List

From Hack.lu - wiki

Eric Filiol

Opening Speech: Malware of the future - When mathematics work for the dark side.

Computer security deals with the essential sword-versus-shield problem. Attackers aim at defeating secured systems while defenders try to prevent and resist attacks. But most users are mistaken, since they are convinced that computer security defence aims at preventing and forbidding attacks. That is completely wrong. Computer security must just be able to detect that an attack is under way, or worse, has already been carried out, and must organize to recover from the attack, learn its lessons for the future and wait for the attackers' next innovation. Unfortunately, nowadays, marketing messages claim with great self-assurance that it is possible to proactively detect 100 % of attacks and to protect any system 100 %. The case of computer virology -- which will be considered throughout the talk as an illustrative case -- is probably the most symptomatic one. How many vendors claim that their product detects 100 % of malware, including unknown ones? The consequence is that users, in the broadest sense, are completely fooled and misbehave in terms of computer security policy.

In this talk we will show that 100 % protection is a lie and that it is always possible to design attacks that are impossible not only to detect and prevent proactively but also to detect once they are under way. The use of sophisticated mathematics makes it possible to design malware (and more generally attacks, when considering computer security) that cannot be managed in due time to prevent any damage. By suitably using results from complexity theory and computability theory, any detection can be defeated, especially in the context of targeted attacks, whose number is bound to increase. We will give numerous examples drawn from laboratory experiments or real cases.

The last part of the talk will stress the critical necessity of developing an extensive research activity -- both theoretical and applied -- very quickly, and especially why proactive research in malware, including the design of unknown attacks -- under strict control -- is of the highest importance.

Eric Filiol is the Head Scientist Officer of the Operational Cryptology and Operational Computer Virology Lab at the French Army Signals Academy in Rennes and at the ESIEA Engineer Academy in Laval, France. He holds a PhD in Applied Mathematics and Computer Science, a Habilitation Thesis in computer science, as well as an engineer diploma in cryptology. His main research interests are operational cryptanalysis of symmetric cryptosystems, malware and antimalware modelling, and proactive research (i.e. with the attacker's view in mind) in both fields. He is married, is the father of a 12-year-old boy, plays bass guitar (jazz and blues) and is fond of long-distance running (half-marathons and marathons).

Saumil Shah

Browser Exploits - A new model for Browser Security

Browser exploits have taken centre stage as the next wave of practical exploitation of systems. Browsers are quite different in design and offer great flexibility as compared to other binaries, be they client binaries or server binaries. Why have mechanisms such as stack space randomization, non-execute flags, compiler generated protection mechanisms, etc. not been successful in thwarting browser exploits? The answer lies within the design and functionality of browsers in general. This talk touches upon the fundamentals of browser exploitation and how certain concepts can be leveraged to prevent practical exploitation of browsers.

SAUMIL UDAYAN SHAH, Founder and CEO, Net-Square Solutions Pvt. Ltd. saumil@net-square.com

Saumil continues to lead security research efforts at Net-Square. He has more than ten years' experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area. Saumil has been a regular speaker and trainer at conferences such as Blackhat, RSA, Hack-in-the-Box, IT Underground, CanSecWest, EUSecWest, Hack.LU, etc.

Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant.

Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).

Roelof Temmingh

Investigating individuals and groups using open source intelligence

In this presentation we will show how the abundance of information on the Internet (using the 'surface web' as well as the deep web) can be used to create a comprehensive profile of a person or a group / organization. The presentation will include a real world, live demo of the Maltego framework for data collection and correlation. The demo will cover collection and visualization of both open source (surface web and deep web) and internal data sources and will show how n-th order relationships can be found and analyzed using the tool.

Furthermore we will discuss (with live examples) how the lack of true identity on the net (think websites, social networks, email, IM) can result in the creation of virtual communities which can be used for anything from stock market manipulation to political gain. Finally we will discuss possible solutions to the problem and ways to detect and protect yourself.

Born in South Africa, Roelof studied at the University of Pretoria and completed his Electronic Engineering degree in 1995. He worked as developer, and later system architect at an information security engineering firm from 1995 to 2000. Early in 2000 he started the security assessment and consulting firm SensePost along with some of the leading thinkers in the field. During his time at SensePost he was the Technical Director in charge of the assessment team and later headed the Innovation Centre for the company. Roelof spoke at various international conferences such as Blackhat, Defcon, Cansecwest, RSA, Ruxcon, Hack-in-the-box, govCERT and FIRST. He also contributed to books such as "Stealing the network: How to own a continent", "Penetration Tester's Open Source Toolkit" and was one of the lead trainers in the "Hacking by Numbers" training course. Roelof also authored several well known security testing applications like Wikto, Crowbar, BiDiBLAH and Suru. At the start of 2007 Roelof founded Paterva in order to pursue R&D in his own capacity. During 2007 Roelof created the information collection, correlation and visualization tool known as Maltego.

Paul Craig

Hacking Internet Kiosks

Internet kiosks have become commonplace in today's internet-centric society. Public internet kiosks can be found everywhere, from airports, train stations, libraries and hotels to corporate lobbies and street corners. Kiosks are used by thousands of users daily from all walks of life, creed and social status. Internet kiosk terminals often implement custom browser software which relies on proprietary security mechanisms and access controls. Kiosks are designed to limit the level of access a user has to the kiosk, and attempt to thwart malicious activity. Kiosk users are prohibited from accessing the kiosk's local file system or the surrounding local network attached to the kiosk.

This talk will cover Internet Kiosk software exploitation techniques, and demonstrate live methods of compromising commercial internet Kiosk terminals. An online service dubbed 'iKAT' will also be officially released to the public. iKAT (Interactive Kiosk Attack Tool) enables a user to access a suite of online resources designed to aid successful Kiosk exploitation. This presentation will demonstrate how iKAT can be used to compromise a Kiosk terminal in under five minutes. Walk up to a Kiosk, load iKAT, pop shell; it does not get much easier than that.

After this talk you will never look at an Internet Kiosk the same way again.

Paul Craig is a principal security consultant at Security-Assessment.com in Auckland, New Zealand. Paul specializes in application penetration testing, security research and exploit development. In the past Paul has released multiple critical advisories for major project vendors, co-authored several best-selling books on security, and spoken at various security conferences around the globe (including Syscan, Kiwicon, VNSec, RuxCon). Paul is an avid hacker with a passion for shell and privilege escalation.

Eric Leblond, Vincent Deffontaines, Sébastien Tricaud

User Authentication at the Firewall level

This talk focuses on how firewalls can work at the TCP/IP network layer and handle user authentication where the IP address is not considered at all. We will first explain the common weaknesses of existing identity-based filtering systems, detail what exists in Netfilter internals to respond to them, and propose a user-friendly implementation through the NuFW [13] project. We will conclude with some usage examples of the latest Netfilter features.

Adrian Pastor

Cracking into embedded devices and beyond!

The presentation covers cracking into embedded devices by exploiting vulnerabilities present on default software running on the target device with a focus on vulnerabilities that can be exploited remotely.

Personal discoveries will be covered, including vulnerabilities found in home/SOHO devices and also corporate appliances. Some interesting vulnerabilities found on embedded devices by other peers such as Kevin Devine will also be explained.

The types of vulnerabilities discussed include, but are not limited to:

- UPnP and HTTP CSRF
- VoIP call jacking
- SNMP injection
- Phishing via Dynamic DNS poisoning
- Prediction of default WEP/WPA encryption keys
- Password leaks over SNMP
- Insecure default SNMP settings
- Authentication bypass
- Privilege escalation
- Persistent HTML injection on admin consoles

Not only will *real attacks* be explored, but also the *consequences* of cracking into embedded devices. How nasty can it get after an embedded device has been exploited? How far does the rabbit hole go?

Adrian 'pagvac' Pastor, BSc (Hons) Computer Engineering, has contributed to the IT security community for several years, although he has been involved with the hacker/security scene as a hobbyist since an early age.

Adrian is a recognized member of the hacker and IT security community who has authored several papers and numerous vulnerability advisories, and has spoken at events such as Hack in the Box, OWASP, Defcon and many more.

His published research covers exciting topics such as cracking into embedded devices, web hacking, eavesdropping techniques, magstripes, and credit card security. Adrian's work has been featured in established magazines and information portals such as BBC, The Washington Post, Wired, Slashdot, PC Pro, The Register, PC World, CNET and many others.

Adrian currently works as a Senior White-hat Hacker at GNUCITIZEN where he specializes in vulnerability research, tiger team operations, cutting edge security training, and finding simple solutions to complex problems.

naxxatoe

"The end of the internet" aka "Self replicating malware on home routers"

This talk is about devices that close to everybody has in their homes and offices. So-called SOHO (small office / home office) routers have become extremely popular in the last few years. While the good guys were busy trying to prevent malware from infiltrating their desktop systems, the bad guys had gone one step ahead of the game and started to experiment with these devices. Close to nobody pays attention to the security of their routers, and why should they? These mystical devices have always been protected through security by obscurity. This talk is not about how to reverse engineer routers, or how to get the best possible security out of the original firmware. This is the real stuff. Participants will learn the fundamental basics of how routers can be taken over. After a few practical examples we will then move into the field of malware -- self-spreading, of course. This talk will give participants not only fundamental knowledge of SOHO router hacking, but also an idea about future threats and the ongoing research in this very interesting field of IT security.

Philippe Langlois

Immersed network discovery and attacks, specifics of telecom Core Network (CN SS7/SIGTRAN) insider attacks

The number of security perimeters is increasing for every company thanks to new vectors such as WiFi, Extranet, VoIP and Bluetooth, and telecom operators face even more perimeters specific to them: GPRS networks, 3G / 3G+, EDGE, IMS, IN services and mobile payment. At the same time, internal segmentation is increasing and makes penetration progress towards the core of the business of any company more and more difficult, specifically at new telecom operators who are able to develop a sound network distribution from day 1. We will present here how new tools may help penetration testing, especially in environments where multiple protocols, segregation and a huge address space may be a problem.

Philippe Langlois, Sr. Security Researcher, TSTF - Telecom Security Task Force. Philippe Langlois is a founder and Senior Security Consultant for Telecom Security Task Force, a research and consultancy outfit. He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF). He founded Qualys in 1999 and led the R&D for this world-leading vulnerability assessment service. He founded Intrinsec, a pioneering network security company, in 1995, as well as Worldnet, France's first public Internet service provider, in 1993. He has proven expertise in network security, from the Internet to less well known networks - X25 and other legacy systems mostly used in banking, travel and finance. Philippe was also lead designer for Payline, one of the first e-commerce payment gateways on the Internet. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (RSA, COMDEX, Interop). Philippe Langlois is a regular contributor to the French-speaking security portal vulnerabilite.com and a writer for ITaudit, the magazine of the International Association of Internal Auditors. Samples of the missions he has been involved with are penetration testing contracts on multi-million live user infrastructures such as telecom operators' GSM backbones, due diligence for M&A, security architecture audits, product security analysis and advisory.

Joffrey Czarny

Going outside Citrix context

Citrix is a remote desktop application that is very popular and is often used between a company and an affiliate. It is similar to Microsoft's Terminal Services / RDP (Remote Desktop Protocol). Microsoft Terminal Services uses RDP, whereas Citrix uses ICA (Independent Computing Architecture). Unlike Terminal Services, the Citrix products allow the administrator to specify certain applications to be run on the server in a restricted mode. This allows them to control which programs they want to allow the end user to execute. In fact the restriction can be bypassed and a remote desktop can be obtained.

This presentation will show how it is possible to go outside the Citrix context by abusing features of Microsoft's products.

Since 2001, Joffrey has been a pentester at the Security Research Centre of Telindus. He has released advisories on VoIP Cisco products and spoken at various security-focused conferences (Wireless Conference at Infosec Paris and Wireless Workshop at Hack.lu 2005, VoIP at Hack.lu 2007 and ITunderground 2008). On his site, www.insomnihack.net, he maintains the Elsenot project (http://insomnihack.net/elsenot/) and posts video tutorials and tools on security topics.

Philippe Teuwen

How to make smartcards resistant to hackers' lightsabers?

Cracking smartcards has always been a prized hobby, for the academic glory, for fun (ha, breaking the self-claimed unbreakable...) and for profit (ask the mafia). State-of-the-art techniques include laser blasts that inject various transient or permanent faults into a program's execution, potentially making the smartcard do whatever the attacker wants. After a brief recap of the attack tools and their effects, we'll see how the programmer can protect his code with software techniques ranging from cookbook recipes to tool chain automation, and how he can evaluate the robustness of his code by means of fault injection simulators.

Philippe is a senior engineer of the Security Research Team of NXP Semiconductors Leuven, involved in various fields such as standardization (WPS & NFC), specification, prototyping, pentesting, forensics etc.

Damien Aumaître

A little journey inside Windows memory

In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus. They demonstrated how to take control of a computer equipped with a FireWire port. This work has been continued.

After a brief summary of how memory works on modern operating systems, we will explain how the FireWire bus works and how it can be used to access physical memory. Since modern operating systems and processors use virtual addresses (and not physical ones), we rebuild the virtual address space of each process in order to retrieve and understand kernel structures.

Thus, we now have an instant view of the operating system without being subject to the security protections provided by the processor or the kernel.

We will demonstrate several uses for this. First we will show what can be done with an interpretation of kernel structures alone (read access). For example, we can obtain the list of all processes and access the registry with no access control, even for protected keys like the SAM ones. This is used to dump credentials.

Then we will see what can be done when one modifies the memory (write access). As an example, we show a 2-byte patch to unlock a workstation without knowing the password.

Last but not least, code execution is not supposed to happen through FireWire since it is only a bus providing read/write access to memory. However, slightly modifying the running kernel lets us do whatever we want. We will explain how to get a shell with SYSTEM privileges before any authentication.

Bio to follow

Julien Lenoir, Christophe Devaux

Browser Rootkits

For a few years now, people have learnt to configure firewalls. Very few ports are allowed to exit the network; the ones most commonly found open are those of the web (HTTP and HTTPS). Hence, all applications are now configured to run over HTTP(S). These changes in behaviour have made the web browser a central piece of information systems in a user's day-to-day work. Browsers are therefore present on most machines and are, by definition, allowed to access networks (the internet but also specific applications on the intranet). Hence, a typical browser sees a great deal of critical data, like username/password credentials for applications, webmail and even bank accounts.

In order to support all the needed new features (plug-ins / extensions, virtual machines / interpreters, ...), web browsers have become more and more complex, and thus less and less secure. They are often prone to important flaws allowing arbitrary code execution on the host system, or serve as a necessary vector for human-based attacks like phishing.

As such, browsers are now a critical target for malicious attackers, and we thus designed specific rootkits. A "browser rootkit" is malicious code that targets a web browser instead of the operating system. In this way, the post-exploitation steps following a flaw are carried out with very few assumptions, e.g. we do not need more privileges than the ones given by the browser itself.

Frank Boldewin

Rustock.C - When a myth comes true

Today's top-notch spambots have one thing in common: next to the ability to send billions of spam mails each day, they are well protected from being easily analyzed or detected by AV scanners, HIPS or other security products. Operating fully from kernel mode, they use strong poly/metamorphic engines or anti-debugging features. Outside connections are usually encrypted and can't be easily sniffed. At the end of September 2007, rumours made the rounds that a new super rootkit had been seen in the wild called "Rustock.C aka Ntldrbot", a successor of its well-known former versions. Some voices even alleged this malware used such advanced tricks that no AV scanner or rootkit detector would be able to detect it with its currently implemented technologies. It is fairly understandable that the whole industry was really curious whether this was really the case and started hunting for it. As after some weeks still nobody had found samples of it, everyone in the industry came to the conclusion the whole story was just a myth... until May 2008! A Russian AV company called DrWeb published some basic information on this rootkit, to prove it really exists and that it uses very powerful tricks to stay undetected.

This talk presents the results brought to light during an in-depth analysis.

Frank Boldewin is a reverse engineer from Germany with long experience in security & malware research. By day he works as a security analyst for a large German datacenter in the finance field. His private interests are mainly focused on malware analysis and he loves everything that belongs to assembly, anti-/debugging and system programming. On his site, www.reconstructer.org, he frequently posts papers, video tutorials and tools regarding this research field.


Mihai Chiriac

Anti-virus 2.0 - "Compilers in disguise"

Early viruses were easily detected using simple pattern matching algorithms, but quickly evolved.

Techniques such as encryption, polymorphism and even metamorphism were widely used to evade detection. Anti-virus programs fought back by using cryptanalysis (plain-text attack against the encrypted body), dedicated decryption routines and emulation.

Emulation, seen as the anti-virus silver bullet for many years, works by executing a possibly malicious program in a virtual environment and analyzing its behavior. While code emulators evolved (notably, the transition to 32-bit, simulation of the Windows OS, etc.) the basic approach remained unchanged: fetch instructions from memory, decode and then simulate them. Unfortunately, for very complex malware, emulation has proven to be unacceptably slow.

Recently, top-class antivirus programs tried to solve the above problem by using a technique called "dynamic translation" which involves analyzing the input program and generating functionally-equivalent code that is to be executed on the target CPU.

Virus authors didn't give up and, in their quest to evade detection, started to employ new tricks. Garbage, do-nothing code not only makes manual analysis more difficult, but also increases the required emulation time. The most recent pieces of malware go into even greater complexity levels, by generating code fragments that require billions of iterations. Even with dynamic translation, analysis of these samples would be unreasonably slow.

During this presentation we will describe a new technique, a hybrid between conventional emulation and compiler technology. The approach consists of three steps: translating the input code into a custom Intermediate Language (IL), applying optimizations to the IL, and finally generating code specifically tailored for the target CPU.

We will demonstrate that a custom designed IL not only allows simple optimizations like dead code removal, but also helps with more complex optimizations (code re-ordering, branch prediction, etc). Some powerful optimization opportunities, not available to static compilers because they present themselves only at runtime, will also be described.

We will continue our presentation by showcasing the behavior of our engine against a set of relevant malicious programs and we will conclude by trying to think like an attacker, and provide plausible scenarios for future attacks.
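To make the three-step approach concrete, here is an added example (not BitDefender's engine or code from the talk) of a tiny constructed intermediate language in which a do-nothing garbage loop is removed entirely, because nothing it computes reaches the program's result; the opcodes, register names and the sample program are all made up for this illustration.

```python
"""Constructed toy IL with dead-code and dead-loop elimination: a garbage loop
that a plain emulator would step through billions of times is dropped because
its results never reach the returned value (opcodes, registers and the sample
program are made up for this example)."""
from typing import Any, Dict, List, Optional, Set, Tuple

Instr = Tuple[Any, ...]
# Opcodes: ('const', dst, imm) | ('add', dst, a, b) | ('xor', dst, a, b)
#          | ('loop', count, body) | ('ret', src)
# Only register-pure operations are modelled; a real engine must also keep
# memory writes and API calls, since those are observable side effects.

MASK32 = 0xFFFFFFFF


def build_sample(n: int) -> List[Instr]:
    """Constructed sample: the payload computes r0 = 7 + 35; a garbage loop
    churns r9 and r7 n times without ever feeding the returned value."""
    return [
        ('const', 'r0', 7),
        ('const', 'r1', 35),
        ('const', 'r9', 0),
        ('const', 'r8', 1),
        ('loop', n, [
            ('add', 'r9', 'r9', 'r8'),   # junk accumulator
            ('xor', 'r7', 'r9', 'r1'),   # junk derived from junk
        ]),
        ('add', 'r0', 'r0', 'r1'),
        ('ret', 'r0'),
    ]


def eliminate_dead(instrs: List[Instr], live: Set[str]) -> Tuple[List[Instr], Set[str]]:
    """Backward liveness pass. `live` holds the registers live after `instrs`;
    returns the surviving instructions and the registers live before them."""
    kept: List[Instr] = []
    for ins in reversed(instrs):
        op = ins[0]
        if op == 'ret':
            live = {ins[1]}
            kept.append(ins)
        elif op == 'loop':
            # Registers live at the loop head = live at exit + live at the body
            # start (the back edge); iterate to a fixed point.
            head_live = set(live)
            while True:
                body, before = eliminate_dead(ins[2], head_live)
                merged = head_live | before
                if merged == head_live:
                    break
                head_live = merged
            if body:                    # something observable survives: keep loop
                kept.append(('loop', ins[1], body))
                live = head_live
            # else: the whole loop is dead and is dropped
        else:
            dst = ins[1]
            if dst in live:             # definition is needed downstream
                kept.append(ins)
                live = live - {dst}
                if op != 'const':
                    live = live | set(ins[2:])
            # else: dead definition, dropped
    kept.reverse()
    return kept, live


def optimize(instrs: List[Instr]) -> List[Instr]:
    return eliminate_dead(instrs, set())[0]


def run(instrs: List[Instr], regs: Optional[Dict[str, int]] = None) -> Any:
    """Reference interpreter, used to check that optimization preserves the result."""
    regs = {} if regs is None else regs
    for ins in instrs:
        op = ins[0]
        if op == 'const':
            regs[ins[1]] = ins[2] & MASK32
        elif op == 'add':
            regs[ins[1]] = (regs[ins[2]] + regs[ins[3]]) & MASK32
        elif op == 'xor':
            regs[ins[1]] = regs[ins[2]] ^ regs[ins[3]]
        elif op == 'loop':
            for _ in range(ins[1]):
                run(ins[2], regs)
        elif op == 'ret':
            return regs[ins[1]]
    return None


def naive_steps(instrs: List[Instr]) -> int:
    """Instructions a plain fetch-decode-simulate emulator would execute."""
    total = 0
    for ins in instrs:
        total += 1
        if ins[0] == 'loop':
            total += ins[1] * naive_steps(ins[2])
    return total


if __name__ == '__main__':
    prog = build_sample(10 ** 9)
    print('naive emulation steps:', naive_steps(prog))
    print('after optimization   :', naive_steps(optimize(prog)))
```

A loop whose body does feed the result (for example one that accumulates into r0) survives the pass unchanged, so the transformation is semantics-preserving for the modelled operations.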

Mihai Chiriac is Head of Research and Development, BitDefender Headquarters, Bucharest.

Patrick Hof, Jens Liebchen

Bridging the Gap between the Enterprise and You - or - Who's the JBoss now?

The JBoss Application Server (JBoss AS) is a widely used open source Java application server. It is one part of the JBoss Enterprise Middleware Suite (JEMS), often used in rich enterprise solutions.

The security of a JBoss AS installation is directly related to its configuration before deploying it in production. Because of the size and complexity of JBoss and its components, securing against all possible attack vectors is a hard job. If you look at JBoss installations on the internet, you will find a lot of insecurely configured deployments. Did you ever want to have a remote code execution on a .gov enterprise site? This is due to the fact that first, earlier JBoss default installations did not provide any kind of secure configuration (which is even stated in the manuals) and secondly, many of the installation instructions found on the internet only deal with getting JBoss to run, but not how to secure it properly.

Besides JBoss having a large attack surface, one does not find a lot of information on how to exploit these installations. The talk will fill this gap and demonstrate typical examples of insecurities, which lead to remote code execution on the involved hosts and which can be easily found in the real world.

First, we will cover the basics. What is this jmx-console, which you can easily find with a Google search on so many sites? Why is an open jmx-console often like a "Please execute your code here" sign for an attacker? Secondly, we go a bit deeper. What can we do if the jmx-console is password protected, or only reachable from internal hosts, which oftentimes means localhost? What are those ominous ports JBoss AS opens, and what can you use them for? Can we persuade the Application Server to deploy an application coming from some host on the internet? And finally, what can we do if the JBoss AS is placed in a DMZ behind a firewall, not allowing any outbound connections besides established ones? Can we still have remote code execution?

Although the talk is about an enterprise solution full of features, we will not go too deeply into the realm of JBoss (and therefore Java) enterprise development. No previous knowledge about JBoss is needed to follow the talk. There will be a lot of live demos, showing real world implications of the vulnerabilities we present.

Patrick Hof and Jens Liebchen are working as penetration testers for the RedTeam Pentesting GmbH. RedTeam Pentesting is a company specialised in pentests. Members of RedTeam Pentesting have spoken at various security conferences on different topics, including hack.lu 2006 and 2007. More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.

Dumitru Codreanu

Server-side Virus scanning

Long gone are the days when antiviruses featured as few as a few hundred virus signatures in their databases, with vendors literally begging for samples or trading with other vendors. The signature databases have exploded since then, reaching 1-3 million signatures depending on the vendor. No wonder this happens: since most signature creation is automated, loads of signatures are created for polymorphic viruses, malware packed with different packers, server-generated viruses, etc. Vendors are having a hard time getting enough human resources to analyze in detail all the samples coming into the labs daily, so quite a lot of the signatures have to be trusted to automatic systems. While proactive detection through heuristics, emulation or other techniques developed and implemented recently is a good way to go, the truth is that signatures will keep coming at even higher rates. All in all, this flow of signatures puts a heavy load on internet traffic to deliver the updates to the clients. With this in mind, many vendors feel that this might become a problem soon.

"In the Cloud" scanning could solve some of these problems: the process of scanning files on servers rather than on the client's machine. The concept is not new, and in spite of several obvious benefits, such as additional information to monitor virus activity and point of origin, better response time to new threats, instant signature updates, etc., the internet traffic issue renders this method inapplicable even for basic purposes. We have analyzed a modified version of this concept, one in which both the client and the servers participate in the scan. While the server keeps the heavy parts, such as the signatures as well as a very large database of checksums of clean and infected items, the client performs some of the scanning steps itself, leaving the others to the server. This reduces the traffic between the client and the server, since the files are not sent to the server and the client doesn't need the signature database. Now that only very little information is sent to the Cloud for every file, the last and decisive factor that comes into play is the number of scanned files versus the number of signatures: only when the number of scanned files is low in comparison to the number of signatures does it prove more efficient to use the server's database than to download the signatures to the client.

In this presentation we will focus on one application of this approach available today. We analyzed the possibility of dropping a very light component on the client's machine that will scan only the running processes, to perform a very fast assessment of whether there are any active threats to the system. The key argument is that a system has far fewer processes actively running than there are signatures; hence downloading them just for this purpose would be a tremendous waste of internet traffic. We will show that, in spite of some drawbacks, there are also some nice benefits, such as not needing unpacking code on the client at all and zero-day packers no longer being as great an issue, and a total of just 10Kb of traffic for the whole scan of a typical home computer, done in hardly ever more than a minute, sure sounds appealing.
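The split client/server scan described above, as an added example that is not BitDefender's protocol or code: the client hashes its running process images and sends only the checksums, the server answers from a constructed checksum database, and a helper applies the abstract's break-even rule (files scanned versus signatures held). All process names, sample bytes, database entries and sizes are constructed for this illustration.

```python
"""Constructed client/server split scan: the client uploads checksums of its
running process images, the server answers from its checksum database. Names,
samples and the database are made up; this is not a vendor's real protocol."""
import hashlib
import json
from typing import Dict, Tuple

# Constructed stand-ins for the executables backing the running processes.
SAMPLE_PROCESSES: Dict[str, bytes] = {
    "explorer.exe": b"MZ\x90\x00 constructed benign shell image",
    "svchost.exe": b"MZ\x90\x00 constructed benign service host image",
    "updater.exe": b"MZ\x90\x00 constructed malicious sample image",
    "inhouse_tool.exe": b"MZ\x90\x00 constructed binary the server has never seen",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Server-side database of checksums of clean and infected items (constructed).
SERVER_DB: Dict[str, str] = {
    sha256_hex(SAMPLE_PROCESSES["explorer.exe"]): "clean",
    sha256_hex(SAMPLE_PROCESSES["svchost.exe"]): "clean",
    sha256_hex(SAMPLE_PROCESSES["updater.exe"]): "infected",
}


def client_build_request(processes: Dict[str, bytes]) -> bytes:
    """Client step: hash each running process image locally; only the hex
    digests leave the machine, never the files themselves."""
    digests = {name: sha256_hex(image) for name, image in processes.items()}
    return json.dumps(digests, sort_keys=True).encode()


def server_handle(request: bytes, db: Dict[str, str]) -> bytes:
    """Server step: look every checksum up; anything absent from the database
    is reported as 'unknown' so the client can decide on a deeper local scan."""
    digests = json.loads(request.decode())
    verdicts = {name: db.get(digest, "unknown") for name, digest in digests.items()}
    return json.dumps(verdicts, sort_keys=True).encode()


def scan(processes: Dict[str, bytes], db: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One round trip; returns the verdicts and the bytes exchanged both ways.
    The traffic depends on the number of processes, not on their file sizes."""
    request = client_build_request(processes)
    response = server_handle(request, db)
    return json.loads(response.decode()), len(request) + len(response)


def server_lookup_cheaper(n_files: int, hash_bytes: int,
                          n_signatures: int, sig_bytes: int) -> bool:
    """The abstract's decisive factor: uploading one checksum per scanned file
    beats downloading the signature database only while the number of scanned
    files stays small relative to the number of signatures."""
    return n_files * hash_bytes < n_signatures * sig_bytes


if __name__ == "__main__":
    verdicts, traffic = scan(SAMPLE_PROCESSES, SERVER_DB)
    for name, verdict in verdicts.items():
        print(f"{name:18s} {verdict}")
    print(f"bytes exchanged: {traffic}")
```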

Dumitru Codreanu is Software Engineer, Research & Development Team, BitDefender.

Jean-Baptiste Bédrune

Analysis of an undocumented network protocol

This presentation deals with a methodology used during the analysis of an undocumented and encrypted protocol. In such a situation it is rather hard to assess the security of the software, since it is usually very big (lots of files) and undocumented (no public specification for the protocol), and the developers are not willing to cooperate. Whereas programming mistakes are "easy" to spot and patch, design flaws are much harder to notice and almost impossible to fix. Most of the time these flaws are the bigger problem, as they mean the behaviour of the software can be tricked into performing dangerous operations not expected by the developers. Such flaws have become really valuable nowadays, as programming flaws are quite difficult to exploit thanks to the defences provided by operating systems (address space randomization, the NX bit, stack canaries, and so on).

Due to the amount of code present in such software, not all client and server features could be examined: in the example we will detail, the server is composed of more than 200 binaries, for a total of 240 MB. We explain how we quickly sorted them to focus on the interesting parts. Big software often has a debug mode that helps developers; this mode, documented or not, helps our analysis too.

One of our goals is to be able to speak the same protocol as the original software, so that we can perform actions not expected by either the client or the server. The packets exchanged between the server and the clients were therefore analysed, and enough information was retrieved to guess a basic packet format. A new client was then developed, and modified throughout the analysis as new features were discovered or errors were fixed. As a focus, we will show how we reverse engineered the authentication routines and some of the cryptographic algorithms. During the protocol comprehension, several classic vulnerabilities were discovered, leading to denial of service or code execution.

More interestingly, a design error which allows any authenticated user to take full control of the server will be explained. This error comes from the design of the server architecture, and its exploitation uses only the features provided by the protocol. As a conclusion, a demo based on a homemade Trojan will be shown.
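The packet-format guessing step described above, as an added example that is not part of the talk or of the analysed software: a differential look at a set of captured packets to spot constant header bytes, a length field and a sequence counter, which is usually enough to write a first client that the server accepts. The protocol layout (magic, little-endian length, big-endian sequence number, type byte, payload), the field encodings tried and the sample capture are all assumptions constructed for the example.

```python
"""Differential analysis of captured packets to guess a basic packet format.

Added example for this page; the protocol below is a constructed stand-in
(magic | u16 LE total length | u16 BE sequence number | u8 type | payload),
not the protocol analysed in the talk.
"""
import struct


def build_packet(seq, ptype, payload):
    """Build one packet of the hypothetical protocol used as sample input."""
    total = 2 + 2 + 2 + 1 + len(payload)
    return (b"\x5a\xa5" + struct.pack("<H", total) + struct.pack(">H", seq)
            + bytes([ptype]) + payload)


# Constructed capture: five client packets with varying payload sizes. The last
# one is longer than 255 bytes on purpose, so that a u8 and a u16 length field
# can be told apart (they are indistinguishable while every packet is short).
SAMPLE_CAPTURE = [
    build_packet(7, 0x01, b"hello"),
    build_packet(8, 0x02, b"user=alice"),
    build_packet(9, 0x01, b"x"),
    build_packet(10, 0x03, b"\x00" * 20),
    build_packet(11, 0x02, b"A" * 300),
]

# Candidate field encodings: name -> (width in bytes, decoder)
FIELD_TYPES = {
    "u8": (1, lambda b: b[0]),
    "u16le": (2, lambda b: struct.unpack("<H", b)[0]),
    "u16be": (2, lambda b: struct.unpack(">H", b)[0]),
}


def constant_offsets(pkts):
    """Offsets (within the shortest packet) whose byte never changes: magic,
    version or padding. A constant zero may also be the high byte of a wider
    field whose value never grew large in the capture."""
    n = min(len(p) for p in pkts)
    return [i for i in range(n) if len({p[i] for p in pkts}) == 1]


def length_field_candidates(pkts):
    """(encoding, offset, kind) where the decoded value equals the total packet
    length ("total") or the number of bytes after the field ("remaining") in
    every captured packet."""
    n = min(len(p) for p in pkts)
    found = []
    for name, (width, decode) in FIELD_TYPES.items():
        for off in range(n - width + 1):
            vals = [decode(p[off:off + width]) for p in pkts]
            if all(v == len(p) for v, p in zip(vals, pkts)):
                found.append((name, off, "total"))
            elif all(v == len(p) - off - width for v, p in zip(vals, pkts)):
                found.append((name, off, "remaining"))
    return found


def counter_candidates(pkts):
    """(encoding, offset) whose decoded value increases by exactly one from
    each packet to the next: a sequence number. A u16 counter whose high byte
    never changes also shows up as a u8 counter on its low byte."""
    n = min(len(p) for p in pkts)
    found = []
    for name, (width, decode) in FIELD_TYPES.items():
        for off in range(n - width + 1):
            vals = [decode(p[off:off + width]) for p in pkts]
            if all(b - a == 1 for a, b in zip(vals, vals[1:])):
                found.append((name, off))
    return found


def summarize(pkts):
    return {
        "constant": constant_offsets(pkts),
        "length": length_field_candidates(pkts),
        "counter": counter_candidates(pkts),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CAPTURE).items():
        print(f"{key:>8}: {value}")
```

The capture needs to contain packets that make the fields vary: with only short packets the high byte of the length field looks like a constant and a u8 and a u16 length are indistinguishable, and with a single client session a counter cannot be told from a connection identifier. Encrypted payloads do not change the method, since framing and sequence numbers are normally outside the encrypted part and are what the new client has to get right first.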

Bio to follow


F.W.J. van Geelkerken

Egregious use of TOR servers

From the early nineties of the last century onward the importance of information and communication technology has grown significantly. Not only has the reliance of most western countries on ICT grown exponentially, ICT is also used increasingly to commit criminal acts. To refute the notion that anyone can do anything with a computer, many countries have adopted specific legislation to penalise computer crimes. In the United States, however, these measures did not have the desired deterrent effect on criminals committing e.g. computer fraud.

Up to 2001, the emphasis of legislation in the United States was on the prevention of, and holding perpetrators accountable for, computer crimes. After the attacks of September 11th the emphasis changed to also incorporate the preparatory acts for serious crimes, and many European countries soon followed suit. In July 2005 the European Commission made a draft proposal for a directive on data retention, which would make it impossible to be anonymous on-line. This proposal caused widespread indignation and many groups started petitions against such a directive. These actions were to no avail, however: on 15 March 2006 the data retention directive was adopted.

On the other hand, Tor, software using a technology called onion routing, enables its users to communicate at various levels of anonymity on the Internet, which goes directly against the objectives of the aforementioned directive. This situation gives rise to the central question of this paper: how can and should the European Union and its member states address the problem that the use of Tor poses, considering the objectives of data retention and taking into account the legitimate uses of Tor in the current information society?

F.W.J. van Geelkerken (Frank) is currently taking part in the abbreviated MPhil programme in law, and is a junior researcher at the Tilburg Institute for Law, Technology and Society (TILT). His primary interests lie in the interaction between law, technology and society. He is currently conducting research in the field of criminal procedural law and ICT.

Next to his studies he is (co-)founder and moderator of;

Ezequiel David Gutesman

gFuzz: An Instrumented Web Application Fuzzing Environment

Web application fuzzers have traditionally been used by security experts as a first step in a security assessment. They typically produce false positive alerts, and every vulnerability report must be studied carefully. We introduce a new fuzzing solution for PHP web applications that improves detection accuracy and enriches the information provided in vulnerability reports. We use dynamic character-grained taint analysis and grammar-based analysis in order to analyze the anatomy of each executed SQL query and determine which ones resulted in successful attacks. A vulnerability report is then accompanied by the offending lines of source code and the fuzz vector (with the attacker-controlled characters marked individually). As a result, the usage of the tool is not restricted to security experts; it becomes usable by developers. The prototype is available as open source software.
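The detection rule behind the abstract, as an added example and not gFuzz's own code: each character of the final SQL string carries a taint bit, the query is tokenized with a small SQL grammar, and an attack is reported only when attacker-controlled characters end up outside a literal (in a keyword, identifier, operator, comment or quote delimiter), i.e. when they changed the structure of the query rather than its data. The tokenizer, the table and column names and the fuzz vectors are assumptions constructed for the example; the escaping routine stands in for what a typical PHP application does before concatenation.

```python
"""Character-grained taint tracking for SQL built by string concatenation.

Added example for this page, not gFuzz's own code. Each character of a query
carries a taint bit; tainted characters are allowed only inside the body of a
string literal or as a whole numeric literal. Any keyword, identifier,
operator, comment or quote delimiter that contains attacker-controlled
characters means the attack changed the structure of the query.
"""
import re

TOKEN_RE = re.compile(
    r"\s+"                        # whitespace
    r"|'(?:[^']|'')*'"            # string literal; '' is an escaped quote
    r"|--[^\n]*"                  # line comment
    r"|\d+"                       # numeric literal
    r"|[A-Za-z_]\w*"              # keyword or identifier
    r"|<=|>=|<>|!=|[=<>(),;*.]"   # operators and punctuation
)


class Tainted:
    """A string plus one taint flag per character."""

    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)

    @classmethod
    def untrusted(cls, text):
        return cls(text, [True] * len(text))

    def __add__(self, other):
        if isinstance(other, str):
            other = Tainted(other)
        return Tainted(self.text + other.text, self.taint + other.taint)


def escape(value):
    """Quote-doubling escape as a typical PHP application would apply; the
    added quote inherits the taint of the character that produced it."""
    text, taint = [], []
    for ch, t in zip(value.text, value.taint):
        text.append("''" if ch == "'" else ch)
        taint.extend([t, t] if ch == "'" else [t])
    return Tainted("".join(text), taint)


def classify(tok):
    if tok.isspace():
        return "ws"
    if tok.startswith("'"):
        return "string"
    if tok.startswith("--"):
        return "comment"
    if tok.isdigit():
        return "number"
    if tok[0].isalpha() or tok[0] == "_":
        return "word"
    return "op"


def tokenize(sql):
    """Return (kind, start, end) triples; an unmatched character (e.g. a lone
    quote) becomes a one-character operator token so it is still checked."""
    pos, out = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            out.append(("op", pos, pos + 1))
            pos += 1
            continue
        out.append((classify(m.group()), m.start(), m.end()))
        pos = m.end()
    return out


def offending_tokens(query):
    """Tokens whose structure was influenced by attacker-controlled characters."""
    bad = []
    for kind, s, e in tokenize(query.text):
        flags = query.taint[s:e]
        if kind in ("ws", "number"):
            continue                      # a whole number from the user is data
        if kind == "string":
            if flags[0] or flags[-1]:     # user-supplied quote delimiter
                bad.append(query.text[s:e])
        elif any(flags):
            bad.append(query.text[s:e])
    return bad


def highlight(query):
    """Render the query with attacker-controlled runs in [brackets], the way a
    report individualizes the fuzz vector."""
    out, inside = [], False
    for ch, t in zip(query.text, query.taint):
        if t != inside:
            out.append("[" if t else "]")
            inside = t
        out.append(ch)
    if inside:
        out.append("]")
    return "".join(out)


# Constructed queries (table, column and fuzz vectors are made up).
PREFIX = "SELECT * FROM users WHERE name = '"


def vulnerable_query():
    return Tainted(PREFIX) + Tainted.untrusted("bob' OR '1'='1") + "'"


def escaped_string_query():
    return Tainted(PREFIX) + escape(Tainted.untrusted("bob' OR '1'='1")) + "'"


def escaped_numeric_query():
    # Escaping changes nothing in a numeric context: there is no quote to double.
    return Tainted("SELECT * FROM users WHERE id = ") + escape(Tainted.untrusted("1 OR 1=1"))


if __name__ == "__main__":
    for q in (vulnerable_query(), escaped_string_query(), escaped_numeric_query()):
        print(highlight(q), "->", offending_tokens(q) or "clean")
```

The third query is the case a quote-counting or signature-based fuzzer misses: the input is "escaped", yet the tainted OR and = land outside any literal, so the grammar check still reports it. Conversely the second query carries a classic injection string but the tainted characters all stay inside one literal, which is exactly the false positive the abstract wants to avoid.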

Ezequiel is a senior researcher at Corelabs, the research unit of Core Security Technologies.

Adam Laurie

RFIDIOts!!! Practical RFID hacking (without soldering irons).

RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....

This talk will look at the underlying technology, what it's being used for, how it works and why it's sometimes a BadIdea(tm) to rely on it for secure applications, and, more worryingly, how this off-the-shelf technology can be used against itself... Software and Hardware tools and techniques will be discussed and demonstrated, and a range of exploits examined in detail.

Adam Laurie is a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other minicomputers, and then on various Unix, DOS and CP/M based microcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the best known of which is probably their own, 'Apache-SSL', which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.

Adam Laurie is a member of the Bluetooth SIG Security Experts Group.

The Grugq

How the Leopard Hides his Spots: OS X Anti-Forensic Techniques

Anti-forensics is the new buzzword within forensic circles. Despite significant interest, no significant new information on anti-forensic tools, techniques or methodologies has emerged from the infosec community on this critical topic.

For the first time since 2004, the grugq will be presenting a paper on anti-forensics, revealing new techniques for effective data hiding.

This talk will retrace the core anti-forensic techniques and methodologies, and show how they can be applied to defeat forensic analysis of OS X systems. More importantly, this talk will examine how an anti-forensic attacker can move beyond the file system and where anti-forensic data hiding attacks will move in the future.

This talk will include attacks against the OS X file system (HFS+), as well as attacks beyond the file system. There will be 0-day OS X bugs as well as previously unreleased attacks against Microsoft file systems.

If you are a hacker, you'll discover a new world of data storage, and if you're a forensic investigator... be prepared to never discover anything again.

The Grugq has been professionally involved in information security since 1999. He pioneered the field of anti-forensics by publishing an article and source code in Phrack magazine [1]. He has also worked on reverse engineering and defeating Host Intrusion Prevention Systems [2], [3].

Since 2003 the grugq has presented at numerous conferences worldwide, including Black Hat, Hack in the Box and dozens of others. His topics have been anti-forensics, VoIP security and, most recently, a tool called HaSH, which helps automate command-line interaction during penetration testing. In the coming months he is scheduled to talk on anti-forensics on OS X at Hack in the Box and PoC, and he is preparing a paper on mobile financial systems security for BCS in Jakarta.

Over the last decade, the grugq has focussed on infosec research on the following topics:

  • Anti Forensics
  • Voice over IP
  • Reverse Engineering
  • Penetration Testing

The grugq has conducted training sessions on VoIP Security [4], and digital forensic analysis.

Currently the grugq is working on security issues related to mobile financial systems. He is actively involved in several mobile wallet rollout implementations, as well as conducting security audits of mobile banking applications. This is a particularly interesting area of research, combining his extensive experience with telcos and financial institutions.

[1] http://www.phrack.org/issues.html?issue=59&id=6#article
[2] http://www.phrack.org/issues.html?issue=58&id=5#article
[3] http://www.phrack.org/authors.html?author=jamie+butler+%26+anonymous+author#author
[4] http://www.voipsecuritytraining.com/

Halvar Flake, Sebastian Porst

Various Ways of Classifying Malware

This talk will give an introduction and comparison of the different methods that have been proposed for the automated classification of unknown malware.

The sheer quantity of "new" (by MD5 hash) malware discovered implies that the vast majority of all discovered samples are derived from a comparatively small number of independent source code bases. These "originators" are mutated using a number of different methods to make detection via classical byte-based signatures difficult.

In order to combat this flood of not-really-new malware, a number of different approaches to classification have been proposed, chiefly falling into four categories: approaches based on instruction n-perms as feature vectors, approaches based on behaviour, approaches based on basic block Bloom filters, and structural comparison of the flowgraph/callgraph structure. Each approach has distinct advantages and disadvantages, and each can be fooled using different levels of obfuscation.

An introduction to the different approaches to classification will be given, their main technical ideas discussed, and it will be shown how and where each of them fails.
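The first of the four categories, as an added example that is not zynamics' code: instruction n-grams and n-perms (windows of mnemonics, with the n-perm variant sorting each window so that instruction order inside it does not matter) are built as feature multisets and compared with a weighted Jaccard similarity. The mnemonic sequences of the "original" function and its two mutated variants are constructed for the example; the goal is to make visible why n-perms survive instruction reordering that breaks plain n-grams, and why instruction substitution degrades both.

```python
"""Instruction n-grams versus n-perms as malware classification features.

Added example for this page, not zynamics' code. Feature vectors are built
from a function's mnemonic sequence; n-perms are order-independent n-grams.
"""
from collections import Counter


def ngrams(mnemonics, n=3):
    """Ordered sliding windows: reordering independent instructions produces
    new features and destroys old ones."""
    return Counter(tuple(mnemonics[i:i + n])
                   for i in range(len(mnemonics) - n + 1))


def nperms(mnemonics, n=3):
    """Order-independent windows: each window is sorted, so swapping the
    instructions inside a window yields the same feature."""
    return Counter(tuple(sorted(mnemonics[i:i + n]))
                   for i in range(len(mnemonics) - n + 1))


def jaccard(a, b):
    """Weighted Jaccard similarity between two feature multisets."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 1.0


def compare(seq_a, seq_b, n=3):
    """Similarity of two mnemonic sequences under both feature kinds."""
    return {"ngram": jaccard(ngrams(seq_a, n), ngrams(seq_b, n)),
            "nperm": jaccard(nperms(seq_a, n), nperms(seq_b, n))}


# Constructed mnemonic sequences of one function and two mutated variants.
ORIGINAL = ["push", "mov", "sub", "mov", "xor", "lea", "call",
            "test", "jz", "mov", "add", "pop", "ret"]
# Variant 1: two pairs of independent instructions swapped (mov/xor, mov/add).
REORDERED = ["push", "mov", "sub", "xor", "mov", "lea", "call",
             "test", "jz", "add", "mov", "pop", "ret"]
# Variant 2: instruction substitution (xor reg,reg -> mov reg,0; sub imm ->
# add of the negated imm); the mnemonics change, so both feature kinds degrade.
SUBSTITUTED = ["push", "mov", "add", "mov", "mov", "lea", "call",
               "test", "jz", "mov", "add", "pop", "ret"]


if __name__ == "__main__":
    for name, variant in (("reordered", REORDERED), ("substituted", SUBSTITUTED)):
        print(name, compare(ORIGINAL, variant))
```

With 3-windows the reordered variant keeps 3 of 19 distinct n-grams but 7 of 15 n-perms, while the substituted variant scores the same under both (6 of 16). This is the trade-off the talk describes: sorting the window buys robustness against reordering at the price of discarding ordering information, and a mutation engine that substitutes or inserts instructions defeats both kinds of feature, which is where behaviour-based and structural (flowgraph) comparison take over.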

Halvar Flake, CEO, zynamics. Halvar has been working on topics related to reverse engineering (and vulnerability research) for the last 9 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA). Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors. Halvar founded zynamics in 2004 in order to further research into automation of reverse engineering and code analysis.

Sebastian Porst, Lead Developer (BinNavi), zynamics. Sebastian has thrown himself right into the development of BinNavi. Having written his diploma thesis on our upcoming type reconstruction engine, he brings extensive development knowledge and a fresh breeze into the team. Sebastian certainly contributes a lot to the technical as well as the scientific discussion in the office, and he is taking BinNavi a step further.