Speakers

snare

SNARE

De Mysteriis Dom Jobsivs: Mac EFI Rootkits

beef

TY MILLER & MICHELE ORRU

Exploiting Internal Network Vulns via the Browser Using BeEF Bind

li

HERMES LI

Android Malware Detection in the Cloud

default6

MATT J

Thar' be Vuln. ID's Here - A Data Mining Case Study

eldar

ELDAR MARCUSSEN

Practical Attacks on Payment Gateways

ruxconjgrunzweigrmerritt

JOSH GRUNZWEIG & RYAN MERRITT

Targeted Malware – Sophisticated Criminals or Babytown Frolics?

trainhack

TRAINHACK

Reverse Engineering a Mass Transit Ticketing System

paultheriault

PAUL THERIAULT

Firefox OS Application Security

silvio_gray_150x190.jpg

SILVIO CESARE

FooCodeChu for Software Analysis, Malware Detection, & Vuln Research

mimeframe

MIMEFRAME

Homebrew Defensive Security - Take Matters Into Your Own Hands

markg

MARK GOUDIE

The 3 Rings of the Data Breach Circus

benn

BEN NAGY

Windows Kernel Fuzzing For Beginners

adam

ADAM DANIEL

The Impacts of Advancing Technology on Computer Forensics and E-Discovery

louis1

LOUIS NYFFENEGGER

Monitoring repositories for Fun and Profit

AlexChapman

ALEX CHAPMAN

Examination of the VMWARE ESXi Binary Protocol Using Canape

saty

DAVID JORM

Tracking vulnerable JARs

MichaelB150x190

MICHAEL BAKER

Finding Needles in Haystacks (The Size of Countries)

StevenSeeley

STEVEN SEELEY

How To Catch a Chameleon: Its All In Your Heap

travis_gray_139x180.jpg

TRAVIS GOODSPEED

PiP: Remotely Injecting PHY-Layer Packets without a Bug or your Radio

wily

GRAEME BELL

Dr Strangelock ...or: How I Learned to Stop Worrying and Love the Key

DominicSpill

DOMINIC SPILL

Bluetooth Packet Sniffing Using Project Ubertooth

default5

MEDER KYDYRALIEV

Defibrillating Web Security

puhleybw

PELEUS UHLEY

Advanced Persistent Response

dan.gif

DANIEL CABEZAS

Detecting Source Code Re-use through Metadata and Context Partial Hashing

JonathanBrossard150x190

JONATHAN BROSSARD

Hardware Backdooring is Practical

default1

ALEX TILLEY

Operation Damara & Operation Craft

default2

COLLIN MULLINER

Binary Instrumentation for Android

fionn

FIONNBHARR DAVIES

A Tale of Two Firefox Bugs

jon

JON OLIVER

The Blackhole Exploit Kit Spam Runs

snare

SNARE

De Mysteriis Dom Jobsivs: Mac EFI Rootkits

The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture - what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will not require a detailed understanding of EFI, and will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit.

SNARE BIO

Once upon a time, snare was a code-monkey, cranking out everything from pre-press automation apps to firmware for Big F***ing Laser Machines. Upon discovering that "information security" was actually a somewhat legitimate industry, and not just hacking stuff for fun, he got himself a job as a penetration tester. He now works as the Principal Consultant for Assurance in Melbourne, Australia.

Having been a Mac fanboy since around 1987, snare spends most of his free time messing with Mac OS X -from firmware to kernel rootkits to writing actual useful applications. When he's not playing with computers he enjoys hoppy pale ales, guitars, metal \m/, and building robots.

beef

TY MILLER & MICHELE ORRU

Exploiting Internal Network Vulns via the Browser Using BeEF Bind

Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you?

The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.

This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.

So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits are configured to use the new BeEF Bind shellcode.

Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.

Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.

Come and see our live demonstration of this new attack technique in action!

TY MILLER & MICHELE ORRU BIO

Ty Miller

Ty is the instructor for his Black Hat training course "The Shellcode Lab". He performs independent security research, some of which he presented at Black Hat USA 2008 on his development of Reverse DNS Tunneling Shellcode. He is also a co-author of the book Hacking Exposed Linux 3rd Edition. Ty runs the popular shellcoding site Project Shellcode (www.projectshellcode.com) and was also involved in the design of the bootable CHAOS Linux cluster distribution.

Ty Miller is the Chief Technology Officer at Pure Hacking in Sydney Australia. He leads their specialist security team to ensure that his team is at the forefront of specialist information security services. Ty has been in the IT security area for around ten years and has run numerous training courses to clients around the world and at various security conferences. These courses include web application penetration testing, web application secure coding, and infrastructure penetration testing.

