10:00 AM
to 11:00 AM

FX: Router Exploitation
155 Attendees
Location Roman Ballroom
  Felix 'FX' Lindner
  Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimens in the field, talk about the challenges you face to get a simple shell on such devices and what to actually do with them once you have made it.

11:15 AM
to 12:30 PM

Aaron LeMasters & Michael Murphy: Rapid Enterprise Triaging
78 Attendees
Location Roman Ballroom
  Aaron LeMasters, Michael Murphy
  Imagine this scenario - routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-Virus did not catch it - updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?
Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget for a one-time fix.
Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.
Additionally, to help alleviate enormous costs of enterprise Incident Response tools, we will be releasing a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.

1:45 PM
to 3:00 PM

Graeme Neilson: Netscreen of the Dead
46 Attendees
Location Roman Ballroom
  Graeme Neilson
  Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.
This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker-modified firmware. This firmware is effectively an embedded rootkit.

3:15 PM
to 4:30 PM

4:45 PM
to 6:00 PM

Andrew Fried, Paul Vixie & Christopher Lee: Internet Special Ops
126 Attendees
Location Roman Ballroom
  Andrew Fried, Paul Vixie, Dr. Chris Lee
  Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents requires the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.