
My Schedule

 

9:00 AM
to 9:50 AM

Keynote
431 schedule::attendees
Location Augustus Ballroom
eventtype  Random
  TBD
event::about  TBD
event::tags  keynote

10:40 AM
to 11:00 AM

Chris Gates: Breaking the 'Unbreakable' Oracle with Metasploit
104 schedule::attendees
Location Florentine 1-2-3-4
eventtype  Metasploit
  Chris Gates
event::about  Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks.

11:00 AM
to 11:15 AM

Coffee Service
323 schedule::attendees
eventtype  Food & Drink

11:15 AM
to 12:30 PM

Michael Eddington: Demystifying Fuzzers
68 schedule::attendees
Location Augustus Ballroom 3-4
eventtype  Testing
  Michael Eddington
event::about  Fuzzing is an important part of the secure development lifecycle (SDL) and a popular tool for both defensive and offensive security researchers, consultants, and even software developers. With this popularity comes a plethora of fuzzers both open source and commercial. This briefing takes a look at these different fuzzers and provides insights into "if" and "what" they should be used for. As the developer for Peach, I am often asked to compare various fuzzers and clarify terms tossed around such as Smart and Dumb fuzzing. Additionally the hidden costs and pitfalls will be addressed.

1:45 PM
to 3:00 PM

Egypt: Using Guided Missiles in Drive-Bys - Automatic Browser Fingerprinting
66 schedule::attendees
Location Florentine 1-2-3-4
eventtype  Metasploit
  Egypt
event::about  The blackhat community has been using client-side exploits for several years now. Multiple commercial suites exist for turning webservers into malware distribution centers. Unfortunately for the pentester, acquiring these tools requires sending money to countries with no extradition treaties, taking deployed packs from compromised webservers, or other acts of questionable legality. To ease this burden, the Metasploit Project will present an extensible browser exploitation platform integrated into the metasploit framework.

3:15 PM
to 4:30 PM

3:50 PM
to 4:30 PM

Val Smith, Colin Ames & David Kerb: MetaPhish pt. 1
101 schedule::attendees
Location Florentine 1-2-3-4
eventtype  Metasploit
  Val Smith, Colin Ames, David Kerb
event::about  Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.

4:30 PM
to 4:45 PM

Coffee Service
280 schedule::attendees
eventtype  Food & Drink

4:45 PM
to 6:00 PM

Andrew Fried, Paul Vixie & Christopher Lee: Internet Special Ops
126 schedule::attendees
Location Roman Ballroom
eventtype  Infrastructure
  Andrew Fried, Paul Vixie, Dr. Chris Lee
event::about  Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents require the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.

6:00 PM
to 7:30 AM

Gala Reception
187 schedule::attendees
eventtype  Food & Drink

6:00 PM
to 7:30 AM

Johnny Long: Me to We
150 schedule::attendees
Location Florentine Ballroom
eventtype  Food & Drink
  Johnny Long
event::about  From scrubby C64 pirate to professional hacker to reluctant "Internet rockstar", the past five years of Johnny's journey have been interesting. The last few months, however, have been straight-up bizarre. While many strain to maintain and others scrape and scratch at the ladder, Johnny's jumped off the top rung. This is a story of what it takes to make it in this industry, and what the view's like from the top. This is a story about how utterly teh suck the view from the top really is and why you might want to just jump off now before it's too late. This is the story of a rise and fall and the crossover cable those terms require. This is a story that's relevant if you're in for the long haul. This is Johnny's story, as only Johnny can tell it. Which means it might be funny.
 

 

8:50 AM
to 9:50 AM

Keynote 2
344 schedule::attendees
Location Augustus Ballroom
eventtype  Random
  TBD
event::about  TBD

10:00 AM
to 11:00 AM

Zane Lackey & Luis Miras: Attacking SMS
135 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Zane Lackey, Luis Miras
event::about  With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.

11:15 AM
to 12:30 PM

Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
136 schedule::attendees
Location Augustus Ballroom 5-6
eventtype  Random
  Jeremiah Grossman, Trey Ford
event::about  Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have led to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.

2:10 PM
to 2:35 PM

Rachel Engel: Gizmo
68 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Rachel Engel
event::about  Gizmo is a free new open source web proxy designed to be lightweight, speedy, and responsive. When someone is performing a web pentest, they want a tool that lets them edit and search through requests quickly. The tool should let them search through and edit requests without slowing down web traffic or taking up the user's attention with heavyweight user interfaces. Gizmo was created with this in mind. The user interface is focused on the keyboard so that once the initial (very small) learning curve is over, the user can operate gizmo without their hands leaving the keyboard. A great deal of effort was also spent ensuring that gizmo proxies traffic snappily enough that a user's web browsing experience isn't hampered. The presentation will be focused on a presentation of the featureset of gizmo, and a demonstration of how snappy and responsive web proxies can be.

3:15 PM
to 4:30 PM

Jesse Burns: Exploratory Android Surgery
57 schedule::attendees
Location Milano Ballroom 1-2-3-4
eventtype  Mobile
  Jesse Burns
event::about  It's hard to resist open, Linux-based phones with sophisticated programming environments and a novel security model. Android has application-level isolation, new kernel primitives for communication, and fancy UI features wrapped around its open source heart. This talk will explore Android's fancy new kernel and user mode security mechanisms, how to test them, and how to mess around inside your droid.
Jesse will release and demonstrate new tools for exploring Android devices, including an Intent sniffer, Intent fuzzer, a security policy exploration tool, and a tool for exploring any undocumented or proprietary corners of your device.
In the process, the talk will show hidden features on currently shipping devices, illustrate how Android systems fit together and help the attendee understand what this new security model's capabilities and limitations are. The speaker has worked on the security of dozens of Android applications, and on the operating system itself. He will use this experience to explain some of the most common, new types of security weaknesses facing mobile developers and testers.

4:05 PM
to 4:30 PM

Peter Guerra: How Economics and Information Security Affects Cyber Crime
98 schedule::attendees
Location Roman Ballroom
eventtype  Turbo Talks
  Peter Guerra
event::about  This turbo talk will explore the links between US law, international cybercrime, malware proliferation, and the economics of botnets. During this time, I will present research into the impact the current worldwide economic crisis has had on cybercrime and the impact on security professionals. I will also use economics to link cybercrime activity to emerging markets countries (Brazil, Russia, India, and China) and show research into how the CAN-SPAM act created economic incentives for an increase in botnets, spam, malware, and phishing attacks.

4:45 PM
to 6:00 PM

Bruce Schneier: Reconceptualizing Security
169 schedule::attendees
Location Augustus Ballroom 3-4
  Bruce Schneier
event::about  Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields -- behavioral economics, the psychology of decision making, evolutionary biology -- shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.
 