Michele Orru

Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on web applications security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, OWASP and more we just can't disclose. Besides having a passion for hacking and being a Senior Spider (for Trustwave SpiderLabs), he enjoys leaving his Mac alone, whilst fishing on salted water and praying for Kubrick's resurrection.

li

HERMES LI

Android Malware Detection in the Cloud

In this presentation I will show 2 parts of a project I'm working on now:

Static Analysis

A classification service in the cloud will be introduced which can auto parse features from android app files and train machine learning engine to get correct category of each file.

Dynamic Analysis

Like Amazon's ‘Test Drive’ but different experience. Our dynamic analysis engine support nearly any Android application directly from your browser using some very interesting technology. Just upload the android apk file and click a button on a webpage, we will launch an emulated instance of Android on cloud, which you’ll be able to control directly from your browser and get a report of what the app has done and a result of whether the app is a malicious app.

HERMES LI BIO

Hermes(Lei) Li worked as a security researcher in Websense Security Lab since 2007, before that he was an employee in Symantec. He has more than 10 years working experience in the field of web security. Now, he is focus on threats discovery and analysis, publish findings to hundreds of security partners, vendors, media outlets, military, and other organizations around the world. He takes part in many research projects to implement new technology and find solutions to improve Websense products.

default6

MATT J

Thar' be Vuln. ID's Here - A Data Mining Case Study

This presentation will take a look at data mining social-media and version control systems for vulnerability references. There are two projects that will be demonstrated with three main goals with this work: 1. Leverage social media to help enrich public vulnerability feeds with valuable information and technical research, 2. Sift through day to day social-media activity from the security community and provide a data source for trending IT security data, and 3. Leverage version control data to build metrics and analytics capabilities for open-source bug hunters.

The social-media mining portion of the talk will demonstrate identifying vulnerabilities with heavy activity over the past 18 months, distinguishing between community hype and solid technical research, and demographic specific trends. There will then be a demo for leveraging this mined data to identify general trending IT security information that can act as a news feed for researchers.

The version control mining portion of the talk will demonstrate providing code analytics for bug-hunters, with test-case projects such as the linux kernel. Example functionality that will be discussed and demonstrated includes activity heat-maps, dormancy vs. code density analysis, and historical vulnerability tainting.

MATT J BIO

Matt is an Australian security researcher with current interests in vulnerability analysis, machine learning, and security visualisation. He runs Volvent Security performing code audits for major vendors to security assessments and consulting for a mix of organisations. On the side he helps out organising the Ruxcon and Breakpoint security conferences.

eldar

ELDAR MARCUSSEN

Practical Attacks on Payment Gateways

Payment gateways are a high value target as they store financial and private information. Despite the requirements placed on payment gateways by credit card companies and local government privacy regulations, most payment gateways suffer from security vulnerabilities. This presentation explores vulnerabilities found in payment gateways during penetration testing as well as new attacks with minimal focus on client side exploitation. Some examples of the vulnerabilities discussed within the presentation are the ability to man in the middle transactions, perform fraudulent transactions, attacks against "tamper proofing" of transactions and old fashioned web vulnerabilities in payment gateway applications or shopping carts.

ELDAR MARCUSSEN BIO

Eldar is a principal consultant and researcher at Stratsec, where he helps organisations test their security and protect intellectual property. He is a perl advocate and in his spare time works on several open source projects aimed at secure web application development and testing. Eldar has presented at OWASP Appsec Asia, Owasp Melbourne, AISA and Ruxmon. He has worked with some of Australia’s leading hosting, search engine optimization and domain parking service providers providing design and security guidance.

ruxconjgrunzweigrmerritt

JOSH GRUNZWEIG & RYAN MERRITT

Targeted Malware – Sophisticated Criminals or Babytown Frolics?

Over the past year, Trustwave’s SpiderLabs malware team has been continually reminded why we love our jobs-—we get to play with malware. But not just any malware. No, we get to reverse engineer and analyze malware from targeted incident response cases. This opportunity allows us to see what criminals are doing at a very intimate level. Now before you ask, no, I’m not saying we call them up and take them out to a romantic dinner. What I mean is that we get to see what actual criminals are doing at real businesses that have been compromised. In addition, these samples are often quite unknown, and in almost all cases, undetected by a large number of antivirus solutions.

This presentation hopes to inform others about some of the more interesting malware samples we’ve seen in the past year. Techniques regarding what data is being targeted, how this data is extracted, exfiltrated, and in many cases, encrypted will be discussed. Additionally, we'll take the information gleaned from these samples along with other data gathered to profile these attackers. Are these attacks really the result of state-sponsored super spies that everyone reads about in the news? Or, is it simply the result of people finding tools on local underground forums that get lucky while performing a scan against a public /8 ?

Since a number of confidential samples will be discussed, a number of precautions will be taken. Client names will not be discussed, and the samples themselves may be modified to “protect the innocent” and not tip off the guilty. While this is a necessary evil, the overall core concepts to the samples will remain intact, and you will leave the presentation knowing a bit more about the technical aspects of malware used in successful compromises, along with insight into the people running them.

