Thursday Oct 25, 2012
08:30 Registration and Morning Coffee
09:15 Opening Words, Tomi Tuominen
09:30 Keynote: Changing the world by refusing to understand you can't
Rick Falkvinge
10:30 Coffee
10:45 Hacking Huawei VRP
Felix FX Lindner
Recurity Labs GmbH
11:45 Lunch
13:00 AbuseHelper: Fighting botnets with botnets
Jussi Eronen
Secure Exploit Payload Staging
Georg Wicherski
14:00 Break
14:15 Game of Lies
Olli-Pekka Niemi
Protecting against computerized corporate espionage
Jarno Niemelä
15:15 Coffee
15:30 PinPadPwn
MWR InfoSecurity
16:30 Closing Words for the 1st day, Tomi Tuominen
17:00 Cocktails & Networking: Powered by Stonesoft
18:30 Cocktails & Networking ends
19:00 Afterparty: Powered by RSA
21:00 Afterparty ends

Friday Oct 26, 2012
09:30 Morning Coffee
10:00 Draw Me A Trojan
Yuval Vadim Polevoy
11:00 Coffee
11:15 Finding Flame
Costin Raiu
12:15 Lunch: Powered by Point
13:15 Fuzzing at scale and in style
Michelle Aubizere and Atte Kettunen
SAP Slapping - A pentesters guide
Dave Hartley
MWR InfoSecurity
14:15 Break
14:30 How to root your USB-device
Olle Segerdahl
Swedish Armed Forces NCSA
Burping up the serialized communication
Miika Turkia
15:30 Coffee
15:45 Solving the t2'12 Challenge
Timo Hirvonen
16:45 Closing Words, Tomi Tuominen
17:00 Conference Ends

Keynote: Changing the world by refusing to understand you can't

Rick Falkvinge @ Piratpartiet

Keynote with the message that we all have the power to change the world. The keynote starts out with the political message of "protest", puts it in historical perspective, then recounts my personal journey from posting a few lines in a chat channel to having put people in parliaments and founded a movement present in 50-plus countries. Summarizing, the audience learns that each and every one of us feels a passion to change the world for the better in some aspect, and each of us has the power to make it happen.

Rick Falkvinge is the founder of the first Pirate Party and a campaigner for next-generation civil liberties and sensible information policy. In particular, he stresses how the copyright industries work in collusion with Big Brother hawks to erode or eliminate the parts of the Internet that guarantee our civil liberties.

On this platform, one of privacy and digital rights, his party became the largest in the below-30 demographic in the 2009 European Elections. When not doing politics or exploring technical subjects in detail, Mr. Falkvinge can usually be seen cooking, sampling a scotch whisky, or riding a fast motorcycle.

Hacking Huawei VRP

Felix FX Lindner @ Recurity Labs GmbH

Huawei routers are no longer devices only seen in China. Entire countries run their Internet infrastructure exclusively on these products and established tier 1 ISPs make increasing use of them.

However, very little is known of Huawei's Software Platform and its security. This presentation will introduce the architecture, special properties of configurations and services as well as how to reverse engineer the OS. Obviously, this is done only to ensure compatibility with router products of other vendors ;) Routers might still be hurt in the process.

FX is the leader of the Phenoelit group and loves to hack pretty much everything with a CPU and some communication, preferably networked. He looks back at around fifteen years of (legal) hacking with only a couple Cisco IOS and SAP remote exploits, tools for hacking HP printers and protocol attacks lining the road.

In his day life, Felix 'FX' Lindner runs Recurity Labs GmbH, a security consulting and research company in Berlin, Germany.

AbuseHelper: Fighting botnets with botnets

Jussi Eronen @ CERT-FI

AbuseHelper is a framework for working with key-value data in real time in an asynchronous, decentralised manner. Its first goal was to replace CERT-EE's Abuse Killer and CERT-FI's Autoreporter as next-generation, country-wide automated incident reporting systems. Now we use it as flexible glue logic in various security-related monitoring and reporting systems.

