Schedule for 2009

Thursday Oct 29, 2009
08:30 Registration and Morning Coffee
09:00 Opening Words, Tomi Tuominen
09:15 Keynote
Mikko Hyppönen
10:15 Coffee
10:30 Sniff Keystrokes with Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage
Andrea Barisani
Inverse Path
Ten Years of Vulnerability Handling - A Personal History
Juhani Eronen
11:30 Lunch
12:30 Sniff Keystrokes with Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage
Andrea Barisani
Inverse Path
Ten Years of Vulnerability Handling - A Personal History
Juhani Eronen
13:30 Break
13:45 Playing in a Satellite environment 1.2
Leonardo Nve
USB Attacks: Fun with Plug & 0wn
Rafael Dominguez Vega
MWR InfoSecurity
14:45 Coffee
15:00 Case m00p
Mikko Hyppönen
16:00 Lightning talk: Discovering a New Class of Vulnerability Through Binary Analysis
Christien Rioux
16:25 Closing Words for the 1st day, Tomi Tuominen
16:30 Cocktails & Networking: Sponsored by Microsoft
18:30 Cocktails & Networking ends

Friday Oct 30, 2009
09:30 Morning Coffee
10:00 Keynote: Security FAIL - We're doing it wrong
Scott McIntyre
11:00 Coffee
11:15 Don't Do This At Home: 0wning Botnets
Felix Leder and Tillmann Werner
University of Bonn
Forensics on GSM phones
David Batanero
12:15 Lunch
13:15 Don't Do This At Home: 0wning Botnets
Felix Leder and Tillmann Werner
University of Bonn
Spying via Bluetooth
Jarno Niemelä
14:15 Break
14:30 Virtually (un)breakable?
Mark Debenham
Microsoft UK
Advanced MySQL Exploitation
Muhaimin Dzulfakar
Next Generation Security Software
15:30 Coffee
15:45 Technical Aspects of SAP Security
Alexander Polyakov
Digital Security
Solving the t2'09 Challenge
Oliver Gruskovnjak
Portcullis Computer Security Ltd
16:45 Closing Words, Tomi Tuominen
17:00 Conference Ends


Mikko Hyppönen @ F-Secure

It is a keynote.

Mikko Hyppönen is the Chief Research Officer for F-Secure. He does his own stunts.

Sniff Keystrokes with Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage

Andrea Barisani @ Inverse Path

TEMPEST attacks, exploiting Electro Magnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees we guess...). While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched. Following the overwhelming success of the SatNav Traffic Channel hijacking talk we continue with the tradition of presenting cool and cheap hardware hacking projects.

We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and power line leakage. The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required.

We will show in detail the two attacks and all the necessary instructions for setting up the equipment. As usual cool gear and videos are going to be featured in order to maximize the presentation.

Andrea Barisani is an internationally known security researcher. His main experiences focus on large-scale IDS/Firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects.

Being an active member of the international Open Source and security community he is maintainer/author of the tenshi and FTester projects as well as the founder and coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.

He has been involved in the Gentoo Linux project, being a member of the Gentoo Security and Infrastructure Teams, and the OSSTMM, becoming an ISECOM Core Team member.

He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, LDAP and other topics.

Playing in a Satellite environment 1.2

Leonardo Nve

This presentation acts as a warning call to those who use or provide data connection (especially the Internet) via satellite. The presentation will cover topics like insecurity of the communications, malicious active attacks and getting an anonymous connection.

The attendees will learn how insecure satellite connections are and why they need a more secure platform for this kind of environment. Also, they will learn how these attacks can be made, including how to get an anonymous satellite connection.

Previously satellite presentations exists, but these are focused only in feeds capturing and a bit in sniffing data, treating this as a passive vulnerability. This presentation will focus more to the active attacks that someone can make against the clients and ISPs.

Leonardo Nve is a senior security auditor that has been interested in computer security since 1996. He has managed several research activities on various security technologies such as DOCSIS, Wireless and SCADA with various papers published in various Spanish publications.

Case m00p

Mikko Hyppönen @ F-Secure

This presentation is a case study into an investigation against an international malware writing group. The investigation spanned several years, included law enforcement from multiple countries, and resulted in several arrests on multiple continents.

The "m00p" group was using online attacks to steal money from various organizations. They used several advanced methods in their attacks, and even had a front-end company to mask their illegal operations. Some of the group members have not yet been prosecuted in a court of law.