JOSH GRUNZWEIG & RYAN MERRITT BIO

Josh is what you would call a jack of all trades when it comes to the security industry. Past jobs have included network administration, system administration, pentesting, and yes, the dreaded helpdesk position. These days he finds himself reversing malware as part of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. When he's not diving into a nice memory dumper from the far east, or digging into a little proxy Trojan from south of the border, he develops tools and scripts in Ruby. While he hasn't hit double digits, Josh still brings 6 years of information security experience.

Ryan Merritt is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has sixteen (16) years of industry experience and has performed security research and presented talks on security topics for the Chicago Fed, Illinois Bankers Association, and BGSU. Prior to Trustwave he was a Senior Security Consultant for a Chicago based firm focusing on penetration testing, social engineering, and security architecture assessments. Ryan holds a Bachelor of Science in Computer Science from Bowling Green State University and is a Certified Information Systems Security Professional (CISSP).

trainhack

TRAINHACK

Reverse Engineering a Mass Transit Ticketing System

This talk will look at different techniques used in black-box reverse engineering of data storage formats, focusing on a case study of an outdated mass transit ticketing system which employed custom cryptography. We'll discuss data gathering and collation and how we used small programs to analyse the data. This will include some basic statistics and cryptanalysis that can be used to break weak codes and ciphers. We'll also cover the dangers of custom cryptography and the difficulties of responsible disclosure.

TRAINHACK BIO

We're a group of security hobbyists currently studying computer science. We're relatively new to the security industry, but have varied interests including static binary analysis, cryptography, securing web applications and low level hardware implementation. We enjoy sunsets, French films, and coding in dark rooms while listening to repetitive electronic music.

paultheriault

PAUL THERIAULT

Firefox OS Application Security

Firefox OS is a new mobile operating system developed as part of the Mozilla project. It uses a Linux kernel and boots into a Gecko-based runtime engine, which lets users run applications developed entirely using HTML, JavaScript, and other open web application APIs. The goal of this presentation is to provide an introduction to the key components of Firefox OS, provide an overview of the Application security architecture and permission model and demonstrate how to get started hacking on the project to help push the mobile web forward.

PAUL THERIAULT BIO

Paul Theriault is an engineer with the Mozilla security assurance team, where he works on securing Firefox OS. He has a passion for all things web, and is a regular presenter and trainer at security conferences such as Hack in the Box KL, AusCERT, HK Information Security Summit and OWASP Asia Pacific. Prior to joining Mozilla, Paul was a security consultant in the areas of web application security, risk assessment and enterprise security.

silvio_gray_150x190.jpg

SILVIO CESARE

FooCodeChu for Software Analysis, Malware Detection, & Vuln Research

This talk explains the free web services provided by FooCodeChu - what they can be used for and how they work. Demos of three services will be shown. The first offering, Simseer, is a web service that performs software binary-level similarity detection and visualization of program relationships. This has applications in detecting software theft and plagiarism. It can also be applied to malware variant detection. The service performs automated unpacking using a 32-bit x86 application-level emulator written from scratch. The next service, Bugwise, can detect software bugs and vulnerabilities in executable binaries. It works using decompilation and data flow analysis. Finally, Clonewise is an open source service to identify code reuse in Linux using source-level analysis. Users of the service submit a tarball of their source tree and Clonewise reports if the code is shared with any packages in Debian and Ubuntu Linux. This system is planned to be integrated into the Debian Linux infrastructure.

SILVIO CESARE BIO

Silvio Cesare is a PhD student at Deakin University. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at conferences including Blackhat, Cansecwest, Ruxcon, and academic outlets. He is an author of the book Software Similarity and Classification, published by Springer and has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of the vulnerability management company, Qualys.

mimeframe

MIMEFRAME

Homebrew Defensive Security - Take Matters Into Your Own Hands

Finding new attack vectors is beneficial, but what about those of us that also have to defend against them? To detect and prevent attacks against our product and corporate infrastructure, Facebook deploys meaningful, scalable, homebrew solutions. On the product side, this talk will cover our strategies for detecting and preventing common attack classes,malware-like propagation, and keeping the site secure in light of our daily code pushes. On the corporate side, I will discuss our techniques on using logging to actually detect malice, effectively surfacing and correlating these IOCs and alerts, and enabling analysts to develop rules in a quick, maintainable fashion, with real world examples of what to look for. This talk will demonstrate simple, effective, deployable methods to detect "bad" once you have your logging infrastructure in place. (You do have it in place, right?)

MIMEFRAME BIO

mimeframe is a security engineer at Facebook. Originally a traditional developer, mimeframe moved on to greener pastures and started doing security work for a living.

markg

MARK GOUDIE

The 3 Rings of the Data Breach Circus

Data breaches continue to plague organizations worldwide. In 2011, 58% of the data stolen was attributed to hactivism, according to the annual 2012 Data Breach Investigations Report (DBIR) by Verizon. The new trend contrasts sharply with the data breach pattern of the past several years - during which the majority of attacks were carried out by cybercriminals whose primary motivation was financial gain. This change represents a significant change in the approach needed by defenders, as there are now three key groups we need to be prepared for.