In this presentation, I show how you can use AbuseHelper to:

- Gather public data on badness relevant to your networks
- Utilise your own sensors to gain further indications of compromise
- Remediate threats infiltrated to your systems
- Investigate successful breaches using automated tools
- Use the residual data to mitigate incoming attacks
- Visualise gathered data in real time according to your needs
- Share threat data with your peers

Juhani Eronen is an Information Security Analyst at CERT-FI, where his responsibilities include vulnerability co-ordination, automation of the handling of security incidents and information assurance. Formerly, he worked for OUSPG researching protocol vulnerabilities and dependencies of the critical information infrastructure, among other things. He is a postgraduate student at the Oulu University Secure Programming Group, OUSPG.

Game of Lies

Olli-Pekka Niemi @ Stonesoft

How do you verify that network intrusion detection and prevention systems do what they are supposed to do? How are these tested in the industry, and what are the pitfalls in current testing processes? How does the testing differ from what is being said and what is done? Are there weaknesses you should know about?

Olli-Pekka Niemi has been working in the area of Internet security since 1996. He has been doing offensive security as a penetration tester and defensive security as a system administrator. Since December 2000, he's been working for Stonesoft R&D developing intrusion prevention systems. He's currently heading Stonesoft's Vulnerability Analysis Group (VAG). His main R&D interests include analysing network-based threats as well as evasion research. In his free time he enjoys fishing, horseback riding and keyboard playing.


PinPadPwn

Nils @ MWR InfoSecurity

Pin Pads or Payment Terminals are widely used to accept payments from customers. These devices run Payment Applications on top of the device-specific firmware. It should come as no surprise to anyone that these applications and operating systems are just as vulnerable as any other systems when it comes to handling user input.

As the use of Chip and Pin continues to replace the fairly basic magnetic stripe cards, these devices are handling more and more complex information from untrusted sources; namely the EMV protocol spoken by all major payment smart-cards. On top of this many of these terminals are connected through Ethernet, GPRS, WiFi or phone lines, which add to the overall attack surface.

We will demonstrate that memory corruption vulnerabilities in payment terminals and applications are a reality and that they can be used to gain code execution on the terminals. Furthermore we will demonstrate and discuss potential payloads and how these can profit an attacker.

Nils is heading the security research at MWR InfoSecurity. He likes to break and exploit stuff, which he demonstrated at pwn2own 2009 and 2010. He has spent most of 2010 and 2011 researching different mobile platforms and how to evade the exploitation mitigation techniques in place on these platforms. His current interest is embedded payment devices.

Secure Exploit Payload Staging

Georg Wicherski @ CrowdStrike

... or how we did not kill a 0day at Defcon.

Binary remote exploitation of an unprivileged service often requires an additional local exploit to elevate to root privileges. Even if your target is running as root already, you may want to preserve your exquisite backdoor from being analyzed.

This talk presents a case study of multiple shellcode stages to make sure your payload is not caught, even if the traffic is sniffed all the time and a disk dump is taken right after exploitation (we cannot avoid being caught in a physical memory dump, though). This is achieved by polymorphic obfuscation, proper public key cryptography and not touching the disk at all (while still being able to run any statically linked ELF payload).

The described code has been successfully used in the Defcon 2011 CTF to deliver a FreeBSD local 0day without disclosing it to the playing teams (or so we'd like to believe). A Honeynet Project Forensic Challenge was to analyze this code, now we can present the real code.

Georg Wicherski is a Senior Security Researcher with CrowdStrike, mostly analyzing advanced targeted threats but also putting himself in attackers’ shoes from time to time. He loves to work on a low level, abandoning all syntactic sugar that HLL offer and working on instructions or bytecode. Recently, he has developed an interest for the ARM architecture in addition to his old x86 adventures. He runs a sporadically updated blog

Protecting against computerized corporate espionage

Jarno Niemelä @ F-Secure

Corporate and governmental espionage using malware as a tool is getting bigger with every passing year. While cases like Stuxnet, Duqu and Flame grab a lot of headlines in the news, they seem distant for most since they have targeted nuclear and other research activities in Iran, a very distant target compared to a typical company. However, there is a lot of intelligence gathering activity that has much more mundane targets, targets like any typical company that has intellectual property worth protecting.

This presentation gives an overview of a typical corporate espionage attack, what methods and attack vectors the attackers use, what they want and how they leak the information. After covering the attackers' point of view, we will cover tips and tricks to detect and prevent information from being stolen.

Jarno Niemelä has spent the past 12 years at F-Secure security lab working on mobile threats, scan engines and for the past 4 years on analyzing and identifying malicious behavior and automatic malware handling. His current interest focuses on identifying patterns in malicious behavior and what can be done to break those patterns.

