Schedule for 2010

Thursday Oct 28, 2010
08:30 Registration and Morning Coffee
09:00 Opening Words, Tomi Tuominen
09:15 Keynote: New Network Security Threat Category
Olli-Pekka Niemi and Antti Levomäki
Stonesoft
10:15 Coffee
10:30 Attacking ATMs: Putting the Art into Smart Cards
Rafael Dominguez Vega
MWR InfoSecurity
11:30 Lunch
12:30 Hazards of Duke / Java Sandbox (in)Security
Sami Koivu
Practical Exploitation of Modern Wireless Devices: Keykeriki V2
Thorsten Schröder
Dreamlab Technologies
13:30 Break
13:45 Hazards of Duke / Java Sandbox (in)Security
Sami Koivu
0wning the Datacenter using the Cisco 7000-series Switch - NX-OS insecurity
George Hedfors
Toolcrypt Group
14:45 Coffee
15:00 How to Notice when You Are Re-Owned
Halvar Flake
Zynamics
The Threat in Your Pocket?
Nils
MWR InfoSecurity
16:00 Closing Words for the 1st day, Tomi Tuominen
16:15 Cocktails & Networking: Sponsored by Stonesoft
18:30 Cocktails & Networking ends

Friday Oct 29, 2010
09:30 Morning Coffee
10:00 Hacking Printers for Fun and Profit - Now, Do You Trust Your Printer Anymore?
Andrei Costin
11:00 Coffee
11:15 Some Things That Every Vulnerability Developer Should Know
Halvar Flake
Zynamics
Ruby on Rails security: Understanding the Rails Developers Mind-set
Matti Paksula
12:15 Lunch
13:15 Hacking Femtocells
Kevin Redon and Ravishankar B. Borgaonkar
Security in Telecommunications, TU Berlin
Ruby on Rails security: Understanding the Rails Developers Mind-set
Matti Paksula
14:15 Break
14:30 Cost Efficient Fuzzing Techniques for Fun and Profit
Aki Helin
OUSPG
Real World Code Signing Abuse Today
Jarno Niemelä
F-Secure
15:30 Coffee
15:45 Solving the t2'10 Challenge
Timo Hirvonen
16:45 Closing Words, Tomi Tuominen
17:00 Conference Ends

Keynote: New Network Security Threat Category

Olli-Pekka Niemi and Antti Levomäki @ Stonesoft


Intrusion Prevention capable network security devices are used to protect vulnerable hosts from remote exploits. Exploits can apply multiple evasion methods to bypass the detection of the network security device and break into the remote system.

Security testing products usually contain some evasion techniques, but these tools are still exploit and endpoint-security testing oriented. There is no tool nor product publicly available that can be easily and reliably used for measuring how well a network security device system decodes and blocks attacks enhanced with various evasion techniques.

Lack of testing tools has led into the false assumption that current security appliances with intrusion prevention and application identification capabilities are resistant to evasions. The evasion research framework implemented in Stonesoft has shown that many security devices still handle evasions poorly.

Olli-Pekka Niemi has been working in the area of Internet security since 1996. Since 2000, he has worked at Stonesoft’s R&D department, developing Stonesoft's StoneGate network security solutions. His main areas of responsibility include the analysis of network based attacks and attack methods as well as the research of new detection and analysis methods that could be implemented into StoneGate network security solutions. Mr. Niemi is also the team leader of the Stonesoft Vulnerability Analysis Goup (VAG). Before joining Stonesoft Mr. Niemi worked at KPMG Information Risk Management, where he mainly focused on penetration testing and security audits. He has also worked as a system administrator at the Helsinki University of Technology.

Antti Levomäki has been working at Stonesoft R&D since 2004. His main tasks include the analysis of network based attacks and attack methods as well as the writing of attack and application detection signatures for the StoneGate Network Security Products. His main areas of expertise include the writing of low level packet handling code. Mr. Levomäki holds a Master Of Computer Science degree from the University of Helsinki.


Attacking ATMs: Putting the Art into Smart Cards

Rafael Dominguez Vega @ MWR InfoSecurity


The use of smart cards has become part of our daily routine, when cashing money out from an ATM, accessing buildings, logging in to a computer system or shopping. Often our biggest concern is what the impact will be if we lose our smart card whether it is our credit card, building access card or logon access card. Will we lose our money or it will allow unauthorised access to computer systems or buildings. However, shouldn’t we be more concerned about whether the card itself can be used to attack the backend system handling the smart card input? After all, why steal one person's money or access rights when someone could steal them all.

