Sessions - 2007

Keynotes

	Growing the Security Profession: Dr. Richard Reiner
	Zen and the Art of Cybersecurity: Ira Winkler
	Attack Trends and Techniques: What's Hot!?: Steve Riley
	A Law Enforcement Perspective: Carole Bird, RCMP

Sessions

	"Security Challenges in Virtualized Environments" - Joanna Rutkowska
	"The Evolution of Phishing to Organized Crime" - Rohyt Belani
	"Process Control and SCADA: Protecting Industrial Systems from Cyber Attack" - Mark Fabro
	"Modern Trends in Network Fingerprinting" - Jay Graver and Ryan Poppa
	"Exploit-Me Series " Free Firefox Application Penetration Testing Suite Launch"- Nish Bhalla and Rohit Sethi
	"NAC@ack" - Dror-John Roecher and Michael Thumann
	"Human Factor vs. Technology" - Joanna Rutkowska
	"TCP/IP Perversion" - Rares Stefan
	"Wireless Security - What Were They Thinking?" - Brad "Renderman" Haines
	Black Ops 2007: DNS Rebinding Attacks - Dan Kaminsky
	Hacking Hollywood - Johnny Long
	You're Just Not Pretty Enough to Do Investigations - Kai Axford & local law enforcement
	"SQL Server Database Forensics" - Kevvie Fowler
	"DNSSEC: Theory and Worldwide Operational Experiences" - Paul Wouters
	"Hacking Bluetooth for Fun, Fame and Profit" - Dino Covotsos
	"Securing Commodity Systems using Virtual Machines" - David Lie
	"Data on Threat Evolution - What 47 Leading Security Vendors Are Seeing" - Ben Sapiro
	"Web Application Worms: The Future of Browser Insecurity" - Mike Shema
	"State of the Hack" - Kevin Mandia
	"How Close is the Enemy" - Kevin G. Coleman
	"Cybercrime, CVEs, OVAL, CME and why you must care!" - Gary Miliefsky

KeyNote - Growing the Security Profession - Richard Reiner

As the field of information security matures, several significant barriers to progress that exist today will have to be removed if our capability to manage security risks is to improve. This presentation focuses on several of these, including the lack of truly effective channels to convey current knowledge to front-line practitioners; the division of the information security world into sub-cultures (vendor, researcher, enterprise, academic, and industrial) that communicate little with each other; the frequently non-constructive interactions that exist between security researchers and software vendors, and also between enterprise security professionals and other IT professionals; fragmentation among the available infosec certifications; and more.

top

KeyNote - Zen and the Art of Cybersecurity - Ira Winkler

The biggest problem in corporate information security is the people performing the work. I have found that there are people outside the security field, and even many people inside the field, who think they know what they need to know about security but clearly don't.

Additionally, some people know a great deal about one aspect of security, but are woefully weak in other aspects and don't know it (or want to know it). Because of this phenomenon, most organizations have a very false sense of security. Using entertaining analogies from martial arts and psychology, this presentation discusses this critical security failing. Attendees will learn how to tell if they are dealing with people who are properly skilled, and how to plan their security programs accordingly.

top

KeyNote - Attack Trends and Techniques: What's Hot!? - Steve Riley

The bad guys just keep getting better! They're constantly changing their tactics and inventing new techniques to cause you harm, damage your data, and make your resources unavailable. Why do they do this? What motivates someone to -- let's call it what it is -- commit computer-related crimes? How have they changed and improved? What kinds of attacks are popular now and why are they so effective? What might we expect to see in the future? Steve Riley will help you understand the latest in attack trends and techniques, and maybe even scare you a bit, too!

top

KeyNote - A Law Enforcement Perspective - Carole Bird, RCMP

Today, more than ever, law enforcement must work closely with various partners to identify and develop strategies to address the challenges posed by the diversity and speed of crime on the internet. The fact that a significant percentage of Canada's critical infrastructure is owned and operated by the private sector and that the diversity of crime on the internet continues to grow makes it key that we work closely with the private sector to develop appropriate multi-pronged strategies address cyber crime.

This presentation will review the nature of the current threats in cyber crime and how they appear to be evolving as well as strategies being developed to counter cyber crime.

top

The Evolution of Phishing to Organized Crime - Rohyt Belani

This presentation will discuss the evolution of phishing from being a means of stealing user identities to becoming a mainstay of organized crime. Today, phishing is a key component in a "hackers' repertoire. It has been used to hijack online brokerage accounts to aid pump 'n dump stock scams, and as a means of creating covert channels from compromised user machines to the Internet. During this talk, I will present the techniques used by attackers to execute such attacks and real-world cases that I have responded to that will provide perspective on the impact.

top

DNSSEC: Theory and Worldwide Operational Experiences - Paul Wouters

The Domain Name System (DNS) has been up for an overhaul for many years, as the last "core internet" protocol left without any security. Attacks abusing the DNS to hijack domains, spoof websites and bypass spam filters are on the rise. July 2007 saw a major DNS hijacking attack. Gartner prominently added DNS attacks to their 2007 Hype Cycle.

