SecTor 2008 is pleased to present:

KeyNote - No-Tech Hacking - Johnny Long
Based on the book No-Tech Hacking, this presentation shows life through the eyes of today's hacker. I'll show what kinds of tactics a hacker will employ and the perspective they have that allows them to stay one step ahead of the good guys. I'll focus on the hacker mind, showing in a compelling way the mindset that must be adopted when it comes to protecting (or violating) assets, resources and information.
I will show how easy it is to break into buildings, access corporate networks, perform identity theft, steal data and more, all without complicated equipment and tools, focusing instead on manipulating the human elements of trust, following the path of least security resistance.
Packed with tons of photos and videos, this talk presents real-world situations, applying the true hacker mindset to each one. I'll warn you though, while you're laughing yourself silly at some of these examples, you may never see the world the same way again.

KeyNote - Baggage: What I took with me when I 'left' Computer Security - Stephen Toulouse
Known by most by his email name, 'Stepto', Stephen Toulouse was involved in some of the most fundamental security incidents and decisions made at Microsoft over the past several years. In 2007 Stepto moved from Microsoft's Trustworthy Computing division to pursue his lifelong dream of being paid to play video games and work for the Xbox team. These days, he works to make Xbox LIVE a safe and enjoyable experience for its users. In this irreverent and humorous presentation, Stepto skewers some common misconceptions about software security at Microsoft, owns up to mistakes, and talks about the role of computer security in today's industry. But most importantly, Stephen covers in detail how the lessons learned in computer security apply to many different jobs in the industry. Other people use the phrase 'have baggage' as a bad thing, meaning stuff they would rather not carry around. Stepto points out how security is a lesson that is applicable across all aspects of the industry. It's baggage you gladly bring with you, because it makes you a better computer professional.

Lockpick Village - Running all day in Hall G - Deviant Ollam
Physical security is far too often an overlooked aspect of modern security. 'It's fine, the server room is locked,' you say? Come spend some time in the lockpick village. Learn how lock picking, bump keys and other lock bypass techniques work, what makes a lock secure, and what makes it weak. Attendees will get the opportunity to try their hand at picking sample locks, and there will be a contest for those who can do it the quickest.

WiFi Clinic - Running all day in Hall G - Brad Haines (Renderman)
It's a hot topic. You probably know there are a lot of attacks on wireless networks. But do you know how to build and secure your own? Spend some time at the WiFi clinic and learn how these attacks work, how you can audit your own network and corporate environment and learn how to keep yourself secure. Experts at the clinic will be teaching throughout the day and are available to consult on your WiFi security problems. Attendees must bring a laptop. Ideally, your laptop's wireless card is supported by BackTrack 3.0.

The Future of Snort: Why it must change for network security to live. - William Young
With over 3,000,000 downloads, Snort is the most widely deployed and trusted intrusion detection and prevention technology worldwide. How will Snort evolve over the next couple of years to keep up with the ever-changing network security landscape? Join Mr. Young as he shares his vision of future Snort features and why they are needed. This talk will look at how contemporary threats can only be found effectively by understanding a victim's state, the nature of the threat, and the delivery channel that an attack is using. This is the difference between effective threat analysis and effective threat monitoring. Protecting the network is no longer about protecting just the server side, but also the unmanageable client as they become unwitting participants in new attack vectors. This talk will explore how some of today's newest threats cannot be easily identified by current monitoring solutions without significant data aggregation and analysis. We'll then go into Snort 3.0, address why it was created, the nature of Adaptive IPS, the new Snort 3.0 design, and the strategy for identifying dynamic threats more efficiently. These threats require an aggregated monitoring (not analysis) approach that can combine tools (like Snort, network behavioral analysis, access intelligence, asset information, etc.) to identify and stop threats that require a more flexible, modular monitoring tool, like Snort 3.0.

MetaSploit Prime - H D Moore
This talk dives into the upcoming features of Metasploit 3.2, including IPv6 support, wireless client exploitation, hardware integration, METASM based payloads, and much, much more. The 3.2 release will be offered under a true open source license by a brand new development team.

