Speakers (preliminary) - DeepSec IDSC 2014 Europe

Getting the most out of your Pineapple

Robin Wood, Darren Kitchen, Seb Kinne (Hak5)

Master the WiFi Pineapple with hands on training from the creators. This practical approach to WiFi hacking begins with the fundamentals of 802.11 networks and protocols, providing a core understanding of weaknesses and how the WiFi Pineapple can exploit them.

Each student will be given the latest generation WiFi Pineapple with instruction to confidently deploy, attack, monitor and manage. Further time will be spent on the 'infusion' app ecosystem, updates and development.

As a bonus, a Human Interface Device hacking breakout session, with included USB Rubber Duckies, will be offered.

Students are encouraged to ask questions and make suggestions for improving this ever-growing project. A modern laptop with USB and Ethernet ports is required.

Between the three of us we represent the beginning, current and future of the WiFi Pineapple.

Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more

Dawid Czagan (Silesia Security Lab / Future Processing)

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning bugs identified in some of the greatest companies? If that sounds like fun, join this workshop!

I will discuss bugs that I have found together with Michał Bentkowski in a number of bug bounty programs (including Google, Yahoo, Mozilla and others). This is a two-day BYOL workshop, so make sure to have your laptop with you.

You will be given a VMware image with a specially prepared environment to play with the bugs. What’s more, after the workshop is over, you are free to take it home and hack again, at whatever pace is best for you.

To get the most out of this workshop, basic knowledge of web application security is needed. You should also have used a proxy such as Burp, or similar, to analyse or modify traffic.

You will need a laptop with at least 4 GB RAM, 20 GB free hard drive space, USB and Ethernet ports, administrative access, ability to turn off AV/firewall and VMware Player installed.

Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).

IPv6 Attacks and Defenses - A Hands-on Workshop

Enno Rey (ERNW GmbH)

IPv6 deployment is rising every single day. Specifically, according to the statistics and the trends of the Internet Society, “2013 marked the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years.” At the same time, ARIN states that they are currently in phase four of their “IPv4 Countdown Plan”, while RIPE reached its last /8 of IPv4 address space quite some time ago. So, “this time it is for real”. Moreover, most Operating Systems, network and security devices (like firewalls, IDS, etc.) come with IPv6 pre-enabled. However, are we ready for the IPv6 era from a security perspective?

In this workshop, various attack methods that “exploit” IPv6 design and implementation security issues will be discussed. These issues, due to their nature, affect several modern and prestigious Operating Systems as well as network and security devices. Specifically, it will be explained and demonstrated how you can exploit IPv6-specific features for pen-testing IPv6 systems and networks. To this end, first, all the required theory regarding the changes that IPv6 brings with it and how they affect security will be presented. Then, it will be explained and demonstrated how to launch most of the known IPv6 attacks. Furthermore, some more advanced attacks will be presented, as well as ways of fuzzing the protocol implementation of various systems and security devices. For accomplishing our goals, a specific IPv6 pen-testing and security assessment tool written by the instructors will be provided. Finally, mitigation techniques to protect your IPv6 infrastructure from these attacks will also be discussed. At the end, two IPv6 security challenges will be given to the attendees of the workshop to practice their IPv6 security skills: one for blue team members to get the experience of analysing real IPv6 attacks, and one for red team members to practice their IPv6 penetration testing skills.

Only by knowing the potential IPv6 security issues will we be able to protect IPv6 effectively. The acquired knowledge will be valuable both to penetration testers who want to test IPv6 networks and to network and security engineers who want to protect their IPv6 networks effectively.

Enno (@Enno_Insinuator) is a long-time network security geek who likes to explore devices and protocols, and to break flawed ones. He has been involved with IPv6 since 1999 and blogs about IPv6 security in all its flavors at http://www.insinuator.net/tag/ipv6/.

