samples for the Android operating system. Although several recent works have addressed this issue over the last few years, none has addressed it from a forensic point of view. Using all available malware samples in the wild, we will present some insights into the malware writing process as well as into some very strange artifacts in the data. We highlight some major misuse and misunderstanding of Android security by the criminal community and show some patterns in their operational flow.

Bio: Kevin Allix

After graduating in 2007, Kevin Allix held operational positions for four years, during which he deployed and ran network security equipment for dozens of customers and built tools to help administer one of the biggest French Video-on-Demand platforms. In 2011, he joined the University of Luxembourg to start a PhD at the 'Centre for Security, Reliability and Trust'. His main research efforts are targeted at smartphone security and Android malware.

Bio: Quentin Jerome

At the time of writing this paper, Quentin JEROME was still a student at an engineering school in Nancy, where he studied information systems and networks. At the same time he was preparing a master's in computer science at the University of Lorraine. His contribution to this paper was made during his internship at SnT in the IT security research team. His fields of interest are IT security, malware analysis and machine learning techniques. He is fascinated by underground skills (exploitation, fuzzing, ...) and sometimes tries to learn some tricks, but he believes that it is a hard and long way.


Philippe Langlois - Remotely crashing HLR, or why it took the telecom industry 20 years to recognize the problems with SS7

Abstract

When you speak about telecom networks, people believe in magical, powerful and super-secure networks. On the contrary, we'll show here how some fuzzing now considered quite typical for TCP/IP looks like science fiction for telecom signaling networks. Real-world HLR-crashing attacks will be demonstrated and explained during this conference. Recognizing the problem with 2G and 3G networks: totally inadequate MSC and HLR equipment hardening at the vendor level, an unpatched TCAP vulnerability for 10 years (!), total openness to spoofing at the STP level, lack of perimeter protection, and, on top of it, lack of recognition of the problem have made the problem rampant. One big false sense of security now comes from the belief that switching to 4G, the S1 and X2 protocols, and SIP-I and SIP-T as a replacement for the old signaling network protocol suite would help. The problem does not lie in the technology but in the lack of understanding of the security implications of signaling beyond fraud and reliability. Vulnerabilities and malicious attackers are joining the party and ruining the designs and plans for perfect security. We'll see how the same patterns of vulnerability and fallibility of these past signaling systems and networks are now causing country-wide outages in 3G and 4G LTE networks such as those of Vodafone, O2, France Telecom Orange and many other operators.

Bio: Philippe Langlois

Founder of P1 Security and Senior Researcher for the Telecom Security Task Force, Philippe Langlois has proven expertise in network security. He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF). He founded Qualys and led the world-leading vulnerability assessment service. He founded a pioneering network security company, Intrinsec, in 1995 in France, as well as Worldnet, France's first public Internet service provider, in 1993. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (Interop, BlackHat, HITB Dubai, Hack.lu). Now, with P1 Security, Philippe is providing the first Core Network Telecom Signaling security scanner, which helps telecom companies, operators and governments analyze where and how their critical telecom network infrastructure can be attacked. He can be reached through his website at: http://www.p1security.com


Paul Rascagnères - Hugo Caron - Malware.lu overview

Abstract

Malware.lu (http://www.malware.lu) opened in May 2012. This web site is a malware repository hosted in Luxembourg. The goal of the project is to provide malware samples and technical analyses to security researchers. We will present the project and an analysis of the most notable malware samples (and their history) found in the repository. One of the samples to be presented was nominated for the Pwnie Awards 2012: http://pwnies.com/nominations/

Bio: Paul Rascagnères - Hugo Caron

Malware.lu is a community project created and maintained by Paul Rascagnères (aka RootBSD) and Hugo Caron (aka y0ug). We are specialised in malware analysis and reverse engineering. The purpose of the project is to provide a repository of malware to security researchers interested in malware and virus analysis. We provide technical analyses of several specific samples. We currently share more than 2 million samples.

