0800 - 0900
REGISTRATION AND COFFEE

0900 - 0915
OPENING AND WELCOME ADDRESS
THOMAS LIM
SyScan'10, COSEINC

0915 - 1015
There are more than a dozen LPAN radio protocols in the Sub-GHz and 2.4GHz ISM bands,
used for everything from home and industrial automation to toy communications. Some have
halfway decent cryptography, but most are left unencrypted, relying upon the obscurity of
encoding to protect packets from listeners. By use of an in-circuit debugger and some
machine-readable chip documentation, it is possible to hijack the radios of development
kits and children's toys. These can then be used as intelligent packet sniffers and
injectors, already having the proper analog chain and being reprogrammed with any of
several digital configurations. The required soldering is minimal, and the hardware can
be purchased cheaply once the toys go out of style.
This lecture presents a new implementation of such a radio framework, targeting Python through the
GoodFET as well as a self-contained packet sniffer in embedded C for the Girltech IM ME toy.
Additionally, methods for locally extracting keys for use with the sniffer will be covered.

TRAVIS GOODSPEED
Independent Hacker

1015 - 1030
Coffee Break (Beer Available)

1030 - 1130
Virtualization and its natural evolution, cloud computing, are young yet pervasive
technologies: a fast-changing environment where the rules are rewritten every time a
vendor releases a significant upgrade. Private Clouds are a relatively recent evolution,
yet their management and deployment models have a significant impact on the security
they can achieve at the moment and the level of security they will be able to offer in the future.
In this talk, we will explore the virtualization security domain through the custom tools we've
developed in the vasto suite and by a detailed analysis of existing technological solutions and
their features... and failures.

CLAUDIO CRISCIONE
Secure Network

1130 - 1145
Break (Beer Available)

1145 - 1245
This is a multipart presentation given by engineers working on Microsoft Office security.
The first part will detail a distributed fuzzing framework. The second part will detail
engineering defenses against fuzzing attacks in the upcoming release of Office (Office 2010).
Security researchers and zero day exploits continue to leverage fuzzing bugs in Microsoft
products. What are we doing to defend our products? As presented at Blue Hat 2009 (Jason Shirk)
and CanSecWest 2008 (Charlie Miller), the more fuzzing iterations performed, the more likely you
are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to
ship. Seems like a good idea and achievable, but what happens if your application parses more than
200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done -
complete with fuzzing command and control servers to delegate work to the fuzzing bots.
This presentation covers a framework built by the Office team to efficiently fuzz
any file format parser. This framework can be used by any internal product team that
parses file input and significantly reduces the pain around file fuzzing. This framework
is not a fuzzer itself. You won't need to rewrite your fuzzers. Instead it allows existing
fuzzers to plug in and run in a distributed fashion. The Office team is using this system to
perform millions of iterations per day without purchasing any additional hardware. The
Office team turned desktop machines and lab machines into a botnet for fuzzing during downtime.
Other challenges that are solved by the distributed fuzzing framework and covered in
this presentation include central run management, recurring job scheduling, duplicate
detection across machines and runs, automated regression passes, and automated bug filing.
Even with millions of fuzz iterations and following the best
practices of the Security Development Lifecycle (SDL), some bugs will be missed.
The Office security team has engineered a series of layered defenses in addition
to strengthening the parsers themselves. This presentation also covers two of these
layers. The first layer, Gatekeeper, helps validate whether the data should be loaded
by the target application. The Gatekeeper architecture allows it to be used by
other applications and to describe additional binary formats. The second layer discussed
leverages Windows Integrity Levels and is known as Protected View. Even if malicious
code runs inside of Protected View, it should not be able to alter the host machine.
The presentation will demonstrate how recent MSRC cases are mitigated by Protected
View and Gatekeeper.

TOM GALLAGHER
&
DAVID CONGER
Microsoft

1245 - 1400
Lunch

1400 - 1500
Network reconnaissance is an art as old as hacking, but
the days of dumpster diving and fingering your way around
the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan,
target acquisition is king: there's a new exploit every day, so who's going down
after you've finished your first cup of coffee tomorrow?
In this presentation, Metlstorm examines the practicality, implementation
and effect of datamining country-scale network targeting databases. Building
on the experience of spending the previous year mapping the New Zealand internet
for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low
Hanging Kiwifruit toolchain against its newest target: Singapore.
So, Singapore, are your networks open? How many open DSL routers are there
in Singapore? Which ISP has their blade switches open for you to telnet to? Just
how useful is it to full text search every SSL certificate name, 302 Redirect
target and DNS entry?

METLSTORM

1500 - 1515
Break (Beer Available)

1515 - 1615
When an attack is detected on a web server, some defenders try to handle that incident
by getting rid of the intruders and by hardening their infrastructure so that they won't
be owned again. Sometimes they get enough spare time to analyze what exactly happened,
by doing some kind of forensic work, or by contacting remote administrators and
authorities, etc. But recently, attackers might not really be afraid of the consequences
of their digital crimes.
This talk proposes to think further and to re-balance the Internet war between the light
side and the dark side. We will add a new way to behave when evil hackers are caught on a
host. Indeed, TEHTRI-Security will explain how to strike back against your web assailants,
so that you would be able to: get more information about them or identify them, steal
their tools and methods, or sometimes penetrate their own computers in return. Of course
those technical initiatives might lead to legal issues, depending on international and
local laws (self defense, etc). But this talk will focus on tactical issues, to show real
life examples of when it might be possible to hack the web hackers.

LAURENT OUDOT
TEHTRI-Security

1615 - 1630
Coffee Break (Beer Available)

1630 - 1730
Rich Internet Application, known as RIA, is a new concept in modern Web 2.0. Moving
logic from the server to an untrusted client may open up security holes that were never
present in the page-oriented "Web 1.0" architecture. Adobe Flash and PDF are two of
the most important RIA formats and are the most widely used by internet users. Over the past
two years hackers have paid more attention to RIA exploits, especially to Adobe vulnerabilities
spread through the internet; Adobe software has come to be seen as the second Microsoft.
In this presentation, we will start with the threat trend of SWF and PDF applications and the
various kinds of attacks that rely on these vulnerabilities and spread through web browsers across the internet.
We then show how antivirus software handles them and how hackers manage to bypass it. We'll then demonstrate
technical details on the format changes and advances in malicious SWF and PDF files aimed at
bypassing antivirus software. To fight against these Web 2.0 based attacks, we will present a research
project on an analysis tool for parsing malicious content. In the end, we will present a framework for a
real-time RIA scanner between the gateway and the user's browser.
This presentation has never been made public before.

HERMES LEI LI & ULYSSES WANG
Websense

1730 - 1830
If bugs are the raw ore of exploits - Rootite, if you like - then we're mining in areas where the
Rootite is rare and deeply buried. Industrial scale bug mining starts with very, very fast fuzzing.
In contrast to the MS Fuzzing Botnet, we use a dedicated, single purpose cluster of virtual machines
which is optimised for fuzzing. Last year we released some metrics, then MS released better ones.
So, we rebuilt the whole system and made it faster and more scalable - can we outperform the Redmond
Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full
of impurities such as Nullpointium, which needs to be graded and enriched before it is valuable. After
grading, we "enrich" our highest grade Rootite by using differential runtracing of crashes to assist
root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using
magic, funky graphs and compression before comparing them side by side with the clean run. Our diff
files are plaintext, small enough for us to eyeball them, and allow us to navigate to any point in the
trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer.

BEN NAGY
COSEINC

End of Day 1