Key findings included:

  • 79% of the attacks represented in the report were opportunistic;
  • 96% were not highly difficult, meaning they did not require advanced skills or extensive resources; and
  • 97% of the attacks were avoidable, without the need for organisations to resort to difficult or expensive countermeasures.

The presentation will be a combination of statistics coloured by real world war stories from APAC and overseas to illustrate key points.

There are three main categories of agents (Organised Crime, Hacktivists, and Nation States) that steal data. The presentation will dissect the actions, methods and targets that these three agents are using as well as demonstrate some of the recent techniques used to steal data.

 

MARK GOUDIE BIO

Mark Goudie is the Verizon Business managing principal for Investigative Response in Asia-Pacific and brings more than 20 years experience in IT to this role. He specializes in computer forensics, incident response, and e-Discovery. Goudie is a joint author of the Verizon Business Data Breach Investigations Report and is a regular speaker at industry conferences including AusCERT, OWASP, PCI DSS, Ruxcon, and the INTERPOL Information Security Conference.

benn

BEN NAGY

Windows Kernel Fuzzing For Beginners

Kernel bugs are cool, and like with all bug classes, there is low hanging fruit that can be hit with fuzzing, but the initial knowledge barrier represents class warfare waged by smart people like @kernelpool against people like me. To help honest, hard working fuzzers who prefer a 'low intellectual investment' strategy to bugs, this talk will cover how we take The Fuzzing Canon and apply it to the Windows Kernel. What can we fuzz? How do we instrument? How do we deliver the tests? And, most importantly, in my view - How do we scale that? Theory will be restricted to what's absolutely essential, I promise - no filling up time with IRP structure diagrams and boring 'knowledge', with a sincere effort to locate relevant, funny pictures of cats and otters and stuff.

BEN NAGY BIO

Ben Nagy is a senior security researcher with COSEINC, currently working from Kathmandu, Nepal - braving 14 hours per day of scheduled power cuts, wild dog packs and amusing diseases such as typhoid and cholera. For several years, he has been exploring and presenting ways to improve fuzzing scalability, using clusters and clouds to automate and distribute many 'fuzzing related' tasks. Ben is a one-eyed Ruby zealot and a firm believer in Not Invented Here, Beer and Enraged Ranting.

adam

ADAM DANIEL

The Impacts of Advancing Technology on Computer Forensics and E-Discovery

With the advancement of technology, Computer forensic examiners an eDiscovery professionals are constantly facing new challenges in locating, recovering, examining and producing electronic evidence. This talk will take a look at how things like growing data sets, encryption, advancing OS’s, cloud computing and new storage technologies all effect IT based forensic investigations and discovery, discuss some of the emerging advancements in forensic and discovery tools and techniques to try address these problems and provide some (Hopefully interesting) case study.

ADAM DANIEL BIO

Adam is a Manager with Ernst & Young’s Forensic Technology & Discovery Services team with over 18 years of experience in fields of data recovery,data conversion, computer forensics and electronic discovery. In his day to day job he specialises in client engagements that involve the identification, collection, analysis and reporting of computer forensic evidence for investigations, disputes, litigation and regulatory matters.

He also specialises in computer based expert witness and testimony as well as Electronic Discovery and litigation readiness consulting. He also loves smoking cuban cigars and listening rap music.

louis1

LOUIS NYFFENEGGER

Monitoring repositories for Fun and Profit

Most of today's tools perform code review as a capture of the current state of an application. However with new development methodologies aka "agile", this methodology is less and less effective. Monitoring repository as an alive thing, can allow a security team to get a better idea of what is being fixed and what vulnerabilities are being created. We will see how some simple techniques can be used to quickly detect patches and new vulnerabilities.

Furthermore, the opensource community provides a huge number of projects that can potentially have new vulnerabilities, silent patches and any other dirty secrets. We will see how it's possible to monitor a large number of projects and see what metrics and information we can get from projects.

This talk will mainly focus on web projects regarding the detection of issues and patches but the methodologies can easily be used for any projects.

LOUIS NYFFENEGGER BIO

Louis (@snyff) is a security consultant saving the Internet on a daily basis. In his spare time, he works on his two side projects Pentesterlab (training material - pentesterlab.com) and pntstr (easy interview system - pntstr.com). Louis enjoys long walks on the beach, data mining, good beers and bypassing WAFs (not necessarily in that order).

AlexChapman

ALEX CHAPMAN

Examination of the VMWARE ESXi Binary Protocol Using Canape

This presentation will cover a demonstration of the new version of the Canape protocol analysis tool being released for Ruxcon. During the course of the presentation various attack scenarios against the VMWare ESXi binary protocol will be demonstrated using Canape.