Arturo Filastò - Cypherpunks write code: Hacking on Tor

Abstract

We will explain the basic concepts behind Tor and then cover a wide variety of projects that are corollary to Tor, and hopefully get people hacking on them. This talk will then lead to a later workshop session on the projects mentioned in the talk. We invite all people interested in playing around with anonymity and censorship circumvention technology to join in!

Bio: Arturo Filastò - hellais

Arturo Filastò is a developer at GlobaLeaks and The Tor Project. He studied Mathematics and is currently a student of Computer Science at Università di Roma "La Sapienza". He is a well-known security researcher and regularly gives lectures at international conferences. He has trained activists in the use of security and censorship circumvention technologies. He is also the lead developer of OONI (Open Observatory of Network Interference), a project aimed at detecting and monitoring censorship in the world.


Wil Allsopp - My Life as an International Arms Dealer - Social Engineering and the Psychology of Anonymity

Abstract

In the last five years the Internet black market has blossomed; from opiates to heavy weapons, sellers trade with impunity.

How is this possible? How do these markets work? How secure and anonymous are they in reality?

This presentation dives into the black market and explores the possibilities and pitfalls it presents. We enter the market as an illegal arms dealer and quickly build credibility using nothing but social engineering skills, a few bitcoins and a Wikipedia knowledge of firearms.

You'll meet scammers of all kinds (who'll be outdone), criminals who will boast of their wares and ultimately get to see how you can be respected as an international criminal without breaking the law (or even leaving your house).

This is a lighthearted look at a dark dark world and a wake up call.

Bio: Wil Allsopp

For more than a decade, Wil Allsopp has carried out penetration tests in every corner of the globe. Whilst perfectly at home hacking code or reverse engineering iOS applications, his true interests lie in social engineering, breaking into buildings and corrupting innocent minds. He works full time for Verizon's Threat & Vulnerability practice and part time as a gentleman thief. Allsopp is the author of "Unauthorised Access - Physical Penetration Testing for IT Security Teams".

Eric Vyncke - The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

Abstract

The Internet is transitioning from IPv4-only to IPv6 in order to address IPv4 address exhaustion. While IPv6 is quite similar to IPv4, it has a couple of different properties and details; notably, ARP is being replaced by the Neighbor Discovery Protocol (NDP).

The Neighbor Discovery Protocol was specified in 1997 without security in mind and before the IPv4 ARP/DHCP spoofing attacks existed; hence, NDP suffers from the same flaws as ARP. The most well-known attacks against NDP are the rogue RA (quite often caused by misconfiguration), DAD DoS, NDP spoofing and NDP cache exhaustion.

This session details the different attacks, presents the work done at the IETF in the SAVI working group, and the implementation on existing switches.

Bio: Eric Vyncke

Eric Vyncke works as a Distinguished Consulting Engineer for Cisco. Eric wrote the security section of Networks: Internet, Telephony, Multimedia: Convergences and Complementarities (Springer Verlag, 2003), and has a Master's degree in Computer Science Engineering from the University of Liège.

Cosmin Ciobanu - ENISA Study Outcome of "Early Warning: Study on Honeypots"

Abstract

The talk will be based on the outcomes of the study "Early Warning: study on honeypots". It will include a short intro to the different types of honeypots, along with their challenges and shortcomings, and the future of honeypots.


Bio: Cosmin Ciobanu

Cosmin Ciobanu is currently an expert in network and information security and information security officer at the European Network and Information Security Agency; before ENISA I worked for almost 4 years in the IT Security Dept. of a national ISP in Romania as an IT Security engineer. Most of my work so far has been related to network security, pentesting and vulnerability assessment, and security advice and consultancy.


Guy Martin - Real-time network forensics using pom-ng

Abstract

When you are presented with a lot of traffic to analyse, it is not feasible to dig into each network stream manually; an automated way is needed. In this talk, the challenges of performing real-time network analysis in a multi-threaded fashion will be explained, as well as ways to accommodate each protocol's specificities in a modular way. Moreover, a demo of pom-ng will be performed, showing a live network analysis and how easy it is to recover various information such as images, videos and passwords, as well as to generate logs.