In the past smart card security has often focused on the content stored in the card, the cryptographic implementation and the communication channels used to transfer data. When we consider the sensitivity of the data that is stored and transferred, it is quite understandable that this has received so much attention. However, it is important to consider the system as a whole and appreciate that user data can be passed deep into the business environment. This can expose sensitive systems and processes to attack with potentially significant consequences.

This presentation will therefore focus on attacking sensitive backend environments through smart cards and will include details of the evolution of an attack that can be delivered through a malicious smart card. The talk will include discussion about the different components that are handling data that can be delivered by a smart card and which are therefore potentially at risk with a user with a specially crafted card.

Rafa works in the UK as a Security Consultant and Security Researcher for MWR InfoSecurity. He enjoys testing "out of the ordinary" technology and is particularly interested in embedded devices and hardware hacking.


Hazards of Duke / Java Sandbox (in)Security

Sami Koivu


Java is in the browser, in the database and on the server. And it has the sandbox that can safely run untrusted code in a trusted environment. We'll look at how Java sandbox security works and how it doesn't work. We'll see how Java security has been broken in the past and how it will continue to be broken in the future.

Sami Koivu is a security enthusiast and a security researcher focused with Java security. Participates in the Cert/CC Secure Coding standard for Java. Author of the open-source de/re-compilation library/tool reJ. Currently working with an Identity Management day job.


How to Notice when You Are Re-Owned

Halvar Flake @ Zynamics


This session is going to discuss our research in the area of automated malware clustering and (recently) automated generation of large quantities of different byte signatures from real-world backdoors and rootkits.

Through automated graph-theoretical methods, code similarities between superficially different pieces of malicious software can be identified. Furthermore, these algorithms can be extended to extract "stable cores" for an entire family of malware -- portions of code that are, in some form or the other, present in all executables in a family.

From these stable cores, other algorithms can generate a large quantity of different byte signatures. These can be used with amusing effects - from mutating byte signatures to performing a bsearch on AV users to identify the malware authors, a lot of applications will be discussed.

While this talk won't prevent you from getting owned, it might make it a little bit more complicated to re-own you with the same infrastructure.

Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 11 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).

Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.

Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.


Practical Exploitation of Modern Wireless Devices: Keykeriki V2

Thorsten Schröder @ Dreamlab Technologies


Wireless keyboards have been target to dedicated attacks by Philipp Schroedel, Max Moser and Thorsten Schröder several times. This time, the attack vector is larger: They built new tools in hard- and software, which enable attacks using zero-knowledge approaches without expensive radio equipment. These tools are able to capture and analyze raw data that is transmitted using widely spread, highly integrated, low cost 2.4 GHz transceiver chips. The technique allows also being expanded to different platforms at speeds up to 2Mbit/sec.

Since many wireless embedded devices are using Nordic Semiconductor’s (or other’s) 2.4GHz SoC flag-ships, Schröder and Moser prepared the base for attacks on all NRF24xx “Enhanced Shockburst[tm]” based solutions such as wireless keyboards, security systems, home entertainment, medical devices, ... Their tools are able to capture and inject data into - for example - wireless keyboard communication, thus being able to perform platform independent remote command execution.

Remote command execution and sniffing of wireless keyboard traffic is demonstrated at the presentation, but the technical demonstration and attacks are not limited to wireless keyboards.

New embedded devices of a complete different class are subject to the current research and will be demonstrated for the first time at the t2’10 conference, as well as the current and new Open source release of the Keykeriki V2 tools. The talk will provide a brief introduction to the underlying technics, as well as the challenges during the practical path of exploitation of modern embedded, wireless devices - using the Keykeriki V2.

Thorsten Schröder works as Senior Security Consultant at Dreamlab Technologies AG, Switzerland. Besides his IT security consulting tasks, he’s specialized in software security assessments and Reverse Engineering. Prior joining Dreamlab Technologies, he worked as Senior Security Consultant at Recurity Labs GmbH in Berlin.


0wning the Datacenter using the Cisco 7000-series Switch - NX-OS insecurity

George Hedfors @ Toolcrypt Group


Banks and large corporations are constantly upgrading their infrastructure. One of the latest additions to the Cisco family is the 7000-series with it's new and "secure" NX-OS. This switch can easily take the role as the sole core switch in some of the largest network infrastructures in the world. It manages up to 512 x 10 gigabit interfaces and is a new virtualization platform within networking.

It's new Linux based operating system enables old attack vectors, such as network based denial of service attacks to become remotely exploited buffer overflows. Deployment of generic rootkits is also possible by breaking out of the Cisco CLI environment using a series of undocumented features.

What would be impact for a large bank or corporation be if the core switch was infected by backdoors that took control over all VLANs?