This presentation is not open for media and the presentation material will not be made available.

Mikko Hyppönen is the Chief Research Officer for F-Secure. He does his own stunts.

Ten Years of Vulnerability Handling - A Personal History

Juhani Eronen @ CERT-FI

Vulnerability work started for me on 7 July 1999 with the discovery of buffer overflows in vCalendar software. I had just joined OUSPG and started to try out the first alpha versions of testing tools developed in the PROTOS project. The years that followed brought forth a number of test sets - WAP, SIP, HTTP, SNMP - and a veritable plenitude of vulnerability. Later I joined CERT-FI, where I had to change my perspective from testing to trying to cope with the prevalence of software flaws within our society.

In this presentation, I try to summarise a part of my findings along the way, on the pains of vulnerability researchers, reporters, coordinators as well as the developers trying to enhance their products, and the end user. The most important aspect of vulnerability handling is that it is a problem of resource limitations.

The researchers try to maximise their productivity in terms of vulnerability sophistication, volume and impact, all considered hard research problems. Coordinators and reporters try to relay this information to the vendor in a clear and concise manner, while avoiding false positives, hype and needless pressure. Developers and vendors have goals ranging from protecting their customers to making revenue.

The meeting of these disparate actors and motivations invoke extraordinary situations. Technical vulnerability itself is a fickle thing, mutating through changes of environment and valuation. Demonstrations of exploitability was first required, then waived only to be practically required again later. The test set has died, while trivial vulnerabilities are reborn in new application areas.

I will present post-mortems on vulnerability coordination projects I have been involved with, including recent CERT-FI disclosures. Coordination is riddled with delays, communication overhead, leaks, miscommunication and arguments of principle. While the goal of a majority of the vulnerability scene is to protect the end users, their needs remain forgotten throughout most vulnerability disclosure processes. From a pragmatic point of view, protecting the society from the ill effects of vulnerabilities requires conclusion, collaboration and control.

We are mostly failing, and the problem of vulnerability extends far beyond the mere implementation level issues discussed in this presentation.

Juhani Eronen has explored the vulnerability scene both as a researcher at OUSPG and as a coordinator at CERT-FI. He now has a symmetric headache, and can state that the grass is greener on neither side of the fence.

USB Attacks: Fun with Plug & 0wn

Rafael Dominguez Vega @ MWR InfoSecurity

The era of serial port is far gone and now we have been invaded by USB, the Plug and Play and the mini USB storage devices. The use of USB technology has become part of our daily routine. We are frequently handed USB devices and asked to copy a presentation or spreadsheet onto it and we never hesitate to do so. Often our biggest concern is around whether the device will be lost along with our company projections or takeover proposals. However, should we be more concerned about whether the device itself can be used to attack us and gain access to our system?

In the past USB security has often focused on the contents of the devices themselves. When considering the information that has been lost on unsecured devices it is quite understandable that this has received so much attention. However, in all this excitement have we lost perspective on where the real danger lies?

The presentation will cover a wide range of security considerations for USB devices. However, it will specifically focus on the evolution of an attack that can be delivered through a malicious USB device. The talk will also include discussion about the methods that can be used to identify and exploit vulnerabilities in USB drivers and their advantages and disadvantages.

To highlight the reasons for conducting this research the presentation will include the implementation of a Linux USB device driver exploit in a USB hardware device. And it will also show how that can be exploited by simply plugging the malicious device into the system.

Rafa works in the UK as a Security Consultant and Security Researcher for MWR InfoSecurity. He is particularly interested in embedded devices and hardware hacking and enjoys testing different aspect of security from social engineering and physical security to weird proprietary protocols.

Lightning talk: Discovering a New Class of Vulnerability Through Binary Analysis

Christien Rioux @ Veracode

Working on a deep binary analysis and decompilation system has resulted in the discovery of a few new types of vulnerabilities not currently being discussed. This is because these vulnerabilities are more obvious when you are trying to reconcile the 'meaning' of a program from its representation, and one finds curious discontinuities from one's the binary input. This quick presentation will discuss one of the types of flaws that we discovered when building support for a difficult-to-analyze customer program at Veracode. This will be a technical presentation with discussion of flaw identification, exploitation, and remediation.