Bio: Guy Martin

Guy Martin is an active open source developer currently working for PwC Luxembourg as a pen-tester. During his free time, he helps out in multiple areas ranging from porting Gentoo to HPPA to Linux DVB driver coding. After discovering a way to sniff DOCSIS networks (cable modems) using a simple method, he developed packet-o-matic to analyse all the traffic, which he presented at Defcon. After a few years of development, he has now started an even more featureful rewrite of his network forensics tool.

Adrien Kunysz - BOFH meets SystemTap

Abstract

The Bastard Operator From Hell enjoys abusing his users. SystemTap allows for very easy dynamic code injection system-wide (kernel, libraries, applications).

This talk gives a brief overview of what SystemTap is and its capabilities. We then demonstrate how it can be used to dynamically insert questionable code at any level to spy on users and modify the behaviour of applications and system components very easily. This is not about novel techniques or breaking trust boundaries (we assume you are root already). This is only about making things easier for both the good and the bad guys.

Bio: Adrien Kunysz

Adrien Kunysz enjoys playing with Unix systems, breaking things, fixing things, reading code (be it machine code, C or whatever the fancy language of the year is) and tinkering with low-level components and tools (kernel, libc, debuggers, ...). I am not a security professional, but I sometimes act as one at conferences.

Edward Fjellskål and Kacper Wysocki - Varnish Security Firewall - high voltage protection for your web apps

Abstract

Varnish is the Swiss army knife of the HTTP transport, and its flexible configuration language has long been used to thwart application attacks and DoS with custom rulesets. Varnish is fast, lightweight, helps applications handle tremendous loads, and there are numerous security barriers in its architecture. We present the new Varnish Security Firewall framework, which enables us to rapidly secure web applications, and show how it allows for easy and fast rule writing to enhance security and quickly react to attacks. This approach lends itself well to securing cloud applications.

Bio: Edward Fjellskål

Edward Fjellskål has since 1998 actively worked with Open Source Software privately and for business with a focus on Network Security Monitoring. He is one of the developers of tools such as prads, cxtracker, passivedns and security.vcl, to mention some. He has put in years as a Linux sysadmin and has long experience with monitoring networks for security incidents, doing penetration testing and forensics. He is always working on enhancing his detection capabilities to capture even more badness speeding over the wire. He likes to have fun on and off the job and is pretty good at making people work for it. Edward doesn't use Twitter, but has an old-fashioned blog at www.gamelinux.org

Bio: Kacper Wysocki

Kacper Wysocki is an informatics researcher with too many interests and too little spare time. He has a background in computer science and liberal arts and is currently gainfully employed as a security and infrastructure consultant, where he solves problems others don't want to solve and handles incidents others don't know what to do with. He was one of the founding members of the Hackeriet hackerspace in Oslo, where he encourages the responsible albeit creative use of dangerous techniques and continually changes merge strategies. Kacper is also a person who knows his way around nibbles and bits and is very social and a good communicator of new and exciting ideas. Kacper maintains a very simple site at http://u.delta9.pl/ where you can find his projects, interests and a blog on the fastest way to break a machine.

Fyodor Yarochkin and Vladimir Kropotov - Real-time malicious domain detection and malicious activity analysis

Abstract

From last year until now there has been a quantum leap in cybercrime activity worldwide. We've been tracking massive malicious campaigns in Europe and Asia and monitoring how attacker tools and techniques evolve and change over time. In this presentation we will present historical records, from last year until the present moment, of detected malicious activities, including botnet distribution, targeted attackers, covert channels used in botnet control and more. Compromised infrastructure is a valuable asset to the botmasters. We will also discuss a range of techniques which attackers use to prevent automated detection of their infrastructure and make manual analysis difficult. Further, we will demonstrate the tools and methods which we use to perform real-time malicious domain detection and malicious activity analysis.

Bio: Fyodor Yarochkin

Fyodor Yarochkin is a security analyst with P1sec and research assistant with Academia Sinica/Taiwan. Fyodor is mostly known for his research work in online crime analysis, building automated tools for proactive intrusion detection and network monitoring. Fyodor's current research interests cover large-scale network analysis, intrusion detection, threat prediction and incident response.

