|Thursday Oct 29, 2015|
|08:30||Registration and Morning Coffee: Powered by Microsoft|
|09:15||Opening Words, Tomi Tuominen|
First Look Media & Citizen Lab
|10:50||Forging the USB armory
|Practical Adobe Flash analysis
|13:00||A Reasonably Safe Travel Burner Laptop Setup
|Put on your tinfo_t hat if you're my type
|14:20||CosmicDuke: peering inside over 7 years of state-sponsored malware operations
|Windows kernel fuzzing
|15:50||If attackers think in graphs, why can't we?
|16:50||Closing Words for the 1st day, Tomi Tuominen|
|17:00||Cocktails & Networking: Powered by Nixu|
|18:30||Cocktails & Networking ends|
|19:00||Afterparty: Powered by F-Secure|
|Friday Oct 30, 2015|
|09:30||Morning Coffee: Powered by Microsoft|
|10:00||Physical penetration testing
|11:20||Washing away the snake oil of threat intelligence
|13:20||Physical Side Channel Attacks on PCs
Tel Aviv University
|Practical exploit development for AVR-based devices.
Alexander Bolshev & Boris Ryutin
Digital Security & ZORSecurity
|14:40||LTE (in) Security
Ravishankar Borgaonkar & Altaf Shaik
Aalto University & SecT, TU Berlin
|Practical exploit development for AVR-based devices.
Alexander Bolshev & Boris Ryutin
Digital Security & ZORSecurity
|16:00||Solving the t2'15 Challenge
Ludvig Strigeus & Timo Teräs
|17:00||Closing Words, Tomi Tuominen|
Morgan Marquis-Boire @ First Look Media & Citizen Lab
It's a keynote.
Morgan Marquis-Boire is a Senior Researcher at the Citizen Lab, University of Toronto. He is the Director of Security for First Look Media and a contributing writer for The Intercept. Prior to this, he worked on the security team at Google. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Interregional Crime and Justice Research Institute.
In addition to this, he serves as a member of the Freedom of the Press Foundation advisory board and as an advisor to Amnesty International. He has lectured on security, surveillance, and nation-state espionage at Universities around the world including Harvard, MIT, Stanford, Toronto, and the University of Milan.
His research has been featured in numerous print and online publications. In 2012, SC Magazine gave him an honorable mention as one of the influential minds of IT Security. He was named as one of Italian WIRED's 50 people of 2014. In March of 2015 he was named a Young Global Leader by the World Economic Forum.
Forging the USB armory
Andrea Barisani @ Inverse Path
The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.
The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.
The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, is meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.
The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.
The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.
The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.
Andrea Barisani is an internationally recognized security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure defense, forensic analysis, penetration testing and code auditing with particular focus on safety critical environments, with more than 14 years of professional experience in security consulting.
Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.
He is a well known international speaker, having presented at BlackHat, CanSecWest, Chaos Communication Congress, DEFCON, Hack In The Box,among many other conferences, speaking about innovative research on automotive hacking, side-channel attacks, payment systems, embedded system security and many other topics.
A Reasonably Safe Travel Burner Laptop Setup
Georg Wicherski @ CrowdStrike
Physical access to computer devices at borders and in hotel room safes has always been a thing for intelligence gatherers of all kinds. Once Full Disk Encryption took off, firmware and hardware implantation became the method of choice for getting even more persistent access.
The simple solution for many people was to start using burner hardware that has no data but what is needed for the trip and can be thrown away after the trip. Unfortunately, not everyone targeted these days is a C-level executive and has budget for a new laptop for each trip. Sometimes you may even need something on a trip that you don't necessarily want in the hands of your destination country's intelligence services (think economic espionage).
This talk aims at introducing how to build a reasonably safe travel laptop from a firmware and software perspective at low cost using commodity hardware. We will walk through building a trusted boot chain using Coreboot on new Chromebooks with recent and decent hardware, signing everything from bootloader (residing in the firmware EEPROM) to user-space code. The key difference to running a stock Chromebook is replicating the trusted boot chain with your builds and a more powerful working environment.
Georg Wicherski is Manager of Information Dominance at CrowdStrike. He enjoys all kinds of low-level work on x86 and ARM, including reverse engineering, binary exploitation and code development. He has co-authored the Android Hacker's Handbook.
