|Thursday Oct 24, 2013|
|08:30||Registration and Morning Coffee: Powered by Stonesoft|
|09:15||Opening Words, Tomi Tuominen|
|10:45||Hack the Gibson - Exploiting Supercomputers
John Fitzpatrick and Luke Jennings
|13:00||Cracking Historical Ciphers
|My quest into FM-RDS
|14:15||Going deeper on aviation security
|<3 Ruby on Rails <3
|15:30||"Information Assurance for your business" or "Why your security products suck"
The Toolcrypt Group
|16:30||Closing Words for the 1st day, Tomi Tuominen|
|17:00||Cocktails & Networking: Powered by Nixu|
|18:30||Cocktails & Networking ends|
|19:00||Afterparty: Powered by nSense|
|Friday Oct 25, 2013|
|10:00||Future Proof Integrated Circuits Analysis Techniques
|11:15||Speeding up exploit development with Moneyshot
|13:15||Don't Pay Money for Someone Else's Calls - A Practical Analysis of VoIP based Toll Fraud Cases
|Hacking Government - Crowdsourcing System Development
|14:30||Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface.
Inverse Path S.r.l.
|Fun ways to kill time in Finland
|15:45||Solving the t2'13 Challenge
|16:45||Closing Words, Tomi Tuominen|
Mikko Hypponen @ F-Secure
It's a keynote.
Mikko Hypponen has been analysing computer viruses for more than 20 years. He has written on his research for publications such as Scientific American, New York Times and CNN.com. He's also the oldest child genius on the planet. And every time he swims, dolphins appear.
Hack the Gibson - Exploiting Supercomputers
John Fitzpatrick and Luke Jennings @ MWR InfoSecurity
Enter a massively parallel world where systems performance is measured in petaflops, storage in petabytes and network latency in microseconds. A world where having hundreds of thousands of cores consuming megawatts of power is the norm. This is the world of High Performance Computing (HPC), or Supercomputers to you and me. Whilst traditionally being mostly used in the specialist scientific, military and intelligence worlds, the development of large cloud services has seen them increasingly enter the mainstream commercial sector.
This presentation will cover our research and demonstrate some of the most interesting and significant vulnerabilities we have uncovered so far. We will also be demonstrating 0-day exploits and previously undocumented attack techniques live so you can see how to get root on 20,000 nodes all at once. There are many ways to hack the Gibson.
This presentation introduces the audience to the world of HPC, some of the most common technologies, how they work and of course the security implications of them. We will demonstrate a number of vulnerabilities we have identified in some of the most fundamental and widespread HPC technologies, some of these related to the usage environment, others being 0-days in the design or implementation of certain technology. Areas we will look at, and demonstrate significant vulnerabilities in, include:
* Workload Managers
* Resource Managers
* Distributed file systems
* Message Passing Interface (MPI)
* Cluster management
* General OS privilege escalation
Together, these areas cover most of the key areas specific to HPC that you would encounter in any HPC environment.
This will allow those who work with HPCs can make to improve the security of their systems and those who perform security testing to do so effectively. Those who have never touched HPC will also be surprised by how accessible and familiar some of these technologies are. Even if you never expect to see an HPC environment, the UNIX crowd among you will enjoy seeing interesting exploits against large UNIX environments. At the end of the day this is awesome kit, whether you use it or not it is hugely interesting.
John Fitzpatrick heads up MWR InfoSecurity’s consultancy team in the UK. With over 7 years experience in the industry he has had the opportunity to play around with and hack a whole bunch of different technologies. Currently settled on supercomputers for now, past interests include VMware, BlackBerry, IPv6 and anything with a network interface.
Cracking Historical Ciphers
Beata Megyesi @ Uppsala University
Thousands of encrypted, still undeciphered manuscripts are found in libraries and archives all over Europe. Examples of such material are diplomatic correspondences and intelligence reports, private letters and diaries as well as manuscripts related to secret societies. In the talk, we show some historical ciphers and various methods used to encipher those. We then look at various algorithms to decipher them, and illustrate how modern computational technology with philological methods can be used to decipher an old hand-written manuscript from the mid-eighteenth century, the Copiale cipher. We will describe the book, the features of the text, the method by which we deciphered it and will give a brief description about its content and the society that was hiding behind the cipher. The manuscript is digitized, transcribed, decoded and translated to English, and is available from the Copiale webpage: http://stp.lingfil.uu.se/~bea/copiale. In the end, we will point to future directions f or developing computer-aided tools for automatic and semi-automatic analysis of historical ciphers, thereby creating new insights into our history and contributing to historical cryptology as a flourishing research area.