Bio: Vladimir Kropotov

Vladimir Kropotov is an independent security researcher and Security Operations Center lead at RN-Inform with main interests in network traffic analysis, incident response, botnet investigations, and cybercrime. He is a frequent speaker at a number of conferences including CARO, PhDays and ZeroNights.

Eric Chassard and Maxime Clementz - Insecurity of Security Equipments

Abstract

Our topic is about equipment used for physical security, such as surveillance cameras, fire detection, access control systems, intrusion detection…

We will not focus on how this equipment could be defeated, but on how it could ruin the security level of a whole organisation. Indeed, this equipment is more and more often sold as turnkey solutions, deeply integrated within the existing IT network. We will show that it is often overlooked when it comes to IT security, probably because of the thought: “it’s secure because it’s for Security”.

Bio: Eric Chassard

Eric is mainly responsible for managing projects linked to IT security at PwC. He also fulfils a technical expert role in the field of IT security.

Bio: Maxime Clementz

Maxime is in his last year at ESIAL school and is doing an internship in the IT Consulting department in order to obtain an Engineer diploma (Master’s degree). Since the beginning of his education, Maxime has been a self-taught student of IT security, besides following a more general course in IT networks and systems. Besides working on his internship subject about security equipment, Maxime is learning ethical hacking, pentesting, reverse engineering...


Patrice Auffret - SinFP3: More Than A Complete Framework for Operating System Fingerprinting

Abstract

In 2008 [springer, 2008], we released a new version of SinFP [cpan] and a paper describing the unification of active and passive operating system fingerprinting. SinFP is the first of its category to provide both active and passive fingerprinting over IPv4 and IPv6 using the same signature format. SinFP is designed to work in the worst network conditions: one heavily filtered open TCP port on the target. Today, we have decided to improve its fingerprinting algorithms and to extend its usage into a network discovery framework.

Bio: Patrice Auffret

Patrice <GomoR> Auffret is a senior security engineer specialised in network protocol hacking and reverse engineering. He is the author of numerous Perl modules to craft network packets (the Net::Frame framework, and many protocols like LLTD, OSPF, or ICMPv6). He has written articles in the French security magazine MISC and has also spoken at security conferences including IT Underground 2007 (OSPF Attack Shell tool), SSTIC 2008 (SinFP operating system fingerprinting tool), EuSecWest 2012 (SinFP3 network reconnaissance framework) and ekoparty 2012 (SinFP3 network reconnaissance framework).


Jonathan Dechaux - The Office Demon: Minos

Abstract

Office documents (Microsoft Office and LibreOffice) have become a standard for transmitting information. They are used daily by many users. It should however be remembered that this type of document is much more than an inert file. They may contain an executable part called a macro. Macros have been present since the creation of these Office suites to automate some actions.

It is possible to divert the initial use of macros and turn them into a true infection vector for systems. Since 2007 and the case of the attack on the German chancellery, the number of attacks via this type of document has continued to grow. The ability to access high-level programming languages and interact with the target system greatly increases the risk of attacks. Changing the security settings of these Office suites is easy, leaving the door open for malicious attacks without the user noticing.

In this paper, we present a tool that is a proof of concept. It is intended as a prevention tool for users. It aims to give demonstrations of the risks associated with Office documents. It is able to change the security settings of Office suites and infect documents directly with a macro. It also includes a USB mode of infection, to retrieve all documents from a USB stick and then infect all Office documents.

With Minos, it is possible to control and modify the security settings of versions 2003, 2007 and 2010 of Microsoft Office and versions 3.4 and 3.5 of LibreOffice. Similarly, it is possible to infect Microsoft Office Word, Excel and PowerPoint documents and their counterparts in LibreOffice. If a file already contains macros, you can either delete the macro and replace it with your macro, or include your macro next to the other macros.

The data presented in this report are technical and operational. We have worked in environments with restricted rights, showing that it is possible to perform powerful attacks by infecting Office documents.