CosmicDuke: peering inside over 7 years of state-sponsored malware operations
Artturi Lehtiö @ F-Secure
The summer of 2014 saw the public outing of a uniquely interesting malware family known as CosmicDuke. While CosmicDuke appeared to primarily target Western governments for espionage purposes, it was also seen targeting Russian speaking criminals involved with illegal substances and child porn. Also, while CosmicDuke seemed to be based on an older malware family called Cosmu, it clearly shared some components with the presumably Russian-backed espionage operation MiniDuke.
In this presentation, we will detail the discoveries we have made over the past year of continuing research into CosmicDuke. We will explain how we worked to identify and extract key "metadata" from CosmicDuke samples and how, by compiling this data from samples we had already encountered, we were able to find additional samples of CosmicDuke, discover previously unseen variants of CosmicDuke, and identify new "strains" of CosmicDuke activity. We will also detail how we were able to use the metadata compiled from samples to attempt to answer questions such as "How has the use of CosmicDuke evolved over the years" and "Is CosmicDuke being operated by a single group of people or are many groups sharing the toolset?".
In this presentation, we will also show how the people behind CosmicDuke have worked to continuously improve their tools. We will show examples of features being ported between different tools in the CosmicDuke toolset, recently published public exploits being turned into new CosmicDuke components, existing functionality being reworked and refactored, and even how ease of testing has been taken into account in CosmicDuke.
Finally, our presentation will also provide insight into an oft-forgotten aspect of malware research: "What happens once its public?" We will therefore conclude our presentation by discussing the ways in which we have observed the people behind CosmicDuke respond to last summer's publications.
By sharing our techniques and the discoveries they led to, as well as the observations we have made through the course of our research, we hope to provide unique insight for anyone researching, countering or otherwise interested in understanding long-running targeted malware operations.
Artturi Lehtiö, born in Finland, began his computer science studies at Aalto University in 2010 and is now finishing up his Bachelor of Science degree there. He has been employed by Finnish security company F-Secure since 2014 where he currently works as a researcher focusing primarily on threat intelligence, threat hunting and reverse engineering.
Practical Adobe Flash analysis
Timo Hirvonen @ F-Secure
Flash files can be divided into two categories: protected and unprotected.
The second category, the protected Flash files, is much more challenging to deal with - and the bad guys know it. They rely on the power of their own protection methods and commercial protectors like DoSWF and secureSWF so much that they often protect only the outmost layer. But what happens if you manage to crack through that layer and access the next layer, the embedded Flash object? Profit!
The second part of the presentation covers the analysis of protected and obfuscated Flash files. I will do live analysis of both custom and commercial obfuscation/protection methods, some of which are quite exotic (to put it mildly)... Your best bet is to forget the decompiler and use custom scripts and dynamic analysis. I will demonstrate the use of Sulo, an open-source tool for dynamic Flash analysis that you can use to intercept additional Flash objects loaded by the outmost layer. I will also share custom tools for decrypting strings from secureSWF protected Flash files.
Even though most of the samples used in the demos will be exploits, this presentation is not about exploit analysis - you can use the same techniques to analyze any Flash for any purpose.
Say no to Death by PowerPoint. Say yes to live demos.
Timo Hirvonen has been with F-Secure for five years, and he currently leads the Malware Protection Team. Timo is an expert in exploit analysis with an emphasis in malicious Java, Flash, and PDF files. He is the author of Sulo, the first publicly available tool for dynamic Flash analysis.
In addition to his four and half t2 talks, Timo has presented at Black Hat USA 2014, Microsoft Digital Crimes Consortium 2014, CARO 2013, and Scandinavian Cybercrime Conference 2013. Timo's mission is to keep the good guys safe by studying the latest tricks the bad guys use.
Put on your tinfo_t hat if you're my type
Miau Biz @ Azimuth Securities
The IDA Pro APIs for interacting with type information are full of opportunities (horrible problems). I will show you how to create unparseable types, how to apply these types to functions and variables and how to transfer these types from one IDB to another.
The user interface of IDA Pro will not allow types with certain characters such as the dollar sign, colons and angle brackets to be inserted into Local Types, or parsed from a header file. It is further not possible to create structs that refer to these types or apply these types to functions or variables. However it is possible to import these types from a PDB, both into Local Types and on to function prototypes.
