ShmooCon and The Shmoo Group are pleased to announce that this year’s keynote address will be given by Edward W. Felten.
Bio:
Edward W. Felten is a Professor of Computer Science and Public Affairs at Princeton University, and is the founding Director of Princeton’s Center for Information Technology Policy. His research interests include computer security and privacy, especially relating to media and consumer products; and technology law and policy. He has published about eighty papers in the research literature, and two books. His research on topics such as web security, copyright and copy protection, and electronic voting has been covered extensively in the popular press. His weblog, at freedom-to-tinker.com, is widely read for its commentary on technology, law, and policy.
He was the lead computer science expert witness for the Department of Justice in the Microsoft antitrust case, and he has testified in other important lawsuits. He has testified before the Senate Commerce Committee on digital television technology and regulation, and before the House Administration Committee on electronic voting. In 2004, Scientific American magazine named him to its list of fifty worldwide science and technology leaders.
SIPping your Network
Humberto J. Abdelnur, Radu State and Olivier Festor
In this talk we will briefly describe the state of the art in current VoIP attacks. This class of attacks may lead to the complete takedown of a VoIP network, remote eavesdropping, and even the penetration of an internal network. We will describe the fuzzing techniques inherent in KiF that allowed us to discover such vulnerabilities. Our tool is: 1) a generic syntax fuzzer and 2) the only stateful SIP fuzzer existing as of today, capable of performing advanced syntax, semantic and protocol-level fuzzing attacks. We will show SIP attacks and a demonstration of KiF.
Bio - Humberto J. Abdelnur
Humberto is Ph.D. student at INRIA Lorraine, working on security assessment for VoIP services; fuzzing and fingerprinting.
Bio - Radu State
Radu is a Ph.D. senior researcher at INRIA Lorraine whose main research activities are Network and Service Management and VoIP Security Monitoring and Assessment.
Bio - Olivier Festor
Olivier is a Ph.D research director at INRIA Lorraine, where he leads the MADYNES research team on distributed network, security and service management.
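The abstract distinguishes syntax-level mutation from stateful (protocol-level) fuzzing. The following added example, which is not KiF's code, shows the shape of that combination: a dialog state machine that walks INVITE, ACK and BYE, applies a handful of syntax and semantic mutators to the request that is valid in each state, and then sends a clean request to move the dialog forward. The target is a deliberately strict in-process SIP parser standing in for the wire; the mutators, the state machine and the parser are all assumptions made for this illustration.

```python
"""Stateful SIP fuzz-case generator run against a toy in-process parser.

Added illustration, not KiF's code. The dialog state machine, the five
mutators and the strict target parser are assumptions made for the example;
on a real target send() would write to a UDP socket and read the status line.
"""
import random
import re

CRLF = "\r\n"
# Request the fuzzer sends in each dialog state: INVITE -> ACK -> BYE.
NEXT_METHOD = {"INIT": "INVITE", "EARLY": "ACK", "CONFIRMED": "BYE"}
SINGLETON = ("from", "to", "call-id", "cseq", "content-length")
REQUIRED = ("via",) + SINGLETON


def new_dialog(rng):
    """Fresh dialog identifiers; the To-tag is learned from the 200 OK later."""
    return {"call_id": "%016x" % rng.getrandbits(64), "from_tag": "%08x" % rng.getrandbits(32),
            "branch": "%012x" % rng.getrandbits(48), "cseq": 1, "to_tag": None}


def build_request(method, dialog):
    """Render one SIP request from the dialog state (RFC 3261 framing)."""
    to = "To: <sip:target@192.0.2.20>" + (";tag=" + dialog["to_tag"] if dialog["to_tag"] else "")
    headers = [
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK" + dialog["branch"],
        "From: <sip:fuzzer@192.0.2.10>;tag=" + dialog["from_tag"],
        to,
        "Call-ID: " + dialog["call_id"],
        "CSeq: %d %s" % (dialog["cseq"], method),
        "Max-Forwards: 70",
        "Content-Length: 0",
    ]
    return method + " sip:target@192.0.2.20 SIP/2.0" + CRLF + CRLF.join(headers) + CRLF + CRLF


# Syntax-level (framing, length, numeric range) and semantic-level (duplicate
# singleton header, format string) mutations of an otherwise valid request.
MUTATORS = {
    "long_branch": lambda m: m.replace("z9hG4bK", "z9hG4bK" + "A" * 4096, 1),
    "cseq_overflow": lambda m: re.sub(r"CSeq: \d+", "CSeq: 4294967296", m, count=1),
    "drop_crlf": lambda m: m.replace(CRLF + "Call-ID", " Call-ID", 1),
    "format_string": lambda m: m.replace("sip:target", "sip:%s%n%x", 1),
    "dup_length": lambda m: m.replace("Content-Length: 0",
                                      "Content-Length: 0" + CRLF + "Content-Length: 65535", 1),
}


def parse_request(raw):
    """Toy target: a strict SIP request parser that raises ValueError on malformed input."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("bad header line")
        name, value = name.strip().lower(), value.strip()
        if len(value) > 1024:
            raise ValueError("header value too long")
        if name in headers and name in SINGLETON:
            raise ValueError("duplicate " + name)
        headers[name] = value
    for name in REQUIRED:
        if name not in headers:
            raise ValueError("missing " + name)
    seq, _, cseq_method = headers["cseq"].partition(" ")
    if not seq.isdigit() or int(seq) >= 2 ** 32 or cseq_method != parts[0]:
        raise ValueError("bad CSeq")
    if int(headers["content-length"]) != len(body):
        raise ValueError("Content-Length mismatch")
    return parts[0], headers


def send(raw):
    """Stand-in for the wire: hand the request to the toy parser, return (status, reason)."""
    try:
        method, _ = parse_request(raw)
    except ValueError as exc:
        return 400, str(exc)
    return (None, "") if method == "ACK" else (200, "")   # ACK is never answered


def run_campaign(seed=1):
    """Walk INIT -> EARLY -> CONFIRMED -> TERMINATED, fuzzing each request on the way.
    Returns (state, method, mutator, outcome) tuples."""
    rng = random.Random(seed)
    dialog, state, log = new_dialog(rng), "INIT", []
    while state in NEXT_METHOD:
        method = NEXT_METHOD[state]
        clean = build_request(method, dialog)
        for name, mutate in MUTATORS.items():
            status, why = send(mutate(clean))
            log.append((state, method, name, "accepted" if status != 400 else "rejected: " + why))
        status, _ = send(clean)          # the clean request is what moves the dialog forward
        log.append((state, method, "clean", "accepted" if status != 400 else "rejected"))
        if method == "INVITE" and status == 200:
            dialog["to_tag"] = "%08x" % rng.getrandbits(32)   # would be read from the 200 OK
            state = "EARLY"
        elif method == "ACK":
            dialog["cseq"] += 1          # BYE starts a new transaction in the same dialog
            state = "CONFIRMED"
        elif method == "BYE" and status == 200:
            state = "TERMINATED"
        else:
            break                        # target refused the clean request; stop, do not spin
    return log
```

Reading the campaign log, a "rejected" entry means the parser did its job; the entries worth a debugger are the mutants the target accepted (here the format-string URI), because those payloads have passed the parser and reached application logic, and the state they were accepted in tells you which code path handled them.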
Vulncatcher: Fun with VTRACE and Programmatic Debugging
atlas
Many hours are spent researching vulnerabilities in proprietary and open source software for each bug found. Many indicators of potential vulnerabilities are visible both in the disassembly and debugging, if you know what to look for. How much can be automated? VulnCatcher illustrates the power of programmatic debugging using the VTRACE libraries for cross-platform debugging.
Bio:
atlas is an average joe who spends his time learning new ways to make computer systems dance. When he's not slicing and dicing windows and unix binaries, he's writing tools to make vulnerability research simpler and more enjoyable. His hobbies include deadlisting (opcode disassembly), vulnerability research, and lately he's been working on processor emulation and kernel-mode internals. atlas leads the capture-the-flag team, 1@stplace, who recently won back-to-back victories at defcon, which he blames on his teammates. "I surround myself with brilliant people," he quips.
They’re Hacking Our Clients! Why Are We Focusing Only on the Servers?
Jay Beale
In the face of far stronger firewall and IPS-protected perimeters, attackers are compromising far more systems by hacking our web browsers, e-mail clients, and office document tools. Unfortunately, vulnerability assessment practices still focus on checking listening services, even on workstations. Detecting vulnerable clients is left for patch management tools, which aren’t in consistent or wide enough use. Even when organizations are able to invest the time and money in a patch management system, a series of critical problems keeps the botnet builders in business. This talk, by Bastille UNIX creator and Intelguardians co-founder Jay Beale, introduces free tools to detect vulnerable clients and keep them out of the botnets.
Bio:
Jay Beale created two well-known security tools, Bastille UNIX and the CIS Unix Scoring Tool, both of which are used throughout industry and government, and has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and an author/editor on nine books, including those in his Open Source Security Series and the "Stealing the Network" series. Jay is a security consultant and managing partner at Intelguardians, where he gets to work with brilliant people on topics ranging from application penetration to virtual machine escape.
When Lawyers Attack! - Dealing with the New Rules of Electronic Discovery
John Benson, Esq.
The legal community is slowly accepting that the changes to the Federal rules which change the law’s approach to electronic evidence are not going away. Vendors are clamoring to sell their e-discovery "solutions" to law firms and corporations alike, often taking advantage of the uncertainty that comes with such sweeping changes to the law.
The changes to the Federal Rules change the way in which organizations approach their data much in the same way Sarbanes-Oxley has over the past few years. Instead of merely creating compliance headaches for security professionals, however, these changes take data security out of the hands of those charged to protect it and spread data to the wind.
This talk outlines how the electronic discovery process works, why it is costing corporations millions of dollars (but doesn’t have to) and will empower attendees with the knowledge they need to deal with the new legal environment.
Bio:
Specializing in electronic discovery, John Benson (jur1st) is a consultant at a prestigious midwestern law firm. In addition to the work he does for clients, he is the chairman of the Kansas City Metropolitan Bar Association Computer Law and Technology Committee, adjunct professor at the Colorado Technical University and never ceases to be amazed at the rift that exists between the worlds of law and technology.
TL1 Device Security
Rachel K. Bicknell
Every SONET, TDM and optical device manufacturer uses the TL1 language as its management protocol for controlling telecommunication devices. This presentation will discuss what TL1 is, why TL1 devices need to be secured, how they can be secured to minimize risk, and tools one can use for management and security of TL1 devices.
Bio:
Rachel K. Bicknell is a Senior Network Engineer at Emdeon Business Services in Memphis, Tennessee. She has worked for various telecom and network related companies, including Switch and Data, Akamai and AboveNet. In her spare time she does volunteer work for the Memphis Pug Rescue.
Active 802.11 fingerprinting: gibberish and “secret handshakes” to know your AP
Sergey Bratus, Cory Cornelius and Daniel Peebles
Wireless devices that speak 802.11b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences can suffice to distinguish between APs and other devices from different vendors, and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore “noisy”, but works without either establishing or observing established associations. Our tool can be used as a prelude to any other interaction with an AP when one wants to ensure that it is what it claims to be. It will be useful when one does not trust the suspicious AP (or one’s own driver/OS) enough even to engage in a cryptographic exchange to authenticate it.
Bio - Sergey Bratus
Sergey Bratus is a post-doc research associate at the Institute for Security Technology Studies at Dartmouth College. His research is mostly related to application of various mathematical techniques to log and traffic analysis, and other security topics. Before that, he worked on systems and algorithms for extracting information from natural language at BBN Technologies.
Bio - Cory Cornelius:
Cory Cornelius is a recent graduate of Dartmouth College. Cory became interested in reverse engineering and security by way of emulating Blizzard’s Battle.net. He now works for ISTS on various projects related to security and privacy, and is planning to attend graduate school.
Bio - Daniel Peebles:
Daniel Peebles graduated from Dartmouth College in June 2007. He is an active member of the iPhone developer team and was a central contributor to the current jailbreak technique. He currently works for the Institute for Security Technology Studies at Dartmouth on various security projects.
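The abstract's method rests on two pieces: building management frames that are non-standard in controlled ways, and recording how each target answers them. The following added example, which is not the Dartmouth tool, builds five probe-request variants (a clean one, an oversize SSID, a TLV whose claimed length runs past the frame, a missing mandatory element, and a reserved element ID), parses responses without ever trusting an element's length field, and scores the observed answer/silence pattern and IE ordering against a signature table. The two simulated AP stacks, the signature table and the MAC addresses are constructed for the example; on the air, answer_probe() is a radio and a sniffer.

```python
"""Malformed 802.11 probe requests as an active AP fingerprint.

Added example, not the Dartmouth tool. Frame layouts follow the IEEE 802.11
management-frame format; the five probe variants, the two simulated AP stacks,
the signature table and the addresses are assumptions constructed so the
example runs offline.
"""
import struct

BCAST = b"\xff" * 6
OUR_MAC = bytes.fromhex("020000000001")          # locally administered, made up
AP_MAC = bytes.fromhex("020000000002")
RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
VARIANTS = ("standard", "oversize_ssid", "truncated_ie", "no_rates", "reserved_ie")


def mgmt_header(subtype, da, sa, bssid, seq=0):
    """24-byte management header: frame control (type 0), duration, addr1-3, sequence control."""
    fc = (subtype << 4) | (0 << 2) | 0            # subtype, type=management, version 0
    return struct.pack("<HH6s6s6sH", fc, 0, da, sa, bssid, seq << 4)


def ie(eid, payload, claimed_len=None):
    """Information element TLV; a claimed_len that disagrees with the payload breaks it."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("BB", eid, length) + payload


def probe_request(variant, seq=0):
    """Probe request (subtype 4) carrying one of the fingerprinting variants."""
    if variant == "standard":
        body = ie(0, b"") + ie(1, RATES)            # wildcard SSID + supported rates
    elif variant == "oversize_ssid":
        body = ie(0, b"A" * 33) + ie(1, RATES)      # SSID one byte over the 32-byte limit
    elif variant == "truncated_ie":
        body = ie(0, b"") + ie(1, RATES[:2], claimed_len=8)   # TLV runs past the frame
    elif variant == "no_rates":
        body = ie(0, b"")                          # mandatory Supported Rates omitted
    elif variant == "reserved_ie":
        body = ie(0, b"") + ie(1, RATES) + ie(0xFE, b"\x00" * 4)   # element id 254
    else:
        raise ValueError(variant)
    return mgmt_header(4, BCAST, OUR_MAC, BCAST, seq) + body


def parse_ies(frame, fixed=0):
    """Walk the IE TLVs after the header (+fixed fields). Returns ([(id, payload)], anomaly)
    and never reads past the end of the buffer, whatever the length bytes claim."""
    body = frame[24 + fixed:]
    elems, pos = [], 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        if pos + 2 + length > len(body):
            return elems, "truncated element %d" % eid
        elems.append((eid, body[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return elems, None if pos == len(body) else "dangling byte"


def probe_response(order):
    """Probe response (subtype 5): 12 bytes of fixed fields, then IEs in the given order."""
    payloads = {0: b"lab", 1: RATES, 3: b"\x06"}  # SSID, rates, DS parameter (channel 6)
    body = b"".join(ie(e, payloads[e]) for e in order)
    return mgmt_header(5, OUR_MAC, AP_MAC, AP_MAC) + b"\x00" * 12 + body


def answer_probe(stack, probe):
    """Two constructed AP stacks: 'strict' validates the request, 'lenient' answers anything
    it can pull an SSID out of, and orders its IEs differently."""
    elems, anomaly = parse_ies(probe)
    ids = [e for e, _ in elems]
    ssid = next((p for e, p in elems if e == 0), None)
    if stack == "strict":
        if anomaly or ssid is None or len(ssid) > 32 or 1 not in ids:
            return None
        return probe_response((0, 1, 3))
    return probe_response((0, 3, 1)) if ssid is not None else None


# Per-variant expected outcome ("answered"/"silent", IE order) for two pretend vendors.
SIGNATURES = {
    "vendorA": {"standard": ("answered", (0, 1, 3)), "oversize_ssid": ("silent", ()),
                "truncated_ie": ("silent", ()), "no_rates": ("silent", ()),
                "reserved_ie": ("answered", (0, 1, 3))},
    "vendorB": {v: ("answered", (0, 3, 1)) for v in VARIANTS},
}


def observe(resp):
    if resp is None:
        return ("silent", ())
    elems, _ = parse_ies(resp, fixed=12)
    return ("answered", tuple(e for e, _ in elems))


def collect(stack):
    """Send every variant and record how the target answered."""
    return {v: observe(answer_probe(stack, probe_request(v, seq=i))) for i, v in enumerate(VARIANTS)}


def fingerprint(observed):
    """Best-matching signature and how many of the variants agreed with it."""
    scores = {name: sum(sig[v] == observed[v] for v in observed) for name, sig in SIGNATURES.items()}
    best = max(scores, key=scores.get)
    return best, scores[best], len(observed)
```

Two practical points the code makes explicit: the prober's own parser must bound every read by the buffer, since a hostile AP can answer a malformed probe with a malformed response; and a signature is only as good as the number of variants that separate the candidates, so report the match count alongside the best vendor rather than a bare name.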
Climbing EVEREST: An inside look at voting systems used by the State of Ohio
Sandy Clark, Matt Blaze, Eric Cronin, Gaurav Shah, Micah Sherr, Pavol Cerny, Adam Aviv
Hanging Chads, Hopping votes, Flipped votes, Tripled votes, Missing memory cards, Machine malfunctions, Software glitches, Undervotes, Overvotes. Reports of voting machine failures flooded the news after the last elections and left most voters wondering "Does my vote really count?" "Can these electronic voting machines be trusted?" "How secure are my state’s voting systems?" We just finished an in-depth source code and hardware analysis of all the voting systems used by the state of Ohio. Come find out what we learned, and draw your own conclusions.
Bio - Sandy Clark
Sandy (Mouse) has been taking things apart since the age of two, and still hasn’t learned to put them back together. Luckily, in the University of Pennsylvania’s Distributed Systems Lab, this behavior is actively encouraged. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao and infrastructure hacking. Her research explores human scale security and the unexpected ways that systems interact.
Bio - Matt Blaze
Matt is an associate professor of computer and information sciences and director of the Trusted Network Eavesdropping and Countermeasures project at the University of Pennsylvania. His research interests include secure systems, cryptology and cryptographic protocols, and large-scale systems.
Bio - Eric Cronin
Eric is a Ph.D. candidate in computer and information sciences at the University of Pennsylvania. A longtime member of the hacker community, his research interests include network security, privacy, and distributed systems.
Bio - Gaurav Shah
Gaurav is a Ph.D. candidate in computer and information sciences at the University of Pennsylvania. His research interests include covert channels, network security and distributed systems. His work on Keyboards and Covert Channels won Best Student Paper at Usenix Security Symposium 2006.
Bio - Micah Sherr
Micah is a PhD Candidate in the Department of Computer and Information Science at the University of Pennsylvania. His academic interests include anonymity, e-voting security, and eavesdropping and wiretap systems.
Bio - Pavol Cerny
Pavol is a PhD student at the University of Pennsylvania. His research interests include algorithmic verification of confidentiality and other security properties. He graduated from ENS Paris in 2003.
Bio - Adam Aviv
Adam is a PhD student at the University of Pennsylvania. He received his undergraduate degree from Columbia University.
Path X: Explosive Security Testing Tools Using XPath
Andre Gironda, Marcin Wielgoszewski and Tom Stracener
This talk will cover what XPath is, how it is used to parse XML in web applications in order to aid security testing tools, and why XPath expressions are good locators in comparison to other methods such as DOM or CSS selectors. The presenters will attempt to demonstrate how XPath can be used for good instead of being targeted with injection or blind XPath injection attacks.
The TS/SCI Security team members Andre Gironda and Marcin Wielgoszewski bring you current and highly relevant information on attacking and defending modern applications with only the best security tools. Andre has worked for a number of companies in security roles, including labs deep within Cisco Systems and many years at a major online auction site. Marcin is a recent graduate in Network Security entering the world of application assessments.
Bio - Andre Gironda
Andre is a prominent member of the TS/SCI Security team. His recent contributions include the OWASP Evaluation And Certification Criteria and speaking engagements on topics ranging from security in the SDLC to problems with trusting the same-origin policy. Andre has worked for a number of companies in security-qa-developer or network testing roles, including labs deep within Cisco Systems and many years in an operations role at a major online auction site.
Bio - Marcin Wielgoszewski
Marcin founded tssci-security.com back in 2006, a team of researchers interested in web application security, trusted systems, software security and information security assurance. Team TSSCI applies Orange and Red Book (TCSEC) concepts to modern day computer security problems. Marcin participated in ShmooCon Labs last year and in the past has worked for Fortune 50 companies and defense contractors. He is currently working as a security consultant in the New England area.
Bio - Tom Stracener
Tom has been involved in security for 10 years, and is the co-founder of nCircle Network Security. In an industry dominated by vanity and hype he tries to do real research that benefits the community. Tom has spoken at Defcon/Blackhat and over 200 major security conferences and events in the last 3 years, including RSA and CSI, you name it. His hat is white. He is also the co-founder of the ORB Group: www.reversebenchmarking.com. Tom is currently working for Cenzic Inc. as the Sr. Security Analyst.
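The two halves of the abstract, XPath as a locator inside a testing tool and XPath as an injection target, fit in one short example. This is added code, not the presenters' tooling. The locator half enumerates forms and inputs from a constructed XHTML page with the XPath subset built into xml.etree.ElementTree; the injection half builds the query strings a full XPath 1.0 engine (lxml, a browser's document.evaluate) would run, and shows the literal-encoding helper that keeps untrusted input from closing a quote, since XPath 1.0 has no escape character.

```python
"""XPath as a locator for a security-testing tool, and literal encoding against XPath injection.

Added example, not the presenters' tooling. The XHTML page is constructed; the
locator half uses the XPath subset in xml.etree.ElementTree, while the predicate
strings from login_query_* need a full XPath 1.0 engine to evaluate and are only built here.
"""
import xml.etree.ElementTree as ET

PAGE = """<html><body>
<form id="login" action="/login" method="post">
  <input type="text" name="user"/>
  <input type="password" name="pass"/>
  <input type="hidden" name="csrf" value="abc123"/>
  <button type="submit">Go</button>
</form>
<form id="search" action="/find" method="get">
  <input type="text" name="q"/>
</form>
</body></html>"""


def enumerate_forms(xhtml):
    """Locate every form and its named inputs by XPath, as a scanner would before replaying them.
    Locating by attribute (@name, @type) survives layout changes that break positional selectors."""
    root = ET.fromstring(xhtml)
    forms = []
    for form in root.iterfind(".//form"):
        fields = {i.get("name"): i.get("value", "") for i in form.iterfind(".//input[@name]")}
        hidden = [i.get("name") for i in form.iterfind(".//input[@type='hidden']")]
        forms.append({"id": form.get("id"), "action": form.get("action"),
                      "method": form.get("method", "get").lower(), "fields": fields, "hidden": hidden})
    return forms


def xpath_literal(value):
    """Encode untrusted text as an XPath 1.0 string literal. XPath has no escape character,
    so a value holding both quote kinds is spliced together with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    return "concat(%s)" % ", \"'\", ".join("'%s'" % part for part in value.split("'"))


def login_query_unsafe(user, pw):
    """The pattern XPath injection targets: user = "' or '1'='1" rewrites the predicate."""
    return "//user[name='%s' and password='%s']" % (user, pw)


def login_query_safe(user, pw):
    """Same query with both inputs confined to string literals."""
    return "//user[name=%s and password=%s]" % (xpath_literal(user), xpath_literal(pw))
```

Where the engine supports XPath variables (lxml's `xpath(expr, name=value)` does), binding the input as a variable is simpler still and the literal helper is unnecessary; the helper is for engines that only take a finished expression string.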
Got Citrix? Hack It!
Shanit Gupta
Citrix is a widely used remote desktop application utilized in many major corporations around the world. In addition to offering the typical benefits of RDP and Microsoft Terminal Services, it is capable of sandboxing and restricting the applications that can be executed by the user. Unfortunately, oftentimes the Citrix environment can introduce a false sense of security within organizations. There are several ways to circumvent security controls within the Citrix framework and many system administrators are not aware of these attacks. During this presentation, we’ll demonstrate ways in which to compromise the Citrix environment using multiple attack vectors. Then we’ll show you the corresponding remediation strategies.
Bio:
Shanit Gupta is a Senior Consultant at Foundstone. At Foundstone, Shanit is responsible for creating and delivering the threat modeling and application security service lines. Shanit is also responsible for the design, development and release of free tools offered by Foundstone.
A Hacker Looks Past 50
G. Mark Hardy
"But wait... there’s MORE!" Last year, G. Mark provided an entertaining look at hacking in the 1970’s. He only got through half his material. Enjoy more stories, like the time he "accidentally" switched the FORTRAN and PASCAL compilers on the university mainframe the night before a major programming assignment was due, and other adventures probably best not committed to print. Again, the people and principles haven’t changed, only the speed of the toys. Even more cool swag give-aways than last year.
Bio:
G. Mark Hardy, CISSP, CISM, CISA, founded National Security Corporation in 1988. Since his first legitimate computer security job in 1976 for $2.10/hour, he has presented several hundred talks on information security. A perennial speaker at major security conferences, US and international, he’s popular for his entertaining and informative style.
Intercepting Mobile Phone/GSM traffic
David Hulton
This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for $900. The second part of the talk explains a practical solution for how to crack a GSM key. Comments: We may possibly present a couple of quick demos of our A5/1 rainbow table in action, which is arguably the largest rainbow table ever generated (2**58), or passively monitoring GSM using the USRP board if the law permits it.
Bio:
David Hulton is the Director of Security Applications at Pico Computing, Inc by day and the Chairman of ToorCon by night. He spends most of his work and free time using FPGAs to break many of the different crypto algorithms out there and researching new technologies to pwn your Mom’s computer.
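The rainbow table in the abstract indexes A5/1 by its 64-bit internal state: known plaintext XOR ciphertext yields keystream, the table maps a keystream prefix back to the generator state that produced it, and that state (not the key directly) is what the lookup recovers. The following added example, which is not Hulton's table generator or hardware, implements the A5/1 generator from its published description (three LFSRs, majority clocking, key and frame loaded LSB first) and a toy table to show that relation end to end. The key, frame number, table size and the "known plaintext" burst are constructed for the example.

```python
"""A5/1 keystream generation and the state-recovery relation a rainbow table exploits.

Added example, not Hulton's table generator or hardware. Register sizes, taps,
clocking bits and the key/frame loading order follow the published A5/1
description. The key, frame number and the tiny lookup table are constructed.
"""
import random

R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22-, 23-bit registers
R1MID, R2MID, R3MID = 0x000100, 0x000400, 0x000400      # clocking bits 8, 10, 10
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1OUT, R2OUT, R3OUT = 0x040000, 0x200000, 0x400000      # most significant bits


def parity(x):
    return bin(x).count("1") & 1


def step(reg, mask, taps):
    """Clock one LFSR: shift left, feed the parity of the tapped bits into bit 0."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    """A5/1 generator. The state after __init__ is the 64-bit value the attack recovers."""

    def __init__(self, key, frame):
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                  # load the 64-bit Kc, all registers clocked
            self._clock_all((key[i >> 3] >> (i & 7)) & 1)
        for i in range(22):                  # then the 22-bit frame number
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                 # 100 majority-clocked steps, output discarded
            self.clock()

    def _clock_all(self, inbit):
        self.r1 = step(self.r1, R1MASK, R1TAPS) ^ inbit
        self.r2 = step(self.r2, R2MASK, R2TAPS) ^ inbit
        self.r3 = step(self.r3, R3MASK, R3TAPS) ^ inbit

    def clock(self):
        """Irregular clocking: a register advances only if its clocking bit is in the majority."""
        b1, b2, b3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = step(self.r3, R3MASK, R3TAPS)

    def keystream(self, nbits):
        """nbits of keystream as an integer, first bit most significant."""
        out = 0
        for _ in range(nbits):
            self.clock()
            bit = parity(self.r1 & R1OUT) ^ parity(self.r2 & R2OUT) ^ parity(self.r3 & R3OUT)
            out = (out << 1) | bit
        return out

    @property
    def state(self):
        return (self.r1 << 45) | (self.r2 << 23) | self.r3

    @classmethod
    def from_state(cls, state):
        """Resume from a bare 64-bit state, the view a table-lookup attack works in."""
        gen = cls.__new__(cls)
        gen.r1, gen.r2, gen.r3 = (state >> 45) & R1MASK, (state >> 23) & R2MASK, state & R3MASK
        return gen


def burst_keystream(key, frame):
    """The 228 bits GSM uses per frame: 114 for downlink, then 114 for uplink."""
    ks = A51(key, frame).keystream(228)
    return ks >> 114, ks & ((1 << 114) - 1)


def build_table(states, prefix_bits=64):
    """Stand-in for a rainbow table: keystream prefix -> generator state. A real table
    stores chain endpoints covering ~2**58 points instead of one entry per state."""
    return {A51.from_state(s).keystream(prefix_bits): s for s in states}


def recover_state(table, plain, cipher, total_bits=114, prefix_bits=64):
    """Known plaintext XOR ciphertext is keystream; look its leading bits up in the table."""
    ks = plain ^ cipher
    return table.get(ks >> (total_bits - prefix_bits))


def demo_recovery(key, frame, decoys=1000, seed=7):
    """Victim encrypts a known 114-bit burst; the attacker recovers the generator state from
    a table that happens to contain it among random decoy states."""
    rng = random.Random(seed)
    victim = A51(key, frame)
    target_state = victim.state
    plain = rng.getrandbits(114)              # constructed known plaintext
    cipher = plain ^ victim.keystream(114)
    table = build_table([rng.getrandbits(64) for _ in range(decoys)] + [target_state])
    return recover_state(table, plain, cipher) == target_state
```

The toy table stores one entry per state and so only ever finds states it was seeded with; the point of the 2**58 figure in the abstract is that chains let a table of that size answer lookups over a large fraction of the 2**64 state space for the cost of extra computation at lookup time.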
Why are Databases So Hard to Secure
Sheeri Kritzer Cabral
In "Why are Databases So Hard To Secure", noted DBA Sheeri Kritzer Cabral discusses how databases compare with other areas of security concern, including user/web applications, networks and operating systems. She shows the general risks to be concerned about with databases, as well as specific exploits for Oracle, MySQL, SQL Server, SQLite and Postgres databases. This "Break It!" session features many "Fix it!" tips, so the audience not only learns exploits but how to secure against them and assess risk values.
Bio:
Sheeri Kritzer Cabral has a master’s degree in computer science specializing in databases from Brandeis University and works as a MySQL and Oracle DBA for The Pythian Group. Unstoppable as a volunteer/activist since age 14, Cabral founded and organizes the Boston, Massachusetts, USA, MySQL User Group. She also is the treasurer of Technocation, Inc., a not-for-profit providing resources and educational grants for IT professionals.
Hacking Windows Vista
Dan Griffin
"Hacking Windows Vista" will demo various security tools I’ve been working on, addressing both attack and defense:
a. Smart cards - a tool for fuzz testing middleware
b. Crypto - a tool for adding new cipher support (my example uses Twofish) to Windows
c. Firewall - I’ll show why the default rule set for a new application is insecure, and a tool that fixes it
d. IPsec - I’ll show an IPv6-compatible command-line debugging tool which dumps out various negotiated parameters between two peers
Bio:
Dan Griffin is a software security consultant in Seattle, WA. He previously spent seven years at Microsoft on the Windows Security development team. A list of publications is available at http://www.jwsecure.com/articles.shtml.
Web Portals, Gateway to Information or a Hole in our Perimeter Defenses
Deral Heiland
If web portals can be used to aggregate information and resources from multiple locations and deliver them to users at a single point of access, could an attacker use these same functions and features to gain access to unauthorized internal systems? In this presentation we will explore using a web portal interface to query resources behind the firewall by tunneling requests through the portal services using cross-site-scripting (XSS)-like vulnerabilities.
Bio:
Deral Heiland, CISSP, serves as a Senior Information Security Analyst for a Fortune 500 company. In addition, Deral is the founder of Layered Defense Research and co-founder of the Ohio Information Security Forum, a non-profit organization focused on information security training and education. With over 15 years of work in the Information Technology field, Deral has held prior positions including: Senior Network Analyst, Network Administrator, Database Manager, and Financial Systems Manager.
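The portal feature the abstract describes, fetching a resource on the user's behalf from a host that sits inside the perimeter, is dangerous exactly because the portal resolves and connects with its own network position. The following added example, which is not code from the talk, puts the vulnerable handler next to a hardened destination check: scheme and port restrictions, a host allow-list, and a check on the address the name actually resolves to, after which the fetch goes to that checked address rather than re-resolving. The hostnames, addresses and stub resolver are constructed so it runs offline.

```python
"""Destination check for a portal feature that fetches a URL on the user's behalf.

Added example, not code from the talk. fetch_unsafe() is the pattern under
discussion; check_url() and fetch_checked() are the hardening. Hostnames,
addresses and the stub resolver are constructed; a real deployment resolves
with the system resolver and connects to the address it checked.
"""
import ipaddress
from urllib.parse import urlsplit

# Stand-in for DNS. The "public" address is an arbitrary routable one chosen for the example;
# the others are RFC 1918.
FAKE_DNS = {
    "news.example.com": "93.184.216.34",
    "intranet.corp.example": "10.1.2.3",
    "partner.example.net": "10.0.0.5",      # allow-listed name that now points inward
}
ALLOWED_HOSTS = {"news.example.com", "partner.example.net"}
ALLOWED_PORTS = {None, 80, 443}


def resolve(host):
    """Stub resolver; raises like a failed lookup would."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError("name not found: " + host)


def fetch_unsafe(url):
    """Vulnerable portal handler: whatever URL the user supplies is fetched from inside."""
    return ("GET", url)                        # stand-in for the real HTTP request


def is_public(addr):
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_reserved or addr.is_unspecified)


def check_url(url):
    """Return (True, resolved_address) or (False, reason). Checks scheme, host allow-list,
    port, and the address the host resolves to, in that order."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    try:
        host, port = parts.hostname, parts.port     # .port raises on 'http://h:abc/'
    except ValueError:
        return False, "bad port"
    if not host or host not in ALLOWED_HOSTS:      # also rejects literal IPs in any notation
        return False, "host not allow-listed"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        return False, "unresolvable"
    if not is_public(addr):
        return False, "resolves to non-public address %s" % addr
    return True, str(addr)


def fetch_checked(url):
    """Hardened handler: connect to the checked address and send the original Host header,
    so a second lookup between check and connect cannot change the destination."""
    ok, detail = check_url(url)
    if not ok:
        raise PermissionError(detail)
    parts = urlsplit(url)
    return ("GET", detail, parts.hostname, parts.path or "/")
```

The allow-list is the control that matters; the resolved-address check is there for the case the example's third entry models, an allow-listed name that later resolves to an internal address. Redirects need the same treatment: each Location the portal follows must go back through check_url() before it is fetched.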
Forced Internet Condom
Aaron Higbee and Jaime Fuentes
In a former life, Aaron Higbee and Jaime Fuentes served as network abuse administrators for national ISPs and advocated port filtering. Years later they’ve realized that their stance on ISP filtering was completely wrong and is damaging innovation.
This presentation is about our shrinking Internet and the slippery slope that started when the first ISP filtered port 25. The presentation will cover the history of port filtering, the current state of ISP filtering, and emerging trends in ISP traffic tampering. Presenters will show results for some national ISPs and see how they stack up.
Unfortunately security experts have given the bean counters at ISPs the ammunition needed to slowly reduce the Internet to port 80. The presentation will conclude with a plan to call out ISPs to disclose their filtering practices so consumers can have real information before committing to service. It will also highlight some grassroots projects aimed at Internet neutrality advocacy.
Bio - Aaron Higbee
Aaron Higbee is a Managing Partner and co-founder of the Intrepidus Group, a boutique information security consulting company that also developed phishme.com. He has over 10 years of information security experience with reputed companies like Foundstone, Lucent Technologies, and EarthLink. Seven of those years have been in information security consulting. Mr. Higbee speaks regularly about security and network abuse at conferences such as Las Vegas Black Hat, Defcon, and Hack-In-The-Box (HITB).
Bio - Jaime Fuentes
Jaime Fuentes, CISSP, is a Principal Consultant with the Intrepidus Group, specializing in network and application security. He has performed penetration tests and risk assessments for numerous Fortune 500 clients. Prior to joining Intrepidus Group’s professional services team, Jaime served as a Senior Consultant at Foundstone. Previously, he was Senior Security Engineer for Time Warner Cable. In this capacity, he became thoroughly acquainted with the tactics of spammers, hackers, and network abuse trends. Jaime is a Certified Information Systems Security Professional (CISSP) and has previously held a top secret clearance.
Hacking the Samurai Spirit
Isaac Mathis
This presentation hopes to shed some light into the not so well-known Japanese security scene. It will go over the culture differences, history, and mindset of the Japanese as it relates to Information Security.
Bio:
Isaac has been working with computer security and Japanese for the past thirteen years. He currently leads the security team of a Japanese company in Kobe, as well as engages in various other security-related affairs in Japan.
Virtual Worlds - Real Exploits
Charlie Miller and Dino Dai Zovi
Virtual worlds serve as a new way to deliver exploits to the masses. Besides traditional attacks, they also allow attackers to control the "avatars" of players, including being able to steal the player's virtual money and possessions. When there is a link between the virtual money and real money, this can be an easy way for an attacker to profit. This talk will address these issues and illustrate the technical details of a Second Life exploit.
Bio - Charlie Miller
Charlie Miller is Principal Analyst at Independent Security Evaluators. Previously, he spent five years at the National Security Agency. He is probably best known as the first to publicly create a remote exploit against the iPhone. He has a Ph.D. from the University of Notre Dame and has spoken at the Workshop on the Economics of Information Security, Black Hat, DEFCON, and ToorCon.
Bio - Dino Dai Zovi
Dino Dai Zovi is an information security professional, author, and independent researcher. His previous projects have included co-authoring the book "The Art of Software Security Testing", creating the Vitriol hardware virtualized rootkit for MacOS X on Intel processors, and the KARMA framework for wireless client-side penetration testing. He is perhaps best known in the security and mac communities for winning the Pwn-to-Own contest at CanSecWest 2007.
Flash Drives & Solid State Drives Data Recovery Comparison to Hard Drives: Animated!
Scott Moulton
ANIMATIONS Again! As we are all aware, solid state hard drives are going to overtake hard drives sooner rather than later. I am going to discuss a few new items in data recovery that I am working on with rebuilding solid state drives and flash USB memory sticks for data recovery. I have begun experimenting with flash drives by removing the chips and moving them to a new flash drive to recover the data. I am going to compare the processes we use with hard drives for recovery to flash and SSD and do it all animated as I did last year with hard drives. I know how you all love animations!
Bio:
Scott Moulton is the president of Forensic Strategy Services and began his forensic computer career after being the first person arrested for port scanning. One of his specialties is rebuilding hard drives for investigation purposes and he has rebuilt hard drives for several murder investigations. While testifying, Scott was questioned about forensic people having to maintain a PI license. He is currently combating computer forensics and security people having to be a PI.
Legal Issues for Botnet Researchers and Mitigators
Alexander Muentz
Botnet research, mitigation and the law. Botnets are not only a novel technical problem to be solved. While researchers and security professionals race to understand and counteract each new threat, the law and courts are slow to catch up.
Ironically, laws designed to protect individuals and organizations from computer criminals may ensnare botnet researchers and IT defenders. Could your research network or countermeasures expose you or your organization to criminal or civil liability?
US State and Federal law will be discussed, with an eye to current research and mitigation methods.
Bio:
Alex Muentz is both an IT professional and a practicing lawyer. A 2006 graduate of Temple University School of Law, he does his best to explain the idiosyncrasies of the law to his fellow geeks and technology to other lawyers.
He occasionally writes and presents about the intersection of law and technology. To make a living, he slaves away in the underbelly of the law, and is trying his hand at teaching undergraduates this year.
When he’s not working or blathering on, he tries to spend time with his wife, motorcycle and cats.
Practical Hacker Crypto
Simple Nomad
Encryption is one of those things everyone should be doing, and no one seems to be doing it. This talk looks at hacker deployments of encryption with an emphasis on anonymity and privacy. Topics covered will include encryption of files and file systems, covert channel communication, steganography, and a special WWDKD section (What Would Dan Kaminsky Do?) that will introduce a new crypto tool. We preach about encryption, so we should be doing it ourselves!
Bio:
Simple Nomad is a security researcher and architect, which means he is a hacker who got a job. He speaks on security and privacy topics at conferences around the globe, as well as entertaining the press via interviews in television, print, and online mediums. In addition to being one of the most attractive hackers on the planet, he did not write his own bio. Really. Seriously. Ok...fine, I did. So sue me.
New Countermeasures to the Bump Key Attack
Deviant Ollam
If you haven’t yet heard of the physical security risk known as "bump keying" there’s a good chance you’ve either been living under a rock or have no duties that involve oversight of facilities or infrastructure. In a short session, Deviant will cover the basics of the bump key threat and describe the techniques that hardware manufacturers and locksmiths are experimenting with to counter it. Some of these developments have real promise, others may just be smoke and mirrors... don’t invest in one of the wrong solutions that are being rolled out in the face of this highly-charged (and often misunderstood) security concern.
Bio:
While paying the bills as a network engineer and security consultant, Deviant Ollam’s first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology’s "Science, Technology, & Society" program, he is fascinated by the interplay between human values and developments in the technical world. A fanatical supporter of the philosophy that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at universities, conferences, and even the United States Military Academy at West Point.
VoIP Penetration Testing: Lessons Learned
Jason Ostrom and John Kindervag
This session will explore a Case Study of a successful VoIP penetration test. A publicly accessible hotel room phone was used to access a hotel corporation's network, and gain access to corporate records, CEO emails and financials. We will uncover lessons learned, discuss a specific VLAN attack against VoIP, and review mitigation controls and best practices for securing VoIP networks. We'll also detail an open source tool to help test VoIP systems for vulnerabilities, and enable remediation.
Bio - Jason Ostrom
Jason Ostrom is a Security Tester for Vigilar, Inc. Jason is a graduate of the University of Michigan, Ann Arbor. His previous work experience includes stints for International Network Services (INS) and NTT/Verio.
Bio - John Kindervag
John is a 20-year veteran of the high-technology world. He has been involved with a variety of engineering projects ranging from basic LAN networking to sophisticated microwave and satellite technology. Currently, Kindervag is the Senior Security Architect for Vigilar, Inc., where he helps corporations design secure networks. Additionally, he manages Vigilar’s Vulnerability Assessment and Compliance Practice. He has particular expertise in the areas of PCI Compliance, Wireless Security, Intrusion Prevention, and Application Security. Kindervag also speaks to security conventions, user groups and technology associations on various security topics. Kindervag is also an "Ask the Expert" for SearchSecurityChannel. Prior to joining Vigilar, Kindervag started the security practice for a Cisco Gold VAR, Flair Data Systems, where he was principal security consultant. Kindervag holds a Bachelor of Arts degree in Communications from the University of Iowa.
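The VLAN attack the abstract mentions comes down to frames: a device on the phone's jack that emits 802.1Q-tagged frames carrying the voice VLAN's ID is on the voice VLAN if the port accepts the tag. The following added example, which is not the presenters' tool, builds and decodes such frames and runs them through two models of an access port, the permissive one that honours any tag and a hardened one that admits the voice tag only from the phone the switch has learned. VLAN numbers and MAC addresses are constructed; obtaining the voice VLAN ID in the first place (the phone normally learns it from the switch) is outside the example.

```python
"""802.1Q-tagged frames and the access-port policy that stops a voice-VLAN hop.

Added example, not the presenters' tool. It builds the frame an attacker on a
hotel-room phone jack would inject, decodes it, and runs it through a
permissive and a hardened model of an access port. VLAN numbers and MAC
addresses are constructed for the example.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

DATA_VLAN, VOICE_VLAN = 10, 200
PHONE_MAC = bytes.fromhex("001122334455")       # MAC the switch learned from the real phone
LAPTOP_MAC = bytes.fromhex("0200deadbeef")      # attacker's NIC on the phone's jack
GATEWAY_MAC = bytes.fromhex("00aabbccddee")


def tagged_frame(dst, src, vlan, payload, pcp=5, ethertype=ETH_P_IP):
    """Ethernet II frame with one 802.1Q tag: dst, src, TPID 0x8100, TCI (PCP:3 DEI:1 VID:12), type."""
    if not 0 <= vlan <= 4095 or not 0 <= pcp <= 7:
        raise ValueError("bad VLAN id or priority")
    tci = (pcp << 13) | vlan
    return struct.pack("!6s6sHHH", dst, src, ETH_P_8021Q, tci, ethertype) + payload


def untagged_frame(dst, src, payload, ethertype=ETH_P_IP):
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def decode(frame):
    """Split a frame into addresses, optional tag fields, ethertype and payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": None,
            "ethertype": etype, "payload": frame[14:]}


def permissive_port(frame):
    """Port that trusts tags: untagged goes to the data VLAN, tagged goes wherever the tag says."""
    f = decode(frame)
    return ("forward", DATA_VLAN if f["vlan"] is None else f["vlan"])


def hardened_port(frame, phone_macs=(PHONE_MAC,)):
    """Port with a data VLAN and a voice VLAN only: a voice tag is accepted from a learned
    phone MAC, every other tag is dropped, and untagged traffic stays on the data VLAN."""
    f = decode(frame)
    if f["vlan"] is None:
        return ("forward", DATA_VLAN)
    if f["vlan"] == VOICE_VLAN and f["src"] in phone_macs:
        return ("forward", VOICE_VLAN)
    return ("drop", f["vlan"])


# Constructed traffic: the phone's own signalling and the attacker's hop attempt.
PHONE_FRAME = tagged_frame(GATEWAY_MAC, PHONE_MAC, VOICE_VLAN, b"SIP REGISTER ...")
ATTACK_FRAME = tagged_frame(GATEWAY_MAC, LAPTOP_MAC, VOICE_VLAN, b"scan of the voice VLAN")
DATA_FRAME = untagged_frame(GATEWAY_MAC, LAPTOP_MAC, b"ordinary guest traffic")
```

The MAC check in hardened_port() is one layer, not a fix on its own: the laptop can clone the phone's address. It belongs with port authentication and with keeping the voice VLAN off the phone's PC-side port, so that a tag from that jack has nothing to hop into.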
Baked not Fired: Performing an Unauthorized Phishing Awareness Exercise.
Syn Phishus
This talk will illustrate how, without getting fired, to perform an unauthorized internal phishing exercise within a large corporation to raise security awareness and demonstrate why processes need to change. The phishing attack was orchestrated to allow incident response to quickly determine the author and support the forensic investigation that followed. Phishing is easy; this is how to stand up and rock the boat hard while remaining on board.
Bio:
Syn Phishus, former punk, is a security professional whose past employer was too embarrassed to learn from its mistakes. He respects authority but asks many questions so that he can learn. Sometimes this gets him branded a maverick and laid-off, but it hasn’t gotten him fired (yet). Syn Phishus is a Certified Internal Secret Phishing Professional (CISPP) which is not an (ISC)2 trademark. His alter-ego has presented at MISTI and other security conferences.
On the Social Responsibility of Hackers
Panel: Bruce Potter (moderator), Simple Nomad, Johnny Long, Rick Dakan, TBD
What good is a hacker? Hell, what is a hacker? Over the years the hacker culture has evolved from a small group of "damn the man" information seekers to a large, diverse mass of individuals who have a demonstrable impact on society. At the same time, the world has come to rely on IT systems for daily life; everything from our electricity and sewage to transportation to education depends on the security and safety of computers world wide. But is securing these systems a "greater good" on par with feeding starving children and providing shelter to those out in the cold? Further, does the hacker and security community have a role in securing these systems?
This panel will examine the role of hackers and security professionals in today's society. By combining a grey beard, an historian, some first class defenders, and a few other odds and ends, we hope to figure out what some "greater good" problems are with respect to information security. We also hope to explore the evolving role of hackers and security professionals in society. This should be a fun and interesting way to end ShmooCon. At the very least, if you want to get the prizes in the closing remarks, you should sit through this panel first. :)
Bio - Bruce Potter
Bruce Potter is the founder of the Shmoo Group of security professionals, as well as the co-founder of Ponte Technologies, a company focused on deploying advanced defensive technologies. His areas of expertise include wireless security, network analysis, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders.
Bio - Simple Nomad
Simple Nomad is a security researcher and architect, which means he is a hacker who got a job. He speaks on security and privacy topics at conferences around the globe, as well as entertaining the press via interviews in television, print, and online mediums. In addition to being one of the most attractive hackers on the planet, he did not write his own bio. Really. Seriously. Ok...fine, I did. So sue me.
Bio - Johnny Long
Johnny Long is a professional hacker by trade, a pirate by blood, a ninja in training, a security researcher and author. He can be found lurking at his website (http://johnny.ihackstuff.com). Johnny is the founder of Hackers For Charity (http://ihackcharities.org), an organization that provides hackers with job experience while leveraging their skills for charities that need those skills.
Bio - Rick Dakan
Rick Dakan is the author of Geek Mafia and Geek Mafia: Mile Zero as well as the co-creator of the hit MMORPG, City of Heroes. He's spent the last two years studying and slowly being seduced by the hacker community and is working on two non-fiction books about privacy issues and an overview of hacker culture. For more of his ramblings, see rickdakan.com.
Malware Software Armoring Circumvention
Danny Quist and Valsmith
Software armoring techniques have increasingly created problems for reverse engineers and software security analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common, newer methods must be developed to cope with them. In this talk we will present our forensically sound debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from most software armoring systems.
Bio - Danny Quist
Bio - Valsmith
Valsmith has been involved in the computer security community and industry for over ten years. He currently works as a professional security researcher on problems for both the government and private sectors. He specializes in penetration testing (over 40,000 machines assessed), reverse engineering and malware research. Valsmith is a member of the Cult of the Dead Cow Ninja Strike Force. He also works on the Metasploit project as well as other vulnerability development efforts and can be seen every year at Blackhat/Defcon.
How do I pwn thee? Let me count the ways
RenderMan
The wonders of technology have given rise to a new breed of workforce, the mobile workforce. Able to leap large oceans in a single cattle class bound, they are the newest agent of business and the newest pain in your butt. The average business traveler carries with him a multitude of ways to get pwn’d while away from the office and away from your watchful BOFH eye. Come count the ways we can pwn that beleaguered business traveler without even touching him.
Bio:
RenderMan is a Canadian born and raised hacker making the rough transition to the professional world. He is a frequent speaker at hacker cons and security cons around the world. He is also co-author of RFID security and the upcoming Kismet Hacking book by Syngress Publishing. When not adding to his expanding collection of badges, he is desperately seeking employment with a company who can support such a lifestyle and allow him to continue stuffing electronics into fuzzy dolls.
Advanced Protocol Fuzzing - What We Learned when Bringing Layer2 Logic to "SPIKE Land"
Enno Rey and Daniel Mende
The talk is based on a research project whose goal was to evaluate the security of network devices used in carrier space. After some (very short) introduction into the main concepts of fuzzing (in particular of network protocols) we will explain which options of existing fuzzers and frameworks we found and why we finally chose SPIKE. Given that SPIKE has no Layer 2 functionality by default, we were forced to write some additional modules, such as a (libnet-based) generic Layer 2 packet generator and lots of SPK scripts for different protocols. We will describe this development process, the pitfalls and lessons learned. Furthermore we will release all the code and discuss the results of performing extensive fuzz-testing of network devices and some common operating systems.
Bio:
Daniel and Enno are long time network geeks who love to explore protocols and to break flawed ones.
"The Geek and the Gumshoe" or "Can Mathematics and Computers Really Solve Crimes?"
Michael Schearer and Frank Thornton
Twelve million people tune in every Friday night to catch the latest episode of NUMB3RS, where mathematics is now the sexy way to solve crime. But do these numbers really add up? Can mathematics, whether simple formulas or complex computer algorithms, really help to solve crimes? Exploring the evolution of crime-fighting techniques from pin mapping through geographic profiling and beyond, the authors will examine the application of mathematical analysis as legitimate investigative approaches. There are compelling arguments to be made for using math and computers to solve crimes, although a healthy dose of skepticism can be applied to such techniques by those trained in classic crime solving. In the end, two questions remain: Can you really catch crooks with math and computers? And if you can, can "Minority Report" type predictions be far behind?
Bio - Michael Schearer
Michael "theprez98" Schearer (the geek): Recently separated from 8+ years of active duty in the U.S. Navy, theprez98 is fascinated by the application of mathematics to real-world situations. While he will never likely win the Fields Medal or solve P vs. NP, his interests include the history of mathematics, cryptography, probability theory, and graph theory. Michael is an active member of the NetStumbler, DEFCON, and Remote Exploit forums, a football coach, and a father of three.
Bio - Frank Thornton
Frank "Thorn" Thornton (the gumshoe): While computers and wireless technology keep Thorn busy these days, he used to spend his time investigating crimes and collecting forensic evidence at crime scenes. Covering a twenty-year period, Frank was a law enforcement officer and a forensic specialist. He served in a variety of police positions from Patrol Officer to Detective to Chief of Police. Rated as a Class I (Homicide) Death Investigator by Vermont’s Office of the Chief Medical Examiner, he has investigated thousands of crimes from burglaries to homicides.
I Will Be Your Eyes and Hands: Colossal Cave, Adventure, and Reality
Jason Scott
During the process of filming his documentary on text adventures, GET LAMP, Jason Scott decided to include footage from inside Bedquilt Cave, the actual location that the seminal game "Adventure" is roughly based on. To do so required months of preparation and discussions, and brought an intersection of filmmaking, history, and the real adventure of "Caving". Besides the experience of being in this historically important part of computer game history, Jason also learned about the Cave Research Foundation and their half century of work in surveying and protecting the enormous Mammoth Cave system, which is over 300 miles of cave beneath Kentucky.
In a fast-paced narrative, you’ll learn about text adventures, caving, engineering and clearance issues involving filming on parks, and that moment when it all came together. Photos and videos will be shown.
Bio:
Jason Scott is the proprietor of TEXTFILES.COM, the director of "BBS: The Documentary", and is currently filming a documentary on text adventures called GET LAMP. He never shuts up.
Using Aspect Oriented Programming to Prevent Application Attacks
Rohit Sethi and Nish Bhalla
Aspect Oriented Programming (AOP) has been around for several years but is only starting to hit main-stream programming. Designed to address "cross-cutting concerns", AOP is starting to become a very impressive tool for protecting existing insecure apps.
In this talk we will learn how to take existing code and add, without ever changing the existing source code:
- Input validation (XSS, SQL Injection, etc.)
- Strong error handling
- Access control
See for yourself just how powerful this simple technique can be for securing existing, insecure apps.
Bio - Rohit Sethi
Rohit Sethi is a specialist in building application security into the SDLC. He is a SANS instructor, has spoken and taught at SecTor, CSI National, Infosecurity New York and Toronto, and has written articles for Security Focus and WASC. He is a noted expert on application security and has been quoted in both itworldcanada and Computer World.
Bio - Nish Bhalla
The founder of Security Compass, Nish Bhalla is a specialist in product, code, web application, host and network reviews. He is the coauthor of "Buffer Overflow Attacks: Detect, Exploit & Prevent" and a frequent speaker on emerging security issues. He has spoken at reputed security conferences such as the "Reverse Engineering Conference 2005", "HackInTheBox 2005" and "ISC2’s Infosec Conference".
Forensic Image Analysis for Password Recovery
David C. Smith
Last year I overheard a conversation about passwords being recovered from forensic images by searching for strings under the assumption that passwords can get recorded in written buffers, swap and slack space, core dumps, and log files at some time or another. After searching and not finding a lot of data on this subject, I created a set of tools to help extract passwords from images and score them based on length, complexity, entropy, and readability. While string extraction may result in millions of possible passwords, some of the scoring methods I use can develop a manageable set of possible passwords for dictionary based attacks.
Bio:
David C. Smith works at Georgetown University as the University Information Security Officer and is a co-owner of HCP Forensic Services. He manages teams that provide a variety of security services in this time of data loss and e-discovery peril. Prior to becoming much more of "the man" than he intended, Dave was a security consultant, active with open source projects, was a 2600 meeting regular in the DC / Northern VA area, and ran a bitchin WWIV BBS - The Last Cigarette.
21st Century Shellcode for Solaris
Tim Vidas
Solaris shellcode has not really been publicly re-visited in > 5 years. Unlike most *nix and *BSDs that have a very transparent system call layer, new versions of Solaris have taken advantage of the POSIX abstraction layer, and now much smaller shellcode can be developed. We will start out with a little shellcode 101, then dive deeper into some Solaris internals (as presented to non-Solaris people), and finish with some pretty small shellcode payloads - and of course a flashy shellcode demo...ok, that’s just a lie, it’s not very flashy.
Bio:
Tim has been focusing research in the field of digital forensics for a few years and now primarily works in the area of trusted operating systems and kernels. In addition to strongly preferring the "R" in R&D, he enjoys teaching and has a wide set of IT-related interests. Tim has a BS and MS in CS, and a few industry certifications. In his free time he toys around with forensic competitions, CTFs, and the like.
Smarter Password Cracking
Matt Weir and Bill Glodek
Password cracking usually is portrayed as some arcane art read from a voodoo cookbook. Start with a dictionary, sprinkle in a few word mangling rules and let it sit for several months. The problem is things are starting to get harder for forensics investigators (and the occasional hacker). People are using better passwords, and newer password hashing algorithms drastically slow down how fast you can make guesses. In the future, voodoo is not going to cut it; we need science.
With more real password lists being disclosed to the public, we can finally analyze how people actually create passwords. Our talk will go over our results, tools, along with some general musings on doing hacking research in college.
Bio - Matt Weir
Matt is a PhD student at Florida State University. Before his journey back into academia, he worked as a network security engineer for Northrop Grumman. The projects he’s been a part of have ranged from providing first responders with wireless access, to assisting the Defense Department with computer forensics. Why he decided to go back to school no one knows (including him sometimes). It wasn’t the pay that’s for sure!
Bio - Bill Glodek
Bill is currently a second year graduate student at Florida State University studying Information Security, where he is the recipient of the NSA/DoD Information Assurance Scholarship. He has worked with the U.S. Army Research Laboratory’s Center for Intrusion, Monitoring and Protection (ARL CIMP) for the past three summers. His research interests include password security and general computer security. Bill also received the Computer Hacking Forensic Investigator certification in June 2007.
You Must be This Tall to Ride the Security Ride
Joel Wilbanks and Pete Caro
Unless your organization is big enough (i.e. with enough budget to pay for and resource 2-3 full-time security professionals) you probably can’t afford proper security. Sure, there are exceptions--like every person in this room whose five-person company does security. That aside, can small organizations achieve effective security? Should they bother trying? What happens to them when they don’t? The talk opens in a brightly lit auditorium, and then the zombies show up in hacker shirts and jeans. But seriously, this talk is all about the astronomical costs of security, the costs vs benefits of implementing security and what happens when you realize that security costs more than you can afford.
Bio - Pete Caro
Pete has been performing operational IA for the last ten years, often on other continents; often while toting a rucksack and a rifle. He currently works on a variety of network and security projects for a consulting firm in the DC area.
Bio - Joel Wilbanks
Joel has had a passion for Information Technology for the past 11 years and has worked in almost every major industry. For the past 6 years, his efforts have been focused on Information Security. He currently serves as a security analyst in the DC area. Joel attends and presents at security conferences where people wear hacker shirts and terrify hotel security.
Passive Host Characterization
Matthew Wollenweber
Passive Host Characterization is technology similar to IDS systems, but with several distinctions. The basic idea is to deploy sensors around your network to passively monitor traffic. Rather than looking for signatures, you’re going to focus on rules that collect data from the observed traffic. That data is then aggregated, reduced, and stored in databases. Via data-mining you can then see patterns in your network useful for applications such as host monitoring, content filtering, penetration testing, patch management, or detecting bots.
Bio:
Matthew Wollenweber is a key member of Foundstone’s team, responsible for providing strategic and tactical security consulting to Fortune 500 and government clients. As a consultant, Matthew focuses on offensive network security and application security. Prior to joining Foundstone, Matthew worked for several consulting and professional services companies providing information security services for government and commercial customers. In those roles Matthew has been a penetration tester, exploit developer, and software engineer. Projects ranged from performing red team assessments of military command and control systems to penetration testing utility companies to developing a software system to passively monitor and characterize Department of Defense computer networks.
PEAP: Pwned Extensible Authentication Protocol
Josh Wright and Brad Antoniewicz
WiFi networks leverage various EAP types to authenticate wireless users. Many of these EAP installations are vulnerable to a variety of attacks, often revealing authentication credentials for users. In this presentation, the author will present attacks against multiple EAP types including PEAP and TTLS, demonstrating how an attacker can compromise these otherwise strong authentication mechanisms.
Bio - Brad Antoniewicz
Brad is a senior security consultant for Foundstone Professional Services where his focus is on wireless security assessments. In the past, Brad has also worked with businesses to deploy large scale 802.11 wireless networks particularly in highly stressful, dense environments. Overall, Brad is a big fan of the wifi, and enjoys long warwalks in commercial areas.
Bio - Joshua Wright
Joshua is the author of several tools designed to demonstrate vulnerabilities in wireless networks, an editor for the Wireless Vulnerabilities and Exploits (WVE) project, and a regular speaker at information security conferences. When not breaking wireless networks, Josh likes to work on his house, where he breaks things of a different sort.