Bio: Jonathan Dechaux

Jonathan Dechaux is a Research Engineer in the Cryptology and Virology laboratory at ESIEA in Laval, France. He began working with Office documents with the evaluation of fifteen antiviruses for EICAR 2010 and iAwacs 2010 in Paris, France. He continued his work on these documents with a paper for Hack.Lu 2010 and ECIW 2011, and participated in the LibreOffice 2011 conference. He is interested in cyberwarfare, new technologies, Office documents and software development.


Workshops

Hynesim : hybrid network simulation for security training

The Hynesim project's goal is to provide the open source community with an information systems hybrid simulation platform. The purpose of this network oriented project is to integrate low and high interaction hosts in complex topologies, based on a massively distributed simulation. The major advantage of this system is the interconnection between real and virtual machines. The aims of this platform are to offer an all-in-one solution allowing preparation, construction, simulation and operation of a virtual information system, so as to observe the evolution of its security. Based as much as possible on pre-existing Open Source components (COTS), the Hynesim project will provide the ISS community with a way of deploying large virtual information systems at a low cost. The foundations of the Hynesim project are based on 10 years of thinking on the subject, and on the lessons learned from a first approach through the BridNet project (http://www.bridnet.fr). Beyond the technological and conceptual framework of the project, the members of the Hynesim project wish to bring a genuine expertise on tools such as VirtualBox, KVM/Qemu, Dynamips, OpenVZ, vde, libvirt.... by sharing the experience gained through their usage and development in the field of hybrid network simulation.

This workshop aims to introduce this framework (architecture, internal details) in order to understand its use (simple, advanced, specific features) and to show how to install and deploy it. Virtual machines and specific use cases (network/topology) will be available for participants to perform their own tests.

The workshop is a mix of tutorials, hands-on sessions and demos. For the hands-on sessions, we will distribute bootable live USB keys (based on Debian 6 stable, 64-bit) with all the necessary drivers and the hynesim standard master/node configuration already installed.

There are 15 USB keys available, so you need to be in the first 15 if you want one.

Requirements:

- Laptop (i5 or i7, 4 GB) with a USB port able to boot a Live USB key.

Bio: Guillaume Prigent

Guillaume PRIGENT, founder and CTO of diateam, is a computer security research engineer, and has worked in the field of security simulation for the last 10 years. He began as a research engineer in 1999 at CERV, the European Centre for Virtual Reality in Brest, where he developed the concepts of hybrid simulation for the French Department of Defense. Guillaume Prigent is the Project leader and architect of the open source Hynesim project. He has developed many "proofs of concept" and some tools like netglub and also gives talks and classes in many engineering schools (ENIB, ENSIETA, ESM Saint-Cyr, ...). Guillaume is the author of several papers on security, and is a frequent speaker and/or attendee at security and testing conferences such as SSTIC, HITB, HACK.LU, FRHACK, ...

Bio: Jean-Baptiste Rouault & Sylvain Gerard

Jean-Baptiste ROUAULT & Sylvain GERARD are members of the hynesim core development team. Research & Development software engineers, they are currently in charge of core features such as the distributed computing framework and virtual machine hypervision. Jean-Baptiste & Sylvain also give classes and training sessions in the hynesim training center.


SHODAN: Global Logfile of INsecurity

SHODAN is a global logfile of network and webserver security, but skiddies and pentesters think it should be used to 'find neat stuff'.

This is a workshop designed to show you how to use the APIs for SHODAN, but more importantly to encourage you to 'think bigger'. This is an opportunity to derive, define, and deploy security metrics globally in anything that interests you. SHODAN is a rich data source from which you could be doing research, aggregating data, and doing statistics at national scales. This workshop will not focus on my work, but on how you could use your own expertise to create a 'global picture' of any security problem we can find in SHODAN.