Pwning the proxy - Dino Covotsos
Compromising an internal proxy is easy. If you know what to do. And we'll show you. Brute force, traffic sniffing, internal network scanning, reverse HTTP, social engineering, phishing - there are many methodologies to choose from. This talk will not only cover various ways of using these processes to compromise an internal proxy, but we'll explain to you how not to let yourself fall victim to these methods. We will demonstrate various real-life issues, including a release of an undisclosed issue in Squid Analysis Report Generator (SARG) which we used in one of our case studies to compromise a proxy server.

Security and Robustness in Backbone Design - Raven Alder
This session will explore current issues in backbone design, from large-scale outages and disaster recovery to the logistics and ethics of application layer filtering on backbone networks. The talk will cover the trends and technology advances which have recently evolved in ISP engineering, from inline Layer 7 proxies cleaning up protocols in real time to increasingly challenging design specs. (Or, as one of Raven's clients said, "we need this network to be resilient during undersea cable cuts, earthquake, tsunami, BGP updates, or military coups".) This talk will be about how you build a network like that, and the tools which make it possible.

Security Heretic: We're Doing It Wrong - James Arlen
Information and Computer Security is a multi-million dollar business.
I am part of that business. And it's wrong. An industry that was started with the highest of ideals, the most pure of motives has deteriorated into a crass, commercial race-to-the-bottom. Or at least it feels that way most of the time. In this presentation, a security heretic will outline a very personal journey through the meat-grinder of the information security industry and will ask you to join in this interactive discussion and walk through some critical self-analysis, some harsh criticism, some ludicrous stories, and hopefully exact the answers you need as you work through your own crises of faith in your career in Information and Computer Security.

Owning the Users with The Middler - Jay Beale
This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject JavaScript into browser sessions and demonstrate CSRF attacks.
Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Python, this tool is easy to both extend and add into other tools.

The New New Thieves and Contemporary Security Analysis - Pete Herzog
An informative look into the modern security industry, the role security testers play, what we should be doing, and how we can address it. This presentation gives a global view from the combined research of recent ISECOM project work in the OSSTMM, Hacker Profiling Project, Trust rules in the OpenTC project, the SCARE (Source Code Analysis Risk Evaluation) Project, The Home Security Methodology, The Child Safety and Security Methodology, and the National Security Guide. In this presentation I will provide the foundation which will allow us to touch on a wide range of security topics and myths.

Under the iHood - Cameron Hotchkies
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, and comparisons of Windows applications and their OS X counterparts. Additionally some time will be taken to discuss the differences in the structure of binaries on the iPhone.
This talk should give attendees insight into what is involved in the analysis of OS X binaries on both Apple machines and iPhones for vulnerabilities and interoperability. Attendees will gain a solid understanding of how Windows reversing skills can be quickly applied to OS X binaries, including the common tools and resources available for an Apple security researcher.

Network Security Stripped: From layered technologies to the bare essentials - Jennifer Jabbusch (jj)
2009 will be a big year for network security, with the rejuvenation of NAC technologies, endpoint security and the new 802.1X-REV. In addition to the more complex security systems, organizations will be leveraging features already integrated in their current infrastructure devices, such as DHCP snooping, dynamic ARP protection, port filtering and dynamic IP lockdown. We'll also see how organizations are bringing WAN technologies to the LAN, leveraging firewalls, intrusion detection and NBAD (network behavior anomaly detection) on the inside of the network for protection against 0-day attacks.
Find out how these technologies can help you secure your network with little or no additional investment; and understand when a more robust solution is needed. Learn more about current (and future) network security technologies, best practices and which solutions can help secure your wired, wireless and converged networks.

Advanced Spear Phishing Attack Framework - Joshua Perrymon
This talk will introduce spear phishing and how successful these attacks are in the real world. It will then introduce a newly developed OWASP open source tool called LUNKER. This tool and research is designed to first educate and illustrate how criminals are using these attacks to gain access to real networks, and how to mitigate this risk. It is an advanced phishing framework being developed using data from over 300 successful audits in the field. The tool offers features unavailable from any other tool available publicly. The talk will be a demo on how this attack works as a feature of the framework and will run in local host mode so the crowd can actually participate in this exercise if they have a wireless card.
Access will be made available to the tool so the audience can see it hands-on (minus outbound attack mode). A special LiveCD with the tool will be made and given to participants attending the talk.