Beata Megyesi is an Associate Professor in computational linguistics / language technology at the Department of Linguistics and Philology, Uppsala University where she is serving as the head of department. She received her PhD in speech communication from the Royal Institute of Technology (KTH) and a bachelor's degree in computational linguistics from Stockholm University. Professor Megyesi's research interests include natural language processing, corpus linguistics, and decipherment of historical manuscripts. She has published over 40 scientific papers on natural language processing focusing on the development of language resources and tools for different languages, including data-driven linguistic analysis of both modern and historical documents.
Going deeper on aviation security
Hugo Teso @ n.runs AG
This presentation will explain and show how to remotely attack and take control of some aircraft on-board systems, exposing some of the results of my five years research on the aviation security field.
Following the same approach of past presentations, and in order to present a feasible attack scenario, I will follow the full attack methodology against an aircraft by exploiting aviation protocols weaknesses and avionic systems vulnerabilities.
The complete attack will be accomplished remotely, without needing physical access to the target aircraft at any time, and real avionics systems (SW and sometimes HW) will be used.
As an improved version of my past presentations, more realistic demos will be shown, better research and attack environments presented and new attack vectors and target systems will be exposed that overcome most of the limitations of previous attacks.
Hugo Teso works as a security consultant at n.runs Professionals in Germany. He has been working on IT security for the last 11 years. Also being a commercial pilot, he soon focused his attention on aviation security. Together with the development of some open source projects, like Inguma and Bokken, he has spent a lot of time on aviation security research and has presented some of the results in conferences like RootedCon, HITB and CyCon.
"Information Assurance for your business" or "Why your security products suck"
olleB @ The Toolcrypt Group
From this talk you will learn the importance of testing products not only from a functional perspective (does it do what it claims to do?) but also from an assurance perspective (does it introduce any additional risks?). Using lulzworthy examples of recent IT-security product failz, you will be shown how important assurance testing is to businesses and how the very products you depend on to protect your information could actually be putting it at significant risk.
We will end by outlining how to create an information assurance framework for your business and how to integrate it into your IT process.
olleB is a core member of the Toolcrypt group, working on security testing tools by night and slaving in the Information Assurance coal mines by day. He loves to expound at length about both those things and at least one of the following subjects; fermented and/or distilled malt-based beverages, weaponizing hamsters and/or gerbils and computer systems with strictly text-based terminal interfaces.
My quest into FM-RDS
A look into my experiences with FM-RDS (Radio Data System), a digital subcarrier embedded in FM broadcast transmissions, and also cryptanalysis of traffic messages contained therein.
I originally found about the existence of such transmissions in a roundabout way, by using a spectrum analyzer program to examine intermodulation distortion in my radio’s Line Out audio. As it turned out, the inaudibly quiet distortion, probably caused by the radio’s stereo demuxer circuitry, contained all the information needed to decode all RDS data present in the transmission. I will demonstrate the journey I took and give a short introduction to how the data is actually encoded. Live acquisition of local RDS data depending on signal conditions in the premises.
A self-taught signals/electronics enthusiast from Helsinki, Finland. Spends free time with mysteries, codes and ciphers, and vintage tech. Works as a programmer.
<3 Ruby on Rails <3
joernchen @ Phenoelit
Ruby on Rails is that fancy Web application framework everybody loves. This talk will cover the various common and uncommon exploit techniques and nifty bug patterns in Ruby on Rails. Aim of this talk is that the audience will love Ruby on Rails afterwards for its diverse bug classes.
Techniques for proper exploitation of Ruby on Rails applications will be covered as well as payloads for e.g. successful data exfiltration.
The talk will however focus solely on serverside exploitable bugs (coz XSS is boring).
Besides exploring dancefloors by night joernchen also conquers a DJ booth from time to time. The special <3 for exploitation of Ruby on Rails apps came up in him a couple of years ago, since then he's been happily hacking Web 2.0 hipsters and the Ruby on Rails framework itself.
Future Proof Integrated Circuits Analysis Techniques
Dmitry Nedospasov @ TU Berlin
With the growing complexity and advanced countermeasures on modern secure ICs, analyzing has become a daunting task. Moreover, the equipment necessary to perform modern failure analysis costs hundreds of thousands if not millions of euros. However, current generation ICs only implement protection for the frontside of the IC. Attacks that instead target the IC backside are entirely unencumbered by any countermeasures implemented on modern devices. It is possible to perform all necessary steps to perform an attack entirely on the IC backside. Due to the lack of countermeasures, many of these attacks are even substantially more cost-effective than state-of-the-art frontside attacks.
Emission analysis, for example, does not require any expensive equipment. The setup requires little more than a standard NIR CCD camera. By taking emission images of a running IC an attacker can quickly find potential points of interest without reverse-engineering the entire device. Hardware countermeasures can be identified in this fashion as well. It is also possible to perform backside data exfiltration, where secret data stored on the device is extracted by milling a hole through the silicon substrate of the device. Similarly it is possible to invasively remove 97% of the IC without destroying it. Subsequently, an attacker can perform additional permanent modifications to the circuit to alter its behavior.