The VMWare ESXi protocol is a complex multi-layered protocol which transitions between many protocol states throughout a connection lifetime. The protocol uses multiplexed frames, compression and encryption all over a single TCP connection. The talk will discuss and outline serious weaknesses within the ESXi protocol and how these can be leveraged from within Canape.

During the talk, new features of Canape will be demonstrated live to show the audience how the tool can be used from traffic interception and initial protocol dissection through data injection and fuzzing and finally demonstrating full PoC exploitation all within Canape.

Presentation outline:

  • What is Canape
  • Examining the VMWare ESXi protocol
  • Demonstrating ESXi protocol interception
  • Intercepting the ESXi encryption
  • Data injection to brute force user credentials
  • Fuzzing ESXi
  • 0day demonstration

Canape

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the target traffic.

Canape is a network protocol analysis tool which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to network protocol testing. Canape provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

Rather than creating a complete bespoke program to proxy and manipulate protocol traffic, Canape can be used to provide the networking, parsing and fuzzing infrastructure to significantly reduce assessment effort.

ALEX CHAPMAN BIO

Alex Chapman is a Senior Security Consultant at Context Information Security who has 5 years experience in hands on, down in the trenches, security work. Alex is heavily involved in security research including bespoke protocol analysis and binary reverse engineering, and has contributed security advisories for a number of major software products.

saty

DAVID JORM

Tracking vulnerable JARs

Java projects typically include and package their own set of JAR files, often using build systems such as maven to accomplish this. This means the operating system's package manager cannot be relied upon to update dependencies with security patches; each project must ensure it is including secure versions independently. Unsurprisingly, most projects do an appalling job of this. When a security patch is released for an upstream dependency, projects using it can take many months to start including it. That's for open source projects - who knows about proprietary or in-house projects, it is probably even worse. To combat this, I'm currently working on three initiatives that will be outlined by this talk:

 

  • jboss-manifest: a JAR manifest generator that recursively unpacks projects distributed as zip files to generator a text and SQL-based manifest of their packaged JARs
  • victims database: a canonical database of known-vulnerable JARs, identified by sha-512 fingerprints and linked to CVE IDs
  • maven-victims: a maven plugin to detect known-vulnerable JARs at build time based on the victi.ms database

DAVID JORM BIO

David is the lead security response engineer for Red Hat's middleware division. He has worked on security response, documentation, hotel reservation systems, climate forecasting, OCR, AI and mental health. He studies math and geography part time.

MichaelB150x190

MICHAEL BAKER

Finding Needles in Haystacks (The Size of Countries)

The lament of security analysts is often a limitation in the amount of data they can process, and the ensuing loss of data fidelity as size increases. As data sets grow they become unwieldy, making it difficult to add context through correlating security event data with other relevant data sets.
Full packet capture provides a method for maintaining a forensic copy of all network conversations. However the reality up until now is that full packet capture and analysis has been bounded by the size of the data, the time to process it and the ability of applications and tools to encode key attack, deviations, mis-use and anomaly data into visualizations.
When you can store all of your network data the issue then becomes how do you analyze it. How do you find the single conversation you are looking for in trillions of conversations?
Big Data has supplied both a method for parallel computation and at the same time the cost of storing all network data (full packet capture) is within reach of all organizations. At the same time threats are becoming more blended, complex and difficult to find. Big Data tools such as Apache Hadoop, PIG and NoSQL databases provide the ability to perform complex network traffic analysis at petabyte scale. These tools can be leveraged using the Amazon Cloud (Elastic Map Reduce) to process, query and persist packet capture data.
With these tools there is no time-cost trade off to analyzing every single conversation on a network, enriching the data, intersecting data sets and sharing anonymised data sets.
Allowing you to answer questions that not many tools can:
How can I find Zero Day attacks in past traffic?
* How can I better detect attacks at greater confidence?
* What is normal?
* What is new (never seen before)?
* What attackers are similar to other attacks?
* What is the operating system and patch level of my attackers?
* What protocols are strongly correlated in relation to sessions, bandwidth and payloads?
* What sessions are tunnels?
* After each attack how did the victim's sessions and protocols change?
* What is a normal HTTP payload for each of my web servers? - - How does an attack differ?
* What are attackers doing within HTTPS sessions to my websites.
* How can I intersect white and blacklists with my network packet captures?

The lament of security analysts is often a limitation in the amount of data they can process, and the ensuing loss of data fidelity as size increases. As data sets grow they become unwieldy, making it difficult to add context through correlating security event data with other relevant data sets.

Full packet capture provides a method for maintaining a forensic copy of all network conversations. However the reality up until now is that full packet capture and analysis has been bounded by the size of the data, the time to process it and the ability of applications and tools to encode key attack, deviations, mis-use and anomaly data into visualizations.

When you can store all of your network data the issue then becomes how do you analyze it. How do you find the single conversation you are looking for in trillions of conversations?

