Jun, 16
11:00
Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS with Mario Heiderich
Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradication of XSS with Mario Heiderich
Cross Site Scripting has been a topic in countless presentations over the last decade. That easy to grasp but hard to solve problem has been shaking the web and caused major trouble on hundreds to thousands of high traffic and commercial and well as governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content filters, educational programs and trainings, programmer's best practices and guidelines, proxy filters and many more. Still XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to find an easy cure - and the DOM as the actually affected layer is still lying unprotected open for the attacker. This presentation introduces and discusses a novel approach of encountering XSS and similar attack techniques by making use of several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to seal important DOM properties, and take away the attackers ability to read and modify sensitive data in a tamper resistant and light-weighted way - without being “too loud”. Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the possibility of creating and using client side IDS/IPS systems, written in JavaScript and running without special execution privileges. The presentation will show how these work, what the implications are, and what the future of XSS mitigation and eradication might look like.
Speakers
Mario Heiderich
Handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Mario also recently watched "Sharknado" and believes it to be one of the greatest movies of all times. I mean come on! Sharknado? Really?
13:30
Be a smart CISO: learn about people with Bruno Kerouanton
IT Security is a tough subject when it happens to be done from the management perspective. Implementing technical measures and protections is far from enough, as people are and will always be the most important factor. From your IT security staff and contractors which have to be motivated and always aware, to your organisation’s users and customers who believe that security means counter-productivity, not mentionning the executive board (and VIPs) that just want security to be assumed by you with a limited budget, we can conclude that a CISO has to understand people. This lecture will present different ways to understand how your organization behaves from an human point of view, and how to influence people in order to increase the security awareness and level within the organization. Real-life anecdotes and tips about psychology, communication and security marketing will be given, and that can really be the success factor for a CISO working in a large or complex environment.
Speakers
Bruno Kerouanton
Chief Information Security Officer of the Swiss Republic and Canton of Jura. CISSP certified since 2002 and holding a Ms Degree in IT Security, he also teaches in several famous schools (HEC/Mines Paris, …) and frequently involves himself in symposiums and IT security communities, both around technological and management security issues and solutions. He has been awarded twice in 2005 and 2010 as “french CSO of the year”, and also won a swiss hacking security challenge in 2009.
14:30
"Project Quebec" and win32 exploit development with pvefindaddr with Peter Van Eeckhoutte
In this talk, Peter will showcase the numerous features of pvefindaddr, a pycommand for Immunity Debugger. He will explain how the plugin can be used to speed up exploit development for the Win32 platform, and how it automates certain time-consuming tasks. Finally, a preview will be given of “Project Quebec”, which is the Corelan Team effort to further optimize pvefindaddr. During this project, the team will rewrite the entire plugin, further optimize the various functions, add some new features and significantly boost overall performance.
Speakers
Peter Van Eeckhoutte
Peter Van Eeckhoutte is the founder of Corelan Team and the author of the well-known tutorials on Win32 Exploit Development Training, available at https://www.corelan.be. The team gathers a group of IT Security enthusiasts and researchers from around the world, who all share common interests : doing research, gather & share knowledge, and perform responsible/coordination disclosure. Above all, the team is well known for their ethics and their dedication to helping other people in the community. Together with the team, he has developed and published numerous tools that will assist pentesters and exploit developers, and published whitepapers/video’s on a wide range of IT Security related topics (pentesting tools, (malware) reverse engineering, etc). In addition to operating an IRC channel (freenode, channel #corelan), the team is running a slack work space (corelan.slack.com). You can get access to slack by checking out the Corelan Facebook page (@CorelanGCV) or Twitter account (@CorelanGCV), looking for the most recent Slack invitation. Peter is reachable on Twitter (@corelanc0d3r). Peter has been an active member of the IT Security community since 2000 and has been working on exploit development since 2006. He presented at various international security conferences (Athcon, Hack In Paris, DerbyCon, ISSA Belgium) and taught various Win32 Exploit Development courses at numerous places around the globe. He trained security enthusiasts & professionals from private companies, government agencies and military organizations.