The IDA Pro APIs for interacting with types allow both the insertion of unparseable types and their application to functions and variables. The APIs are unfortunately undocumented and there are, if any not many, public resources demonstrating their use. This presentation will show how to create unparseable types, how to apply them to functions and variables.
Unparseable types can be inserted into Local Types by inserting them using temporary names, without any special characters, and renaming the types to their actual names after insertion. Any character is allowed in a type's name when it is renamed. Because types extend other types and refer to further types, inserting a type may require temporarily renaming all types in that type's hierarchy and all types referred to anywhere in that hierarchy.
Types may be applied to functions and variables either through tinfo_t structures, renaming them before application, or by reversing the serialization format used by a subset of IDA Pro's type APIs.
miaubiz is a senior doctor of security at Azimuth Security. he has previously found bugs in web browsers and has spoken at T2, SyScan, and Infiltrate. his interests are bad APIs and sniffing ARMpits.
Windows kernel fuzzing
Nils @ Bytegeist
Attackers often rely on Windows kernel vulnerabilities to break out of application sandboxes and escalate privileges. To rapidly identify such vulnerabilities, we adapted techniques from browser fuzzing to assess the kernel and have reported a number of critical issues to Microsoft. All aspects of the fuzzer, from test case generation to testcase minimisation are highly distributed and it produces high quality testcases for reproduction.
This talk will discuss our approach for fuzz testing the Windows kernel, from assessing the kernel's attack surface and effective test case generation, to the design and architecture of a highly distributed fuzzer that scales to many hundreds of CPU cores.
Nils is a security researcher heading up bytegeist, an MWR company that delivers highly specialised security research. Nils' previous research areas include the Windows kernel, EMV payment systems, Android and browser security. He has successfully competed in pwn2own a few times.
If attackers think in graphs, why can't we?
Microsofts John Lambert said "Defenders think in lists. Attackers think in graphs". If attackers can reason about a system using graphs, why can't we as defenders use the same methods to better protect ourselves?
This talk will present an alternative to checklist-based security by using a methodical approach to reasoning about the security of a system.
Instead of just telling you what you should be doing to defend yourselves, checklist style, this talk will give you the tools you need to actually figure out what controls are most relevant for your specific environment.
Practical information assurance advice such as "what to ask for in a security assessment report" will also be offered, which should be applicable even for those not yet willing to change their information security processes.
Along the way, we might have a few laughs at the expense of some "security experts". Because why not.
olleB better known by his childhood name Olof Baldwin is an internationally recognized security expert and second cousin of Alec Baldwin. His research focus revolves around client-side authorization and input validation.
In 2013 after releasing the critically acclaimed debut single threeOne Olof was approached by several American music executives, but could not leave Visby due to commitments to the royal family. A CISSP holder and discoverer of the first POST XSS vulnerability in Sweden make OlleB a socialite comparable to Taylor Swift's twitter account.
A loophole in the local historic legislation allows him to be one of the handful people in Sweden with an open carry permit for a cyber gevär.
Physical penetration testing
Walter Belgers @ Madison Gurkha
Your assignment is going great. You're past the reception desk, thanks to your social engineering skills. You made it to the rack that contains the server you are pentesting. But it's locked.. So is the drawer that might hold the key.
With some knowledge and a lot of training, many locks can easily be opened, be it the lock in a 19" rack, a drawer, a lock that is attached to a laptop, etc. In this talk, we will look at the art of lockpicking and how these techniques can be applied to open disc locks (including the Abloy Classic), pin tumbler locks, wafer locks (found in cabinets) and tubular locks (like kensington).
Walter Belgers is an ethical computer hacker by profession and by way of life. During his working hours, he tests the security of IT systems using both technical and social means at Madison Gurkha, a major Dutch penetration testing company. He is also the fastest lockpicker on earth and president of The Open Organisation of Lockpickers. He likes Turkinpippuri and on his bucket list is rally driving in Finland.
Washing away the snake oil of threat intelligence
David Chismon @ MWR InfoSecurity
"Threat Intelligence" is at peak hype currently and is being seen by many organisations as the "cure for cyber". As such, many companies are leaping on the bandwagon and selling a vast array of products under the banner of TI. However, no encompassing definition exists as to what TI is and how to use it and ensure that it is protecting the organisation.
