Schedule for 2011

Thursday Oct 27, 2011
08:30 Registration and Morning Coffee
09:25 Opening Words, Tomi Tuominen
09:30 Keynote: International Terrorism
Juha-Antero Puistola
National Defence University
10:30 Coffee
10:45 Creating a High Security Virtual Environment for Apps That Matter
Toby Kohlenberg
Intel
11:45 Lunch
13:00 Practical Freescale MC13224 Firmware Extraction
Travis Goodspeed
Chip & PIN is Definitely Broken
Andrea Barisani
Inverse Path
14:00 Break
14:15 Remotely Exploiting the PHY Layer
Travis Goodspeed
Making Life Difficult for Malware
Jarno Niemelä
F-Secure
15:15 Coffee
15:30 Orbiting MARS
Mark Debenham
Microsoft
16:30 Closing Words for the 1st day, Tomi Tuominen
16:45 Cocktails & Networking: Sponsored by nSense
18:30 Cocktails & Networking ends

Friday Oct 28, 2011
09:30 Morning Coffee
10:00 How RSA Was Breached
Timo Hirvonen
F-Secure
11:00 Coffee
11:15 A New Model for Enterprise Defense
Toby Kohlenberg
Intel
12:15 Lunch
13:15 Automatically Identifying Security Related Commits in Open Source Repositories
Tuomas Kärkkäinen
Case Study - Operation Carder Kaos
Richard LaTulip
U.S. Secret Service
14:15 Break
14:30 Windows Pwn 7 OEM - Owned Every Mobile?
Alex Plaskett
MWR InfoSecurity
Critical infrastructure insecurity - Why vendor obscurity will kick us in the teeth
Tom Van de Wiele
nSense
15:30 Coffee
15:45 Solving the t2'11 Challenge
Timo Hirvonen
F-Secure
16:45 Closing Words, Tomi Tuominen
17:00 Conference Ends

Keynote: International Terrorism

Juha-Antero Puistola @ National Defence University


Social media networks were used in the Arab Spring in two distinct ways: as organizing tools and as broadcasting platforms. However, digital activism has been going on ever since blogs existed, and different extremist groups have exploited the internet for years. A rising trend is that English-speaking militants are increasingly connected to each other through online venues like discussion forums and video-sharing platforms. Al Qaida-inspired groups are distributing their propaganda more and more effectively.

But cybersympathy is one thing, and real-world action is another. Many participants in online communities have real-world relationships with extremists who bolster their radicalism and mobilize them toward violent action.

That said, the symbiosis between off-line activity and online activism is critical. As social networks have gotten more sophisticated, it's been harder for governments to control or even monitor them. However, user data is easy for IT companies (Google, Facebook etc.) to track – and to share with governments, if required.

This presentation gives a broader perspective on terrorism and counter-terrorism from a cyber point of view. The internet is a promising tool for extremists and governments alike.

Commander Juha-Antero Puistola

Head Lecturer, Department of Strategic and Defence Studies

National Defence University


Creating a High Security Virtual Environment for Apps That Matter

Toby Kohlenberg @ Intel


Everyone talks about virtualization security. Unfortunately, what most defenders mean is virtual firewalls and access controls for administrators. In contrast, most attackers are thinking about flaws in the virtualization software itself.

When we were asked to create a virtual environment that was sufficiently secure to handle high-value applications and data, it was necessary to go beyond available products and standard practices. This talk discusses the threats we identified as top priority, the mitigations we used and the results (so far) of implementing them.

Toby is an opinionated loud mouth who occasionally has interesting insights and useful things to say about a wide variety of information security topics. He's worked on a large number of different technologies in the information security space. His primary job is telling people how bad their ideas are and then having to find a way to make them secure anyway. He spends a great deal of time hating technology for being stupid and appreciating it for being less stupid than humans. He also has the distinction of having had more shmooballs thrown at him than any other non-speaker.


Practical Freescale MC13224 Firmware Extraction

Travis Goodspeed


The Freescale MC13224 is a system-on-package device containing an ARM7 microcontroller and an IEEE 802.15.4 radio. It is used in embedded ZigBee devices, such as the Ninja Party Badge that debuted at Defcon 18. This lecture demonstrates two methods of extracting firmware from an MC13224 after JTAG has been disabled.

The first of these methods is invasive, requiring that the chip packaging be removed and then new connections be made with a wedge bonding machine. The second method is non-invasive, requiring only a clever trick, a custom PCB, and a hot-air soldering station.

Travis Goodspeed is a neighborly engineer of Tennessee-shaped, electronic belt buckles from Southern Appalachia. He hacks 8-bit and 16-bit embedded systems, particularly those used in ZigBee and the Smart Grid. He started the GoodFET, an open source programmer and debugger for MSP430, AVR, PIC, Chipcon, ARM7, SPI Flash, and other chips. It also packet sniffs ZigBee and ANT radio packets when so inclined.


Remotely Exploiting the PHY Layer

Travis Goodspeed


For too long, Layer 1 has been considered of little security interest, as it was assumed to be too low level to be remotely exploitable.