Christien Rioux, co-founder and chief scientist of Veracode, is responsible for the technical vision and design of Veracode’s advanced security technology. Working with the engineering team, his primary role is the design of new algorithms and security analysis techniques.

Before founding Veracode, Mr. Rioux founded @stake, a security consultancy, as well as L0pht Heavy Industries, a renowned security think tank. Mr. Rioux was a research scientist at @stake, where he was responsible for developing new software analysis techniques and for applying cutting edge research to solve difficult security problems. He also led and managed the development for a new enterprise security product in 2000 known as the SmartRisk Analyzer (SRA), a binary analysis tool and its patented algorithms, and has been responsible for its growth and development for the past five years.

At L0pht, Mr. Rioux was a senior developer. He co-authored the best-selling Windows password auditing tool @stake LC (L0phtCrack) and the AntiSniff network intrusion detection system. His other activities with L0pht included significant security research, publication work and public speaking engagements. Mr. Rioux is also responsible for numerous security advisories in many applications, operating systems and environments. He is recognized as an authority in the areas of Windows product vulnerability assessment, application optimization and program analysis.

His background includes 23 years of computer programming and software engineering experience on a wide range of platforms and for numerous companies, including financial institutions, mechanical engineering firms, educational institutions and multimedia groups.

He graduated from the Massachusetts Institute of Technology in 1998, with a Bachelor’s Degree in Computer Science.

Keynote: Security FAIL - We're doing it wrong

Scott McIntyre @ XS4ALL Internet B.V. / KPN-CERT / FIRST

Working as the Chief Security Officer at an ISP and member of a national telco's CERT for the better part of a decade, as well as serving on the Board of Directors for the globally focussed Forum of Incident Response and Security Teams brings with it many adventures, challenges, laughs, tears, and hair loss to someone who can't afford it.

Reflections on how we as a IT security community are handling recent threats, the role of "disclosure", governance, FUD and the ever present (and increasing) threat of government over-regulation stifling innovation are just some of the topics which will be covered during this keynote.

We all suffer the fallout from IT security failures, and understanding the far-reaching consequences to our actions is critical if we're ever going to have a safer Internet experience for the masses.

If you have ever wondered how an ISP copes with all the threats passing through their network (including at layer-8), yet still manages to love the technology they provide to you -- this talk is for you!

Scott A. McIntyre currently sits on the Board of Directors and Steering Committee of the Forum of Incident Response and Security Teams, the longest established community for computer security incident handlers. For the last 9 years he's served as Chief Security Officer for XS4ALL Internet, the oldest ISP in The Netherlands and also serves as one of the 5 kernel members for the KPN (Royal Dutch Telecom) Computer Emergency Response Team.

In 2007 Scott was appointed to the ITU's High Level Expert Group to help provide input into computer security initiatives from the Incident Response and ISP communities to the ITU's ongoing efforts in this area. A frequent speaker at computer security events around the world, Scott's often humorous insight into operational computer security events provide glimpses into the darker side of the Internet whilst reminding us that the Good Guys are still out there doing their best to keep the Internet safe.

Don't Do This At Home: 0wning Botnets

Felix Leder and Tillmann Werner @ University of Bonn

The threat posed by botnets consisting of thousands of interconnected, remote-controlled computers is one of the major challenges at present. Such malicious infrastructures are getting more and more involved in commercially driven or even politically motivated attacks.

This new dimension requires reconsideration of possible actions as classical countermeasures are mostly reactive and conducted as part of incident response. This is often not sufficient. We argue that proactive measures are necessary to mitigate the botnet threat and demonstrate techniques based on different botnet infrastructures.

This talk will cover a structured botnet mitigation approach and discuss several case studies on recent sophisticated malware like Storm, Waledac, and Conficker and discuss prototypes to demonstrate the applicability (live demos included). In all cases mitigation or even takeover was possible. However, while being technically feasible, such actions raise ethical points like disclosure policies. We conclude that many botnets contain weak points that allow for counter-attacks on a technical level.

Felix Leder is a PhD student at the University of Bonn. After working for Nokia he turned to his favourite field of research: IT-Security. His current research interests are botnet mitigation tactics and new methodologies for executable and malware analysis. A lot of hispare-time is spent on involvement in the Honeynet Project.

Tillmann Werner used to work as an incident handler at the German national CERT and is currently employed as a computer scientist at the University of Bonn. He is a member of the Honeynet Project and has been doing research in the area of network-based attacks for more than 5 years.