Dmitry Nedospasov is a PhD student and researcher in the field of IC security at the Security in Telecommunications (SECT) research group at the Berlin University of Technology (TU Berlin) and the Telekom Innovation Laboratories. Dmitry's research interests include hardware and IC reverse-engineering as well as physical attacks against ICs and embedded systems. His academic research focuses on developing new and novel techniques for semi and fully-invasive IC analysis. Most recently, Dmitry has been involved in identifying vulnerabilities in up-and-coming IC protection mechanisms, particularly Phyiscally Unclonable Functions (PUF).
Speeding up exploit development with Moneyshot
Peter Geissler @ Haxxin
Weaponization of vulnerabilities based on memory corruption bugs is alive and kicking. Mitigations for this family of bugs are more prominent than ever, but skilled attackers are adapting their techniques as well. This talk will introduce you to a tool set that speeds up development of exploits and payloads. During this presentation we'll show you how to quickly and reliably exploit various (classic) classes of bugs live on stage.
Peter “blasty” Geissler // @bl4sty is an independent security researcher/programmer and an avid CTF Player. Known for facilitating code execution on Nintendo Wii and other platforms. Has a strange fascination for exploits.
Don't Pay Money for Someone Else's Calls - A Practical Analysis of VoIP based Toll Fraud Cases
Christopher Werny @ ERNW
While more and more organizations migrate their traditional telephony systems to the IP world, security is often optional and gets overlooked. When your mail server get hacked, the confidentiality is lost. If your VoIP system gets hacked, big $$$ are lost, and your management won't be amused. This talk focuses on real life case studies of large organizations, and how they failed to implement proper security controls for their VoIP systems, leaving the systems open and, more or less, invited everyone to own them. The case studies will outline a technical analysis what caused the incidents, how much money it had cost them, and what could have been done to prevent these incidents.
Christopher Werny is a security analyst and head of the network security team of ERNW based in Germany. His primary focus lies on network security. He describes himself as a network geek who loves to break network devices and exploit vulnerabilities in all sort of protocols, especially those in the VoIP world and IPv6.
Fully arbitrary 802.3 packet injection: maximizing the Ethernet attack surface.
Andrea Barisani @ Inverse Path S.r.l.
It is generally assumed that sending and sniffing arbitrary Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) has historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released.
This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored.
We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.
Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting.
Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.
He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.
Solving the t2'13 Challenge
Timo Teräs @ Alpine Linux
Hacking Government - Crowdsourcing System Development
Ville Korhonen @ Ylioppilastutkintolautakunta
The Matriculation Examination Board of Finland organised hacking contest in August 2013. Goal was to find vulnerabilities from a custom Live-Linux distribution, which is still in pre-alpha state.
In this presentation we will tell about our experiences in running hacking contest - what did it take from us, how it was received in media, and maybe the most interesting part - was it worth it, what did we get from it? Should everyone crowdsource their system development? We will also reveal some of the competition entries.
The Matriculation Examination Board of Finland arranges two examinations for students finishing their upper secondary school annually. The most popular subjects may have as many as 30.000 students attending simultaneously. The exams take place in 450 schools around Finland. Organising the exams is funded by the government (~33%) and students (~66%).
Currently, the exams are carried out with paper and pencil. Most questions take the form of small essays, while some utilise multiple-choice questions. The former are evaluated in a two-phase process where the students’ teachers and the board censors both assess the students’ work. The multiple-choice questions are evaluated by OCR. The students are not allowed to use any material other than what is given on the day of the examination.
The Matriculation Examination Board of Finland started the Digabi project in early spring 2013. The objective of Digabi is to organise the application of IT in the assessments of the Matriculation Examination Board. The complete process of organising the exams with IT will gradually take place in 2016-2019. After the switch, the students will formulate their answers using some kind of device – probably a laptop or a tablet. Due to financial reasons, the students will be allowed to bring their own devices to the exam. However, we do not expect the nature of the exam to change in the first few years. Consequently, we have to prevent collaboration between students and access to the Internet.
Ville Korhonen is information systems science student at the University of Jyväskylä, currently working as a (technical) coordinator in project Digabi at The Matriculation Examination Board of Finland. Current job consists of creating various proof-of-concept systems to present new ideas to non-technical people. Open Source and Open Data enthusiast.
Fun ways to kill time in Finland
Probably hard to believe nowadays, but 20 years ago, some widely used dedicated hardwares were so well protected that no one ever patched a single instruction successfully, not to say able to hack the hardware or pirate it.
This also mean that no internal documentation ever leaked.... until the manufacturer did some mistakes, that is... and someone was ready to spend years on it...
Here is the story of the hack of such a hardware: mostly wanted, yet unscathed for years.