2010 Presentations

Keynote: Closing the TLS Authentication Gap

Steve Dispensa and Marsh Ray

The recently disclosed TLS Authentication Gap (the TLS renegotiation flaw) triggered one of the most complex security disclosure processes in recent years. Because the flaw had been present since the early days of SSL, a great many products were affected. As a bug in the protocol itself rather than in any one implementation, there was no easy way to roll out a quick fix. Furthermore, because the protocol is generally implemented in a library, a long dependency chain of software and hardware had developed over the years, with interesting interactions between open-source libraries and the commercial software built on top of them. In some cases, open-source products were in direct market competition with commercial counterparts that depended on them. Interoperability of the proposed solution was a major concern.

To address these and other issues, the authors undertook one of the most ambitious private disclosures on record, bringing together in secret representatives of the largest commercial software vendors, the largest open-source projects, the IETF, and others. The working group arrived at a solution and was on the path toward implementation when the flaw was independently discovered and...

In this talk, the authors will discuss the discovery of the flaw, provide a technical overview and demonstrations, and then walk through the rationale and lessons learned in coordinating this disclosure.

Marsh Ray is a Software Development Engineer at PhoneFactor, Inc., a maker of two-factor authentication software, where he is responsible for security software development. Steve Dispensa is the CTO and co-founder of PhoneFactor.


Becoming Jack Flack: Real Life Cloak & Dagger

Taylor Banks and Adam Bregenzer

Are you on too many social networking sites? Have all of your exes found you on Facebook? If the fuzz came looking, how easy would it be for them to find you? kaos.theory, the creators of Anonym.OS, bring you this abridged guide to becoming (and staying) anonymous. Privacy is your right, anonymity is your path, and kaos.theory will be your guide.

We address anonymity at three progressively comprehensive levels - whether you just want to CLOAK your tracks, go undercover like Jack Flack at the DAGGER level, or go completely off the grid and be a HERMIT. In this 50 minute session, arcon (Adam Bregenzer) and dr.kaos (Taylor Banks) explore some of the issues, challenges, and sacrifices you will encounter. After this talk, if you don't cut up your credit cards, we will!

Taylor has written and delivered training and consultation to thousands of security engineers, architects, and managers from hundreds of organizations, as well as the DoD, FBI, Marine Corps and the NSA. Taylor is organizer for the Atlanta DEFCON Group (DC404), and the founder of kaos.theory.

Adam has been involved in technology R&D for over thirteen years. As a founding member of kaos.theory, he developed Anonym.OS, SAMAEL, and Medusa, as well as a number of nationally recognized websites and projects receiving worldwide press from Wired News, the New York Times, and The Register.


BaSO4: A Dynamic Dataflow Analysis Tool for Auditing and Reversing

Dion Blazakis

The complexity of modern applications makes binary auditing a long, slow march without a significant investment in tools and techniques. BaSO4 is a new IDA plug-in that highlights the instructions responsible for processing and propagating the information stored at a given input range. Using dynamic dataflow analysis based on a captured execution trace, BaSO4 can compute, for example, the instructions, memory locations, and registers used to process the string table in a Flash SWF file. This information can be used to target manual audits and assist in reverse engineering. The analysis is computed for each byte of the tainted input and is linked to the abstract syntax of the input file. The IDA plug-in switches between various levels of abstract syntax and dynamically updates the highlighted code regions. The Tamarin VM (Adobe's open source AVM2 bytecode engine) is used as a case study to illustrate the strengths and weaknesses of BaSO4.
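A small model of the analysis the abstract describes, added here as an illustration (it is not BaSO4's code and uses neither IDA nor a real trace): byte-level taint propagated over a constructed execution trace, with each instruction's dependency on the input bytes mapped back to an assumed field layout of the input file, so that a query for "string_table" returns the instructions to highlight. The trace, the buffer address, the operand syntax and the field layout are all invented for the example.

```python
"""Byte-level dynamic taint tracking over a captured execution trace, the kind of analysis
the BaSO4 abstract describes: for every byte of a tainted input range, which instructions,
registers and memory cells processed it, tied back to the input file's field layout.
Added toy example, not BaSO4's code; the trace, buffer layout, operand syntax and addresses
are constructed for the illustration."""
from collections import defaultdict

INPUT_BASE = 0x2000
INPUT_LEN = 12
# Assumed field layout of the parsed file, as byte offsets into the input buffer.
INPUT_LAYOUT = {
    "magic": range(0, 3),
    "version": range(3, 4),
    "file_length": range(4, 8),
    "string_table": range(8, 12),
}

# Constructed trace: (instruction address, mnemonic, destination operand, source operands).
# Operand syntax is ours: 'eax' a register, 'mem:<hex addr>:<width>' memory, 'imm:<v>' a constant.
TRACE = [
    (0x401000, "mov",   "eax",          ["mem:0x2000:3"]),        # load the magic bytes
    (0x401003, "cmp",   None,           ["eax", "imm:0x535746"]), # compare against 'FWS'
    (0x401008, "movzx", "ecx",          ["mem:0x2003:1"]),        # version byte
    (0x40100c, "mov",   "edx",          ["mem:0x2004:4"]),        # file length
    (0x40100f, "mov",   "ebx",          ["mem:0x2008:4"]),        # string table offset
    (0x401012, "add",   "ebx",          ["edx"]),                 # ebx now depends on both fields
    (0x401014, "mov",   "mem:0x3000:4", ["ebx"]),                 # spill to a stack local
    (0x401017, "mov",   "esi",          ["imm:0x10"]),            # constant: esi loses any taint
    (0x40101a, "mov",   "eax",          ["mem:0x3000:4"]),        # reload the local
    (0x40101d, "add",   "eax",          ["esi"]),
]


def cells(operand):
    """Taint cells an operand names: one per memory byte, one per register, none for immediates."""
    if operand.startswith("mem:"):
        _, addr, width = operand.split(":")
        return [("mem", int(addr, 16) + i) for i in range(int(width))]
    if operand.startswith("imm:"):
        return []
    return [("reg", operand)]


class TaintTracker:
    OVERWRITING = {"mov", "movzx", "lea"}   # destination depends on the sources only

    def __init__(self, input_base, input_len):
        self.taint = defaultdict(set)       # cell -> input offsets its current value depends on
        for off in range(input_len):
            self.taint[("mem", input_base + off)] = {off}
        self.insn_offsets = {}              # instruction address -> input offsets it processed

    def step(self, addr, op, dst, srcs):
        src_taint = set().union(*(self.taint[c] for s in srcs for c in cells(s)))
        dst_cells = cells(dst) if dst else []
        dst_taint = set().union(*(self.taint[c] for c in dst_cells))
        # An overwriting op never reads its old destination; arithmetic does.
        uses = src_taint if op in self.OVERWRITING else src_taint | dst_taint
        seen = self.insn_offsets.setdefault(addr, set())   # loops: accumulate per address
        seen |= uses
        for c in dst_cells:                 # every byte of a multi-byte store gets the whole set
            self.taint[c] = set(uses)       # (coarse, but never drops a dependency)
        return seen

    def run(self, trace):
        for insn in trace:
            self.step(*insn)
        return self

    def instructions_touching(self, offsets):
        """Addresses of instructions that processed any byte in `offsets`, for highlighting."""
        wanted = set(offsets)
        return sorted(a for a, offs in self.insn_offsets.items() if offs & wanted)

    def tainted_cells(self):
        return {c: sorted(t) for c, t in self.taint.items() if t}


def analyze(trace=TRACE):
    """Map each input field to the instructions that handle it; also return the tracker."""
    tr = TaintTracker(INPUT_BASE, INPUT_LEN).run(trace)
    return {field: tr.instructions_touching(rng) for field, rng in INPUT_LAYOUT.items()}, tr


if __name__ == "__main__":
    fields, tracker = analyze()
    for field, addrs in fields.items():
        print(f"{field:13} {[hex(a) for a in addrs]}")
```

The `file_length` and `string_table` queries both light up the `add` at 0x401012 and everything downstream of the spilled local, which is exactly the "where does this field flow" answer an auditor wants before reading the code by hand; the constant load into `esi` shows taint being cleared, and the `cmp` shows an instruction recorded as a consumer even though it writes no register.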

Dion has been breaking software since 1994, playing with debug.com and Ralf Brown's Interrupt List. Somewhere along the way, he took a more respectable path and ended up as a software developer. He has been writing code for embedded devices for the last 8 years. When not securing pay-per-view porn for his current employer, he spends his time decompiling SNES games, bug hunting, and automating his bug hunting techniques. His relevant interests include compilers, operating systems, programming languages and interpreters.


GPU vs. CPU Supercomputing Security Shootout

Collin Brack

You have the fastest Intel/AMD processor in a 500 mile radius thanks to your custom-built quad-core, liquid-nitrogen-cooled, overclocked 5.0 GHz CPU monster. Prepare to be summarily beaten down, computationally speaking, by the kid next door who just bought the latest Nvidia GPU to play WoW at 80 fps. Video cards, fueled by the gaming industry, have leap-frogged (pun intended) the processing power of the general-purpose CPU for certain computational tasks. The rise of the multiprocessor-based general-purpose GPU (GPGPU) platform is taking academia by storm due to its low cost and low barrier to entry into modern-day supercomputing. The security community, like other fields, has already embraced the GPU for heavy lifting, helped along by Nvidia's sleek marketing of its CUDA development environment and by the competing GPU computing platforms from ATI and OpenCL. This 20-minute session will chronicle the rise of the GPU in high-performance computing and will highlight GPU vs. CPU benchmarks of well-known security tools including aircrack (10x speed-up), Pyrit (8x), CUDA Multiforcer, BarsWF MD5 cracker (3x), RainbowCrack multi-GPU CUDA version, and more. Finally, links and tips on setting up CUDA in Back|Track 4 are shared.

Collin Brack is a healthcare informatics and medical imaging consultant with experience in computational clusters. He works in academia where he focuses on high performance computing with medical physics researchers. His latest cluster is based on high-end graphics processors to achieve performance gains previously only available to multi-million dollar big iron. He has published and presented on the topics of system design, grid computing, and disaster recovery.


Detection of rogue access points using clock skews: does it really work?

Sergey Bratus, Chrisil Arackaparambil, and Anna Shubina

In 2005 Kohno, Broido and claffy noticed that physical devices could be fingerprinted remotely by repeatedly asking them for their hardware clock time and calculating that clock's unique skew. They used ICMP timestamp requests, and showed that interference from network latency could be overcome. However, this method requires Layer 3 connectivity and isn't so useful with Wi-Fi: by the time a station has associated with an "evil twin" AP and obtained an IP address, it can already be owned in several interesting ways.

APs' radio interfaces in master mode use their own microsecond-grained clocks (the TSF timer) and put that timestamp in every beacon frame. Moreover, similar AP models appear to have similar clock skews, as we pointed out in our BlackHat '08 talk.

At about the same time at MobiCom '08, a group of researchers claimed a method for detecting rogue APs by observing the clock skew of their beacon timestamps.

We will show how a rogue laptop-acting-as-AP can synchronize its beacons with a legitimate access point's TSF timer and pass the clock skew test within its normal sensitivity, defeating the clock skew detection method. We will also show how to detect this behavior.
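To make the test and the bypass concrete, here is an added simulation (not the Dartmouth authors' code) of clock-skew fingerprinting from beacon TSF timestamps. A monitor-mode station records each beacon's TSF field against its own capture clock and fits a line to the offset between them; the slope is the AP's skew. A rogue whose TSF timer is loaded from the legitimate AP's beacons inherits that slope and passes the test. The skew values, beacon interval, capture jitter and the 5 ppm tolerance are assumptions chosen for the simulation, not figures from the talk.

```python
"""Clock-skew fingerprinting of an AP from beacon TSF timestamps, and the TSF-synchronised
rogue that passes the test.  Added simulation, not the authors' code.  Skew values, beacon
interval, capture jitter and the 5 ppm tolerance are assumptions chosen for the example."""
import random
import statistics

PPM = 1e-6
BEACON_INTERVAL_US = 102_400      # 100 TU (1 TU = 1024 us), the common default
TOLERANCE_PPM = 5.0               # assumed detector sensitivity around the stored profile


class Clock:
    """Free-running microsecond clock running skew_ppm fast (negative: slow) of true time."""
    def __init__(self, skew_ppm, offset_us):
        self.skew_ppm, self.offset_us = skew_ppm, offset_us

    def read(self, true_time_us):
        return self.offset_us + true_time_us * (1 + self.skew_ppm * PPM)


def capture(n, tsf_of, jitter_us, seed):
    """What a monitor-mode sniffer records: (its own capture time, the beacon's TSF field).
    tsf_of(t) is the timestamp the AP writes into a beacon sent at true time t; the sniffer's
    own timestamping carries Gaussian jitter standing in for driver and queuing delay."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        t = i * BEACON_INTERVAL_US
        rows.append((t + rng.gauss(0, jitter_us), tsf_of(t)))
    return rows


def estimate_skew_ppm(rows):
    """Slope of (TSF - capture time) against capture time, in ppm.  Kohno et al. fit a line
    under the points with linear programming to discount queuing delay; for a simulation an
    ordinary least-squares fit is enough."""
    xs = [c for c, _ in rows]
    ys = [tsf - c for c, tsf in rows]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx / PPM


def is_rogue(profile_ppm, rows, tolerance_ppm=TOLERANCE_PPM):
    """The beacon clock-skew test: flag an AP whose skew departs from the stored profile."""
    return abs(estimate_skew_ppm(rows) - profile_ppm) > tolerance_ppm


legit = Clock(skew_ppm=40.0, offset_us=7_000_000)      # the real AP's radio clock
rogue_own = Clock(skew_ppm=-25.0, offset_us=123_456)   # the rogue laptop's own clock


def rogue_synced_tsf(t, sync_error_us=2.0, rng=random.Random(99)):
    """Rogue that reads the legitimate AP's beacons and loads its own TSF timer from them: its
    beacons carry the legitimate clock's value and so inherit its skew, give or take a small
    resynchronisation error."""
    return legit.read(t) + rng.gauss(0, sync_error_us)


def run(n=2000, jitter_us=50.0):
    """Build a profile from one capture of the real AP, then test three later captures."""
    profile = estimate_skew_ppm(capture(n, legit.read, jitter_us, seed=1))
    return {
        "profile_ppm": profile,
        "legit_again": is_rogue(profile, capture(n, legit.read, jitter_us, seed=2)),
        "rogue_own_clock": is_rogue(profile, capture(n, rogue_own.read, jitter_us, seed=3)),
        "rogue_synced": is_rogue(profile, capture(n, rogue_synced_tsf, jitter_us, seed=4)),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:16} {value}")
```

With 2000 beacons (about three and a half minutes at the default interval) the fit resolves skew to well under 1 ppm, so the 65 ppm gap between the rogue's own clock and the profile is obvious, while the synchronised rogue sits within a fraction of a ppm of the profile and the test has nothing to distinguish it on. Any detector built on this signal therefore needs a second observable beyond the skew estimate itself.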

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics to understand its value and relevance.

Chrisil Arackaparambil is a graduate student at Dartmouth. After years of proving theorems about algorithms, he discovered the joy of Defcon talks and patching device drivers.

Anna Shubina chose "Privacy" as the topic of her doctoral thesis and was the operator of Dartmouth's Tor exit node when the Tor network had about 30 nodes total.


De Gustibus - The Science Behind Taste

Sandy Clark

Do you geek out over food? Do you rave over a particular vintage? Do you get into fights about the relative merits of Belgian vs. Swiss chocolatiers? Ever done a real chocolate tasting? Wondered what the big deal is with food/wine pairings? Come learn about the neuroscience behind that most complex of human senses; like any other electrical/chemical machine, the body can be hacked, and that includes the taste buds. And then... we'll Taste Stuff!

You can choose to take part in a food/wine pairing, a blind chocolate tasting (rating forms will be provided; see how you compare to the experts), or experiment with Miracle Fruit (along with many things to try it out on) and real vintage balsamic vinegar (like syrup). Also feel free to bring something you've discovered and want others to try.

Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. That includes playing with her food. She has been known to starve rather than eat bad food, and spends way too much time exploring new flavors. An active member of the Hacker community, her professional work includes an Air Force Flight Control Computer, a simulator for NASA and singing at Carnegie Hall. She is currently fulfilling a childhood dream, pursuing a Ph.D. in C.S. at the University of Pennsylvania. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles. Her research explores human scale security and the unexpected ways that systems interact.


An Existential Threat To Security As We Know It?

Joshua Corman, Michael Dahn, Dr. Anton Chuvakin, and Jack Daniel

Whether you love it, hate it, or are merely "friends with perks"- compliance is significantly changing what we call security. PCI has been accused of being the Spawn of Satan by some, and yet it has also been credited with advancing security by others. This panel of PCI experts, analysts, and victims will discuss and argue the realities of PCI: its origins, goals, and consequences (intentional and otherwise). PCI is having an impact on priorities, budgets, and personnel, which is being felt throughout the security industry. Unfortunately, there have been few informed discussions of PCI and compliance issues in the technical ranks of the security community. This panel will bring PCI subject matter experts with real-world experience to the technical security professional and hacker audience to discuss, engage, enrage, and argue about what may well be an existential threat to information security as we know it. The diverse viewpoints and experiences of panel members will guarantee a lively and often heated discussion, and will provide a broad base for fielding audience comments, questions, and criticisms. Bring plenty of Shmooballs to this session, you will need all you can get.

Joshua Corman is Research Director for Enterprise Security at The 451 Group and was previously Principal Security Strategist at IBM ISS; Michael Dahn is Global PCI QA Manager for Verizon Business and was previously the subject matter expert in creating PCI DSS training for Visa USA, Europe, Asia-Pacific and LAC; Dr. Anton Chuvakin is a recognized expert in the field of log management and PCI DSS compliance, is Principal at Security Warrior Consulting and was formerly Director of PCI Compliance at Qualys; Jack Daniel is some guy with a beard and Sock Puppets who drives the ShmooBus.


Windows File Pseudonyms: Strange filenames and haiku

Dan Crowley

In Windows systems, path and filename normalization routines have some interesting quirks. One file can be referred to by many different file paths; some are well known, and some are not. The lesser-known ways to refer to files are not often considered when designing security mechanisms. By referring to files in these strange ways one can, in many circumstances, cause unexpected behaviour in systems which do not account for alternate prefixes, aliases and mangled versions of filenames. In this presentation, I will show some of these quirks with a live demonstration on real products, and how techniques based on these quirks can be used to bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier.
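An added example (not from the talk) of the kind of filter the abstract has in mind: a deny-list check on the raw request path, next to a canonicalising version that folds the better-documented Windows pseudonyms into one spelling before comparing. The web root, the deny list and the request paths are invented; the behaviours relied on are documented Win32 path handling (trailing dots and spaces dropped from the last component, case-insensitivity, "/" accepted as a separator, "." and ".." components, the \\?\ and \\.\ prefixes, and the explicit default-stream suffix ::$DATA). It runs anywhere because it uses Python's `ntpath` rather than the OS.

```python
r"""A deny-list filename check on the raw request path, and a canonicalising version.
Added example, not from the talk.  The deny list, web root and paths are invented; the
quirks relied on are documented Win32 path handling: trailing dots and spaces dropped from
the last component, case folding, '/' accepted as a separator, '.' and '..' components,
the \\?\ and \\.\ prefixes, and the explicit default data stream suffix ::$DATA.
8.3 short names (PROGRA~1) are a further alias but need a live filesystem lookup."""
import ntpath

DENY = {"web.config", "global.asax"}          # files the application must never serve
PREFIXES = ("\\\\?\\", "\\\\.\\")             # extended-length and device namespace prefixes


def naive_blocked(path):
    """The check as commonly written: exact, case-sensitive match on the last component."""
    return path.rsplit("\\", 1)[-1] in DENY


def canonical(path):
    """Reduce the pseudonyms listed above to a single spelling before comparing anything."""
    p = path.replace("/", "\\")
    for prefix in PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    p = ntpath.normpath(p)                    # collapses '.', '..' and doubled separators
    head, tail = ntpath.split(p)
    if tail.lower().endswith("::$data"):      # 'name::$DATA' opens the file's default stream
        tail = tail[:-len("::$data")]
    tail = tail.rstrip(". ")                  # Win32 drops these before the open
    return ntpath.join(head, tail).lower()


def hardened_blocked(path):
    return ntpath.basename(canonical(path)) in DENY


# Constructed request paths that all open C:\site\web.config on Windows.  The '..', doubled
# separator and prefix forms slip past checks written against the full path rather than
# the basename; the others slip past the basename check itself.
PSEUDONYMS = [
    "C:\\site\\web.config",
    "C:\\site\\WEB.CONFIG",
    "C:\\site\\web.config.",
    "C:\\site\\web.config   ",
    "C:/site/web.config",
    "C:\\site\\sub\\..\\web.config",
    "C:\\site\\\\web.config",
    "\\\\?\\C:\\site\\web.config",
    "\\\\.\\C:\\site\\web.config",
    "C:\\site\\web.config::$DATA",
]


def audit(paths=PSEUDONYMS):
    """(path, blocked by the naive check, blocked by the hardened check) for each spelling."""
    return [(p, naive_blocked(p), hardened_blocked(p)) for p in paths]


if __name__ == "__main__":
    for p, naive, hard in audit():
        print(f"{p!r:40} naive={naive!s:5} hardened={hard}")
```

String surgery like `canonical()` only covers the aliases you know about; it cannot resolve 8.3 short names or junctions. The robust version of the check opens the file first and compares the real path the OS reports for the handle against the policy, so whatever alias the request used, the decision is made on the name the filesystem actually resolved.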

Dan is an independent researcher and lecturer, and also works for Core Security Technologies. Most of his free time is spent playing around with Web-based technologies or locks. Dan was the winner of the "Gringo Warrior" lock bypass competition at Shmoocon V and plans to compete again at Shmoocon VI.


Social Zombies II: Your Friends Need More Brains

Tom Eston, Kevin Johnson, Robin Wood

In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information.

Tom Eston is a penetration tester for a Fortune 500 financial services organization. Tom focuses his research on the security of social media. Tom is also a security blogger and co-host of the Security Justice podcast. Kevin Johnson is a Senior Security Analyst with InGuardians. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS. Robin Wood is a freelance developer, pentester and regular open source contributor whose projects include Jasager, the Interceptor and KreiosC2.


A Tale of Infrastructural Weaknesses in Distributed Wireless Communication Services (aka Femtocell Insecurities)

Zack Fasel

In order to combat the problem of wireless coverage in remote and well-insulated buildings, wireless communication providers have designed and issued a distributed wireless communication device (DWCD... yes, I made that acronym up), pushing the cost and installation onto the consumer while increasing consumer satisfaction with their wireless coverage. As with any distributed end-user hardware device, these DWCDs are susceptible to various security issues and flaws at both the hardware and software level. We'll take a journey into how the DWCDs of various wireless communication services operate, the flaws discovered in their design and implementation, and the legal issues of investigating these devices. Hardware hackers meet software hackers.

Zack and Jaku are Security Consultants within the Penetration Testing practice at Trustwave's SpiderLabs performing network, wireless, social, and physical pentests. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, Incident Response, and Payment Application testing for Trustwave's clients. Outside of trying to pay the bills, they have been seen associating with MobileDisco, DC312, Chisec, and organizing THOTCON, a security conference hosted in Chicago this April. Find more about Zack at zfasel.com, and more about Jaku at haxbyjaku.com.


Recovering Evidentiary Artifacts from Virtual Machines and Hypervisor Environments

Eric M. Fiterman

With the growing momentum toward cloud and virtualized computing, gone may be the days when forensic practitioners collect an image of a hard disk and head back to the office to analyze the evidence. High-performance, concurrent-access cluster file systems commonly deployed in virtual environments offer a new set of challenges for forensic and security practitioners, requiring some new thinking in the way we review and analyze electronic evidence. This discussion will provide an overview of desktop and platform virtualization and the key tools and concepts that can be applied when recovering evidence in this new medium. The discussion will introduce these concepts through two walk-through scenarios: (1) the restoration of a corrupted virtual disk and its contents, and (2) recovering deleted snapshots and redo logs from VMware's Virtual Machine File System (VMFS).

Eric M. Fiterman is a former FBI Special Agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses. Eric began his career as a FreeBSD/Solaris software engineer, and is actively involved in the incident response, confidence gaming, and security analysis domains. His work is focused on trade secrets protection, intellectual property misappropriation, and crime prevention. Eric has conducted experiments aboard NASA's KC-135 microgravity research aircraft (the "Vomit Comet"), and was the recipient of a service award from the United States Secret Service for his investigative contributions to law enforcement.


Economics of Cyber Crime

Peter Guerra

This turbo talk will explore the links between international cyber crime, malware proliferation, and economics. This talk will present updated information on how the cyber crime economy is growing in particular sectors, present research into the impact the current worldwide economic crisis has had on cybercrime, and outline the impact on security professionals.

Peter Guerra is currently working as a security consultant to government and commercial organizations. His diverse IT career has focused on cyber crime, malicious code analysis, security engineering, incident response/forensics, and security operations. He is currently getting his MBA and studying the relationship between economics and information security.


Flying Instruments-Only: Legal and Privacy Issues in Cloud Computing

Richard Goldberg

Cloud computing is taking off, and in the rush to adopt the latest technology, many companies (and a disturbing number of lawyers) are ignoring the security and privacy implications. This talk will be a discussion of both the straight-forward and less-obvious legal risks companies face when storing data in the cloud. It will explore the legal ways in which data can fall into the wrong hands, adherence to existing privacy policies and privacy laws, risks that can be mitigated and those that cannot, legal responsibility for failures and data breaches, and potential legal precautions -- and whether any of that will be enough. The talk will focus on real-world problems, like the effects of search warrants and subpoenas, what provisions are buried in cloud provider agreements, and solutions, if any. Attendees should leave with a greater understanding of the relevant issues, legal risks, and potential solutions, as well as which problems do not have solutions. They should also leave very nervous.

Richard Goldberg, a software architect turned attorney, represents a wide range of clients, including private software companies, public OpenSource companies, information security consultancies, federal appointees and civil service employees, and corporate officers. His practice ranges from general corporate work, including spin-offs, acquisitions, and privacy and information security issues, to litigation, including vendor, shareholder, and user disputes and government investigations. Prior to joining the legal profession, Richard worked as a software developer and architect at several Internet start-ups and commercial consultancies. There he designed enterprise-level software systems for Fortune 500 companies, government agencies, and the U.S. military. Richard is a graduate of Duke University Law School.


Cyborg Information Security: Defense Against the Dark Arts

Esteban Gutierrez and Adam Cecchetti

As it becomes more mainstream for humans to change themselves using technology, we are creating a new vulnerability landscape that exposes us to old and new forms of attack. This talk examines how we are making ourselves into "New Humans" by going over both real-world and futurist trends (medical implants, bio-engineering, health-care technology, etc.). We then explore the intersection of the cyborg trend with hacking and computer security. This talk aims to build a framework for understanding cyborg information security and examines the next generation of social engineering. If we are all going to end up with mechanical hearts, cybernetic eyes, memory chips and e-ink tattoos, we may as well figure out how to do it securely.

Esteban Gutierrez has been involved in enterprise computer security since 1995. During that time he's worked in various industries and roles including .mil, .com, and .org. Esteban holds various and sundry certifications and seldom speaks in public on anything vaguely work related.

Adam Cecchetti is an independent consultant and security researcher at Deja Vu Security. Adam specializes in application and hardware penetration testing. He is a contributing author to multiple security books, benchmarks, tools, and research projects. Adam holds a masters degree from Carnegie Mellon University in Electrical and Computer Engineering.


Exposed | More: Attacking the Extended Web

Nathan Hamiel

We all know the Internet is a series of tubes connecting many systems via networks. This architecture has been in place since the early days of the web. The landscape has changed quite a bit over the past few years, with applications themselves becoming interconnected. Interconnecting applications can extend trust boundaries and open new vectors for attackers to exploit. APIs are becoming more and more popular as web sites strive for dynamic, user-generated content. API developers have not always put much thought into how their API can be abused and the resulting effect on their application; after all, APIs are all about access. These APIs are often abused to anonymize attack sources, enumerate services, and gain access to sensitive information. This presentation covers attack scenarios and historical examples of vulnerabilities in APIs that will prove useful to security testers and developers alike.

Nathan Hamiel is a Principal Consultant for FishNet Security and an Associate Professor at the University of Advancing Technology. He is also the founder of the Hexagon Security Group. Nathan spends most of his time in the areas of application and enterprise security. He has spoken previously at events such as Black Hat, DefCon, ShmooCon, ToorCon, and many others.


Tales from the Crypto

G. Mark Hardy

You can't be 'leet if you can't do crypto. There was a time when the difference between good crypto and bad crypto was life and death. Until the advent of modern computing, cryptography was done by hand, sometimes by candlelight by a spy in an attic surrounded by Nazis in occupied France. Today there are at least 2,381 crypto downloads at sourceforge.net, but good crypto is like a good joke: someone clever had to start it. We'll look at how early crypto formed the foundation for secure communications, and why the discovery of asymmetric crypto is the real reason the Internet got so big so quickly. We'll walk through some crypto contests of the past couple of years, including Shmoocon 2008 and Shmoocon 2009 (as well as the Shmoocon 2009 badge puzzle), and provide you with the foundational understanding of how good crypto works, and why bad crypto fails miserably. You might not become the next Phil Zimmermann by watching this talk, but you will be able to do some pretty cool stuff.

G. Mark Hardy has been doing security since before you were born (well, most of you), working his first "real" computer security job in 1976 and founding National Security Corporation in 1988. With a background in information security planning and policy development, managing security assessment and penetration teams, data encryption and authentication (including "breaking" commercial cryptographic algorithms), software development and strategic planning for e-commerce, and writing commercial risk assessment software, he has presented several hundred talks on information security. He has sponsored crypto contests at Shmoocon, DEFCON, Layer One, and did the badge design for Shmoocon 2009.


Jsunpack-network Edition Release: JavaScript Decoding and Intrusion Detection

Blake Hartstein

Attackers using web exploits are always improving their attacks to make them more effective at exploiting the victim, avoiding detection, and generally making attacks difficult for researchers to understand. While anti-virus products often try to detect malicious content by applying filters and finding hidden content, they generally do not help researchers because the only output they produce is a name indicating whether a file is malicious.

Jsunpack-n reports the vulnerabilities that attackers target and full details of each decoding stage. Jsunpack-n contains many improvements over the 2009 introduction of jsunpack at Shmoocon, most notably: release of full source code, the ability to use jsunpack-n to actively monitor network traffic (from a live interface or a packet capture file), detection of malicious content using both customizable rules and built-in detection mechanisms, PDF and SWF decoding modules, and tree structures and URL tracking mechanisms.

Blake Hartstein works on the Rapid Response team at iDefense, a Verisign company. At iDefense, he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. Prior to iDefense, Blake was an author of intrusion detection signatures and contributed to Emerging Threats, an open source community project that promotes a diverse Snort Signature set.


The New World of Smartphone Security - What Your iPhone Disclosed About You

Trevor Hawthorn

When most people think of Smartphone security, they think forensics, encryption, screen locks, remote wipe, etc. This talk doesn't care about that. The New World of SmartPhone Security tackles security concerns that are not being discussed and have not been publicly disclosed. In this talk we will examine mobile to mobile attacks within cellular IP networks, the iPhone attack surface, iPhone worms, iPhone location-based gaming privacy concerns, and iPhone web application security. Proof of concept attacks, metrics gathered over the last six months, and redacted data gathered during our research will be presented.

Trevor Hawthorn has fourteen years of information security experience in various roles, specializing in risk management, application and infrastructure vulnerability assessments, penetration testing, and incident response. Currently Trevor is a Founder and Managing Principal with Stratum Security. Previously he was a Senior Security Consultant with Cybertrust, where he performed security assessments for organizations across multiple industries. Prior to Cybertrust Trevor was a Router Security Engineer at UUNET Technologies where he was heavily involved in DDoS Attack mitigation, protection of critical infrastructure and special security projects. While at UUNET, Trevor gave regular presentations to the FBI's NIPC group at the FBI Training Academy in Quantico, VA.


How To Be An RSol: Effective Bug Hunting in Solaris

Matt Hillman

Lately there has been a lot of excitement over the use of DTrace for bug hunting and reverse engineering on platforms that support it, such as Solaris. But there is a plethora of advanced tools and techniques for other, more common x86-based platforms, so does DTrace really add that much? This talk examines that question by introducing RSol, a Ruby-based debugging component for Solaris in a similar vein to PyDebug for Windows. RSol allows powerful bug hunting tools to be coded quickly; using it, the pros and cons of DTrace versus more traditional debugging techniques are investigated for different goals in different circumstances. The ultimate plan is for RSol to become a suite allowing debugging and DTrace-based techniques to be used together in a complementary way.

Matt Hillman is a security consultant and researcher at MWR InfoSecurity in the UK, and a hacker at heart. Spotting the need Solaris/SPARC had for the kinds of bug hunting tools available for more common platforms, as well as the hype around using tools such as DTrace, Matt quickly became concerned with investigating which techniques were in fact most appropriate to achieve different goals when reverse engineering, fuzzing and bug hunting.


Cracking the Foundation: Attacking WCF Web Services

Brian Holyfield

Hacking a web service generally isn't rocket science. But what if the web service requires messages to be sent using a binary protocol? What if it requires message level encryption but you don't have a key? These are just a few common scenarios you are likely to encounter when trying to attack a web service built with Windows Communication Foundation (WCF). Through a series of live demonstrations, the presentation will show how to identify and attack WCF web services.

Brian Holyfield is a founding member of Gotham Digital Science. He has worked in the information security industry for over 10 years, and specializes in software security. Brian is a frequent speaker at security conferences and a regular contributor on the GDS Security Blog. Brian has also contributed to books including "Network Security Tools" (O'Reilly), where he outlined techniques for automating the detection and exploitation of web application vulnerabilities.


The Friendly Traitor: Our Software Wants to Kill Us

Kevin Johnson and Mike Poor

Browsers, client applications and web functionality are becoming more and more complex as time goes on. In this presentation, Kevin Johnson and Mike Poor of InGuardians will discuss how instead of focusing on 0-day exploits, attackers and penetration testers are able to use the features of our systems against us. They will explore the usage of browser hooks, client provided content and malicious flash applications all in attacking client machines and organizations. During this talk, Kevin and Mike will be debuting tools that they have developed in house to exploit the functionality of these clients. This talk focuses on providing the audience with an understanding of the attacks, examples (including code) of how the attacks are accomplished and copies of the tools used.

Kevin Johnson and Mike Poor are senior security analysts for InGuardians. Mike has packet fu, Kevin is a web app samurai.


Better Approaches to Physical Tamper Detection

Roger G. Johnston and Jon S. Warner

Physical tamper detection has been employed for over 7,000 years, but it is still a largely unsolved problem. We will review general problems with tamper-indicating seals and the many ways they can be easily defeated. A much better approach, called the anti-evidence method, will then be explained. This will be followed by a demonstration of prototype anti-evidence seals, other types of novel seals, and real-time monitors. This talk is the result of work by the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. The VAT is a multidisciplinary team of physicists, engineers, social scientists, and hackers who conduct vulnerability assessments and develop novel approaches to security.

Roger G. Johnston, Ph.D., CPP heads the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. From 1992-2007 he was the founder and head of the VAT at Los Alamos National Laboratory. Roger has provided consulting, vulnerability assessments, and security solutions for over 4 dozen different government agencies and private companies. He has won numerous awards, has given 60+ invited talks including keynote addresses, holds 10 U.S. patents, and has authored over 115 technical papers. Dr. Johnston is the author of the book Security Sound Bites: Important Ideas About Security from Smart-Ass, Dumb-Ass, and Kick-Ass Quotations.


WiFi Bombs Shaken not Stirred

Kingtuna and TheX1le

Wireless de-authentication and disassociation are nothing new. The problem with them stems from the fact that tools are either too limited in scope (i.e., aireplay-ng) or way too broad and non-discriminating (i.e., Mdk3). Enter Airdrop-ng. Taking the best from each and built around a solid rule parser, you can perform both a very targeted attack or unleash the packets from hell and rain down packets of death on the wireless networks of the world. Airdrop-ng is more than just a deauth tool; it's a client control facilitator. Side note: the tool has an OUI lookup feature which can be utilized to deny or permit access to only specified manufacturers. So yes, with a single command you can deny access to all craple devices. Sample Ipwn rules included.

Tuna is a little bastard from Florida who has been providing wireless equipment to you con-goers for years. Tuna is currently an independent security consultant providing wireless and wired network security solutions to large enterprises. Current research besides wireless includes bot-net tracking based on IPs that have attacked an organization.

TheX1le is a self-taught packet junkie, ShmooCon veteran and Aircrack-ng Team Member. Currently working as a security consultant, TheX1le's free time is filled with abused access points and disconnected clients as well as reverse engineering malware and other fun things.


Back to the Glass House

Jim Manley

Today's attacks go after the weakest link in the system - the end user. Securing the end user desktop in medium/large organizations is a constant, resource intensive job requiring vulnerability detection and patch management systems and the people who understand how to interpret the results and respond accordingly. One approach to reducing the resources required to deal with vulnerability/patch management is to reduce the number of systems requiring such services. This talk presents one approach to doing just that. The presentation will provide an overview of the current threat environment and the bad guy tactics and techniques being observed in this environment. The talk will then present how virtualization technologies could be deployed to counter the bad guys. Finally, I will present the current status of an on-going pilot deployment of these technologies with a large organization's desktop environment. This status will include the current hardware and software architecture, pros/cons, and lessons learned from the pilot deployment.

Jim Manley is a Fellow with Lockheed Martin and a 27 year veteran in the information technology area. In his current assignment as chief IT infrastructure architect for the Aeronautics business area, Jim guides the strategic development of the security architecture and computing infrastructure supporting the development of advanced fighter aircraft. In what spare time he has, Jim enjoys biking (the two wheel, human powered variety) and supporting charitable organizations like hackersforcharity.org.


Ring -1 vs. Ring -2: Containerizing Malicious SMM Interrupt Handlers on AMD-V

Pete Markowsky

This talk deals with how to containerize malicious System Management Mode interrupt handlers on the AMD-V platform so that System Management Mode code will not be able to bypass the memory protections added by the virtualization extensions.

In recent years we've heard about System Management Mode (SMM) rootkits and seen how they can be used to bypass Intel's Trusted Execution Technology. AMD-V is a different design than Intel VT-x / VT-d. The talk covers the differences, reviews System Management Mode and the relationship between SMM and virtualization on the AMD-V platform. After the review, how one installs an SMI handler is covered, followed by a discussion of how to construct a hypervisor that can containerize system management interrupt handling code so that it runs inside of a guest virtual machine.

Pete Markowsky has been involved with information security and application development since first working with Northeastern University in 2001. He has worked all over the security industry from .edu to .mil to .com in roles such as development, QA, Security Engineer, Risk Analyst and Security Researcher. Pete is currently supporting Crucial Security / Harris in a number of security research and development projects, including two SBIR efforts involving the implementation of a code slicing engine and hypervisor based process isolation.


Stealing Guests... The VMware Way

Justin Morehouse and Tony Flick

During this talk, we'll reveal how to steal VMware guests from within other guests using the vulnerability we identified in CVE-2009-3733. Quick and dirty... we'll discuss how we stumbled upon the vulnerability, determined its capabilities, and its potential implications to virtualization...complete with a live demonstration. Bring your own notebook for hands-on goodness.

Justin Morehouse leads the assessment team at one of the nation's largest retailers and founded the OWASP Tampa chapter. He's spoken at EntNet, ISSA, and ISACA conferences and is an adjunct professor at DeVry University. Tony Flick is a Principal with Tampa-based FYRM Associates. He's presented at Black Hat, DEFCON, ISSA and OWASP conferences. Additionally, Tony has been recognized as a security subject matter expert and utilized by such media outlets as the Associated Press, SC Magazine, Dark Reading, and eWeek.

Justin and Tony are co-authoring "Securing the Smart Grid," which will hit shelves in Q2 of 2010.


DIY Hard Drive Diagnostics: Understanding a Broken Drive

Scott Moulton

This is the basic process to start doing diagnostics on your damaged hard drive. The point is to help you determine what the problem is so that you know if it's the board, the heads, media, etc. I will do a shotgun approach to diagnostics by the process of elimination, but more significantly explain when you should STOP before destroying your chance at important data.

For example, if you have a hard drive that you cannot see at all in the BIOS that does not mean it can't be read using something smarter than your motherboard. Yet can you tell if it's a head problem or a firmware issue? Well, if you know the basics of the "POST" process for a modern drive, you might know that if you could see a serial number that the head probably read data from the drive after being instructed to by the firmware. So the real question is, why can't you read the data?

These are the topics I am going to cover from my experiences in running a successful data recovery company for 10 years. If you are interested in fixing drives, or just a better understanding of how the drive works, then this is the talk you don't want to miss.

Scott Moulton is a forensic specialist and runs a data recovery company out of Atlanta called My Hard Drive Died, where he uses his forensics experience to recover hard drives and teach an advanced class in data recovery. He has been running a data recovery company for six years, doing recoveries for some very high profile forensic cases. His specialty is working with damaged hard drives in forensic cases. And yes, he does have a clean room onsite! Company name: Forensic Strategy Services, LLC. www.MyHardDriveDied.com, www.ForensicStrategy.com


honeyM: A Framework For Virtual Mobile Device Honeyclients

K. Navas, D. Brasefield, and N. Grunzweig (Cadets, US Military Academy); T. OConnor (Faculty Advisor, US Military Academy)

This talk will discuss an implementation of a honeyclient framework for mobile devices. In wireless environments, honeypots typically mimic access points or a single protocol of a device. The authors implemented a framework that can simultaneously imitate the WiFi, Bluetooth, and GPS behavior of multiple instances of different devices. This talk focuses on the challenges associated with accurately pretending to be somebody you are not and how honeyclients can contribute to the future of mobile device security.

The members of the above team are all cadets and faculty at the United States Military Academy, where in addition to studying wireless and mobile security they enjoy pulling guard duty, seeing who can count to the highest prime number, and building cow-patty tables of their favorite instructor's SSIDs. They are all one year from graduating the military academy and joining the fighting force.


Bluetooth Keyboards: Who Owns Your Keystrokes?

Michael Ossmann

Despite security concerns, Bluetooth keyboards continue to gain popularity. Apple now ships one with every new iMac. We'll look at weaknesses in the Bluetooth keyboard specification as well as variations among implementations. Special attention will be given to methods that can be used to assess target devices, and new tools for Bluetooth analysis, including over-the-air keylogging, will be demonstrated.

Michael Ossmann is a software radio freak who enjoys making and breaking wireless technologies. By day, he is a wireless security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce Boulder Laboratories in Colorado.


GSM: SRSLY?

Chris Paget and Karsten Nohl

The world's most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network-to-handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that *really* wanted to talk to us, it all came as a surprise -- stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.

Chris Paget's technical focus is on systems analysis, analogue design, and microcontrollers. His recent work has concentrated on RFID technologies such as Prox, EPC Gen2 and EMV; he was the lead designer on the ProxPick. Chris is a regular presenter at Defcon, Shmoocon, and Black Hat.

Leading H4RDW4RE's Berlin research laboratory, Karsten Nohl's particular expertise is in cryptography and smart-card security. His recent work includes reverse-engineering and cryptanalysing MiFare, Legic, and other security-centric silicon. Karsten is a regular presenter at the CCC and as many other security conferences as he has time for.


Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals.

Larry Pesce and Mick Douglas

In recent news stories, we've been presented with the arrests of several individuals for stealing identities that they allegedly acquired over P2P networks. Combining this with corporate data leakage via P2P networks, we put on our thinking caps and tried to see how hard it really was. What we found was astounding. We'll share with you our methodologies for evil searches, tools and the results of our findings with real worked examples. We'll show you how to add P2P into your information gathering and recon program, as well as a tool for detecting information leakage in your organization.

A hardware hacker and penetration tester, Larry Pesce is also a Security Evangelist and co-host for the PaulDotCom Security Weekly podcast at www.pauldotcom.com. Larry is also an author with Syngress publishing.

While Mick Douglas enjoys and actively participates in penetration testing, his true passion is defense -- tweaking existing networks, systems, and applications to keep the bad guys out. In addition to his technical work, Mick jumps at every chance to participate in a social engineering engagement.


WLCCP - Analysis of a Potentially Flawed Protocol

Enno Rey & Oliver Roeschke

The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. One prominent example is Cisco's Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management, and still deployed in a number of corporate networks. The proprietary "Wireless LAN Context Control Protocol" (WLCCP) plays a major role here. Unfortunately it seems the design of the protocol might be debatable in several aspects, leading to some theoretical and, well, practical vulnerabilities. In this talk we will describe the inner workings of this piece, dissect the vulnerable parts and have some discussion on good or bad protocol design. As usual, some demos will add spice and some code will be released.

Oliver and Enno are long time network geeks who love to explore protocols and to break flawed ones.


The Splendiferous Story of Archive Team and the Rapidly Disappearing Digital Heritage

Jason Scott

The Splendiferous Story of Archive Team and the Rapidly Disappearing Digital Heritage is a fast-paced, context-heavy, hilarious yet intense overview of ways in which digital history has been lost, how it might be saved, and what it all means. It is a manifesto and a narrative about work being done on many quarters by a ragtag bunch of volunteers to gather and contain various lost sites, as well as a fist-waving rant about the downward spiral of over-reliance on the idea of the Cloud and the forfeiting of digital identity to parties truly unknown. Archive Team mascot Jason Scott will cover what's being done, how it's being done, and what you can do to help.

Jason Scott is a full-time computer historian dedicated to saving the stories, data and artifacts of bygone technology. Besides TEXTFILES.COM, his collection of BBS-era data and software, he also has filmed documentaries and acquired thousands of magazines and writes an awful lot of stuff at ascii.textfiles.com. He is also popular on twitter, but is overshadowed by his cat Sockington, who has a million and a half followers. Poor Jason.


Blackberry Mobile Spyware - The Monkey Steals the Berries

Tyler Shields

Spyware has become a primary tool used in the capture of personal and private data. Surreptitiously installed on the computing system of a target victim, spyware can capture, log, monitor, and exfiltrate any data that the spyware owner desires. Your phone holds all of the same personal information as your computer, only in a smaller form factor. While a number of "vendors" sell Blackberry spyware, until now only a limited number of public code examples exist. Real-time capture of SMS messages, emails, and phone call logs is a fraction of the features to be presented. Full source code to the spyware will also be released. Definition of the potential risk and threat involved in mobile-related spyware is a requirement for the implementation of security mechanisms. A fully functional reference code has yet to be presented and released that can be used in a positive manner. Until now only shady web sites selling compiled versions of spyware code for $100 or more a copy exist. This is a future-looking presentation that will help others learn about the security of their personal data in the time of mobile devices.

Tyler Shields is a Senior Researcher for the Veracode Research Lab whose responsibilities include understanding and examining interesting and relevant security and attack methods for integration into the Veracode product offerings. In the past, Tyler has worked as a consultant for both @Stake and Symantec, delivering security assessments to fortune 500 companies, major financial institutions, institutions of higher education, and the highest levels of the U.S. government. Tyler has presented at major industry conferences including H.O.P.E and SOURCE Boston and released numerous security advisories.


Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications

Michael Sutton

As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site, as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated, as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research at Zscaler, a Security-as-a-Service provider, Michael heads the research and development arm of the company. Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics, which was acquired by Hewlett-Packard in 2007. Previously, Michael was a Research Director at iDefense where he led iDefense Labs. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.


Build your own Predator UAV @ 99.95% Discount

Michael Weigand

Ever wished for your own Predator UAV drone so you can track that punk kid who keeps bashing your mailbox from the confines of your couch? Curious what war driving would be like from the eyes of an eagle? Lucky for you, cheap DIY drones have become a reality!

The presenter will introduce the current state of open source/open hardware UAV autopilots and then reveal his very own complete UAV system. This system provides "over the hill" capabilities through an intuitive interface that allows operators to fly different payloads autonomously overhead for cheap and with nearly no training. A demo mission scenario will be presented with video.

Michael Weigand has been breaking things and causing trouble since childhood... So he decided to make a career of it! He is currently studying computer science and military art at the United States Military Academy (West Point), with the goal of becoming an Army officer. He spends most of his free time racing sailboats, listening to trance, and working on crazy homebrews he thinks are applicable to the military.


Learning by Breaking: A New Project for Insecure Web Applications

Doug Wilson

The idea of creating web applications with intentional vulnerabilities is nothing new. It seems that everyone created at least one such application around the turn of the millennium. The problem is, most of those applications haven't been updated since then. In addition to being dated, these applications are largely closed source, can be complicated to set up, and often conflict with one another. In an effort to address these issues, this talk will describe the release of a new, completely free, virtual machine running a variety of open source, vulnerable web applications. This virtual machine is ideally suited for use as both a training environment and as a testbed for experimenting with web application and source code analysis tools and techniques.

Doug Wilson started into formal IT work at a web hosting startup in 1999, and has been "the security guy" everywhere he's been employed since then. Doug firmly believes that Washington DC should have the best security community in the US, if not the planet. To that end, he is the coordinator of the monthly CapSec DC happy hour, co-chair of OWASP DC, and was one of the organizers of the AppSec DC 2009 Conference. When not volunteering for far too many things, Doug works as a Principal Consultant for MANDIANT finding evil and solving crime.