Draw Me A Trojan

Yuval Vadim Polevoy @ RSA

In this talk I will be presenting recent research on Malware which really goes out of its way to disguise its true malevolent intentions, utilizing techniques of masquerading and steganography not commonly seen in the Malware world. In a sense - a true Trojan Horse.

I will walk you step by step through the research performed, peeling off a layer of disguise at a time, to reveal the core of the modular and extensible Malware which lies beneath it all.

For the grand finale, I will show a demo of how a seemingly innocent picture placed on a web server can contain malicious instructions for this Malware.

Yuval is a Senior Security Researcher with RSA Security, where he leads a team of three Reverse Engineers. Together with them, Yuval works on unlocking the secrets of Malware which threatens Financial Institutions worldwide, as well as doing independent Security Research. Prior to joining RSA Security, Yuval worked as Software Engineer at Radware, focusing on solving tricky bugs in a Real Time Embedded Device

Finding Flame

Costin Raiu @ Kaspersky

When Stuxnet was discovered in 2010, everyone wondered if it was one of a kind, or, if there are others like it out there. We suspected there were others, but we had no proof. Every single anti-malware company in the world scoured their collections for samples similar to Stuxnet - without success. The theory was confirmed in September 2011, when the Duqu malware was discovered and announced by the Hungarian CrySyS lab and Symantec.

For sure, Duqu and Stuxnet raised the stakes for cyberwar -- but with the discovery of Flame in May 2012, new bars have been raised. The Flame cyber-espionage worm came to the attention of the experts at Kaspersky Lab after the United Nations’ International Telecommunication Union asked for help finding an unknown piece of malware nicknamed Wiper. While searching for Wiper, Kaspersky Lab discovered Worm.Win32.Flame.

Flame is a sophisticated attack toolkit that is a lot more complex than Duqu. It is a backdoor, a Trojan, and has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its controller.

For instance, to replicate in local networks, Flame uses a unique “God mode” technique, which has long been feared and talked about -- hijacking Windows Update connections and presenting itself as a legitimate, Microsoft-signed update to the victim. To pull off this trick, the Flame operators performed an extraordinary collision attack on MD5, which currently remains unknown.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations and intercepting keyboard strokes. All this data is available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which extend Flame’s functionality. We have so far seen about 20 modules and the purpose of some of these is still being investigated.

Once again, the security industry wondered - Stuxnet, Duqu, Flame - are these all, or is there more military-grade malware out there? With the recent discovery of Gauss, we can confirm yet another spy trojan created in the same ‘factory’ as Flame, Duqu and Stuxnet. We are seeing just a small picture of all the nation-state sponsored malware attacks that are crawling in the wild.

In this presentation, we will look closely at Flame, how it infects and steals data from systems, how the data is sent to its C2 servers and how it is processed on the C2 side. We will show its links with Stuxnet, Duqu and Gauss - which allowed us to discover it in the first place.

Finally, we will talk about the future of cyber-weapons and the challenges and dangers they pose to civilians, researchers, anti-malware companies and nation-states.

Costin G. Raiu has extensive experience in antivirus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO), and a reporter for Wildlist Organization International. Prior to joining Kaspersky Lab, Costin worked for GeCAD as one of their chief researchers and as a data security expert with the RAV antivirus developers group.

His hobbies include playing chess, high precision arithmetic, cryptography, chemistry, photography and science fiction literature.

Fuzzing at scale and in style

Michelle Aubizere and Atte Kettunen

Heating your house is important, but it helps being smart about it. We will show you:

1. who we are, what bugs we've found and where

- why we are qualified to present on browser bug hunting in 2012

2. where are the memory corruption bugs of modern browsers

- bitflipping, in .gif, in 2012, really
- how we evolve our fuzzers once a particular minefield has been cleared
- stareability really helps

3. tools - how we manage 10 concurrently open bugs, how we tell the bugs apart, minimize repros, report bugs, track fixes, and step on each other's toes

- asan, asan, asan
- rsync, for loops, grep, sed
- git, redis, node.js, radamsa
- vi, inotifywait

Atte Kettunen is a security researcher at the Oulu University Secure Programming Group (OUSPG). In 2011 and 2012 he has successfully fuzzed Firefox and Chromium and found dozens of vulnerabilities in them. Atte has quickly become one of the top reporters in both browsers' bug bounty programs.

