9:00 AM
to 9:50 AM
8:50 AM
to 9:50 AM
10:00 AM
to 11:00 AM
Datagram: Lockpicking Forensics
84 Attendees
Location
Augustus Ballroom 5-6
Type Random
Datagram
Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.
11:15 AM
to 12:30 PM
Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
136 Attendees
Location
Augustus Ballroom 5-6
Type Random
Jeremiah Grossman, Trey Ford
Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
1:45 PM
to 3:00 PM
Hristo Bojinov, Elie Bursztein & Dan Boneh: Embedded Management Interfaces
60 Attendees
Location
Augustus Ballroom 5-6
Type Random
Hristo Bojinov, Dan Boneh, Elie Bursztein
Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
3:15 PM
to 4:30 PM
Alexander Sotirov & Mike Zusman: Breaking the Security Myths of Extended Validation SSL Certificates
87 Attendees
Location
Augustus Ballroom 5-6
Type Random
Alexander Sotirov, Mike Zusman
Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.
Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected is by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.
Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected is by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.
4:45 PM
to 6:00 PM
Bill Blunden: Anti-Forensics: The Rootkit Connection
77 Attendees
Location
Augustus Ballroom 5-6
Type Random
Bill Blunden
Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, recently don't seem to have garnered the same degree of coverage. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.