Big Data has supplied both a method for parallel computation and at the same time the cost of storing all network data (full packet capture) is within reach of all organizations. At the same time threats are becoming more blended, complex and difficult to find. Big Data tools such as Apache Hadoop, PIG and NoSQL databases provide the ability to perform complex network traffic analysis at petabyte scale. These tools can be leveraged using the Amazon Cloud (Elastic Map Reduce) to process, query and persist packet capture data.

With these tools there is no time-cost trade off to analyzing every single conversation on a network, enriching the data, intersecting data sets and sharing anonymised data sets.

Allowing you to answer questions that not many tools can:

 

  • How can I find Zero Day attacks in past traffic?
  • How can I better detect attacks at greater confidence?
  • What is normal?
  • What is new (never seen before)?
  • What attackers are similar to other attacks?
  • What is the operating system and patch level of my attackers?
  • What protocols are strongly correlated in relation to sessions, bandwidth and payloads?
  • What sessions are tunnels?
  • After each attack how did the victim's sessions and protocols change?
  • What is a normal HTTP payload for each of my web servers? - - How does an attack differ?
  • What are attackers doing within HTTPS sessions to my websites.
  • How can I intersect white and blacklists with my network packet captures?

MICHAEL BAKER BIO

Michael Baker is a technologist focused on information security and pushing the boundaries of software. Recently he has been using Big Data and NoSQL tools to pioneer new ways to collect, analyse and make security decisions on network data. A devotee of Network Security Monitoring (NSM) he looks to deliver on real potential of NSM using parallel processing, map/reduce and alternative databases.

Michael is a noted expert in Perimeter Security Architecture and Implementation having spent the majority of his 15 year security career designing and implementing Banking perimeters in Australia and Asia.

Michael has built and sold a security consulting company and designed and built a Managed Security Provider and Private Cloud platform. As the leader of an application development team he also built a construction collaboration platform that manages around $40 Billion AUD of construction projects.

Michael is currently CTO of Packetloop, a cloud-based security analytics and analysis platform and leading the security consulting firm, Black Foundry.

StevenSeeley

STEVEN SEELEY

How To Catch a Chameleon: Its All In Your Heap

The detection of heap based buffer overflows have always been difficult due to the use of the corrupted memory happening often much later after the overwrite occurs during an execution process. Add to that the difficulty in the classification and exploitation of these vulnerabilities and you are doomed for eternity.

Meet Heaper. Heaper is an evolving Immunity Debugger plugin designed to not only detect corrupted heap memory during a dynamic assessment, but also to use a number of heuristics to detect exploitable conditions. Once a condition is triggered, it will hopefully guide you on how you should 'massage' the heap. Additionally, it introduces the ability to graph and analysis the heap state and performs other important heap tasks.

Come and learn how Steve failed, succeeded, what functionality was developed and why and the future direction of the project.

STEVEN SEELEY BIO

Steven Seeley is a security researcher for Immunity Inc where he performs penetration tests for a number of large national and international organizations. He practices the ancient art of persistence and focuses his research efforts on the application of offensive security. He is a member of the Corelan security team and has authored the tutorial series "Heap Overflows for Humans".

travis_gray_139x180.jpg

TRAVIS GOODSPEED

PiP: Remotely Injecting PHY-Layer Packets without a Bug or your Radio

The Packet-in-Packet (PIP) vulnerability exists in most unencrypted digital radios of variable frame length, including Wifi and Zigbee. Sometimes a packet is damaged in a way that the receiver does not know the packet has begun, in which case a carefully crafted string inside of the packet is mistaken for being a packet. The interior packet is entirely controlled by whomever crafted it, including all header fields and the checksum. No software vulnerability is needed to allow for this injection, and there is no known fix without breaking backward compatibility or mandating encryption.

TRAVIS GOODSPEED BIO

Travis Goodspeed is a neighborly expat from Southern Appalachia who wanders the world as a circuit preacher of strange exploits and weird machines. At Breakpoint, you might have seen his presentation on emulating the USB Device Firmware Update protocol in order to record, patch, and replay firmware updates.

wily

GRAEME BELL

Dr Strangelock ...or: How I Learned to Stop Worrying and Love the Key

"Gentlemen, you can't fight in here. This is the War Room!" Wily Kubrick discusses the arms race that is physical security. Through an analysis of patents from 1865 to the present day, some very cool physical security advancements -- and how we can go about defeating them -- are discussed.

GRAEME BELL BIO

Graeme "wily" Bell is a Senior Consultant at Assurance Pty Ltd, mostly performing infrastructure and application penetration testing. In his spare time Graeme enjoys photography and self-indulgent piano solos. He has presented at a few security conferences and run physical security workshops. He once got caught in a set of (seized) handcuffs trying to show off to a pretty girl.