Finding Cryptography in Object Code - Jason Wright
Finding and identifying cryptography is a growing concern in the malware analysis community. The current state of the art is to locate it manually and identify it based on various constants used by the algorithms. By examining the operations used by cryptographic functions, it is possible to locate it based on heuristics.
The types and arguments of processor instructions show a tendency to be unique in cryptographic functions vs. regular functions. I assign weights based upon some empirically determined properties to determine the probability that a function contains cryptography. This type of heuristic method is not prone to subtle perturbations of the magic constants currently used for location and identification.

The Four Horsemen Of the Virtualization Security Apocalypse: My Little Pwnie Edition - Christofer Hoff
Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.
This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh! This talk will focus on virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VMs, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for.

RFID Unplugged - Eric Johanson
RFID system usage is increasing in the transit, access control, and payment sectors, with little to no foresight into effective security. This presentation will cover potential threat and attack models from the business, integrator, and consumer perspective. Beginning with an overview of the systems in place today, we will review specific vulnerabilities - many with demos - and offer potential mitigations.
Security implemented in current RFID systems is very reminiscent of early WaveLAN or SIM technology. This talk will review classes of attacks in detail, including OTA sniffing, MITM, replay attacks, backend wire interception, duplication, data tampering, Denial of Service, escalation of privilege, etc. In addition, the real-world impacts of the cracked NXP MIFARE Crypto-1 system will be reviewed. PayPass vulnerabilities will also be demonstrated.

Double Trouble: SQL Rootkits and Encryption - Kevvie Fowler
This is a joint session covering two critical SQL Server risks: SQL Server rootkits and common SQL Server encryption implementation mistakes that result in data exposure.
SQL Server Rootkits: To date there has been no database rootkit research that focused directly on SQL Server, that is until now. Attendees will see first-hand how rootkits can be used to conceal unauthorized SQL Server access and how they can perform logging of both GUI and SQL based activity.
The insecure implementation of secure encryption: Some trusted SQL Server experts and reputable SQL Server web sites provide users with guidance on how to implement native SQL Server data encryption. However, following this advice can result in the unintentional exposure of sensitive plain-text data. Learn the proper way to implement native SQL Server data encryption to avoid this data exposure.
This SQL Server security 'double-feature' is a must see for anyone tasked with auditing, securing, investigating or simply using Microsoft SQL Server.

Novel Malware Detection - Bruce Potter
The last few years represent a large change in the threats against our systems. The attacks that are hitting enterprises today are much more targeted and malicious than at previous times. Where once we had script kiddies and general purpose attacks aimed at the entire Internet, now we face highly skilled software engineers who are motivated by money more than fame. At the same time, many organizations are discovering that the standard suite of security products (firewalls, IDS, and AV) isn't stopping these new attacks. Worse, there aren't a lot of new products popping up to help out.
This talk will examine current trends in the attack and malware space. From there, we will take a look at ways to defend your network that you may not have thought about before. Non-conventional audit records like network flow data, crash dumps, and detailed system enumeration can represent a wealth of information that you may be overlooking today. This talk will discuss these mechanisms and how to use them with open-source software currently available. At the end of the talk, you should have a better appreciation for how bad the current security situation is, but also feel better armed to defend yourself and your network.

Googless - Christian Heinrich
The October 2008 Update of the OWASP "Google Hacking" Project will demonstrate the "Spiders/Robots/Crawlers" and "Search Engine Reconnaissance" sections of the OWASP Testing Guide v3, the "Speak English" Google Translate Workaround and a demonstration of two Proofs of Concept (PoC) that implement the Google SOAP Search API:
1. "Download Indexed Cache" which retrieves content indexed within the Google Cache 3
2. "TCP Input Text" which extracts TCP Ports from Google Search Results as input for nmap and nc aka netcat.