16:00
Offensive XSLT with Nicolas Grégoire
XSLT engines are software components aimed to transform a XML content in another format, either XML, HTML, text, PDF, … Some high-level applications use those feature-rich components without fully understanding their features. Given the dangerous functionalities exposed by most XSLT engines, it is expected that a systematic and bottom-up review will highlight high-impact vulnerabilities in various applications using XSLT engines.
Speakers
Nicolas Grégoire
He has nearly 15 years of experience in penetration testing and auditing of networks and (mostly web) applications. A few years ago, he founded Agarri, a small company where he finds security bugs for customers and for fun. His research was presented at numerous conferences around the world and he was publicly thanked by tons of vendors for responsibly disclosing vulnerabilities in their products. He occasionally participates in bug bounties, aiming at maximum payouts.
17:00
Agnitio: the security code review Swiss army knife with David Rook
Teaching developers to write secure code, helping security professionals find security flaws in source code, producing application security metrics and reports with integrity checks and audit trails. If you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and use. This is far easier to talk about than it is to implement in the real world where well structured SDLC’s are rare and application security programmes are usually under funded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010. In this demonstration filled talk I will show how Agnitio can be used to addresses repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 60 application security questions and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports bringing much needed visibility to the security code review process with no extra effort required from the reviewer, developers or management. Agnitio v2.0 will be released during this talk which will see Agnitio’s already powerful feature set expanded to include more secure coding and security code review guidance, additional report types, developer and reviewer focused metrics and an automated source code analysis module.
Speakers
David Rook
David Rook is the Application Security Lead at Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, BlackHat USA and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja. The Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. In 2011 David received a Developer Security MVP award from Microsoft. David strives to practice what he preaches and has backed up his work experience by developing an open source security code review tool called Agnitio and publishing several Windows Phone 7 applications.
Jun, 17
09:30
Pentesting iPhone & iPad Applications with Flora Bottaccio and Sebastien Andrivet
This presentation covers different aspects of iPhone and iPad applications pentesting, like extraction of application from iTunes, reverse engineering of binaries and interception of communications with web services. The talk will include several live demonstrations, if possible with real-world examples (if an Internet access is available). We will also demonstrate our own pentesting tool that we will release in June (Free / Open Source).
Speakers
Flora Bottaccio
Security Analyst, ADVtools SARL, Switzerland. Flora was a developer for 9 years, in particular in the areas of database development and risk management. Since 2009, she applies her skills in the domain of applications security and ethical hacking.
Sebastien Andrivet
He is playing with computers since the beginning of '80s. After spending some years with 8-bit processor assembly programming, he specialized in the ’90 in C/C++ and i386 assembly programming on Win/Intel. During the Internet years, he participated to several startups and releases some open source softwares, including a multi-platform XML parser written in C++. At this time, he was confronted to software pirates and the world of buffer overflows and SQL injections. In 2002, he switches to applications security and forensics and co-founded ADVTOOLS in Geneva. Since 2014, he works as a reverse engineer for SCRT, a Swiss company near Lausanne.
11:00
Skirack: ROP for masses with Jean-Baptiste Aviat
The ROP exploitation technique allows to bypass DEP in a more flexible way than return-into-libc exploits. In some cases, ASLR systems can also be exploited when using non ASLR libraries. This presentation will introduce the ROP exploitation technique by showing practical exploitation examples. Today, only a few tools allow to help generating ROP oriented exploitation tools. ROPEme does it on Linux, Immunity Debugger may help to generate gadgets, but none of these tools can be easily used to perform advanced ROP shellcodes. This presentation will introduce all along a tool which helps to reduce the human effort needed to generate such payloads.
Speakers
Jean-Baptiste Aviat
He joined the HSC team in 2008. An important part of his work involves penetration testing, system security audit and source code audit, along with the development of security related tools.
13:30
The forbidden image - Security impact of SVG on the WWW with Mario Heiderich
Scalable Vector Graphics are about to conquer the web. Unlike most of their raster based companions from the GIF, PNG and JPEG family, their vector based structure allows to display them on many different devices with various screen sizes without losing visual information. The open XML based SVG sources permit addition of meta data, helping even the visually impaired and blind to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and inclusion of hyper-links, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect image format for the future WWW. Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a deep look at SVG from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and worse, and what should web developers and browser vendors consider when dealing with SVG. How will HTML5 change the way to work with SVGs and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and other acronyms from a world where imaging and scripting collide. Besides many examples of malicious SVGs the talk will shed light on a novel filtering tool capable of filtering and sanitizing SVG images without losing any important content.