DNSSEC is the technology to protect DNS against spoofing. With the US government pushing for adoption through FISMA, and the experience of a few early adopter countries such as Sweden and Bulgaria, DNSSEC deployment is now picking up speed.

Is the world ready for DNSSEC? Who is deploying DNSSEC right now? Does it really mean giving the keys of the Internet to the US Government? Can users gain the advantages of DNSSEC now? Is deployment too risky for the benefits gained? When should you start thinking about DNSSEC?

After attending his presentation, you will be able to make an informed decision about DNSSEC and your organization.

This presentation will include demonstrations of DNSSEC enhanced end user applications.

Paul Wouters has been running DNSSEC on a few hundred domains since 2003, making him one of the most experienced in the field.

top

Process Control and SCADA:
Protecting Industrial Systems from Cyber Attack - Mark Fabro

With the recent advancements in national security initiatives, as well as parallel efforts in research by both the public and the private community, there is an immediate requirement for the strategic development of plans to protect Critical Information and Key Resources (CI/KR) from cyber attack. As such, Process Control and SCADA systems are beginning to move to the forefront as it relates to threats and vulnerabilities. The PCS domain, along with SCADA systems, is becoming more at risk from a cyber perspective. The migration of traditionally closed control networks to open and common protocols, as well as Internet connectivity, introduces severe cyber security risk. Moreover, attacks on industrial command and control systems in the cyber domain often will manifest in the physical domain, putting the systems that control dams, pipelines, and energy distribution (among others) at risk.

The briefing will be a concise introduction to the cyber security issues in the control systems environment, will review historical issues and incidents, and discuss emerging mitigation strategies to help secure critical infrastructure information resources. Topics include:

- Cyber threats and vulnerabilities in the process control/SCADA domain
- Historical analysis of open source security incidents
- Current technical problems requiring attention to mitigate the issues
- Protocol analysis and inherent security weaknesses in process control
- Strategies for defense (Firewalls, IDS, encryption) in process control systems
- Mapping standards to the process control domain
- Forward looking strategies by governments and the public sector

top

Modern Trends in Network Fingerprinting - Jay Graver and Ryan Poppa

Both a WhiteHat Audit and a BlackHat Compromise begin with scoping out
the network. Using OS and Application fingerprinting techniques have
been staples of Network Reconnaissance for close to a decade. Today's
techniques include passive, active, blind and invasive fingerprinting.
A brief review of current and past strategies explains the strengths
and pitfalls of each fingerprinting technique. This leads to the
introduction of our new fingerprinting technique and the release of
our new fingerprinting tool which will attempt to safely and accurately
identify HTTP servers with a single RFC compliant request.

top

NAC@ack - Dror-John Roecher and Michael Thumann

The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attention: "Cisco Network Admission Control". NAC is a pivotal part of Cisco's "Self Defending Network"
strategy and supported on the complete range of Cisco network- and security-products. From a security point of view "NAC" is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of "posture spoofing attack". We will demonstrate code & tool for posture spoofing in Cisco NAC 'secured' networks.

top

Security Challenges in Virtualized Environments - Joanna Rutkowska

This presentation tries to show different security problems that might arise in virtualized environments. It first talks about virtualization based rootkits (AKA "blue pills") -- what so special about them, clarifies some misunderstandings and also discusses how real this threat is today. It also touches on the subject of virtual machine isolation and why we should aim towards thin hardware-based hypervisors. Nested virtualization and its impact on security of virtualized systems is also discussed.

top

Human Factor vs. Technology - Joanna Rutkowska

This lecture will present current challenges in operating systems security - from both a human as well as a technical perspective - and views on possible ways of addressing those issues. The main message will be that the so-called "human factor" is not, in contrast to common belief, the weakest link in IT security, as eliminating the incompetence of users and administrators does not solve many of the serious problems we're facing today.

top

Hacking Hollywood - Johnny Long

Hacking stuff is for the birds. I'm taking a new path in life. I've decided to become a technical consultant for Hollywood. (No, not really, but work with me here). In my new role, I've decided it's time to take up the torch for all my fellow consultants who have been abused by you people through the years. We're all just sick and tired of your snide little comments about hackers in the movies. So go ahead. Make fun of Hollywood. Poke fun at A-list actors who "slide in [a] Trojan horse riding a worm" or B-movie bandits that use "mega modems with compression". Snort your snooty little snicker at smarties who smash 128-bit DES encryption in a skimpy 60 seconds. Who do you think you are, anyway? You've probably never even USED 128-bit DES.

Think you're all �ber because you can sling a bit of code? Let's see you sling a multi-headed worm that sniffs out latent digital footprints throughout an encrypted network. Not leet enough? That's OK. I'll show you how it's done. Think you've found a movie line that's just slam-dunk stupid? A movie line that proves Hollywood is just clueless about technology? Think again. You just misunderstood. I'll use video clips and ultra-magnified freeze-framed screen stills to prove to you that Hollywood is clue++. Failing that, I'll at least distract you with seriously classified hardware and 0day exploits that were leaked through Hollywood films. Then again, you just might be safer if you keep on thinking they're only cheesy movie props. Come and hang out for a while as I continue my crusade to inject fun back into security. NOTICE: Persons with bladder control issues should sit this one out.

top

Exploit-Me Series - Free Firefox Application Penetration Testing Suite Launch - Nish Bhalla and Rohit Sethi

Security Compass is pleased to announce the release of the free Exploit-Me series of application penetration testing tools at SecTor.