Virtually (un)breakable?

Mark Debenham @ Microsoft UK

With the increased attention being paid to virtualization over the last couple of years Mark will take the audience through some of the risks associated with the reliance on virtualization from a security perspective with a demo or two along the way. The audience will be able to see how the same team who provide Microsoft customers with security updates have been busy driving Microsoft Security Development Lifecycle changes into products that may not have previously been considered.

Mark has been to t2 several times before and, for those of you who are regular attendees, he last spoke in 2007 on working with MSRC. Working for MSRC Engineering he strives to protect Microsoft customers from a wide spectrum of threats, now spending most of his time dealing with technologies such cloud computing, virtualization, mobile security and even the occasional glimpse of a pace-maker.

Those of you who have seen Mark talk in any of his former guises will know that his presentations tend to be dynamic and sometimes even amusing, t2 2009 promises to be no different.

For more information on MSRC Engineering and the related teams please see the "Security Research and Defense" at

Technical Aspects of SAP Security

Alexander Polyakov @ Digital Security

Enterprise application security is one of the most important topics in computer security as nowadays corporate environment has became more secure. As a result, attack vectors shift from OS down to the applications. And mostly it is about Enterprise business applications like ERP, CRM, SRM and others because these are the applications that store business data and any vulnerability in these applications will cause a real monetary loss.

SAP has many security problems on all levels such as network, OS, database and application. This talk will cover common and some uncommon vulnerabilities on all these levels backed up with real world examples.

Among the more uncommon vulnerabilities is SAP client side exploitation. This talk will describe different ways to attack SAP clients and demonstrate how you can get access to the whole SAP environment just by exploiting a client side vulnerability.

Alexander Polyakov is a Chief IT Security Auditor at Digital Security company. His expertise covers enterprise applications and database security. He has found a lot of vulnerabilities in products of such vendors like SAP and Oracle. He is author of a book named Oracle Security from the Eye of the Auditor. Attack and Defense. (In Russian).

He is also the head of Digital Security Research Group (, Expert Council member of PCIDSS.RU association and one of the contributors of Oracle with Metasploit project.

Forensics on GSM phones

David Batanero

Mobile phones, have become essential devices in our personal and professional lives. Today, the ring tones and vibrations of mobile phones are everywhere. Removing a phone's SIM card doesn't remove the personal information, the internal memory, even communication exchanged between the phone and its server, remain. We will see what information can be useful and how to recover it without expensive hardware.

David Batanero is a security researcher. He has been involved with telecommunications equipment since he was a child. He has worked as coordinator of the telecommunications product line at a highly specialized toy-retail firm. He has been a speaker at some security conferences in Brazil, Spain, Colombia and Mexico.

Spying via Bluetooth

Jarno Niemelä @ F-Secure

We at F-Secure have from time to time received reports from people who think that their mobile phone is being spied on. And as we thought that mobile phone spying is issue that affects only smart phones we could not offer much help.

However on deeper look it turns out that it is possible to spy on any Bluetooth enabled phone, provided that spy gets his hands on the phone once to set his own phone or laptop as trusted device. Security oriented person can say that you should not ever set any unknown device as trusted, but that does help use whose phone has been taken over without him noticing it.

This presentation gives overview of just what is possible do over Bluetooth once the attacking device is trusted, what spy can do over Bluetooth and what can be done to prevent it.

Jarno Niemelä is Senior Security Researcher at F-Secure corporation. He has been working with mobile malware and other threat research since 2000 and was the first anti-virus researcher in the world to research mobile malware.

In addition of his day job at F-Secure Jarno teaches information security and other topics at Metropolia University of Applied sciences.

Advanced MySQL Exploitation

Muhaimin Dzulfakar @ Next Generation Security Software

Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with metasploit and is able to upload and execute shellcodes using a SQL Injection vulnerability in LAMP or WAMP environments.

Muhaimin Dzulfakar is a Security Consultant for Next Generation Security Software. His current research interests include fuzzing and post exploitation process.

Solving the t2'09 Challenge

Oliver Gruskovnjak @ Portcullis Computer Security Ltd

Abstract will be published after the challenge has been solved.

Oliver Gruskovnjak has been working in the security field for the past 8 years, where his responsibilities include penetration testing, incident response and having fun while breaking things. In his free time he likes to code and analyze malware.