Miaubiz is a software developer and independent security researcher who has found over 50 security vulnerabilities in WebKit in the past two years.

How to root your USB-device

Olle Segerdahl @ Swedish Armed Forces NCSA

While a fair amount of public research on USB host stacks (i.e. in operating systems) has been done, very little has been shared about fuzzing USB device implementations. The published research so far has been mostly limited to the USB control transfer mechanism which is a pretty small part of the attack surface of most USB devices.

This talk will present a step by step guide to building your own fuzzing tools both for USB control transfers and the common device class protocols that are used to provide the functionality of USB devices. A ready-to-run tool for fuzzing common USB device classes will be presented and released as open source in order to advance the industry standard in USB device security testing.

Finally some war stories will be shared, including exploiting a code execution bug in the USB device stack of a "secure" USB memory stick with complete compromise of the claimed security features as a result.

Olle has had a long career in the IT-security industry and has tried his hand at most of the challenges it has to offer. His latest challenge is in the employ of His Majesty's armed forces where he does Information Assurance work for the Swedish National COMSEC and Security Accreditation Authority. Having just acclimatized to working in the public sector, he is getting up to speed breaking all manner of security products before they sneak into production systems.

Solving the t2'12 Challenge

Timo Hirvonen

Not available.

Timo Hirvonen has been working for F-Secure Corporation as an Anti-Malware Analyst since July 2010. Winning the t2'09 challenge started a chain of events that led Timo to the job that he had previously only dreamed of. He is passionate about exploit analysis, especially malicious Flash and PDF files.

Timo enjoys keeping the good guys safe by studying the latest tricks the bad guys use. Timo is the creator of the t2'10, t2'11 and t2'12 challenges. In addition to his long-standing hobby of keyboard playing, Timo challenges himself in his free time by training for his first half marathon.

SAP Slapping - A pentesters guide

Dave Hartley @ MWR InfoSecurity

SAP is one of the world's largest software companies. SAP offers approx. 40 products in the categories of "Business Solutions", "Industry Solutions" and "Solutions for Small and Midsize Enterprises" as well as approx. 8 interactive platforms and frameworks. The latest offering is "Business ByDesign" - a software as a service (SaaS) offering. SAP basically has an incomprehensibly massive attack surface, is a core component of many, many business operations and yet when talking with other 'pentesters', I have found many shy away from assessing these systems for fear of the unknown.

There are also very few open source assessment tool kits and/or methodologies available to pentesters. In reality SAP is no different than any other interconnected business system. Traditional network and application testing tool sets/methodologies are just as applicable, and network and application security best practices/principles are just as relevant.

This talk will not provide a deep understanding of SAP, nor will it provide you with the abilities to perform in depth, effective and comprehensive security assessments of SAP landscapes (did I mention massive attack surface?). The audience will however leave with just enough information to go from zer0 to her0 in as short a time as is possible when encountering SAP systems during engagements.

Several Metasploit modules will be demoed during the presentation that can be used to form the base of an open source SAP assessment toolkit. The modules can be used to achieve complete compromise of insecure and misconfigured SAP environments. It's all just pushing buttons really ;)

Dave is a Principal Security Consultant for MWR InfoSecurity operating as a CHECK and CREST Certified Consultant (Application and Infrastructure). Dave also sits on the CREST assessors’ and NBISE advisory panels, where he invigilates examinations and collaboratively develops new CREST examination modules. Dave is a published author and regular contributor to many information security periodicals and is also the author of the Bobcat SQL injection exploitation tool and several Metasploit modules.

Burping up the serialized communication

Miika Turkia @ Nixu

In this presentation, we will look at techniques for penetration testing applications that utilize serialized objects for communication. This is a common technique with thick clients or Java applets for communicating with servers and it is often seen in mobile applications as well. The binary blob that is being transmitted over the network is dissected and presented in human readable format in Burp Suite allowing an easy way to test business logic and common application vulnerabilities.

The toolkit will be released to the attendees.

Miika has worked as a technical security consultant in Nixu for well over ten years. During the last couple of years a title of lead security consultant has not hindered his passionate drive to make different systems from vegetable scales to VOIP networks do his bidding.