Speakers
Mario Heiderich
Handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than and leads a small yet exquisite pen-test company. He commonly pesters peaceful attendees on various capitalist conferences with powerpoint-slides and profanities. Mario also recently watched "Sharknado" and believes it to be one of the greatest movies of all times. I mean come on! Sharknado? Really?
14:30
A close look at rogue antivirus programs with Alain Zidouemba
We survey the rogue security software field with the analysis of 300+ self- described antivirus/antimalware products. Characteristics, similarities and differences are highlighted through static code and behavioral analysis. The main goal of this presentation is to group rogue security software into families in order to find commonalities which in turn will facilitate the differentiation from legitimate security software. The behind the scenes are examined as well and we demonstrate that it is sometimes necessary to follow the money trail in order to determine whether or not security software can be classified as rogue. Rogue security software is similar to Trojans in the sense that they advertise a function or a service that they fail to deliver on. But do they? Does rogue security software provide any real security feature or are is it just scamming users out of their money? We close out the presentation by showing that rogue security software do provide some benefits.
Speakers
Alain Zidouemba
Research Engineer with the Sourcefire Vulnerability Research Team (VRT). His research focus is reverse engineering, malware analysis, and exploit mitigation. He contributes signatures Snort and ClamAV, two open-source security toolkts. Prior to joining the Sourcefire VRT, Alain held similar positions at CA Technologies and PestPatrol.
16:00
Proactive Network Security through Vulnerability Management with Gary S. Miliefsky
In this session you will gain insider information about the root cause of exploitation. You will learn about Common Vulnerabilities and Exposures (CVEs) and how hackers, viruses, worms, spyware, botnets, rootkits, Trojans, cybercriminals and cyberterrorists use CVEs to exploit networks. Over 95% of successful attacks are exploits of these CVEs. We’ll look at real networking equipment together – VoiP phones, Web Servers, Laptops, Blackberry, Droid and other devices and see how easy they can be exploited because they have CVEs. Then, we’ll discover new techniques on preempting the next attack by finding and fixing our CVEs before they can be exploited. I’ll show you free tools for CVE analysis and some of the best heuristic systems to proactively protect your weak but trusted network assets until you’ve remediated.
Speakers
Gary S. Miliefsky
American entrepreneur, founding member of the U.S. Department of Homeland Security, philanthropist (a founding member of the Walden Woods Project, started by musician Don Henley), and the Founder and Chief Technology Officer of NetClarity, Inc., the network security software and appliance company that he founded in 2003. Miliefsky is one of the best-known entrepreneurs of the network security revolution and a frequent speaker. He is the cover story writer for Hakin9 Magazine (www.hakin9.org). He is widely admired as the inventor of clientless network admission control or clientless NAC and has over a dozen patents published and pending. He served as an informal advisor to President Clinton and helped the President''s Critical Infrastructure Protection Board, under the Bush Administration, which is now known as the National Infrastructure Advisory Council (NIAC) and operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace.
17:00
Escaping Windows Sandboxes with Tom Keetch
Many applications such as Internet Explorer, Adobe Reader and Google Chrome make use of Microsoft's “practical sandboxing” techniques. But how much additional protection does this provide against memory corruption attacks? This talk will evaluate three consumers of this sandboxing mechanism point out similarities, differences and ultimately flaws within each of these “sandbox” mechanisms. This talk was previously presented at Black Hat Europe, but includes updates on vendor responses and other developments.
Speakers
Tom Keetch
Senior Application Security Specialist at Verizon Business within the EMEA Threat & Vulnerability Management practice. There he conducts application security reviews and acts as the SME for security code review in the region. Some of his key areas of interest are in exploit mitigations and defense in depth technologies. He has previously presented research on Protected Mode Internet at Hack.LU in Luxembourg. In a previous role, he was a security specialist for Citrix Systems where he worked extensively on application security in Terminal Server environments.