DominicSpill

DOMINIC SPILL

Bluetooth Packet Sniffing Using Project Ubertooth

Bluetooth traffic analysis is hard. Whilst other radio communications technologies (802.11, Zigbee) support promiscuous mode, Bluetooth dongles cannot monitor all traffic due to a pseudo-random frequency hopping system. Until recently the only way to monitor Bluetooth traffic was to use expensive software radio peripherals. Project Ubertooth is an open hardware device that has opened up new opportunities to capture Bluetooth traffic between devices, even in non-discoverable mode.

As part of this presentation I will demonstrate the latest frequency hopping functionality that allows us to follow a connection as it changes frequency 1600 times per second and capture the packet data for analysis. The talk will also explain the technical challenges that have been overcome while attempting to implement Bluetooth protocol analysis on affordable hardware, such as the obscure error correction methods that many manufacturers have chosen not to implement in their products.

The demonstrations will include tools written to work with the Ubertooth device as well as integration with both Kismet and Wireshark. Additionally some of the tools will also work with the GnuRadio platform and the USRP hardware, this will be demonstrated if time allows.

DOMINIC SPILL BIO

Dominic Spill has been investigating Bluetooth security using software radio since 2007. In that time he has built the first promiscuous Bluetooth packet sniffer based on software radio and collaborated with other researchers to produce open source Bluetooth traffic analysis tools. He is currently working as a developer and security researcher in Melbourne.

default5

MEDER KYDYRALIEV

Defibrillating Web Security

Whether you are a consultant or a software engineer, you have probably realized by now that we're not really making a lot of progress on server-side web security. Consultants benefit from the resulting job security and developers want to focus on building awesome technology without spending a lot of time and energy building reusable security solutions, which are hard. Come and hear about the fallacies of the current approaches and a couple of ideas no how to address some of them.

 

MEDER KYDYRALIEV BIO

Meder has been working in the area of application security for nearly a decade. He's poked at, broken, and helped fix a lot of code businesses and parts of the Internet depends on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few). Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier.

puhleybw

PELEUS UHLEY

Advanced Persistent Response

The past few years have been interesting for the Flash Player team to say the least. With a change in the threat landscape, multiple zero-day attacks and increasing scrutiny from the security community and the public, we have had to rapidly scale our security efforts to adjust to the new challenges. In the process, we have been provided with a unique insight into the targets and methodologies of malicious hackers. This presentation will discuss the different types of attacks we have seen, our analysis of what the attacks say about the threat landscape, and how the technical analysis influenced our security strategy. We will also share the lessons that we've learned in the process of responding to these threats.

PELEUS UHLEY BIO

Peleus Uhley is the Platform Security Strategist within Adobe's Secure Software Engineering Team (ASSET). His primary focus is advancing Adobe's Secure Product Lifecycle (SPLC) within Adobe platform technologies, including Flash Player and AIR. Prior to joining Adobe, Peleus started in the security industry as a developer for Anonymizer, Inc., and went on to be a security consultant for @stake and Symantec.

dan.gif

DANIEL CABEZAS

Detecting Source Code Re-use through Metadata and Context Partial Hashing

Often, digital investigations have to deal with the theft of intellectual property in the form of source code copied and re-used without permission. In order to investigate source code infringement, there are two main family techniques: plaintext source code comparison and binary analysis. Both kinds of analysis can give very accurate results when comparing identical or very similar datasets. Nevertheless, they fail very easily in case any kind of source code obfuscation, data hiding or simple scrambling techniques are applied to one of the compared datasets. In this paper, we present a novel hybrid approach, merging both plain-text, binary and cryptographic comparison analysis techniques by taking advantage of several common features shared across the most common computer binary executable formats.Often, digital investigations have to deal with the theft of intellectual
property in the form of source code copied and re-used without  permission.
In order to investigate source code infringement, there are  two main
family techniques: plaintext source code comparison and binary  analysis.
Both kinds of analysis can give very accurate results when comparing
identical or very similar datasets. Nevertheless, they fail very easily  in
case any kind of source code obfuscation, data hiding or simple  scrambling
techniques are applied to one of the compared datasets.
In this paper, we present a novel hybrid approach, merging both
plain-text, binary and cryptographic comparison analysis techniques by
taking advantage of several common features shared across the most  common
computer binary executable formats.

Often, digital investigations have to deal with the theft of intellectual property in the form of source code copied and re-used without permission. In order to investigate source code infringement, there are two main family techniques: plaintext source code comparison and binary analysis. Both kinds of analysis can give very accurate results when comparing identical or very similar datasets. Nevertheless, they fail very easily in case any kind of source code obfuscation, data hiding or simple scrambling techniques are applied to one of the compared datasets. In this paper, we present a novel hybrid approach, merging both plain-text, binary and cryptographic comparison analysis techniques by taking advantage of several common features shared across the most common computer binary executable formats.