Co-instructor:
Antonios Atlasis (MPhil, PhD) has been an IT engineer for more than 20 years, and a developer and instructor in several Computer Science and Computer Security related fields. In recent years he has specialised in IT Security, working mainly as a penetration tester, incident handler and intrusion analyst. His latest security research focuses on IPv6; some of his work has been presented at BlackHat Europe 2012, BlackHat Abu Dhabi 2012 and at the IPv6 Security Summit of Troopers 13 and Troopers 14, while the newest one will be presented at BlackHat US 2014.

Understanding x86-64 Assembly for Reverse Engineering and Exploits

Xeno Kovah (MITRE)

This two-day class helps you bootstrap into the areas of reverse engineering, vulnerability exploitation, operating system design, code optimization, and compiler design. It’s extremely rare to see any security conference where assembly language isn’t mentioned in someone’s slides. If you don’t know assembly, you’re missing out on a full understanding of what people are trying to tell you!

Once you’ve taken this class, it will open the door to all the other specialty areas that depend on assembly knowledge. And this is the first time this class is being offered focusing on 64 bit rather than 32 bit assembly! Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis. This distribution is partially due to Windows’ dominance of the marketplace, but also because the tools on Windows are more user-friendly than those on Linux, allowing for a more gradual introduction for the student.

Xeno is currently the team lead for the 5-person BIOS Analysis for Detection of Advanced System Subversion (B.A.D.A.S.S.) project. This project has been responsible for finding and disclosing multiple BIOS exploits, bypassing signed BIOS update requirements, defeating Windows 8 and UEFI SecureBoot, and bypassing other security mechanisms such as the Trusted Computing Group “Static Root of Trust for Measurement.” On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno has presented at conferences such as BlackHat USA, ACM CCS, CanSecWest, IEEE S&P, PacSec, ToorCon, Hack.lu, NoSuchCon, SummerCon, and others. Xeno is also the founder of OpenSecurityTraining.info, and current leading contributor, having posted 8 days of classes on deep system security, with an additional 2 day class on Intel TXT (Trusted Execution Technology) to be added soon.

XSS & PHP: A Happily Married Couple

Ashar Javed (Ruhr University Bochum)

Cross-Site Scripting (XSS) attacks are at number one in the Open Source Vulnerability Database (OSVDB) and, according to a recent report by WhiteHat, 53% of web applications are vulnerable to XSS flaws. During our research on mobile applications, we found that 81% of popular mobile sites are vulnerable to XSS.

Hypertext Preprocessor (PHP) is by far the most popular server-side web programming language. One recent statistic shows that 81.7% of web application servers are using PHP. At the same time, PHP has been recognized as "Server-side Programming Language" of the Year 2013.

This hands-on workshop is designed for students who are interested in XSS and PHP, security-unaware developers who wish to secure their applications against XSS and, at the same time, pen-testers who want to find XSSes in elite applications. I will share some stories of finding XSSes in top sites and how I start looking at a web application for XSSes. During the workshop, attendees will first learn a "systematic, easy to grasp, context-aware attack methodology" and then apply the attack methodology on 40+ test-beds. For example, the attack methodology related to a URL context is a five-step process.

a) What are these five steps?
b) Why only five steps?
c) What can one conclude after applying these five steps?

You will learn in the workshop...

The test-beds simulate PHP-based XSS protections powering hundreds of thousands of sites in the wild. The attendees will learn a "specific lesson" from each test-bed. The test-beds consist of:

i) common ways developers use PHP built-in functions in the wild

ii) PHP-based customized or home grown XSS protection solutions

iii) top-notch PHP web application frameworks including CodeIgniter, Laravel-Security, CakePHP, HTMLawed, Nette, PHP Input Filter and PEAR's HTML Safe, etc.

iv) XSS protections from Alexa's top 100 sites

After breaking all the PHP-based XSS protections in at least one context, attendees will learn how to fix them and I will show how easy it is to fix this mess. I will also share context-specific best practices that I found during a survey of the Alexa top 100 sites.