This lecture introduces the Packet-In-Packet (PIP) method of remote Layer 1 frame injection, allowing arbitrary frames to be injected by abuse of in-band signaling mechanisms common to all modern digital radios and older varieties of Ethernet. Tested examples of PIP exploits for 802.15.4 (ZigBee) and 2FSK radios are presented, along with details for implementing the technique on 802.11 and other protocols.

Travis Goodspeed is a neighborly engineer of Tennessee-shaped, electronic belt buckles from Southern Appalachia. He hacks 8-bit and 16-bit embedded systems, particularly those used in ZigBee and the Smart Grid. He started the GoodFET, an open source programmer and debugger for MSP430, AVR, PIC, Chipcon, ARM7, SPI Flash, and other chips. It also packet sniffs ZigBee and ANT radio packets when so inclined.


Orbiting MARS

Mark Debenham @ Microsoft


Operation b49 was a Microsoft-led initiative to take down a known botnet - Waledac - through industry collaboration and legal process. Operation b49 is just one action in a long term effort by Microsoft to combat cyber threats and advance the security of the Internet for everyone.

Operation b49 has been followed now by Operation b107, a similar legal and technical operation to take down the notorious Rustock botnet. These operations are part of a sustained effort by Microsoft known as Project MARS to disrupt botnets and begin to undo the damage the botnets have caused by helping victims regain control of their infected computers.

This talk will cover aspects of these operations which may be valuable to the t2 audience.

In the last five years Mark has spoken at t2 about working with MSRC and about breaking virtualisation; what he wasn't able to tell you about in 2009 was just what he was working on at the time.

In 2010 the Microsoft MARS project took out the Waledac Botnet because the industry claimed it couldn't be done.

In 2011 the same project took out the Rustock botnet, once again because of claims it was bulletproof. This resulted in a significant drop in spam on the internet in general.

Mark is fairly confident you'll like the things he can talk about.

As ever: those of you who have seen Mark talk in any of his former guises will know that his presentations tend to be dynamic and sometimes even amusing; t2 2011 will continue this trend.


Chip & PIN is Definitely Broken

Andrea Barisani @ Inverse Path


The EMV global standard for electronic payments is widely used for interoperation between chip-equipped credit/debit cards, Point of Sale devices and ATMs.

Following the trail of the serious vulnerabilities published by Murdoch and Drimer's team at Cambridge University regarding the usage of stolen cards, we explore the feasibility of skimming and cloning in the context of POS usage.

We will analyze in detail EMV flaws in PIN protection and illustrate skimming prototypes that can be covertly used to harvest credit card information as well as PINs, regardless of the type/configuration of the card.

The discovered attacks are effective in bypassing existing protections and modes of operation.

As usual, cool gear and videos are going to be featured in order to make the most of the presentation.

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.

His experience focuses on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting.

Being an active member of the international Open Source and security community, he has contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.

He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.


Making Life Difficult for Malware

Jarno Niemelä @ F-Secure


Just about everybody has heard that malware tends to be highly sensitive to system configuration. It is a fair assumption that malware writers don't test their creations with anything other than the basic configuration of Windows XP. So hardening your system definitely makes sense to protect against infections.

But what exactly are those settings that should be adjusted and why?

This presentation looks at malware infections from a statistical point of view: what malware needs to thrive in the system, and how to configure your system so that malware cannot live on it. We will cover what most malware does when it infects the system, where it copies its files and what settings it modifies.

Based on this information we will cover system modifications that could be made to prevent malware from functioning properly in the system, even if it manages to get in in the first place.

Jarno Niemelä has spent the past 10 years at the F-Secure security lab working on mobile threats, scan engines and, for the past couple of years, on analyzing and identifying malicious behavior and automatic malware.


How RSA Was Breached

Timo Hirvonen @ F-Secure


RSA, the security division of EMC, was attacked in March 2011. Attackers stole information that compromised 40 million RSA SecurID tokens. The same information was used to attack the systems of U.S. defense contractor Lockheed Martin in May 2011. The breach cost EMC $66 million.

This presentation explains in detail how attackers were able to install a backdoor on an RSA employee's PC. Instead of Death by PowerPoint, we focus on performing live analysis with the tools that we use for malware research on a daily basis. Starting from the very same email that was sent to a small group of RSA employees, we analyze the attached Excel file "2011 Recruitment plan.xls" that exploited the Adobe Flash vulnerability CVE-2011-0609 (a zero-day at the time of the attack). We also analyze the customized variant of the Poison Ivy Remote Administration Tool that the attackers installed. Finally, we give some recommendations on how to avoid similar attacks.

Timo Hirvonen has been working for F-Secure Corporation as an Anti-Malware Analyst since July 2010. Winning the t2'09 challenge started a chain of events that led Timo to the job that he had previously only dreamed of. He is passionate about exploit analysis, especially malicious Flash and PDF files.