The toolset is made specifically for security consultants, developers and QA staff to facilitate testing of applications. The Exploit-Me series of tools are plug-ins to Firefox that allow for easy "right-click" style parameter fuzzing for web applications.

Included in the Exploit-Me series are:

SQL Inject-Me - Point to any HTML field in your Firefox browser and
try to inject it with an individual SQL injection payload or
multiple-payloads via fuzzing by simply right clicking on the field
and selecting "SQL-Inject Me".

XSS-Me - As with SQL-Inject me, point to any field on an HTML document
and attempt to perform Cross-site scripting by right-clicking and
choosing "XSS-Me".

Web Service Exploit-Me - Enter a valid WSDL location and try fuzzing
various parameters in a simple-to-use HTML interface in Firefox using
Web Service Exploit-Me. The interface will also allow for you to
attempt SQL-Injection and XSS through web services.

top

SQL Server Database Forensics - Kevvie Fowler

Databases are the single most valuable asset a business owns. Databases store and process critical financial, healthcare and HR data, yet businesses place very little focus on securing and logging the underlying database transactions. As well, in an effort to trim costs, many organizations are consolidating several databases on to single mission critical systems which are frequently targeted by attackers.

With large data security breaches occurring at an alarming rate, several database logging tools have been released in the industry, however adoption of these products is slow leaving these mission critical systems vulnerable and ill-equipped for traditional forensic analysis.

Database forensics is a relatively unknown area of digital investigation but critical to investigating data security breaches. There is very limited information available today on this subject and, at the time of this writing, no known information targeting SQL Server 2005 forensics. This presentation provides attendees a 'real world' view into SQL Server 2005 forensics. How to gather evidence from hidden database repositories using forensically sound practices, and the investigation pitfalls to avoid.

top

TCP/IP Perversion - Rares Stefan

The evolution of rogue code has somewhat ignored the opportunities offered by kernel network drivers. In this paper we will analyze such opportunities and demonstrate several methods of data theft and system commandeering while evading perimeter/host based security systems and operating undetected in the long term.

End node TCP/IP perversion relies on a kernel module in the data path that will passively (without initiating a network session itself) modify incoming and outgoing traffic. We will focus on the Microsoft kernel and present several ways to insert an inline network driver that will intercept, redirect and modify TCP sessions. ..

top

Wireless Security - What Were They Thinking - Brad "Renderman" Haines

Wireless technology was supposed to mean freedom from wires and desks. It has instead become one of the biggest security nightmares for IT. How did we get here, what are the threats (existing and emerging), and where do we go from there.

With wireless available on every new laptop and even Ipods now, it's with us to stay for quite a while and IT professionals have to live with it. This talk will provide a look at past, present, and proposed security standards and the weaknesses of each, as well as some of the process that caused these problems to occur. We'll also look at some emerging threats to some of the latest security standards for 802.11 networks, as well as bluetooth and RFID, the often forgotten wireless.

top

Hacking Bluetooth for Fun, Fame and Profit - Dino Covotsos

Enhancements in cellular technology and mobile computing in recent years has lead to the availability of affordable and powerful mobile devices. Where before cellular phones where relegated only to the business class and other members of the upper-echelon of society, today they are deemed a necessity and have become so cheap in comparison to phones of years past that almost anybody can own one. One of these enhancements is definitely the Bluetooth specification, which allows for the creation of short range wireless personal area networks. In recent years however, it has come to light that various flaws exist in certain Bluetooth implementations. Our paper aims at demystifying these vulnerabilities. Amongst other things it will include the procedures involved in bluesnarfing, the potential hazards of bluejacking as well as the backdooring of mobile devices. We will also be demonstrating the tools and techniques used in accomplishing the above listed attacks.

top

Securing Commodity Systems using Virtual Machines - David Lie

top

Data on Threat Evolution - What 47 Leading Security Vendors Are Seeing - Ben Sapiro

top

Web Application Worms: The Future of Browser Insecurity - Mike Shema

top

State of the Hack - Kevin Mandia

top

Black Ops 2007: DNS Rebinding Attacks - Dan Kaminsky

top

You're Just Not Pretty Enough to Do Investigations - Kai Axford and local law enforcement

top

How Close is the Enemy - Kevin G. Coleman

top

Cybercrime, CVEs, OVAL, CME and why you must care! - Gary S. Miliefsky

95% of downtime and successful criminal hacker attacks are because of your known vulnerabilities - find out what they are, current standards and new trends from the international standards body at MITRE, funded by the US Department of Homeland Security. Miliefsky is a Board member of this organization and will provide insights and free resources you can take advantage of today to harden your networks against attack, downtime and IT related regulatory compliance issues.

top