George Hedfors has 12 years of professional experience in the field of IT- and information security services. He has worked with some of the well known security consultancy firms, such as good old Defcom and more recently, n.runs in Germany.

Current employer is Cybercom Sweden East AB.


The Threat in Your Pocket?

Nils @ MWR InfoSecurity


We carry mobile phones with us everywhere we go and many people trust them to be secure, right? This talk will look by example (otherwise known as showing exploits) at how well this trust is placed. We will specifically look at two popular mobile platforms: Google Android and Palm WebOS.

Palm WebOS will be investigated as a case study for mobile platforms which haven't been designed with a specific security model in mind and how this can result in an attacker turning a phone into the perfect bugging device.

Additionally, we will look at the Google Android platform, which has been build with security features such as a sandbox. By looking into the specifics of the sandbox implementation we will see how successful attacks are still feasible against android phones.

What you will take away from the talk is an understanding of why a robust security model is important on mobile devices and it will help you to understand the factors you face when assessing the mobile platform that is to be used by your organisation.

Nils is heading the security research at MWR InfoSecurity. He likes to break and exploit stuff, which he has demonstrated at pwn2own 2009 and 2010.


Hacking Printers for Fun and Profit - Now, Do You Trust Your Printer Anymore?

Andrei Costin


While more and more new devices (routers, smartphones, etc.) are getting connected to our SOHO/enterprise environments, all-colour hats are getting plenty of focus on their security: defend and harden on one side; exploit and develop malware on the other.

However, a special class of network devices (specifically network printers/scanners/MFPs), which are networked for more than 15 years, are constantly out of the modern security watchful eye.

And even though we entrust them even the most confidential documents or the most sacred credentials (LDAP, RFID badges, etc.), we don’t realize closely how weak and unsecured they are, despite the few minor security bulletins started to pop-up here and there in the recent few months.

In this presentation, we will try to analyze the reasons why hacking network printers/MFPs is a reasonable and accomplishable idea. Also, we will take a look at current state of (weak) affairs in the vulnerability and security research available. Then we will try to envision types of possible exploitation scenarios, backed-up with a printer remote-exploit demo. We will conclude the presentation with possible solutions and what can be done to protect ourselves as well as our network environments.

Born and grown-up in Moldova, Andrei is a Computer Science graduate of the Politechnic University of Bucharest where he did his thesis work in Biometrics and Image Processing. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family.

While starting out his IT-career in the Computer Games industry, he has worked in the Telecom field and is currently senior developer at a specialized firm producing custom embedded systems utilizing GSM/UMTS/GPS technologies.

He is passionate about IT/App/Info security and has spoken at various security conferences. He usually doesn't have too much free time, but when he does he enjoys swimming, cycling or just sunbathing under Cyprus' sun.


Some Things That Every Vulnerability Developer Should Know

Halvar Flake @ Zynamics


This session will discuss a number of techniques that, while public, have not received the attention they deserve from the vulnerability-development community.

The talk will focus on two aspects primarily: Leveraging visualization (as demonstrated in Gera's HeapDraw) to understand heap layout better, and using RTTI information to generate full UML-style class hierarchies from binaries. Finally, comments on how these things can be combined profitably will be provided.

Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 11 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).

Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.

Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.


Hacking Femtocells

Kevin Redon and Ravishankar B. Borgaonkar @ Security in Telecommunications, TU Berlin


Femtocell is emerging as a new technology to enhance third generation (3G) coverage and to provide assurance of always best connectivity in the 3G telecommunication networks. It acts as an access point that securely connect standard mobile stations to the cellular operator's core network using existing wired broadband connection. Increased network capacity, lower capital costs, expanded revenue opportunities are some key benefits to the mobile service operator whereas for a user increased indoor coverage, higher speed performance data, higher quality voice, and higher multimedia experience. A femtocell can be deployed in operator- owned spectrum and in the users premises, for example, home, office, and enterprise.

In this talk, we evaluate various security aspects, in particular, location verification techniques used in the femtocell security architecture, device security mechanisms and secure software update process. We show that these various location techniques are inadequate to avoid the misuse of the femtocell technology. In addition, we also show that security solutions related to hardware security of the femtocell described in the 3GPP specifications are insufficient. Further, we show how easy to hack the femtocell devices and to get access to the confidential information stored on the device.

Ravishankar B. Borgaonkar received his M.Sc. (Tech) degrees in security and mobile computing (http://nordsecmob.tkk.fi/) from both Royal Institute of Technology (KTH) and Helsinki University of Technology (TKK) in August 2009. After the graduation, he continued his doctoral studies at the Security in Telecommunication department in Technical University of Berlin.