Timo enjoys keeping the good guys safe by studying the latest tricks the bad guys use. Timo is the creator of the t2'10 and t2'11 challenges. In addition to his long-standing hobby of keyboard playing, Timo challenges himself in his free time by training for his first half marathon.


A New Model for Enterprise Defense

Toby Kohlenberg @ Intel


We have a problem: attackers are getting better and better, users are getting more demanding and stupid, and the computing models are getting more complex and obfuscated. With that in mind, a small group of us got together and started imagining what it would look like if we redesigned our IT security architecture from scratch. Then we figured out how we could get from where we were to that idyllic future state.

We have persuaded Intel's management that this is a good idea and have begun implementing the steps necessary to get to the new architecture. We've also started talking to vendors and encouraging them to create the solutions we are going to need. This talk will be about the general approach, but specifically about the challenges we are running into and the areas we are seeing significant activity around.

Toby is an opinionated loud mouth who occasionally has interesting insights and useful things to say about a wide variety of information security topics. He's worked on a large number of different technologies in the information security space.

His primary job is telling people how bad their ideas are and then having to find a way to make them secure anyway. He spends a great deal of time hating technology for being stupid and appreciating it for being less stupid than humans. He also has the distinction of having had more shmooballs thrown at him than any other non-speaker.


Automatically Identifying Security Related Commits in Open Source Repositories

Tuomas Kärkkäinen


Version control systems for open source projects reveal lots of information about security-related bugs. Sometimes this information is available for months or years before the fix is rolled out to affected users. This talk will look at the available information: committer, reviewer, commit message, automated tests, whether the referenced bug is publicly visible and the time to merge to the stable branch.

The talk includes a case study of the WebKit project, its process and its version control, and an attempt to automatically deduce whether any particular commit is security-related. Specific vulnerabilities are reviewed and the diffusion of their resolutions is compared among consumers of WebKit.

Tuomas has been a mild-mannered programmer by day and a mild-mannered bug finder by night since t2'10. He found 30 RCEs in WebKit in 2011.


Windows Pwn 7 OEM - Owned Every Mobile?

Alex Plaskett @ MWR InfoSecurity


The talk will aim to provide an introduction to the Windows Phone 7 (WP7) security model, to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.

The ever increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.

A number of OEM manufacturer weaknesses ("features?") will be discussed, and a demonstration of how these "features" can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong, granular security model, and also demonstrate how targeted attacks can be made which leverage this OEM "functionality" to compromise sensitive information.

Alex is a security consultant at MWR InfoSecurity and has a passion for bug hunting and exploit development. Alex has previously identified a number of serious vulnerabilities in IBM software (Lotus Domino, WebSphere MQ) and is currently interested in embedded and mobile systems security.


Solving the t2'11 Challenge

Timo Hirvonen @ F-Secure


Not available.

Timo Hirvonen has been working for F-Secure Corporation as an Anti-Malware Analyst since July 2010. Winning the t2'09 challenge started a chain of events that led Timo to the job that he had previously only dreamed of. He is passionate about exploit analysis, especially malicious Flash and PDF files.

Timo enjoys keeping the good guys safe by studying the latest tricks the bad guys use. Timo is the creator of the t2'10 and t2'11 challenges. In addition to his long-standing hobby of keyboard playing, Timo challenges himself in his free time by training for his first half marathon.


Case Study - Operation Carder Kaos

Richard LaTulip @ U.S. Secret Service


The presentation concerns the undercover operations, logistics and other aspects of Operation Carder Kaos (i.e. TJX/Heartland/Maksik). Operation Carder Kaos focused on identifying, locating and arresting high-value members of the numerous illegal carding websites. This case was one of the first investigations to focus on developing relationships/rapport with the high-value carding members within the cyber world. The focus was to take the undercover cyber operations and turn them into "traditional" face-to-face undercover meetings. The undercover meetings were planned to occur at different locations throughout the world.

  • 1995 - Bachelor of Arts Degree from Indiana University - Major: Criminal Justice; Minors: Speech Communications and History
  • 1995 - 1998 - Patrol Agent - U.S. Border Patrol
  • 1998 - present - Special Agent - U.S. Secret Service
  • 1999 - 2003 - Assigned to the San Diego Regional Fraud Task Force
  • 2003 - 2010 - Assigned to the U.S. Secret Service's Electronic Crimes Program
  • 2011 - Present - Assigned to the U.S. Embassy Tallinn, Estonia


Critical infrastructure insecurity - Why vendor obscurity will kick us in the teeth

Tom Van de Wiele @ nSense


As industrial control systems become the next hype and focal point of information security and the media, we take a deeper look at what really is at stake, what the current trends are and what the main problems are with ICS in general.

Topics discussed will include a short introduction to ICS, why ICS is such a hot topic, the problems with ICS vendors and the legislation of the countries they reside in, what can be done to protect critical infrastructure, and why you should be pessimistic. Or not.

Tom Van de Wiele has spent the last 10 years working as an information security consultant, attack and penetration tester and advisor. Currently he is employed as principal security consultant at nSense Denmark.