Speakers
Alex Kirk - Combatting client-side attacks using near-realtime detection
Alex is a senior researcher with the Sourcefire Vulnerability Research Team (VRT), and the head of that group's Awareness, Education, Guidance, and Intelligence Sharing (AEGIS) program which is designed to increase direct collaboration between customers and the VRT in the interests of improved detection and coverage. In his 6 years with the VRT, Alex has become one of the world's leading experts on Snort rules and has honed skills in reverse engineering, network traffic analysis, and systems security. Outside of Sourcefire, Alex has contributed to the open source community through efforts such as scrubbing entries for OSVDB and writing documentation for running the NetBSD operating system on the Sega Dreamcast.
The level of sophistication currently demonstrated both by malware actors and by publicly available exploit frameworks such as Metasploit, CANVAS and Core Impact leaves increasingly few options for robust detection of attacks on client software. The Razorback project is designed to provide enterprise defense teams with a framework for developing the kinds of detection necessary to combat these threats. Razorback addresses these issues by providing a core infrastructure that matches declared data types to the individual capabilities of various detection systems. By providing an open, documented API, arbitrary data sources can be paired with one or more arbitrary detection systems to provide detection solutions that would otherwise be impossible due to limited data access or restrictions on system resources. This talk will discuss the concepts, design, and architecture of the Razorback Framework and introduce several modules for performing advanced inspection, detection, and alerting on network events. Additionally, the capability to update network defense mechanisms based upon these events will be demonstrated. The current implementation of the framework uses a stripped-down version of Snort as a data collector, but any data collection engine could be used, including server-based modules designed to work with squid, procmail, or any other proxy or server.
Walter Belgers - Abstract Lockpicking 101
Walter is the founder of the Eindhoven chapter of TOOOL, The Open Organisation of Lockpickers in the Netherlands. He is a multiple winner of the TOOOL championships. He works for Madison Gurkha as an ethical hacker.
This lecture goes into the basics of lockpicking. Why does it work, and how? It focuses on standard pin-tumbler locks, but will also discuss other types, such as wafer locks, tubular locks, and high-security designs from manufacturers like Assa Abloy and Medeco. Although the focus lies on traditional lock picking techniques, pick guns, bumping, impressioning and other techniques will also be explained. Walter will also be setting up a table in the venue to allow people to practice lockpicking on standard pin-tumbler locks. Tools and locks will be provided.
Julia Wolf - PDF Syntax Abuse
Julia is a senior security researcher at FireEye's Malware Intelligence Labs where she works on reverse-engineering the latest malware threats and building advanced protection mechanisms for customers of the FireEye Malware Protection System.
This presentation will demonstrate how no two PDF parsers will see a PDF file the same way, which is useful if you want to sneak an exploit past an anti-virus scanner. You will also get a pretty good introduction to the PDF syntax that will make sense to a security professional, and see the kind of tricks current malware samples are using to obfuscate their payloads.
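One concrete source of the parser disagreement the abstract refers to is the PDF incremental-update mechanism: the specification lets a writer append new objects plus a new xref table and trailer after the original %%EOF, and a conforming reader resolves each object number through the newest xref (following /Prev links), so a later definition of object 1 overrides the earlier one. A scanner that simply greps for "1 0 obj" and takes the first hit sees a different catalog than a reader that follows the xref chain. The script below is an added example and is not code from the talk or from FireEye; it constructs a small two-revision PDF inline (the /JS string is a harmless placeholder, not a real payload) and implements both resolution strategies so the divergence is visible.

```python
"""Added example: two minimal PDF object resolvers that disagree on the same bytes.

A "first-hit" scanner and an "xref-following" reader are both run against a
constructed PDF whose incremental update redefines the document catalog.
"""
import re


def _obj(num, body):
    return f"{num} 0 obj\n{body}\nendobj\n".encode()


def _xref(entries, include_free_zero=False):
    # One subsection per object; each entry is exactly 20 bytes as the spec requires.
    out = b"xref\n"
    if include_free_zero:
        out += b"0 1\n0000000000 65535 f \n"
    for num in sorted(entries):
        out += f"{num} 1\n{entries[num]:010d} 00000 n \n".encode()
    return out


def _trailer(size, prev=None):
    d = f"<< /Size {size} /Root 1 0 R" + (f" /Prev {prev}" if prev is not None else "") + " >>"
    return f"trailer\n{d}\n".encode()


def build_pdf():
    """Constructed sample: original revision has a plain catalog; the appended
    incremental update redefines object 1 with an /OpenAction (placeholder JS)."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = {}
    for num, body in [
        (1, "<< /Type /Catalog /Pages 2 0 R >>"),
        (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        (3, "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"),
    ]:
        offsets[num] = len(out)
        out += _obj(num, body)
    xref1 = len(out)
    out += _xref(offsets, include_free_zero=True) + _trailer(4)
    out += f"startxref\n{xref1}\n%%EOF\n".encode()

    # Incremental update: same object number 1, new content, new xref, /Prev link.
    upd = {}
    upd[1] = len(out)
    out += _obj(1, "<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>")
    upd[4] = len(out)
    out += _obj(4, "<< /S /JavaScript /JS (app.alert('demo')) >>")
    xref2 = len(out)
    out += _xref(upd) + _trailer(5, prev=xref1)
    out += f"startxref\n{xref2}\n%%EOF\n".encode()
    return bytes(out)


def first_definition(pdf, num):
    """Naive scanner behaviour: first 'N 0 obj' in the byte stream wins."""
    m = re.search(rb"(?<![0-9])%d 0 obj\s*(.*?)\s*endobj" % num, pdf, re.S)
    return m.group(1) if m else None


def _parse_xref(pdf, offset):
    # Returns ({objnum: byte offset}, prev_xref_offset_or_None) for one xref section.
    assert pdf.startswith(b"xref", offset), "startxref does not point at an xref table"
    pos = offset + len(b"xref\n")
    entries = {}
    while not pdf.startswith(b"trailer", pos):
        line_end = pdf.index(b"\n", pos)
        start, count = map(int, pdf[pos:line_end].split())
        pos = line_end + 1
        for i in range(count):
            off, _gen, kind = pdf[pos:pos + 20].split()
            if kind == b"n":
                entries[start + i] = int(off)
            pos += 20
    trailer_dict = pdf[pos:pdf.index(b">>", pos)]
    m = re.search(rb"/Prev\s+(\d+)", trailer_dict)
    return entries, (int(m.group(1)) if m else None)


def latest_definition(pdf, num):
    """Conforming reader behaviour: newest xref section wins, older ones via /Prev."""
    sx = pdf.rfind(b"startxref")
    offset = int(pdf[sx + len(b"startxref"):].split()[0])
    while offset is not None:
        entries, prev = _parse_xref(pdf, offset)
        if num in entries:
            m = re.match(rb"%d 0 obj\s*(.*?)\s*endobj" % num, pdf[entries[num]:], re.S)
            return m.group(1) if m else None
        offset = prev
    return None


def open_action_seen_by(resolver, pdf):
    """What /OpenAction (if any) a given resolver would find via the catalog."""
    catalog = resolver(pdf, 1)
    m = re.search(rb"/OpenAction\s+(\d+) 0 R", catalog)
    return resolver(pdf, int(m.group(1))) if m else None


if __name__ == "__main__":
    sample = build_pdf()
    for name, resolver in (("first-hit scanner", first_definition),
                           ("xref-following reader", latest_definition)):
        print(f"{name:22s} sees OpenAction: {open_action_seen_by(resolver, sample)}")
```

The first-hit scanner reports no OpenAction at all, while the xref-following reader resolves the updated catalog and finds the JavaScript action; a detector that wants to see what the viewer will execute has to model the viewer's resolution rules rather than the raw byte order.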
Kugg - Hacking the RKF ticket system and How to stay invisible (while still using cellphones)
Kugg is an IT consultant with focus on creativity, integrity and organization, who has never lost hope in free secure uninterpretable communication.
RKF (Rese Kort Föreningen) is a standard designed to securely contain and update travel purses on Mifare Classic RFID travel cards in the Scandinavian region. To gain access to the RKF data one has to crack the Mifare Classic and then analyze the data structures on the card. In this presentation you will see the structure of RKF2 fully exposed. Learn what it takes to alter the files and checksum system of travel cards. See how to manipulate travel history and statistics in the RKF system.
It is a well known fact that cell phones are the most common way of pinpointing the identity and position of an individual under investigation and mapping their social graph. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell IDs using a phone. These are known methods of positioning. The audience will also gain knowledge on how to stay anonymous and avoid getting your MSISDN (cell phone number) identified in the first place. ETSI standards for lawful interception tell half the story of how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change the IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards, to be able to fly under the radar.
Michael Kemp - Into the Black: Exploring DPRK or 'How I Learned to Stop Worrying and Love the Bomb'
Michael is an experienced UK based security consultant, with a specialization in the penetration testing of web applications and the testing of compiled code bases and DB environments to destruction. As well as the day job, Michael has been published in a range of journals and magazines, including heise, Network Security, Inform IT and Security Focus. To date, Michael has worked for NGS Software, CSC (Computer Sciences Corporation), British Telecom, and a host of freelance clients throughout the globe. Presently, Mike is working in a day job for Xiphos Research Labs. When not breaking things, Michael enjoys loud music, bad movies, weird books and writing about himself in the third person. Mike has previously presented at security conferences in Jakarta, Hawaii, New York, Warsaw, Prague, Zagreb and London (on subjects as diverse as virtualisation, malware, and why the government sucks), and is always keen to embarrass himself in new and exotic locales.
North Korea scares people. Allegedly DPRK has a super l33t squad of killer haxor ninjas that regularly engage in hit and run hacks against the Defense Department, South Korea, or anyone else who pisses off the Glorious Leader. DPRK also has no real Internet infrastructure to speak of (as dictators don't like unrestricted information), although it does have a number of IP blocks (unused?). This talk examines some of the myths about DPRK, and some of their existing and emerging technologies. In 2008, Orascom Telecom formed a partnership with the DPRK government and set up the state run mobile carrier, Koryolink, and DHL are part of the European Business Association (presumably for when dictators need to "Add Value, Be Valued"). This talk examines some of the available infrastructure associated with DPRK (funnily enough some of which is in South Korea and Japan) and explores the potential technical threats posed by a pernicious regime, as well as exposing some of the huge gaps in logic that have led to the world potentially engaging in Chicken Little syndrome when it comes to DPRK. No 0days will be demonstrated, however this talk will discuss some new information that hasn't yet been made public.
Andrei Costin - Exploiting printers: Let me make your printer the hacker
Andrei is a Computer Science graduate of the Polytechnic University of Bucharest, where he did his thesis work in Biometrics and Image Processing. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the Mifare Classic RFID card family. While starting out his IT career in the computer games industry, he has since worked in the telecom field running GSM core networks and is currently Senior Developer at a specialized firm producing custom embedded systems utilizing GSM.
While more and more new devices (routers, smartphones, etc.) are getting connected to our SOHO/enterprise environments, hats of all colours are paying plenty of attention to their security: defend and harden on one side; exploit and develop malware on the other. However, a special class of network devices (specifically printers/scanners/MFPs), which has been networked for more than 15 years, has stayed largely outside the modern security spotlight. And even though we entrust them with even the most confidential documents and the most sacred credentials (LDAP, RFID badges, etc.), we don't realize just how weak and unsecured they are, despite the few minor security bulletins that have recently started popping up here and there. In this presentation, we will take a look at the current (weak) state of affairs in the available vulnerability and security research. Then we will try to envision types of possible exploitation scenarios, backed up with a printer remote-exploit demo. We will conclude the presentation with possible solutions and what can be done to protect ourselves as well as our network environments.
George Hedfors - Owning the datacenter using the Cisco 7000-series switch
Banks and large corporations are constantly upgrading their infrastructure. One of the latest additions to the Cisco family is the 7000-series with its new and "secure" Linux-based NX-OS. This switch can easily take the role of the sole core switch in some of the largest network infrastructures in the world. It manages up to 512 x 10 gigabit interfaces and is a new virtualization platform within networking. Unfortunately, its new operating system also exposes old attacks, previously classified as network based denial of service, as remotely exploitable buffer overflows. Deployment of generic rootkits is also possible by breaking out of the Cisco CLI environment using a series of undocumented features. What would the impact be for a large bank or corporation if the core switch was infected with backdoors that gave an attacker control over all VLANs?
Ranjit and Raf - In and Out! Ninjitsu Style
Rafael Dominguez Vega works in the UK as security consultant and security researcher for MWR InfoSecurity.
He enjoys testing "out of the ordinary" technology and he has balanced his technical skills with a good understanding of social engineering and physical security. With a 100% success rate in gaining unauthorised physical access to organisations, Rafa has performed physical security testing for a range of organisations, from bluechip companies to governmental organisations, and is potentially the man most hated by receptionists across the UK.
Ranjit Singh Sandhu is a UK based penetration tester and IT security consultant for MWR InfoSecurity. He enjoys testing different aspects of security, particularly performing social engineering and physical security assessments. He has led multiple social engineering projects and his latest achievement was obtaining the encryption key for a laptop, which Rafa had obtained from a physical security test, simply by talking to an IT guy over the phone.
It is worth nothing to have the most secure network if someone can just walk into your organisation and plug themselves in. We do that on a consistent basis using techniques borrowed from social engineering.
Ranjit and Raf, number one super guys. Ranjit and Raf, quicker than the human eye. They've got style, a groovy style, and stories that just won't stop. When the going gets tough, they're really rough, with the Health Inspector's chop (Hi-Ya!)
If you think Physical Testing and Social Engineering sound like fun you better come along and find out what really happens on an assignment. Find out why listening to Keith Lard can help develop your testing skills and how you can get a really good lunch without paying a penny. Also, if you think you're cut out for this type of testing you better listen up as it is not all champagne and caviar.
Neil "mu-b" Kettle - Vulnerabilities in Full/Virtual Disk Encryption products
Neil works as both a Security Consultant and Researcher for Convergent Network Solutions and an independent Researcher, which leaves little time for doing anything else! Neil's background is in theoretical computer science although his real-world interests range from vulnerability research, reverse engineering and development of tools and exploits in both userland and kernel space (which are later posted to digit-labs.org).
This talk will attempt to demonstrate just how easy it really is to subvert the security of many commercial virtual/full-disk encryption solutions for the Windows Operating System in local multi-user scenarios. The presentation covers a multitude of implementations, with special emphasis paid to Government "approved" or "accredited" solutions ranging from the ominous DESLock+ to the ubiquitous BeCrypt; the vulnerabilities range from farcical logic flaws to blatantly obvious memory corruption. The root cause of the flaws will be discussed, leaving little doubt as to just how bad the security situation is with regard to developer competence.
Luke Jennings - Weapons of Mass Pwnage
Luke Jennings is a security consultant in the UK working for MWR InfoSecurity. He is both a UK CESG CHECK Team Leader and a CREST Consultant and so spends most of his days penetration testing networks and applications in a wide variety of environments. When he gets the chance he enjoys engaging in active security research and presenting the results at cool security conferences around the world.
Large organisations have problems of scale. How do you manage deploying and maintaining consistent builds across 10,000 desktop systems and 500 servers? How do you patch the latest Adobe vulnerability on all 2,000 of your road warriors' laptops? Many turn to deployment solutions.
Deployment solutions can have a significant impact on the security of an environment, even aside from specific vulnerabilities such as buffer overflows that may be present in the software. This talk will consider the different risks involved when using them. Whether you are a penetration tester assessing environments where deployment solutions are in use or a system administrator looking to secure your implementation, you will find something of use here.
As a case study we will be looking at Symantec's Altiris Deployment Solution, which is one widely used example of deployment software...and, hey, it does a great job! Plus you can use it to patch all your non-Microsoft vulnerabilities, so it makes you more secure...right? This talk is about when and why that might not be the case.
What if you knew how to pwn an Altiris deployment server and use it to mass rootkit an entire network? What if you knew how to automatically pwn any Altiris managed laptops the instant their owners connected them to the same hotspot as you? This talk will teach you all these things.
There have been some serious vulnerabilities in Altiris before...today you can expect some more.