DANIEL CABEZAS BIO

Daniel is a Manager within Ernst & Young’s Security Advanced Security Centre (ASC). with more than 10 years of industry experience in IT Security spanning across the Banking, Insurance, Financial Services, Manufacturing, and Telecommunications sectors. Daniel tries to combine his passions for hacking and travelling, and has filled up already three passports travelling around the world performing penetration testing projects in 5 of the 6 continents, from Paraguay to Australia, and he's looking forward for an opportunity to hack with the penguins in Antarctica.

JonathanBrossard150x190

JONATHAN BROSSARD

Hardware Backdooring is Practical

This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.

Outline:

  • Coreboot & x86 architecture
  • Flashing Coreboot on a motherboard
  • State of the art in rootkitting, romkitting
  • Introducing Rakshasa
  • Evil remote carnal pwnage (of death)
  • Why cryptography (Truecrypt/Bitlocker/TPM) won't save us...

JONATHAN BROSSARD BIO

Jonathan is a security research engineer holding an Engineering degree and a Master in Artificial Intelligence. Born in France, he’s been living in Brazil and India, before currently working in Australia. With about 15 years of practice of assembly, he is specialised in low level security, from raw sockets to cryptography and memory corruption bugs.

Jonathan is also the co-organiser of the Hackito Ergo Sum conference (HES2011) in France. Jonathan has been a speaker at a number of great international conferences including Blackhat, Defcon, HITB (Amsterdam & Kuala Lumpur), Ruxcon (Australia), Hackito Ergo Sum (France), and is a recurrent speaker at H2HC (Brazil & Mexico).

default1

ALEX TILLEY

Operation Damara & Operation Craft

This presentation will cover 2 Australian Federal Police CCO Operations:

Operation Damara, the investigation into the hacker known as “evil”.

Operation Craft, an investigation into a conspiracy to compromise state government infrastructure.

ALEX TILLEY BIO

Alex Tilley is a Senior Technical Analyst with the AFP's Cybercrime Operations team. Alex has been in IT security for almost 12 years, his background is in (legitimate) online casino's and Banking IT security.

default2

COLLIN MULLINER

Binary Instrumentation for Android

Bug hunting on Android becomes more and more challenging. Analyzing more interesting targets require more then logcat and the debugger, sometimes you really want to change the target process. This talk will present an simple and easy way to do binary instrumentation on Android (ARM). We will do a full walk through of the instrumentation tool and show a few examples of what we did with it.

COLLIN MULLINER BIO

Collin Mulliner is a researcher in the Systems Security Lab at Northeastern University. Collin's main interest is the security and privacy of mobile and embedded devices with an emphasis on mobile and smart phones. Since 1997 Collin has developed software and did security work for Palm OS, J2ME, Linux, Symbian OS, Windows Mobile, Android, and the iPhone. In 2006 he p0wnd Windows Mobile using MMS and broke iOS, Android, and Windows Mobile with SMS in 2009. Collin's specifically interested in the areas of vulnerability analysis and offensive security.

fionn

FIONNBHARR DAVIES

A Tale of Two Firefox Bugs

This talk will discuss 100% reliable exploitation of CVE-2011-2371 (found by Chris Rohlf) by turning it into an infoleak and no heap spraying techniques. There won't be any spamming the address space and relying on the sayonara ROP chain - this will instead go over how exploit writers are supposed to ball to produce quality and reliable exploits. A second, very different, bug will have the same work over as the first. All relevant Firefox internals will be discussed.

FIONNBHARR DAVIES BIO

Fionnbharr Davies / thoth is a professional accountant by day and whitehat security evangelist by night. When Fionnbharr isn't spending his free time going through personal receipts (a receipt a day keeps the tax man away!), he can be found mountaineering, whitewater rafting or practising kegels.

jon

JON OLIVER

The Blackhole Exploit Kit Spam Runs

We will describe our ongoing research into the high-volume spam runs that send users to websites that host the Blackhole Exploit Kit. The spam in these outbreaks claim to be from high profile companies such as Intuit, LinkedIn, Facebook, and PayPal, among others. There has been discussion of the technical details of the exploit kits (such as Jason Jones’ presentation at BlackHat). Beyond describing the technical details of the tools used, it is important for security researchers to describe the overall attack. This talk will cover patterns in the behaviour of these attacks – including how they are designed to get through spam filters, evade web reputation systems and infect users. The issues raised lead to the need for the security industry (and organizations in general) to update how we deal with these campaigns.

JON OLIVER BIO

Jon Oliver leads the Board of Architect at Trend Micro. He has worked in the computer security area for 10 years working on award winning antispam and web reputation systems. Before joining Trend Micro in 2006, he was Chief Spam-fighter at Mailfrontier, an antispam startup.

Jon holds a Ph.D. in machine learning from Monash University. Prior to entering the computer security area, he performed postdoctoral research in Australia and the U.K. and acted as a data-mining consultant in the Silicon Valley doing a range of contracts NASA (data analysis for the Mars rover), the FAA and eBay.