New Research on Canadian Privacy Breaches - Tracy Ann Kosa
Canadian organizations must contend with 5 pieces of privacy legislation governing different sectors and industries and the expectations of personal information management. Preliminary results indicate that certain industries have a higher occurrence of different types of privacy incidents. Types of privacy breaches, in particular, tend to be clustered into unauthorized collection, use and / or disclosure depending on the industry in question. This new qualitative and quantitative research, framed with established risk management practices, can provide meaningful methods for the application of scarce resources within organizations. It can also be utilized to support decision-making for security and privacy practices.

Tracking Current and Future Botnets - Matt Sergeant
Since 2004 when the outbreak of the MyDoom virus installed botnet spamware software on victims' PCs, we have been identifying and tracking various forms of spamming botnets. The most recent large scale example of this is the Srizbi botnet, which numbers in the hundreds of thousands of actively spamming IP addresses, potentially indicating millions of infected machines.
Botnets behave in specific ways which often allow them to be identified. By fingerprinting specific bots we are able to maintain a database of millions of IPs participating in the botnets. By doing so we can track the rise and fall of specific botnets, such as the meteoric rise seen by the Storm botnet, and the very sudden drop-off as various anti-spam outfits, including the Microsoft Malicious Software Removal team, rose up to the challenge of cleaning up the Storm infestation.
This talk will detail ways in which these botnets can be detected, both in an email setting and from a network operations viewpoint, including such activities as the use of TCP fingerprinting to identify unusual bot practices, the use of inbound traffic filtering, and even some simple pattern matching. Practical information about securing your network against these kinds of activities will be given. Furthermore, we will discuss various activities within the global anti-spam community that are being undertaken to help reduce the impact of these botnets and reduce the capacity of the miscreants who own and run them.

Ten Things Everyone Should Know About Lockpicking & Physical Security - Deviant Ollam
Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn't make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access. Discussion as well as direct example will be used to demonstrate the grave failings of low-grade hardware... much of which will be opened by audience members with no prior training. What features to look for in locks and safes will be covered, and how to invest in systems that are easiest to manage in large environments will be discussed.

Exploit-Me for Fun and Profit - Jamie Gamble & Tom Aratyn
The Exploit-Me suite of tools provides a powerful platform for testing websites for application vulnerabilities. Jamie Gamble and Tom Aratyn of Security Compass will demonstrate how the Exploit-Me tools could have been used to catch common vulnerabilities in real world applications, and how they could have saved time and embarrassment.
We'll start with a demonstration of the Exploit-Me tools being used to find a vulnerability in a commercial application. Target the page, click the button, and uncover a cross-site scripting vulnerability. Simple.
Following the initial demonstration, we'll briefly introduce the common problems and vulnerabilities that are plaguing web applications today; we'll touch on how penetration testers may typically carry out the process of uncovering these security holes through manual testing. This will lead into an introduction of the Exploit-Me tools; their names, their jobs, and our goals for their future.
Once you're familiar with the tools, we'll discuss various vulnerabilities that have been identified in web applications and demonstrate how the Exploit-Me tools can be utilized to aid in the discovery of similar vulnerabilities during the application development and testing phases. Using examples of vulnerable applications, the presentation engages in a discussion with the audience as to how the Exploit-Me suite of tools can help testers and developers save time.

More SCADA/ICS Security: Findings from the field - Mark Fabro
The last several years have seen a rapid growth in critical infrastructure cyber security. Within this domain, the issues related to SCADA and process control have received much attention. As a follow on to last year's session, which was an introduction to cyber security and industrial control systems, this briefing will extend the material to look at vulnerabilities and test results in the industrial automation and SCADA realm. Topics covered will include:
- Overview of common vulnerabilities in SCADA/ICS
- Examples of how open source data can be used to build target folders
- Geo locating resources and cross-sector security concerns
- Analysis of results from in-house testing of control systems
- Discussion of results from a national scan of identified resources (Nation not named)
- Analysis of SCADA/ICS traffic on the internet (where it really shouldn't be)
*these topics may change slightly depending on availability of data at time of briefing