To whet your appetite, this workshop will start briefly with funny examples and weird ways you can use SHODAN (personally, I find looking at webcams the worst use of your time), then progress to getting you up and running with the API quickly. I will suggest a number of novel applications that an enthusiastic user could flesh out into a future paper or security conference talk. For example, detecting the number of counterfeit devices for a product line, finding meterpreter shells or webshells, studying a company or a country over time, finding weird addressing problems, comparing good/bad practices at ASNs, detecting webservers run on phones, SSL certificate anomalies, VOIP deployments, Plug-N-Play default device states, and other odd applications.

If you are a penetration tester, do your own scans; they are fresher. However, if you want to do *research*, SHODAN is an open dataset that can help you tackle global myths and pervasive insecurity. The best part of organising these workshops is what other researchers find. They bring their own domain expertise and always show me something novel. The aim of this workshop will be to motivate them from 'Hmmmm. That's odd!' to writing a paper or talk that changes the way we see the world. If you don't have an idea yet, I'm literally giving away neat things I've seen that I don't have the time or interest to chase.

Bio: Eireann Leverett

Eireann Leverett studied Artificial Intelligence and Software Engineering at Edinburgh University and went on to get his Masters in Advanced Computer Science at Cambridge. He studied under Frank Stajano and Jon Crowcroft in Cambridge's computer security group. In between, he worked for GE Energy for 5 years and has just finished a six-month engagement with ABB in their corporate research department. He now proudly joins IOActive to focus on Smart Grid and SCADA systems.

His MPhil thesis at Cambridge was on the increasing connectivity of industrial systems to the public internet. He focussed on finding the cheapest way to find and visualise these exposures and associated vulnerabilities. He shared the data with ICS-CERT and other CERT teams globally, and presents regularly to academics and government agencies on the security of industrial systems.

More importantly, he is a circus and magic enthusiast, and likes to drink beer.

White Hat Shellcode

The goal of this workshop is to plant a seed: that shellcode has a place in your defense toolbox. The goal is not to learn to write shellcode, neither is it to present a complete anthology of white hat shellcode. I want to show a few examples to help you be more creative, so that when you are facing a problem in your IT sec job, you will also consider shellcode as a potential solution. Shellcode is almost always used in attack scenarios, but it can also be used to defend. Shellcode is just a tool, and it can be a solution to your problem. In this workshop we will work together on 5 cases:

  1. loading/unloading a DLL
  2. enforcing DEP
  3. testing your security setup
  4. patching an application
  5. preventing heapsprays with shellcode

Setting up the environment

I'm not providing a virtual machine with Windows installed because of licensing. You need to prepare your own machine. Use a 32-bit Windows XP SP3 install, preferably a virtual machine, because we will install some software.

If you use an install with AV or other security software, be sure it permits the creation of remote threads.


Bio: Didier Stevens

Didier Stevens (Microsoft MVP Consumer Security, CISSP, GSSP-C, MCSD .NET, MCITP, MCSE/Security, RHCT, CCNA Security, OSWP) is an IT Security Consultant currently working at a large Belgian financial corporation.

He is employed by Contraste Europe NV, an IT Consulting Services company (http://www.contraste.com). You can find his open source security tools on his IT security related blog at http://blog.DidierStevens.com

Beer homebrewing workshop

My enthusiasm for homebrewing was kindled here in Luxemburg during a beer brewing demo, organized as a social event after the LinuxDays conference in 2006. While they didn't get much further than explaining about the mashing, I'm taking you through all the steps of brewing your own double fermentation Belgian style lager, using only natural ingredients and simple DIY equipment. The goal of this workshop is to show that anyone can do it, that you don't need special equipment, and that beer should be free.

Bio: Machtelt Garrels

Machtelt has been an Open Source guru for the best part of her career. She's the author of the "Introduction to Linux" and the "Bash Guide for Beginners", among several other works that are freely available online. Being fed up with being called "Mr Garrels", she decided to try something else. It soon proved that making beer was a much more fun way to spend your days, and so she has been teaching beer brewing workshops on a regular basis since 2009. It also combines better with having a family, whose members of legal beer drinking age fully support her new activities. The only things that haven't changed are the mainly male company and the slight surprise of my students when they find out that the teacher is female.