My Schedule


8:00 AM to 8:50 AM

Breakfast
377 attendees
Type: Food & Drink

9:00 AM to 9:50 AM

Keynote
431 attendees
Location: Augustus Ballroom
Type: Random
Speaker: TBD
About: TBD
Tags: keynote

10:00 AM to 11:00 AM

John McDonald & Chris Valasek: Practical Windows Heap Exploitation
65 attendees
Location: Augustus Ballroom 5-6
Type: Exploitation
Speakers: John McDonald & Chris Valasek
As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "

10:00 AM to 11:00 AM

FX: Router Exploitation
155 attendees
Location: Roman Ballroom
Type: Infrastructure
Speaker: Felix 'FX' Lindner
Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield, and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimens in the field, talk about the challenges you face in getting a simple shell on such devices, and what to actually do with them once you have made it.
Tags: Network, Infrastructure

10:00 AM to 11:00 AM

Rod Beckstrom: Beckstrom's Law
38 attendees
Location: Milano Ballroom 1-2-3-4
Type: Legal & Management
Speaker: Rod Beckstrom
Beckstrom's Law is a new model or theorem of economics formulated by Rod Beckstrom. It purports to answer 'the decades old question of "how valuable is a network."' It is granular and transaction-based and can be used to value any network. It applies to any network: social networks, electronic networks, support groups and even the Internet as a whole. To read a white paper explaining the law and mathematics in detail, please see Economics of Networks. This new model values the network by looking from the edge of the network at all of the transactions conducted and the value added to each. It states that one way to contemplate the value the network adds to each transaction is to imagine the network being shut off and what the additional transaction costs or loss would be.

10:00 AM to 10:20 AM

Dino Dai Zovi: Macsploitation with Metasploit
68 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speakers: Dino Dai Zovi, Charlie Miller
While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.

10:00 AM to 11:00 AM

Wolfgang Kandek: The Laws of Vulnerabilities 2.0
81 attendees
Location: Pompeiian Ballroom
Type: Panels
Speakers: Wolfgang Kandek (mod), Richard Bejtlich, Mark Weatherford
The Laws of Vulnerabilities, version 2.0, is the updated version of the Laws research that premiered at Black Hat in 2003. This research exposes findings on patch trends, prevalence, persistence and exploitability of vulnerabilities within global enterprise networks for internal and external systems.
What"

10:00 AM to 11:00 AM

Billy Hoffman & Matt Wood: Veiled - A Browser Based Darknet
119 attendees
Location: Milano Ballroom 5-6-7-8
Type: Privacy
Speakers: Billy Hoffman, Matt Wood
The concept of a darknet has been around for several years now: a hidden underground where people anonymously and securely communicate and share files with each other. Various projects like Tor, FreeNet, WASTE, decentralized peer-to-peer networks, and other services attempt to provide people with some of these properties. Regardless of how people use darknets, the concept of a private secure network where people can freely communicate ideas as well as distribute content is compelling from both a technological and a philosophical perspective. Unfortunately, the reality is not as clean as the idea. Darknets traditionally require various software programs or components to be installed and configured. This is not for the technically faint of heart. This and other barriers to entry limit those who can participate in a darknet.
In this talk we will discuss and demonstrate Veiled, a proof-of-concept browser-based darknet. A browser-based darknet allows anyone to join from any platform which has a web browser, whether it be a PC or an iPhone. Veiled embodies many of the traditional properties of a darknet. Users can communicate with each other through encrypted channels. Shared files are encrypted, fragmented, and redundantly stored locally across members of Veiled. Another feature, inspired by Ross Anderson"

10:00 AM to 11:00 AM

Peter Kleissner: Stoned Bootkit
79 attendees
Location: Augustus Ballroom 1-2
Type: Rootkits
Speaker: Peter Kleissner
Stoned bootkit is a brand new Windows bootkit. It is loaded before Windows starts and is memory resident up to the Windows Kernel. Thus Stoned is executed beside the Windows Kernel and has full access to the entire system. You can use it to create your own boot software (diagnostic tools, boot manager, etc.). It gives the user back control of the system and has exciting features like integrated FAT and NTFS drivers, automated Windows pwning, plugins and boot applications, and much much more. It finally goes back to the roots - so in this way,
Your PC is now Stoned! ..again
Tags: Windows, Rootkit

10:00 AM to 11:00 AM

Michael Tracy, Chris Rohlf, & Eric Monti: Ruby for Pentesters
54 attendees
Location: Augustus Ballroom 3-4
Type: Testing
Speakers: Michael Tracy, Chris Rohlf & Eric Monti
Getting up to speed quickly on projects where you're down deep reversing protocols or applications can be challenging at best and catastrophic at worst. In this talk we highlight our use of Ruby to solve the problems we're faced with every day. We use Ruby because it's easy to leverage its flexibility and power for everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.
If you're not familiar with Ruby, we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked up network clients using our not-so-patented 'bag-o-tricks' approach.
Tags: Ruby, Audit, Pentesting

10:20 AM to 10:40 AM

Mike Kershaw: Kismet and MSF
102 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speaker: Mike Kershaw
Airpwn-style TCP stream hijacking on wifi networks inside the MSF Framework. "You want urchin.js? Sure, we can do that. Here it is. Trust me." Demo client attacks against popular websites by poisoning the TCP stream, feeding MSF payloads to clients, and tail-modification of already transmitted TCP streams.

10:40 AM to 11:00 AM

Chris Gates: Breaking the 'Unbreakable' Oracle with Metasploit
104 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speaker: Chris Gates
Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks.

11:00 AM to 11:15 AM

Coffee Service
323 attendees
Type: Food & Drink

11:15 AM to 12:30 PM

Nathan Hamiel & Shawn Moyer: Weaponizing the Web
130 attendees
Location: Augustus Ballroom 5-6
Type: Exploitation
Speakers: Nathan Hamiel, Shawn Moyer
Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and, as last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your (and our) favorite sites.

11:15 AM to 12:30 PM

Aaron LeMasters & Michael Murphy: Rapid Enterprise Triaging
78 attendees
Location: Roman Ballroom
Type: Infrastructure
Speakers: Aaron LeMasters, Michael Murphy
Imagine this scenario - routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-Virus did not catch it - updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?
Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget on a one-time fix.
Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.
Additionally, to help alleviate the enormous costs of enterprise Incident Response tools, we will be releasing a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer, which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.

11:15 AM to 12:30 PM

Dmitri Alperovitch: Fighting Russian Cybercrime Mobsters
134 attendees
Location: Milano Ballroom 1-2-3-4
Type: Legal & Management
Speakers: Dmitri Alperovitch, Keith Mularski
A Supervisory Special Agent from the FBI and a native Russian security researcher join forces to present an in-depth insider view of the most prominent cases against Russian and other Eastern European-based online crime syndicates of the past decade. Learn about their experiences gained from being in the middle of major international cybercrime investigations by US law enforcement. The talk will include an in-depth discussion of the investigation into the DarkMarket carding forum, the biggest cybercrime operation by the FBI of 2008, by the agent who spent 2 years undercover working to identify and shut down the leading criminals in the organization.

11:15 AM to 12:30 PM

Peter Silberman & Steve Davis: Metasploit Autopsy - Reconstructing the Crime Scene
71 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speakers: Peter Silberman, Steve Davis
Meterpreter is becoming the new frontier of malicious payloads, allowing an attacker to upload files that never touch disk, circumventing traditional forensic techniques. The stealth of meterpreter creates problems for incident responders, such as: how does a responder determine what occurred on a box exploited by meterpreter?
During this talk we discuss accessing physical memory for the purpose of acquiring a specific process's address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpreter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited process's memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session - completely from memory - and determine what the attacker was doing on the exploited machine.
The talk will conclude with the demonstration of a new tool: the audience will see how an attacker using meterpreter is no longer hidden from the forensic investigator, as we recreate the meterpreter session from memory.

11:15 AM to 12:30 PM

Bob West: CSO Panel - Black Hat Strategy Meeting
41 attendees
Location: Pompeiian Ballroom
Type: Panels
Speakers: Bob West (mod), John Johnson, Max Kelly, Dan Klinger, Bob Lentz
A comprehensive inside look at the impact of the research being released at Black Hat this year. The panel will also discuss overall strategy with new vulnerabilities.

11:15 AM to 12:30 PM

Andrea Barisani & Daniele Bianco: Sniff keystrokes with Lasers / Voltmeters
87 attendees
Location: Milano Ballroom 5-6-7-8
Type: Privacy
Speakers: Andrea Barisani, Daniele Bianco
TEMPEST attacks, exploiting electromagnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees, we guess).
While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched.
Following the overwhelming success of the SatNav Traffic Channel hijacking talk, we continue with the tradition of presenting cool and cheap hardware hacking projects.
We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and power line leakage. The only things you need for successful attacks are either the electrical grid or a distant line of sight; no expensive piece of equipment is required.
We will show the two attacks in detail, with all the necessary instructions for setting up the equipment. As usual, cool gear and videos are going to be featured in order to maximize the presentation.

11:15 AM to 12:30 PM

Dino Dai Zovi: Advanced Mac OS X Rootkits
63 attendees
Location: Augustus Ballroom 1-2
Type: Rootkits
Speaker: Dino Dai Zovi
The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

11:15 AM to 12:30 PM

Michael Eddington: Demystifying Fuzzers
68 attendees
Location: Augustus Ballroom 3-4
Type: Testing
Speaker: Michael Eddington
Fuzzing is an important part of the secure development lifecycle (SDL) and a popular tool for both defensive and offensive security researchers, consultants, and even software developers. With this popularity comes a plethora of fuzzers, both open source and commercial. This briefing takes a look at these different fuzzers and provides insights into "if" and "what" they should be used for. As the developer of Peach, I am often asked to compare various fuzzers and clarify terms tossed around such as Smart and Dumb fuzzing. Additionally, the hidden costs and pitfalls will be addressed.

12:30 PM to 1:45 PM

Lunch
369 attendees
Location: Forum Ballroom
Type: Food & Drink

1:45 PM to 3:00 PM

Moxie Marlinspike: More Tricks for Defeating SSL
147 attendees
Location: Augustus Ballroom 5-6
Type: Exploitation
Speaker: Moxie Marlinspike
This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.

1:45 PM to 3:00 PM

Erez Metula: Managed Code Rootkits
84 attendees
Location: Augustus Ballroom 1-2
Type: Rootkits
Speaker: Erez Metula
This presentation introduces a new concept of application level rootkit attacks on managed code environments, enabling an attacker to change the language runtime implementation and to hide malicious code inside its core. It takes the ".NET Rootkits" concepts a step further, covering generic methods of malware development (rootkits, backdoors, logic manipulation, etc.) for the .NET framework and Java's JVM by changing their behavior. It includes demos of information logging, reverse shells, backdoors, encryption key fixation, and other nasty things.
This presentation will introduce the new version of ".Net-Sploit" - a generic language modification tool used to implement the rootkit concepts. Information about .NET modification - the whitepaper, .NET-Sploit, and source code - can be found here.

3:15 PM to 4:30 PM

Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
74 attendees
Location: Augustus Ballroom 5-6
Type: Exploitation
Speakers: Mark Dowd, Ryan Smith, David Dewey
Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as Javascript, .NET, and via browser plugins. These functionality changes, coupled with increasingly complex cross-communication layers, have created a nuanced and precarious trust layer between many different previously unrelated components.
This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.

3:15 PM to 4:30 PM

Cormac Herley: Economics and the Underground Economy
58 attendees
Location: Milano Ballroom 5-6-7-8
Type: Legal & Management
Speakers: Cormac Herley, Dinei Florencio
The popular and trade presses are full of stories about the underground economy and the easy money to be made there. We are told that phishers and spammers harvest money at will from the online population. Even those without skills can buy what they need and sell what they produce on IRC markets. Estimates of the size of this underground economy vary, but common to most accounts is that it is large and growing rapidly.
In a careful examination of the evidence, we find that these claims are speculation, unsupported by evidence. Estimates of the cybercrime economy are enormous extrapolations from very noisy and poorly-sourced data. Reports that exploits like phishing and spam are worth billions appear to be off by orders of magnitude. Our analysis suggests that the laws of economics have not been suspended. Phishing and spam are subject to the tragedy of the commons, so that returns are kept low. IRC channels are infested with rippers, so that buying and selling is hard. Cybercrime is a ruthlessly competitive business, and low-skill jobs still pay like low-skill jobs. Much as in the regular economy, to do well you need a rare skill or a barrier to entry. However, cybercrime is still a very big deal.

3:15 PM to 4:30 PM

Amit Yoran: DC Panel - Update from Washington
56 attendees
Location: Pompeiian Ballroom
Type: Panels
Speakers: Amit Yoran (mod), Leslie Gold, Richard H. L. Marshall, Marchus Sachs
Washington is giving cyber security more attention. What does this mean for current cyber security bills? This panel will look at security and website liability, consumer privacy legislation, government access to cloud computing data, location privacy and international human rights issues.

3:15 PM to 4:30 PM

Steve Topletz, Jonathan Logan & Kyle Williams: Global Spying
81 attendees
Location: Milano Ballroom 5-6-7-8
Type: Privacy
Speakers: Steve Topletz, Jonathan Logan, Kyle Williams
When talking about the threat of Internet surveillance the argument most often presented is that "there is so much traffic that any one conversation or email won't be picked up unless there is reason to suspect those concerned; it is impossible that "

3:50 PM to 4:30 PM

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 1
101 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speakers: Val Smith, Colin Ames, David Kerb
Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for spear phishing on pen tests, second stage backdoors, and extensive communication over Tor.

4:30 PM to 4:45 PM

Coffee Service
280 attendees
Type: Food & Drink

4:45 PM to 6:00 PM

Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09
67 attendees
Location: Augustus Ballroom 5-6
Type: Exploitation
Speakers: Thomas H. Ptacek, David Goldsmith, Jeremy Rauch
Place an order for a stock on a retail brokerage, and you've set off a long chain of events across a broad, proprietary network of systems running at most financial institutions around the world. Orders are created, tagged, and stored in multiple databases. Messages are created in middleware stacks, funneled through order routing systems, and stored in persistence layers backed by everything from embedded databases to Oracle servers. Traders at firms large and small join in as the other side of the order, working from proprietary Windows trading dashboards, web applications, and magical Excel spreadsheets. Sub-second latencies matter, so parts of this patchwork quilt are written in C, and virtually none of it is encrypted.
Our talk is a guided tour through the systems and protocols used to transact this business; a parallel Internet that routes money and contracts instead of porn and MP3s. We'll describe patterns of vulnerabilities we've uncovered, explain poorly-understood trading protocols and middleware stacks, and describe the all-important interactions between these components where subtle vulnerabilities crop up.

4:45 PM to 6:00 PM

Andrew Fried, Paul Vixie & Christopher Lee: Internet Special Ops
126 attendees
Location: Roman Ballroom
Type: Infrastructure
Speakers: Andrew Fried, Paul Vixie, Dr. Chris Lee
Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents require the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.

4:45 PM to 6:00 PM

Jennifer Granick: Computer Crime Year in Review
96 attendees
Location: Milano Ballroom 1-2-3-4
Type: Legal & Management
Speaker: Jennifer Granick
It's been a booming year for computer crime cases as cops and civil litigants have pushed the envelope to go after people using fake names on social networking sites (the MySpace suicide case), researchers giving talks at DEFCON (MBTA v. Anderson), and students sending email to other students (the Calixte/Boston College case). The Electronic Frontier Foundation has been front and center in these cases, either filing amicus briefs or directly representing the coders and speakers under attack. At this presentation, Jennifer Granick and other EFF lawyers fresh from the courtroom will share war stories about these cases, thereby informing attendees about the latest developments in computer security law and giving pointers about how to protect yourselves from overbroad legal challenges.

4:45 PM to 6:00 PM

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 2
60 attendees
Location: Florentine 1-2-3-4
Type: Metasploit
Speakers: Val Smith, Colin Ames, David Kerb
Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for spear phishing on pen tests, second stage backdoors, and extensive communication over Tor.

4:45 PM to 6:00 PM

Rich Mogul: VC Panel - Security Business Strategies During a Recession
42 attendees
Location: Pompeiian Ballroom
Type: Panels
Speakers: Rich Mogul (mod), Becky Bace, Rick Gordon, Mark McGovern
All too often we forget that economics, not any collection of vulnerabilities, exploits, or technologies, affects the practice of security more than any other single factor. Economics determines what data the attackers target, what resources we have for defense, and what technologies are at our disposal. Over the past year we've seen all aspects of the global economy affected by the current recession, and security is no exception.
Our panel of investors and analysts will present their latest findings on the current state of the business side of the security industry, and how to best thrive in a down economy. Is cyber security immune, as some like to claim, or will enterprise budgets be slashed as new technologies wither without funding? Are startups better off now, or will security innovation have to migrate back to the large vendors? Can you take advantage of the downturn to pressure your vendors for better prices and services? Does the recession create opportunities to improve security strategies? How does the economy affect the offensive side of security? As we answer these questions, our panel will also review the major security business trends for the next three years, with specific predictions on which technologies and vendors will survive, which will die, and how it all affects the day-to-day practice of security.

4:45 PM to 6:00 PM

Alessandro Acquisti: I just found 10 Million SSNs
71 attendees
Location: Milano Ballroom 5-6-7-8
Type: Privacy
Speaker: Alessandro Acquisti
Social Security numbers (SSNs) were created in the 1930s as identifiers for accounts tracking individual earnings. Over time, they started being used (and abused) as sensitive authenticators. Hence, they became one of the pieces of information most often sought by identity thieves. To respond to growing concerns with SSN over-exposure and counter the rise of identity theft, policy makers have encouraged individuals to keep their SSNs safe and confidential, and, more recently, enacted legislation to reduce their public availability. But what if even well-meaning consumers may provably be unable to protect their SSNs, and legislative initiatives aimed at reducing their availability may in fact backfire? We will examine the possibility that SSNs may be more predictable than currently acknowledged, and discuss the unintended consequences of policy initiatives in the area of identity theft prevention.

4:45 PM
to 6:00 PM

Alexander Tereshkin & Rafal Wojtczuk: Introducing Ring -3 Rootkits
104 schedule::attendees
Location Augustus Ballroom 1-2
eventtype  Rootkits
  Alexander Tereshkin, Rafal Wojtczuk
event::about  Rootkit evolution over the past decade:
Ring 3 == usermode rootkits
Ring 0 == kernelmode rootkits
Ring -1 == hypervisor rootkits (BluePill)
Ring -2 == SMM rootkits
Now, we're going to introduce Ring -3 rootkits.

4:45 PM
to 6:00 PM

Riley Hassell: Exploiting Rich Content
54 schedule::attendees
Location Augustus Ballroom 3-4
eventtype  Testing
  Riley Hassell
event::about  As RIA (Rich Internet Application) technologies flourish onto the marketplace many wonder what impact they will have on the security landscape. Routinely iSEC Partners performs assessments of emerging technologies to better understand their risks and how to remediate these risks in live deployments. As RIA technologies advance vendors move to complex file formats as a solution to deliver rich content. With this in mind iSEC Partners performed an assessment of various file formats used by the popular RIA implementations. During the assessment of these technologies several issues were discovered in the popular technologies. At initial glance these issues may appear harmless. This presentation will demonstrate how these often considered low risk issues can be carefully exploited to have a much deeper impact. Developers should be aware of these common programming mistakes when developing complex file formats, which are especially critical in Rich Internet Applications.

6:00 PM
to 7:30 PM

Gala Reception
187 schedule::attendees
eventtype  Food & Drink

6:00 PM
to 7:30 PM

Johnny Long: Me to We
150 schedule::attendees
Location Florentine Ballroom
eventtype  Food & Drink
  Johnny Long
event::about  From scrubby C64 pirate to professional hacker to reluctant "Internet rockstar", the past five years of Johnny's journey have been interesting. The last few months, however, have been straight-up bizarre. While many strain to maintain and others scrape and scratch at the ladder, Johnny's jumped off the top rung. This is a story of what it takes to make it in this industry, and what the view's like from the top. This is a story about how utterly teh suck the view from the top really is and why you might want to just jump off now before it's too late. This is the story of a rise and fall and the crossover cable those terms require. This is a story that's relevant if you're in for the long haul. This is Johnny's story, as only Johnny can tell it. Which means it might be funny.

6:00 PM
to 7:30 PM

Pwnie Awards
112 schedule::attendees
Location Roman Ballroom
eventtype  Food & Drink
event::about  The Pwnie Awards will return for the third consecutive year to the BlackHat USA conference in Las Vegas. The award ceremony will take place during the BlackHat reception on July 29, 2009 and the organizers promise an extravagant show.
The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the wider security community in the past year. Nominations are currently accepted in nine award categories:
* Best Server-Side Bug
* Best Client-Side Bug
* Mass 0wnage
* Most Innovative Research
* Lamest Vendor Response
* Most Overhyped Bug
* Best Song
* Most Epic FAIL
* Lifetime Achievement award for hackers over 30

8:00 AM
to 8:00 AM

Breakfast
316 schedule::attendees
eventtype  Food & Drink

8:50 AM
to 9:50 AM

Keynote 2
344 schedule::attendees
Location Augustus Ballroom
eventtype  Random
  TBD
event::about  TBD

10:00 AM
to 11:00 AM

Alex Stamos, Andrew Becherer & Nathan Wilcox: Cloud Computing Models
150 schedule::attendees
Location Augustus Ballroom 3-4
  Alex Stamos, Andrew Becherer & Nathan Wilcox
event::about  Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although they do offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicates the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the "big picture"

10:00 AM
to 11:00 AM

Rafal Wojtczuk & Alexander Tereshkin: Attacking Intel® BIOS
57 schedule::attendees
Location Milano Ballroom 5-6-7-8
eventtype  Hardware
  Rafal Wojtczuk, Alexander Tereshkin
event::about  We demonstrate how to permanently reflash Intel BIOSes on the latest Intel Q45-based systems. In contrast to previous work done by other researchers a few months earlier, who targeted totally unprotected low-end BIOSes, we focus on how to permanently reflash one of the most secure BIOSes out there, which normally only allows a vendor's digitally signed firmware to be flashed. As an extra bonus we describe yet another, on-the-fly, previously undisclosed attack against SMM on Intel platforms affecting most of the recent chipsets.

10:00 AM
to 11:00 AM

Zane Lackey & Luis Miras: Attacking SMS
135 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Zane Lackey, Luis Miras
event::about  With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.

10:00 AM
to 11:00 AM

Hacker Court
44 schedule::attendees
Location Pompeiian Ballroom
eventtype  Panels
  Kevin Bankston, Carole Fennelly, Jonathan Klein, Brian Martin, Paul Ohm, Kurt Opsahl, Richard Salgado, Simple Nomad, Richard Thieme, Weasel, Peiter "Mudge"
event::about  This presentation is a mock trial that demonstrates legal issues in cyberspace. All events are fictitious, but legally accurate. A summary of the case follows:
A federal grand jury indicted two men, known as "Weasel and Silent Nomad" for their alleged role in perpetrating a hoax on the online social messaging utility, "Wanker"

10:00 AM
to 11:00 AM

Datagram: Lockpicking Forensics
84 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Datagram
event::about  Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.

10:00 AM
to 10:30 AM

Alfredo Ortega: Deactivate the Rootkit
78 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Alfredo Ortega, Anibal Sacco
event::about  There are three things that you should know about the Rootkit:
1. If you have a notebook, you probably have The Rootkit.
2. You can't erase the Rootkit, but you should know how to deactivate it.
3. Finally, you should know how you (or somebody else) could activate the Rootkit.

10:30 AM
to 11:00 AM

Kevin Stadmeyer: Worst of the Best of the Best
69 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Kevin Stadmeyer, Garrett Held
event::about  This talk provides an overview of popular, and lesser known but similar sounding awards, and the correlation between them and security vulnerabilities found. The analysis will use publicly available information for statistics and sanitized examples of award-winning products that are clearly vulnerable to common attacks.

11:00 AM
to 11:15 AM

Coffee Service
288 schedule::attendees
eventtype  Food & Drink

11:15 AM
to 12:30 PM

Matt Conover: SADE: Injecting agents into VM guest OS
113 schedule::attendees
Location Augustus Ballroom 3-4
  Matt Conover
event::about  As more and more virtual machines (VMs) are packed into a physical machine, refactoring common kernel components shared by virtual machines running on the same physical machine could significantly reduce the overall resource consumption. The refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantic gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification.
To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a stealthy agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents, and show that both the start-up overhead and the run-time performance penalty of SADE are quite acceptable.

11:15 AM
to 12:30 PM

Travis Goodspeed: A 16-bit Rootkit and Second Generation Zigbee Chips
39 schedule::attendees
Location Milano Ballroom 5-6-7-8
eventtype  Hardware
  Travis Goodspeed
event::about  This lecture in two parts presents first a self-replicating rootkit for wireless sensors, then continues with recent research into the security of second generation Zigbee radio chips such as the CC2430/2431 and the EM250. A live demo and a vulnerability will be released as a part of this presentation.

11:15 AM
to 12:30 PM

Charlie Miller & Collin Mulliner: Fuzzing the Phone in your Phone
123 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Charlie Miller, Collin Mulliner
event::about  In this talk we show how to find vulnerabilities in smart phones. Not in the browser or mail client or any software you could find on a desktop, but rather in the phone specific software. We present techniques which allow a researcher to inject SMS messages into iPhone, Android, and Windows Mobile devices. This method does not use the carrier and so is free (and invisible to the carrier). We show how to use the Sulley fuzzing framework to generate fuzzed SMS messages for the smart phones as well as ways to monitor the software under stress. Finally, we present the results of this fuzzing and discuss their impact on smart phones and cellular security.

11:15 AM
to 12:30 PM

Hacker Court (continued)
39 schedule::attendees
Location Pompeiian Ballroom
eventtype  Panels
  Kevin Bankston, Carole Fennelly, Jonathan Klein, Brian Martin, Paul Ohm, Kurt Opsahl, Richard Salgado, Simple Nomad, Richard Thieme, Weasel, Peiter "Mudge"
event::about  This presentation is a mock trial that demonstrates legal issues in cyberspace. All events are fictitious, but legally accurate. A summary of the case follows:
A federal grand jury indicted two men, known as "Weasel and Silent Nomad" for their alleged role in perpetrating a hoax on the online social messaging utility, "Wanker"

11:15 AM
to 12:30 PM

Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
136 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Jeremiah Grossman, Trey Ford
event::about  Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, oversights in the way a system is designed to work or can be made to work, can typically be gamed in low-tech ways. In the real world, these attacks have led to between four- and nine-figure paydays with nothing more than basic analytical skills required. Furthermore, these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. They are so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or they become headline news.

11:15 AM
to 12:30 PM

Nick Harbour: Win at Reversing
102 schedule::attendees
Location Augustus Ballroom 1-2
  Nick Harbour
event::about  This presentation will discuss a new free tool for Reverse Engineering called API Thief, the "I Win" button for malware analysis. The unique way the tool operates will be explored, as well as how it is able to provide better quality data than other tracing tools currently available. Advanced usage of the tool for malware analysis will be demonstrated, such as sandboxing functionality and a new technique for automated unpacking.

11:15 AM
to 11:40 AM

Daniel Raygoza: Automated Malware Similarity Analysis
50 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Daniel Raygoza
event::about  While it is fairly straightforward for a malware analyst to compare two pieces of malware for code reuse, it is not a simple task to scale to thousands of pieces of code. Many existing automated approaches focus on run-time analysis and critical trait extraction through signatures, but they don't focus on code reuse. Automated code reuse detection can help malware analysts quickly identify previously analyzed code, develop links between malware and its authors, and triage large volumes of incoming data. The tool and approach presented is best suited for groups that often perform in depth analysis of malware samples (including unpacking) and are looking for methods to develop links and reduce duplicated effort.

11:40 AM
to 12:30 PM

Chris Weber: Unraveling Unicode
56 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Chris Weber
event::about  The complex landscape of Unicode provides many angles for exploiting software and end users. We've known about some of these for years, we've seen buffer overflows exploited because of faulty Unicode handling, and we've seen homograph attacks in URLs. However, the real mysteries remain latent, unapparent to most software developers and even to the security community. I'm going to raise awareness around the interesting attack vectors and new areas of research into Unicode, as well as open people's eyes to the modern Visual Spoofing attacks of today.
This talk will include demonstrations of several uncommon vulnerabilities/attack vectors, and will also include a tool release to assist in finding these issues. A separate Spoof-detection component will also be released to demonstrate how we can defend users against Visual Spoofing attacks. We'll take a close technical look at many of the issues in Unicode software which are not well-known even in the security research community:
* How Unicode characters can be mishandled to take on powerful formatting properties such as white space.
* When unexpected UTF-8 sequences can lead to over-consumption and character deletion which enable attacks such as cross-site scripting and file system manipulation.
* What happened to non-shortest form UTF-8 and UTF-7?
* Why best-fit mappings lurking in common frameworks and APIs will enable drastic misbehavior and attacks within your applications, allowing for control over file systems and interpreters/parsers such as HTML.
* When casing operations enable a special character to be converted into something useful for cross-site scripting and other attacks.
* Why normalization operations can enable a Latin Modifier character to be converted into an exploitable HTML greater than sign.
* How normalization and casing operations can expand a single character by up to 18x leading to buffer overflows.
* Why the BOM and Mongolian Vowel Separator are great inputs to use in test cases.
* How Internationalized Domain Names work and why they're still vulnerable to Visual Spoofing attacks today.
This presentation's intention is to educate the audience on categorized security issues around Unicode and Internationalized software in a clear and structured way, while giving real-world test cases, inputs, and practices for finding and avoiding vulnerabilities. I'll also cover the visual security issues relating to script spoofing and the 'confusables'. Internationalized Domain Names have been with us since 2003 yet are less understood in the security community. Internationalized top-level domains are coming up, as are internationalized email addresses. I'll be demonstrating how I can fool end users with lookalikes and homograph attacks in modern browsers with common .COM and .ORG domains.
Unicode is a universal character encoding providing the basis for processing, storage, and interchange of text data in any language in all modern software. Unicode replaces the myriad of historical character sets and encodings which have proven cumbersome and difficult for interoperability. With Unicode we get a single unified model for representing characters in almost any language past, present, and even future.
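The following Python is an added example, not material from the talk or its tool release. It uses constructed inputs to show four of the mechanisms listed above: NFKC turning look-alike code points into ASCII metacharacters (U+FF1E into '>'), a single character expanding to 18 code points under normalization (U+FDFA) or a ligature growing under casing, a strict decoder rejecting non-shortest-form UTF-8 (C0 AF for '/'), and UTF-7 smuggling angle brackets past an ASCII filter. The `naive_filter`/`safe_filter` pair is this example's own construction; it shows why validation has to run on the normalized form, not the raw input. Best-fit mappings are a Windows code-page conversion behaviour and are not reproduced here.

```python
import unicodedata

# Added example with constructed inputs; not code from the talk.


def normalize_nfkc(s: str) -> str:
    """Compatibility normalization: the step in which look-alikes become ASCII."""
    return unicodedata.normalize("NFKC", s)


def nfkc_len(s: str) -> int:
    """Code points after NFKC. U+FDFA expands to 18, the worst case cited above."""
    return len(normalize_nfkc(s))


def expansion_factor(ch: str) -> int:
    """Code points after NFKC followed by upper-casing, for one input character.
    A buffer sized on the input length overflows on inputs like U+FB03 (ffi)."""
    return len(normalize_nfkc(ch).upper())


def upper_of(ch: str) -> str:
    """Casing alone maps non-ASCII letters onto ASCII: U+017F (long s) -> 'S',
    U+0131 (dotless i) -> 'I'. A case-insensitive compare done after a check
    on the raw string can therefore match a reserved name."""
    return ch.upper()


def naive_filter(user_input: str) -> str:
    """Vulnerable order: reject '<' and '>' first, normalize afterwards.
    U+FF1E FULLWIDTH GREATER-THAN SIGN passes the check and then becomes '>'."""
    if "<" in user_input or ">" in user_input:
        raise ValueError("angle bracket rejected")
    return normalize_nfkc(user_input)


def safe_filter(user_input: str) -> str:
    """Correct order: normalize first, then validate the canonical form."""
    canonical = normalize_nfkc(user_input)
    if "<" in canonical or ">" in canonical:
        raise ValueError("angle bracket rejected")
    return canonical


def yields_angle_bracket(filter_fn, user_input: str) -> bool:
    """True if filter_fn accepts user_input and its output contains '<' or '>'."""
    try:
        out = filter_fn(user_input)
    except ValueError:
        return False
    return "<" in out or ">" in out


def overlong_utf8_rejected(raw: bytes) -> bool:
    """C0 AF is a non-shortest-form encoding of '/' (U+002F). Conforming
    decoders must reject it; Python's strict UTF-8 decoder does."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def utf7_decode(s: str) -> str:
    """UTF-7 carries '<' as '+ADw-' and '>' as '+AD4-', so a filter that only
    inspects ASCII sees nothing dangerous until a consumer decodes as UTF-7."""
    return s.encode("ascii").decode("utf-7")


if __name__ == "__main__":
    print(repr(normalize_nfkc("\uff1e")))                      # '>'
    print(nfkc_len("\ufdfa"))                                   # 18
    print(expansion_factor("\ufb03"))                           # 3
    print(upper_of("\u017f"), upper_of("\u0131"))               # S I
    print(yields_angle_bracket(naive_filter, "\uff1escript"))   # True
    print(yields_angle_bracket(safe_filter, "\uff1escript"))    # False
    print(overlong_utf8_rejected(b"\xc0\xaf"))                  # True
    print(utf7_decode("+ADw-script+AD4-"))                      # <script>
```

The practical rule the block illustrates: decode with a strict decoder, normalize and case-fold once at the trust boundary, and run every validation and comparison on that canonical form; anything checked before that step can be bypassed by one of the inputs above.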

12:30 PM
to 1:45 PM

Lunch
308 schedule::attendees
eventtype  Food & Drink

1:45 PM
to 3:00 PM

Haroon Meer: Clobbering the Cloud!
132 schedule::attendees
Location Augustus Ballroom 3-4
  Haroon Meer, Nick Arvanitis, Marco Slaviero
event::about  Cloud Computing dominates the headlines these days but like most paradigm changes this introduces new risks and new opportunities for us to consider. Some deep technical research has gone into the underlying technologies (like Virtualization) but to some extent this serves only to muddy the waters when considering the overall threat landscape. During this talk, SensePost will attempt to separate fact from fiction while walking through several real-world attacks on "the cloud." The talk will focus both on attacks against the cloud and on using these platforms as attack tools for general Internet mayhem. For purposes of demonstration we will focus most of our demos and attacks against the big players...

1:45 PM
to 3:00 PM

Joe Grand, Jacob Appelbaum & Chris Tarnovsky: 'Smart' Parking Meter Implementations, Globalism, and You
69 schedule::attendees
Location Milano Ballroom 5-6-7-8
eventtype  Hardware
  Joe Grand, Jacob Appelbaum, Chris Tarnovsky
event::about  Throughout the United States, cities are deploying "smart" electronic fare collection infrastructures that have been commonplace in European countries for many years. In 2003, San Francisco launched a $35 million pilot program to replace approximately 23,000 mechanical parking meters with electronic units that boasted tamper resistance, payment via smart card, auditing capabilities, and an estimated $30 million annually in fare collection revenue. Other major cities, including Atlanta, Boston, Chicago, Los Angeles, New York, Philadelphia, Portland, and San Diego, have made similar moves.
In this session, we will present our evaluation of electronic parking meters, including smart card protocol analysis and emulation, silicon die analysis, and firmware reverse engineering, all of which aided in successful breaches.

1:45 PM
to 3:00 PM

Kevin Mahaffey, Anthony Lineberry & John Hering: Is Your Phone Pwned?
127 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Kevin Mahaffey, Anthony Lineberry, John Hering
event::about  The world has never been more connected. Over a billion mobile devices ship every year, five times the number of PCs in the same period. The iPhone and Android have accelerated the mass adoption of smart devices, mobile applications, and high speed mobile networks. Meanwhile, mobile devices are now a material target: they contain sensitive personal and corporate data, access privileged networks, and routinely perform financial transactions. The question remains, how do we keep these devices safe?
Learn about how to detect vulnerabilities on mobile devices, exploitation techniques, how the security architecture of major mobile platforms work, and how to protect your mobile device(s) in the threat landscape of a constantly evolving mobile world. We'll be demonstrating a new mobile device vulnerability (we're also providing a hotfix tool) and analyzing other vulnerabilities that affect major mobile platforms, one of which is already being actively exploited in the wild. To top it off, we will be releasing our 'Sniper' mobile fuzzing framework, a tool specifically designed to fuzz mobile platforms that includes support for major file formats and protocols typically present on mobile devices.

1:45 PM
to 3:00 PM

DHS Roundtable
37 schedule::attendees
Location Pompeiian Ballroom
eventtype  Panels
  TBD
event::about  TBD

1:45 PM
to 3:00 PM

Hristo Bojinov, Elie Bursztein & Dan Boneh: Embedded Management Interfaces
60 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Hristo Bojinov, Dan Boneh, Elie Bursztein
event::about  Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.

1:45 PM
to 3:00 PM

Danny Quist & Lorie Liebrock: Reverse Engineering by Crayon
76 schedule::attendees
Location Augustus Ballroom 1-2
  Danny Quist, Lorie Liebrock
event::about  Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we'll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.

1:45 PM
to 2:10 PM

Bryan Sullivan: Defensive Rewriting
60 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Bryan Sullivan
event::about  Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.
This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.
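The Python below is an added example, not Bryan Sullivan's ASP.NET module or his pseudocode. It implements one way to do what the abstract describes: every outbound URL carries a token bound to a 10-minute time bucket, and the server accepts only the current bucket plus one earlier bucket of grace, so a poisoned link reaching a victim's inbox an hour later no longer resolves. The token is an HMAC over the path and the sorted query string, which also invalidates parameter tampering inside the window. The parameter name `_t`, the bucket sizes and the key are this example's assumptions; the key shown is a constructed placeholder.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example; the constants below are assumptions, not from the talk.
SECRET_KEY = b"example-only-key-do-not-deploy"   # constructed placeholder key
TOKEN_PARAM = "_t"
BUCKET_SECONDS = 600   # every URL changes every 10 minutes
GRACE_BUCKETS = 1      # honour the previous bucket so an already-open page
                       # keeps working for up to 10 more minutes


def _canonical(parts) -> str:
    """Path plus sorted query (token removed), so any changed parameter
    also invalidates the token."""
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    return parts.path + "?" + urlencode(sorted(pairs))


def _token(canonical: str, bucket: int) -> str:
    """HMAC-SHA256 over bucket number and canonical URL, truncated to 128 bits."""
    mac = hmac.new(SECRET_KEY, f"{bucket}|{canonical}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def rewrite_url(url: str, now: float) -> str:
    """Rewrite an outbound URL so it carries the token for the current bucket.
    In a real deployment this runs over every link the application emits."""
    parts = urlsplit(url)
    bucket = int(now // BUCKET_SECONDS)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TOKEN_PARAM]
    pairs.append((TOKEN_PARAM, _token(_canonical(parts), bucket)))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def is_valid_request(url: str, now: float) -> bool:
    """Accept a request only if its token matches the current bucket or one of
    the GRACE_BUCKETS before it. A link mailed out an hour ago fails here."""
    parts = urlsplit(url)
    supplied = dict(parse_qsl(parts.query)).get(TOKEN_PARAM)
    if supplied is None:
        return False
    canonical = _canonical(parts)
    bucket = int(now // BUCKET_SECONDS)
    return any(hmac.compare_digest(supplied, _token(canonical, b))
               for b in range(bucket, bucket - GRACE_BUCKETS - 1, -1))


if __name__ == "__main__":
    sent_at = 1_000_000_000.0
    link = rewrite_url("https://app.example/transfer?to=alice&amount=50", sent_at)
    print(link)
    print(is_valid_request(link, sent_at + 300))    # True: still inside the window
    print(is_valid_request(link, sent_at + 3600))   # False: the mailed link has expired
```

The check has to be applied to every entry point that could be reached from an e-mailed link, and a rejected request should land on a neutral page that re-issues fresh links rather than echoing the stale parameters; otherwise the error page itself becomes the injection target.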

2:10 PM
to 2:35 PM

Rachel Engel: Gizmo
68 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Rachel Engel
event::about  Gizmo is a free new open source web proxy designed to be lightweight, speedy, and responsive. When someone is performing a web pentest, they want a tool that lets them edit and search through requests quickly. The tool should let them search through and edit requests without slowing down web traffic or taking up the user's attention with heavyweight user interfaces. Gizmo was created with this in mind. The user interface is focused on the keyboard so that once the initial (very small) learning curve is over, the user can operate gizmo without their hands leaving the keyboard. A great deal of effort was also spent ensuring that gizmo proxies traffic snappily enough that a user's web browsing experience isn't hampered. The presentation will focus on gizmo's feature set and on a demonstration of how snappy and responsive web proxies can be.

2:45 PM
to 3:05 PM

Tony Flick: Hacking the Smart Grid
109 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Tony Flick
event::about  The city of Miami and several commercial partners plan to roll out a "smart grid" citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute of Standards and Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.

3:15 PM
to 4:30 PM

Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware
142 schedule::attendees
Location Augustus Ballroom 3-4
  Kostya Kortchinsky
event::about  Virtualization is everywhere, and VMware is a major actor in the domain. A MacOS user running a Windows only application in a Fusion guest. A malware researcher analysing the latest Conficker in a Workstation guest. A big company running a cloud virtualized on some ESX servers. All of them rely on the security offered by the virtualization software, as a breakout would have disastrous consequences.
Yet VMware products implement a lot of functionality, and as such have a decent chance of including some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.

3:15 PM
to 4:30 PM

Chris Tarnovsky: What the Hell is In there?
55 schedule::attendees
Location Milano Ballroom 5-6-7-8
eventtype  Hardware
  Chris Tarnovsky
event::about  An in-depth look inside the latest high-security smartcard devices commonly found inside GSM SIM cards. Several different manufacturers have been torn down. Most are certified at the highest Common Criteria levels available. High-resolution images will be the focal point of the discussion, as well as how secure these devices really are. Is the latest Comp128 algorithm secure, or is there a risk of exposure from one of these SIM cards?

3:15 PM
to 4:30 PM

Jesse Burns: Exploratory Android Surgery
57 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Jesse Burns
event::about  It's hard to resist open, Linux-based phones with sophisticated programming environments and a novel security model. Android has application-level isolation, new kernel primitives for communication, and fancy UI features wrapped around its open source heart. This talk will explore Android's fancy new kernel and user mode security mechanisms, how to test them, and how to mess around inside your droid.
Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.
In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.

3:15 PM
to 4:30 PM

Meet the Feds: Feds vs. Ex-Feds
116 schedule::attendees
Location Pompeiian Ballroom
eventtype  Panels
  Feds: Jim Christy, Mike Convertino, John Garris, Barry Grundy, Bob Hopper, Mischel Kwon, Robert Lentz, Rich Marshall, Stephane Turgeon, Shawn Henry, Ken Privette, Paul Sternal, Jamie Turner, Lin Wells
EX-FEDS: Rod Beckstrom, Jerry Dixon, Andy Fried, Greg Garcia, Jon Idonisi, Ray Kessenich, Kevin Manson, Keith Rhodes
event::about  Did you ever wonder if the Feds were telling you the truth when you asked a question? This year we're inviting you to "Meet the Feds and Ex-Feds" to answer your questions. The objective is to get you the answers to your questions without getting a public official fired! Come ask your question and compare the answers you get.
Each of the agency reps and ex-agency reps will make an opening statement regarding their agency's role, then open it up to the audience for questions.
Agencies that will have representatives include: Defense Cyber Crime Center (DC3), FBI, IRS, NCIS, NASA, DHS USCERT, DoJ, National White Collar Crime Center (NWC3), NSA, US Postal IG, Office of the Secretary of Defense, National Defense University.

3:15 PM
to 4:30 PM

Alexander Sotirov & Mike Zusman: Breaking the Security Myths of Extended Validation SSL Certificates
87 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Alexander Sotirov, Mike Zusman
event::about  Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.
Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.

3:15 PM
to 4:30 PM

K. Chen: Reversing and Exploiting an Apple® Firmware Update
51 schedule::attendees
Location Augustus Ballroom 1-2
  K. Chen
event::about  I describe how an attacker can install malicious code into the firmware of an Apple aluminum keyboard.

3:15 PM
to 3:40 PM

Marc Bevand: MD5 Chosen
53 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Marc Bevand
event::about  In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developed to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical for anybody. Software techniques to achieve the breakthrough performance gain will be demonstrated.

3:40 PM
to 4:05 PM

Steve Ocepek: Long-Life Sessions
69 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Steve Ocepek
event::about  Whether it's a credit card sniffer, a chatty web application, or unauthorized remote control software, long-lived network sessions are frequently being used to establish bi-directional conduits into and out of our networks. Unlike traditional "pull" oriented sessions, long-life sessions create channels that last anywhere from several minutes to several days. This behavior is not inherently bad, but since each connection represents a direct path into a network resource, being able to scrutinize these pathways would certainly even the odds a bit.
This discussion will present ways of classifying long-life sessions, decisions that need to be made around their use, and methods for detection and disconnection. While some current tools can get us part of the way there, a new approach will be presented in the form of a proof-of-concept utility called "ackack." This program, initially being released at Black Hat 2009, can be used with a switch monitor session to apply ARIN-based white/blacklists to long-life incoming and outgoing sessions. Detecting LogMeIn, botnets, and phone-home malware suddenly becomes feasible, as well as incoming server exploits that, for instance, drop the intruder into a shell. The goal of this software is to demonstrate the plausibility of controlling long-life sessions and encourage hardware vendors to implement this functionality. It might also make the world a better place, which would be kinda cool too.

4:05 PM
to 4:30 PM

Peter Guerra: How Economics and Information Security Affects Cyber Crime
98 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Peter Guerra
event::about  This turbo talk will explore the links between US law, international cybercrime, malware proliferation, and the economics of botnets. During this time, I will present research into the impact the current worldwide economic crisis has had on cybercrime and the impact on security professionals. I will also use economics to link cybercrime activity to emerging markets countries (Brazil, Russia, India, and China) and show research into how the CAN-SPAM act created economic incentives for an increase in botnets, spam, malware, and phishing attacks.

4:30 PM
to 4:45 PM

Ice Cream Sundae Social
287 schedule::attendees
eventtype  Food & Drink

4:45 PM
to 6:00 PM

Bruce Schneier: Reconceptualizing Security
169 schedule::attendees
Location Augustus Ballroom 3-4
  Bruce Schneier
event::about  Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields (behavioral economics, the psychology of decision making, evolutionary biology) shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.

4:45 PM
to 6:00 PM

Mike Davis: Recoverable Advanced Metering Infrastructure
46 schedule::attendees
Location Milano Ballroom 5-6-7-8
eventtype  Hardware
  Mike Davis
event::about  Smart Grid. Smart Meters. AMI. Certainly no one has escaped the buzz surrounding this potentially ground-breaking technology. However, equally generating buzz is the heightened threat of attack these technologies provide. Mike Davis and a team of IOActive researchers were able to identify multiple programming errors on a series of Smart Meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues. The team was able to "weaponize"

4:45 PM
to 6:00 PM

Vincenzo Iozzo & Charlie Miller: Post Exploitation Bliss - Loading Meterpreter on a Factory iPhone
59 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Vincenzo Iozzo, Charlie Miller
event::about  iPhones are now widely used by people; as a consequence the number of factory phones is ever increasing. Until very recently, researchers focused on exploitation techniques for jailbroken phones. Most of these approaches are not usable on factory phones due to a number of protections, including code signing and additional memory protections. For that reason, even with the ability to execute arbitrary code in an exploit, it is very hard to know what to do. This presentation will show how it is possible to effectively run high-level payloads on a factory phone by defeating code signing protections after exploitation. Specifically, by injecting an arbitrary non-signed library into the victim's process address space, an attacker is able to run his own code, thus granting a much higher attack efficacy. This is especially important because on factory iPhones there are no useful utilities, not even a shell. With this technique, an attacker can bring along their own tools, including the ability to get directory listings, upload and download files, even pivot attacks, in the form of Meterpreter!

4:45 PM
to 6:00 PM

A Black Hat Vulnerability Risk Assessment
78 schedule::attendees
Location Pompeiian Ballroom
eventtype  Panels
  Jerry Dixon, David Mortman, Alex Hutton
event::about  Security professionals regularly fall into the trap that security is only about vulnerabilities and who has more. In reality, vulnerabilities need to be viewed in the context of how the system or "

4:45 PM
to 6:00 PM

Bill Blunden: Anti-Forensics: The Rootkit Connection
77 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Bill Blunden
event::about  Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, recently don't seem to have garnered the same degree of coverage. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.

4:45 PM
to 6:00 PM

Mario Vuksan: Fast & Furious Reverse Engineering with TitanEngine
51 schedule::attendees
Location Augustus Ballroom 1-2
  Mario Vuksan, Tomislav Pericin
event::about  A great challenge of modern reverse engineering is taking apart and analyzing binary protections. During the last decade, a vast number of shell modifiers have appeared. At the same time, protection tools have evolved from encryption that protects executable and data parts to sophisticated protections that are "packed" with tricks specifically tasked to slow down the reversing process. As the number of such techniques increases, we need to ask ourselves: can we keep up with the tools that we have?
Come to this talk to learn the most optimal strategies for dealing with complex binary code and to see in action the new open source framework, the TitanEngine, addressing advanced file analysis. Today reverse engineers are limited to writing their own code for every new scenario they encounter or to using outdated solutions that do not cover all the needed aspects. Yet when speed is of the essence, as in dealing with new outbreaks or botnet infections, new tools are necessary to deal with the large volume of incoming samples. Accurate detection, relevant data extraction and fast decomposition in a safe and controlled manner are critical requirements.
TitanEngine has been designed so that writing unpackers would mimic the manual unpacking process. Guided execution with the set of callbacks simulates the presence of a reverse engineer. This is done by creating an execution timeline equal to the one used by reverse engineers to unpack the file. Information is gathered as the execution is led to the point from where the protection passes the control to the original code. At that point we have all the data we need to create a sample valid for execution and further analysis. During the talk, a new open source project, the TitanEngine, will be introduced and discussed in detail. Special attention will be given to addressing automation problems when writing unpackers. We will cover the following topics:
* In-depth description of integrated x86/x64 debugger
* Debugger: software, hardware, memory, library and flex breakpoints
* Dumping memory and loaded modules
* Comprehensive description of integrated import resolving module
* Repairing import table with a simple data gathering
* Automatic scan for all known import redirections and eliminations
* In-depth description of integrated PE file manipulation module
* Working with PE header, imports, exports, relocations, resources
* Complete description on how to use the engine to write an unpacker
* Making an executable unpacker
* Making a library unpacker

The talk will conclude with demos of two new tools that are based on the TitanEngine:
* RL!dePacker - generic PE x86/x64 unpacker which supports over 100 formats
* ImportStudio - OllyDBG plugin which provides an interface for easily fixing imports

This talk will be a Black Hat exclusive: a launch and demonstration of the major version upgrades of RL!dePacker and ImportStudio that are based on the new open source project titled "The TitanEngine." All components will be available for distribution with the conference materials.

4:45 PM
to 5:10 PM

Michael Brooks: BitTorrent hacks
94 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Michael Brooks, David Aslanian
event::about  This is the journey of two pirates hacking BitTorrent. This talk will cover ways of abusing the BitTorrent protocol, finding vulnerabilities in BitTorrent clients and exploiting them. We will also cover counter measures to these attacks.

5:10 PM
to 5:35 PM

Mikko Hypponen: The Conficker Mystery
170 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Mikko Hypponen
event::about  Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. Apparently written in Ukraine, this worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create remote jobs to infect machines over corporate networks. Possibly the most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalculating one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what was the motive of the gang behind Conficker - and why they never acted upon it.

5:35 PM
to 6:00 PM

Muhaimin Dzulfakar: Advanced MySQL Exploitation
111 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Muhaimin Dzulfakar
event::about  This talk focuses on how MySQL SQL injection vulnerabilities can be used to gain remote code execution on the LAMP and WAMP environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with metasploit and is able to upload and execute shellcodes using a SQL Injection vulnerability in LAMP or WAMP environments.