His research interest includes embedded systems security, M2M security and computer & network security.

Kevin Redon received his bachelor of Computing from Napier University Edinburgh, Scotland. He is now finishing his Master degree in Computing with specialization in Communication Systems at the Technical University of Berlin. while doing masters, he joined the Security in Telecommunication work group in co-operation with the T-labs.

His research interest includes network security, in particular telecommunication network as GSM/UMTS, peer to peer networks, and smart cards security.


Cost Efficient Fuzzing Techniques for Fun and Profit

Aki Helin @ OUSPG


OUSPG has been searching, finding and responsibly disclosing issues in various programs, appliances and protocols for a long time. One of the simplest, and sadly still quite effective, techniques of finding issues has been to point a black-box fuzzer at a product and waiting for it to fail in an interesting way. Even the crudest fuzzers still find probably exploitable issues in many currently used programs, and more advanced techniques tend to find more of them.

One of our current projects is to collect several old and new sample-based black-box fuzzing algorithms to an easy to use tool. The hope is that by making such techniques easier to use at least some vendors could start running their own tests, while others already using similar techniques could easily throw it in with their existing tools.

So far the tool has at least turned out to be useful for hunting bug bounties.

This presentation will discuss the currently implemented fuzzing algorithms, some of the results, experiences and lessons learned during the last year.

Aki Helin is one of the usual suspects at OUSPG. He likes to make stuff, and at work makes stuff that breaks stuff.


Solving the t2'10 Challenge

Timo Hirvonen


Not available.

Timo Hirvonen is working for F-Secure Corporation as an Anti-Malware Analyst. Prior to joining F-Secure in July 2010, he worked for the leading data erasure company Blancco. Timo considers winning the t2'09 challenge his greatest achievement so far and also one of the most remarkable things that have ever happened to him. In his free time he enjoys cycling, playing piano and listening to jazz.


Ruby on Rails security: Understanding the Rails Developers Mind-set

Matti Paksula


Ruby on Rails is a mature web development framework that is being used more and more in the industry to replace Java and PHP based projects. Framework provides a set of tools for fast and streamlined web development. This makes development with Rails a lucrative option over other techniques. However, the combination of a bleeding edge framework and the steep learning curve required for deep understanding can result in severe security flaws.

While SQL injection and other common web exploits are possible within the framework, this presentation solely focuses on security issues specific to Ruby on Rails. The framework relies on "Convention over Configuration" design paradigm to speed up the development of a typical web application. This also makes the codebases of different Rails applications to look very identical. For seasoned Rails expert it is easy to guess the implementation details even without access to source code.

In the presentation the dynamic nature of Ruby and the learning curve of "doing the things Rails way" is also evaluated against security issues that araise mostly when developers are hacking some clever Ruby code. An overview of deploying Rails applications into production is also given, as well as a summary of the current state and future trends of the framework. Lastly a live demo session of Rails hacking is performed.

Matti Paksula has been using Ruby on Rails since early 2006. Using Rails in enterprise settings in addition to many smaller scale projects and working with hosting services, has given him insight in auditing Rails applications. He has lectured a six week course called Agile Web Development with Ruby on Rails in the University of Helsinki, Department of Computer Science. Currently he works as research assistant and does Rails specific security audits.


Real World Code Signing Abuse Today

Jarno Niemelä @ F-Secure


Code signing systems are gaining more attention and becoming ever more important part of computer security. As the numbers of trojans, backdoors and other malware is all the time increasing, code signing systems are viewed as part of the solution for deciding that applications can be trusted and allowed to run in the system.

The basic idea of code signing, such as Microsoft Authenticode, is that as long as binary is signed it can be trusted as much as the vendor who produced the software. And in marketing code signing to public, this message is often simplified as if it's signed it can be trusted.

In ideal world, if every application would be signed, there would be no need to scan files, just decide whether you trust the vendor who signed the software or not.

However like any other trust system designed and implemented by humans, code signing systems can be subverted and abused to give false trust on malicious applications. There are already thousands of malicious applications and hundreds of thousands of potentially unwanted software out there, all with cryptographically valid code signing signature.

This presentation gives overview of code signing abuse as it happens today, what kinds of tricks are played against certification authorities issuing the keys, what kind of tricks are used to fool system administrators and forensic investigators trying to figure out whether given file can be trusted, and what kinds of actions malware can take in system to subvert code signing mechanisms once it has infected the system.

Jarno Niemelä has spent the past 10 years at F-Secure security lab working on mobile threats, scan engines and for past couple years on analyzing and identifying malicious behavior and automatic malware.