To respond to this we studied the field, in work supported by CPNI and CERT-UK, and present a model for classifying all types of threat intelligence to allow evaluation of them. We find that although much of what is being sold is unlikely to help protect organisations, there is a core idea that can, and which doesn't have to cost money.
David is a senior researcher and consultant with MWR InfoSecurity in the UK. His previous research includes analysis of how nation state attackers are exfiltrating data from corporate networks and biometric authentication in mobile devices. He was the lead author on the recent "Threat Intelligence: Collecting, Analysing, Evaluating" paper published with the support of CPNI and CERT-UK.
Physical Side Channel Attacks on PCs
Lev Pachmanov @ Tel Aviv University
Can secret information be extracted from personal computers by measuring their physical properties from the outside? What would it take to extract whole keys from such fast and complex devices? We present myriads way to do so, including:
- Acoustic key extraction, using microphones to record the high-pitched noise caused by vibration of electronic circuit components during decryption.
- Electric key extraction exploiting fluctuations in the "ground" electric potential of computers. An attacker can measure this signal by touching the computer's chassis, or the shield on the remote end of Ethernet, VGA or USB cables.
- Electromagnetic key extraction, using a cheap radio to non-intrusively attack laptop computers.
The talk will discuss the cryptanalytic, physical and signal-processing principles of the attacks, and include live demonstrations.
Joint works with Daniel Genkin, Itamar Pipman, Adi Shamir, and Eran Tromer.
Lev Pachmanov is a M.Sc. student at the Tel Aviv University, advised by Dr. Eran Tromer. His research area is cryptography, information security.
LTE (in) Security
Ravishankar Borgaonkar & Altaf Shaik @ Aalto University & SecT, TU Berlin
Most of the traditional IMSI catcher attacks would not work against LTE (4G) mobile phones. This is due to the fact that LTE is more secure than old generations technologies. In this talk, we build an IMSI catcher to investigate LTE security mechanisms in practice and show how popular smartphones fail during a live demo. In addition, we discuss common LTE configurational mistakes of mobile network operators and smartphone vendors that allow IMSI catcher type of attacks.
Ravishankar works as a Senior Researcher at Aalto University and ICRI-SC. His research themes are related to mobile telecommunication and involved security threats. This ranges from GSM/UMTS/LTE network security to end-user device security.
Altaf works as a PhD student in Security in the Telecommunications Department at Technical University Berlin. Altaf is interested in network and protocol security.
Practical exploit development for AVR-based devices.
Alexander Bolshev & Boris Ryutin @ Digital Security & ZORSecurity
Today, one can find many devices based on AVR microcontrollers. The range of such devices spans from Arduino-based amateur projects to serious automotive, home automation or industrial control system controllers and gateways. There are many talks have been given on reversing and exploits development for AVR-based devices, however there is still a lack of full-scale guide that answers the question: "I have AVR device. I (possibly) have firmware. I found potential flaw that looks like an exploitable vulnerability. What should I do now?" The goal of this workshop is to give answers to such type of questions.
During the workshop, the audience will learn how to reverse engineer AVR firmware and specifics of exploitation. We will review AVR architecture, detail on tools and technics, teach how to write ROP chains for AVR and demonstrate other approaches to enforces MCU to do what wasn't expected by firmware developer. We will also cover post-exploitation topics such as reflashing and altering the bootloader. The journey into secrets of AVR microcontrollers will start from simple programs, quickly move on to popular Arduino libraries and finish with a case of the real exploitation of an industrial gateway. We will talk about how to use Radare2 and IDA for reversing and exploiting of AVR firmware. Besides we will release additional tools that make the outlined tasks easier.
If you have Arduino or other AVR development board, please bring it to workshop: you will be able to do all examples concurrently with us; also, we will give you more firmware samples to train acquired skills.
Alexander Bolshev is the information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as assistant professor at Saint-Petersburg State Electrotechnical University. He works on distributed systems, hardware and industrial protocols security. He is the author of several whitepapers in topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He spoke at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, Confidence, S4.
Boris (@dukebarman) has graduated from the Baltic State Technical University "Voenmeh", faculty of rocket and space technology, and is currently a postgraduate student there. An security engineer at ZORSecurity. A recurring writer for the IIakep magazine, a contributor and developer in several open-source information security projects. Radare2 evangelist. Boris has been awarded with some bug bounties.
Solving the t2'15 Challenge
Ludvig Strigeus & Timo Teräs