Schedule for 2010

Thursday Oct 28, 2010

| Time | Track 1 | Track 2 |
|---|---|---|
| 08:30 | Registration and Morning Coffee | |
| 09:00 | Opening Words, Tomi Tuominen | |
| 09:15 | Not published yet. | |
| 10:15 | Coffee | |
| 10:30 | Attacking ATMs: Putting the Art into Smart Cards (Rafael Dominguez Vega, MWR InfoSecurity) | |
| 11:30 | Lunch | |
| 12:30 | Hazards of Duke / Java Sandbox (in)Security (Sami Koivu) | Practical Exploitation of Modern Wireless Devices: Keykeriki V2 (Thorsten Schröder, Dreamlab Technologies) |
| 13:30 | Break | |
| 13:45 | Hazards of Duke / Java Sandbox (in)Security (Sami Koivu), continued | 0wning the Datacenter using the Cisco 7000-series Switch - NX-OS insecurity (George Hedfors, Toolcrypt Group) |
| 14:45 | Coffee | |
| 15:00 | How to Notice when You Are Re-Owned (Halvar Flake, Zynamics) | The Threat in Your Pocket? (Nils, MWR InfoSecurity) |
| 16:00 | Closing Words for the First Day, Tomi Tuominen | |
| 16:15 | Cocktails & Networking | |
| 18:30 | Cocktails & Networking ends | |

Friday Oct 29, 2010

| Time | Track 1 | Track 2 |
|---|---|---|
| 09:30 | Morning Coffee | |
| 10:00 | Hacking Printers for Fun and Profit - Now, Do You Trust Your Printer Anymore? (Andrei Costin) | |
| 11:00 | Coffee | |
| 11:15 | Some Things That Every Vulnerability Developer Should Know (Halvar Flake, Zynamics) | Ruby on Rails security: Understanding the Rails Developers Mind-set (Matti Paksula) |
| 12:15 | Lunch | |
| 13:15 | Not published yet. | Ruby on Rails security: Understanding the Rails Developers Mind-set (Matti Paksula), continued |
| 14:15 | Break | |
| 14:30 | The Next Generation of Web Security Testing Power Tools (Petko Petkov, GNUCITIZEN) | Real World Code Signing Abuse Today (Jarno Niemelä, F-Secure) |
| 15:30 | Coffee | |
| 15:45 | Solving the t2'10 Challenge (Timo Hirvonen) | |
| 16:45 | Closing Words, Tomi Tuominen | |
| 17:00 | Conference Ends | |
Not published yet.
Attacking ATMs: Putting the Art into Smart Cards
Rafael Dominguez Vega @ MWR InfoSecurity

The use of smart cards has become part of our daily routine: withdrawing cash from an ATM, accessing buildings, logging in to a computer system or shopping. Often our biggest concern is what the impact will be if we lose a smart card, whether it is a credit card, a building access card or a logon card. Will we lose our money, or will it allow unauthorised access to computer systems or buildings? However, shouldn't we be more concerned about whether the card itself can be used to attack the backend system that handles the smart card input? After all, why steal one person's money or access rights when someone could steal them all?
In the past smart card security has often focused on the content stored in the card, the cryptographic implementation and the communication channels used to transfer data. When we consider the sensitivity of the data that is stored and transferred, it is quite understandable that this has received so much attention. However, it is important to consider the system as a whole and appreciate that user data can be passed deep into the business environment. This can expose sensitive systems and processes to attack with potentially significant consequences.
This presentation will therefore focus on attacking sensitive backend environments through smart cards and will include details of the evolution of an attack that can be delivered through a malicious smart card. The talk will discuss the different components that handle data delivered by a smart card and which are therefore potentially at risk from a user with a specially crafted card.
Rafa works in the UK as a Security Consultant and Security Researcher for MWR InfoSecurity. He enjoys testing "out of the ordinary" technology and is particularly interested in embedded devices and hardware hacking.
Hazards of Duke / Java Sandbox (in)Security
Sami Koivu

Java is in the browser, in the database and on the server. And it has the sandbox that can safely run untrusted code in a trusted environment. We'll look at how Java sandbox security works and how it doesn't work. We'll see how Java security has been broken in the past and how it will continue to be broken in the future.
Sami Koivu is a security enthusiast and a security researcher focused on Java security. He participates in the CERT/CC Secure Coding Standard for Java and is the author of the open-source de/re-compilation library and tool reJ. His current day job is in identity management.
How to Notice when You Are Re-Owned
Halvar Flake @ Zynamics

This session is going to discuss our research in the area of automated malware clustering and, more recently, automated generation of large quantities of different byte signatures from real-world backdoors and rootkits.
Through automated graph-theoretical methods, code similarities between superficially different pieces of malicious software can be identified. Furthermore, these algorithms can be extended to extract "stable cores" for an entire family of malware: portions of code that are, in some form or other, present in all executables in the family.
From these stable cores, other algorithms can generate a large quantity of different byte signatures. These can be used to amusing effect, from mutating byte signatures to performing a binary search over AV users to identify the malware authors; a number of applications will be discussed.
While this talk won't prevent you from getting owned, it might make it a little bit more complicated to re-own you with the same infrastructure.
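As an added illustration of the step from a "stable core" to many interchangeable signatures, and not code from the talk or from zynamics: three constructed byte strings stand in for a malware family, the longest byte sequence common to all of them is taken as the stable core (the research described above finds cores by graph similarity on disassembled code, which this toy does not attempt; it works on raw bytes), and several distinct fixed-length signatures are cut from that core. Every sample, name and byte value below is constructed.

```python
"""Added example: derive a 'stable core' shared by every sample of a
constructed malware family, then cut several distinct byte signatures
from it. Not code from the talk or from zynamics; the real approach
works on graph similarity of disassembled code, this toy uses raw bytes."""

from typing import Dict, List

# Constructed x86-looking byte sequence that every family member embeds.
CORE = bytes.fromhex(
    "558bec83ec1056578b7d0833f6e811223344"
    "5f5e8be55dc3"
)

# Constructed "family": same core, different surrounding bytes.
FAMILY: Dict[str, bytes] = {
    "sample_a": b"\x90" * 5 + CORE + b"\xcc" * 3,
    "sample_b": b"MZ\x90\x00" + b"\x00" * 7 + CORE,
    "sample_c": CORE + b"\x00\x01\x02",
}

# Constructed benign file that shares only a short, common prologue.
BENIGN = bytes.fromhex("558bec5dc3") + b"\x00" * 20


def stable_core(samples: List[bytes], min_len: int = 8) -> bytes:
    """Longest byte string of length >= min_len present in every sample.

    Brute force over substrings of the shortest sample, longest first;
    fine for a handful of small inputs, not for real binaries.
    """
    if not samples:
        return b""
    shortest = min(samples, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def derive_signatures(core: bytes, sig_len: int = 8, stride: int = 4) -> List[bytes]:
    """Cut distinct fixed-length windows out of the core.

    Each window is an independent signature for the family; rotating
    between them is the 'mutating byte signature' idea from the abstract.
    """
    seen = set()
    sigs: List[bytes] = []
    for i in range(0, len(core) - sig_len + 1, stride):
        window = core[i:i + sig_len]
        if window not in seen:
            seen.add(window)
            sigs.append(window)
    return sigs


def signature_hits(sig: bytes, corpus: Dict[str, bytes]) -> List[str]:
    """Names of corpus entries that contain the signature."""
    return [name for name, data in corpus.items() if sig in data]


if __name__ == "__main__":
    core = stable_core(list(FAMILY.values()))
    print("stable core:", core.hex())
    corpus = dict(FAMILY, benign=BENIGN)
    for sig in derive_signatures(core):
        print(sig.hex(), "->", signature_hits(sig, corpus))
```

Each of the five windows matches all three family members and misses the benign file, so any one of them can be handed out on its own; which of the distinct signatures a sample of malware has been tested against tells you something about who is doing the testing, which is the binary-search trick the abstract alludes to.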
Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 11 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).
Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.
Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.
Practical Exploitation of Modern Wireless Devices: Keykeriki V2
Thorsten Schröder @ Dreamlab Technologies

Wireless keyboards have been the target of dedicated attacks by Philipp Schroedel, Max Moser and Thorsten Schröder several times. This time the scope is broader: they built new tools in hardware and software that enable zero-knowledge attacks without expensive radio equipment. These tools can capture and analyze raw data transmitted by widely used, highly integrated, low-cost 2.4 GHz transceiver chips. The technique can also be extended to other platforms at data rates of up to 2 Mbit/s.
Since many wireless embedded devices use Nordic Semiconductor's (or others') flagship 2.4 GHz SoCs, Schröder and Moser have laid the groundwork for attacks on all nRF24xx "Enhanced ShockBurst" based solutions such as wireless keyboards, security systems, home entertainment, medical devices and more. Their tools can capture and inject data into, for example, wireless keyboard communication, which allows platform-independent remote command execution.
Remote command execution and sniffing of wireless keyboard traffic will be demonstrated in the presentation, but the technical demonstration and attacks are not limited to wireless keyboards.
New embedded devices of a completely different class are the subject of the current research and will be demonstrated for the first time at the t2'10 conference, together with the current and new open-source release of the Keykeriki V2 tools. The talk will provide a brief introduction to the underlying techniques, as well as the challenges met along the practical path of exploiting modern embedded wireless devices using Keykeriki V2.
Thorsten Schröder works as Senior Security Consultant at Dreamlab Technologies AG, Switzerland. Besides his IT security consulting tasks, he specializes in software security assessments and reverse engineering. Before joining Dreamlab Technologies, he worked as Senior Security Consultant at Recurity Labs GmbH in Berlin.
0wning the Datacenter using the Cisco 7000-series Switch - NX-OS insecurity
George Hedfors @ Toolcrypt Group

Banks and large corporations are constantly upgrading their infrastructure. One of the latest additions to the Cisco family is the 7000 series with its new and "secure" NX-OS. This switch can easily take the role of sole core switch in some of the largest network infrastructures in the world. It manages up to 512 10-gigabit interfaces and is a new virtualization platform within networking.
Its new Linux-based operating system turns old attack vectors, such as network-based denial of service, into remotely exploitable buffer overflows. Deployment of generic rootkits is also possible by breaking out of the Cisco CLI environment using a series of undocumented features.
What would the impact on a large bank or corporation be if the core switch were infected by backdoors that took control of all VLANs?
George Hedfors has 12 years of professional experience in the field of IT and information security services. He has worked with some of the well-known security consultancy firms, such as good old Defcom and, more recently, n.runs in Germany. He currently works for Cybercom Sweden East AB.
The Threat in Your Pocket?
Nils @ MWR InfoSecurity

We carry mobile phones with us everywhere we go, and many people trust them to be secure, right? This talk will look by example (otherwise known as showing exploits) at how well that trust is placed. We will specifically look at two popular mobile platforms: Google Android and Palm webOS.
Palm webOS will be investigated as a case study of a mobile platform that was not designed with a specific security model in mind, and of how this lets an attacker turn a phone into the perfect bugging device.
Additionally, we will look at the Google Android platform, which has been built with security features such as a sandbox. By looking into the specifics of the sandbox implementation we will see how successful attacks are still feasible against Android phones.
What you will take away from the talk is an understanding of why a robust security model is important on mobile devices and it will help you to understand the factors you face when assessing the mobile platform that is to be used by your organisation.
Nils is heading the security research at MWR InfoSecurity. He likes to break and exploit stuff, which he has demonstrated at pwn2own 2009 and 2010.
Hacking Printers for Fun and Profit - Now, Do You Trust Your Printer Anymore?
Andrei Costin

While more and more new devices (routers, smartphones, etc.) are being connected to our SOHO and enterprise environments, hats of all colours are paying plenty of attention to their security: defending and hardening on one side, exploiting and developing malware on the other.
However, a special class of network devices, namely network printers, scanners and MFPs, which have been networked for more than 15 years, remains largely outside the modern security spotlight.
And even though we entrust them with our most confidential documents and most sacred credentials (LDAP, RFID badges, etc.), we rarely realise how weak and unsecured they are, despite the handful of minor security bulletins that have started to pop up here and there in recent months.
In this presentation we will analyze the reasons why hacking network printers and MFPs is a reasonable and achievable idea. We will also look at the current (weak) state of affairs in the available vulnerability and security research. Then we will sketch possible exploitation scenarios, backed up with a remote printer exploit demo. We will conclude with possible solutions and what can be done to protect ourselves and our network environments.
Born and raised in Moldova, Andrei is a Computer Science graduate of the Polytechnic University of Bucharest, where he did his thesis work in biometrics and image processing. He is the author of the MIFARE Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MIFARE Classic RFID card family.
He started his IT career in the computer games industry, has since worked in telecoms, and is currently senior developer at a specialized firm producing custom embedded systems based on GSM/UMTS/GPS technologies.
He is passionate about IT/App/Info security and has spoken at various security conferences. He usually doesn't have too much free time, but when he does he enjoys swimming, cycling or just sunbathing under Cyprus' sun.
Some Things That Every Vulnerability Developer Should Know
Halvar Flake @ Zynamics

This session will discuss a number of techniques that, while public, have not received the attention they deserve from the vulnerability-development community.
The talk will focus on two aspects primarily: Leveraging visualization (as demonstrated in Gera's HeapDraw) to understand heap layout better, and using RTTI information to generate full UML-style class hierarchies from binaries. Finally, comments on how these things can be combined profitably will be provided.
Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 11 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA).
Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.
Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.
Not published yet.
The Next Generation of Web Security Testing Power Tools
Petko Petkov @ GNUCITIZEN

With the adoption of HTML5 and other web technologies on desktop and mobile, we will be faced with new challenges in the information security space.
This presentation will discuss what advances can be made to bring the typical security toolbox up to date with the latest web standards, and will also demonstrate some of the most cutting-edge penetration testing technologies currently being developed in private.
Petko D. Petkov, a.k.a. pdp, is the founder of GNUCITIZEN, Weaponry, Websecurify and a number of other information security initiatives. PDP is a recognised information security researcher, penetration tester, frequent speaker at industry events, and a published author who has contributed to several best-selling books, numerous blogs and magazines.
Solving the t2'10 Challenge
Timo Hirvonen

Not available.
Timo Hirvonen is working for F-Secure Corporation as an Anti-Malware Analyst. Prior to joining F-Secure in July 2010, he worked for the leading data erasure company Blancco. Timo considers winning the t2'09 challenge his greatest achievement so far and also one of the most remarkable things that have ever happened to him. In his free time he enjoys cycling, playing piano and listening to jazz.
Ruby on Rails security: Understanding the Rails Developers Mind-set
Matti Paksula

Ruby on Rails is a mature web development framework that is increasingly being used in the industry to replace Java- and PHP-based projects. The framework provides a set of tools for fast and streamlined web development, which makes Rails a lucrative option over other techniques. However, the combination of a bleeding-edge framework and the steep learning curve required for a deep understanding of it can result in severe security flaws.
While SQL injection and other common web exploits are possible within the framework, this presentation focuses solely on security issues specific to Ruby on Rails. The framework relies on the "Convention over Configuration" design paradigm to speed up the development of a typical web application. This also makes the codebases of different Rails applications look very similar: for a seasoned Rails expert it is easy to guess implementation details even without access to the source code.
The presentation also evaluates the dynamic nature of Ruby and the learning curve of "doing things the Rails way" against the security issues that arise mostly when developers are hacking together some clever Ruby code. An overview of deploying Rails applications into production is also given, as well as a summary of the current state and future trends of the framework. Lastly, a live demo session of Rails hacking is performed.
Matti Paksula has been using Ruby on Rails since early 2006. Using Rails in enterprise settings in addition to many smaller-scale projects, and working with hosting services, has given him insight into auditing Rails applications. He has lectured a six-week course, Agile Web Development with Ruby on Rails, at the University of Helsinki, Department of Computer Science. He currently works as a research assistant and performs Rails-specific security audits.
Real World Code Signing Abuse Today
Jarno Niemelä @ F-Secure

Code signing systems are gaining more attention and becoming an ever more important part of computer security. As the number of trojans, backdoors and other malware keeps increasing, code signing systems are viewed as part of the solution for deciding which applications can be trusted and allowed to run on a system.
The basic idea of code signing, such as Microsoft Authenticode, is that as long as a binary is signed it can be trusted as much as the vendor who produced the software. When code signing is marketed to the public, this message is often simplified to "if it's signed it can be trusted".
In an ideal world, if every application were signed, there would be no need to scan files; you would just decide whether or not you trust the vendor who signed the software.
However, like any other trust system designed and implemented by humans, code signing systems can be subverted and abused to confer false trust on malicious applications. There are already thousands of malicious applications and hundreds of thousands of potentially unwanted programs out there, all carrying cryptographically valid code signing signatures.
This presentation gives an overview of code signing abuse as it happens today: what kinds of tricks are played against the certification authorities issuing the keys, what kinds of tricks are used to fool system administrators and forensic investigators trying to work out whether a given file can be trusted, and what actions malware can take on a system to subvert the code signing mechanisms once it has infected it.
Jarno Niemelä has spent the past 10 years at the F-Secure security lab working on mobile threats, scan engines and, for the past couple of years, on automatically analysing and identifying malicious behaviour and malware.