Ashar Javed is a research assistant at Ruhr University Bochum, Germany, and is working towards his PhD. He has been listed ten (X) times in the Google Security Hall of Fame, the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages and Facebook White Hat. He has spoken at major security venues such as Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.

Mobile Application – Scan, Attack and Exploit

Hemil Shah (eSphere Security Solutions Pvt Ltd)

Mobile application hacking and its security is becoming a major concern in today’s world, especially with BYOD and users jailbreaking/rooting their devices. In the last few years we have seen a range of new attack vectors and methods of exploitation for these devices. Mobile applications are vulnerable to various sets of different attacks like local storage, user data harvesting, activity spying, unauthorized event injection, UI Jacking, Tab Jacking, traffic redirection, logical attacks, hard-coded keys and a few others. It is imperative to scan these applications before loading and launching them on different platforms. Scanning and vulnerability detection are two major areas for mobile applications in the current state. Attack techniques and exploit delivery on different platforms are evolving, and protection is even tougher as the code bases differ. With all mobile platforms supporting HTML5 applications, there is a significant increase in hybrid applications.

At the same time, mobile applications communicate with the server side over HTTP/HTTPS, which opens up possible attacks on Web Services, APIs, OAuth, REST, etc. The server-side applications can be attacked with injections and critical logical exploitation. New technology stacks are evolving for mobile, like HTML5 and Silverlight, which open up new attack surface. In this context it is imperative for IT professionals and corporate application owners to understand these attack vectors to protect mobile infrastructure, users’ privacy and security, and the company’s intellectual property. The class features detailed hands-on exercises for mobile attacks on different platforms, real-life cases, live demos, scanning techniques, code analysis and defensive controls. The following topics will be covered during the class.

Introduction to Mobile Applications
• General Overview
• Case studies of vulnerable and old AppStore applications
• Evaluation of Applications
• Trends in Mobile Application Security
• Mobile Application Fundamentals – What, Why, How and Where

iOS

Deep dive into iOS
• Sandboxing
• iOS Application Architecture
• Understanding iOS platforms
• iOS Structure
• Application Structure
• Application Distribution
• Permissions
• Installing application from IPA
• Objective-C Basics for penetration testing
• Cocoa/Cocoa Touch Framework
• Introduction to Xcode
• Running application in simulator
• Jailbreaking
    o What
    o Why
    o How
    o Who

Set up Attack environment
• Intercepting traffic
    o Configuring simulators to use proxy
    o Configuring device to use proxy
    o Overcoming SSL traffic interception challenges
    o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools

iOS Application Attacks & Reverse engineering
• Attacking insecure storage
• Insecure network communication
• Unauthorized dialing, SMS using rootkit
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive/Private data leakage
• Hardcoded passwords/keys
• Language issues
• Jailbreaking/Physical device theft
• Keyboard cache/Clipboard issue in iPhone
• Reading information from SQLite database
• Insecure Protocol Handler implementation
• Parsing client-side binary files to get session cookie
• Business Logic attacks
• Using debugger to analyze iOS applications
• Interesting things to look for after reverse engineering

Securing iOS Applications and source code analyzer
• Secure coding for iOS Applications
• How to incorporate secure design and coding principles for developing iOS applications
• Safe/Unsafe APIs
• Avoiding Buffer Overflows and Underflows
• Validating Input and Inter-process Communication
• Race Conditions and Secure File Operations
• Designing Secure User Interfaces
• Static Code Analyzer for iOS

Other Mobile/Smart TV Platforms

Windows Phone
• Understanding Windows Phone platforms (Windows Phone 7 & Windows Phone 8)
    o Windows file system
    o Application Distribution
    o Permission model
• Windows Phone development environment
• Running Windows Phone binary in simulator
• Intercepting traffic

BlackBerry
• BlackBerry file system
• Application Distribution
• Permission model
• Intercepting traffic

Samsung smart TV applications
• Architecture
• Key components and browser stack
• Application model and structure

Android – Hacker friendly platform

Understanding Android platforms
• Android file system/Dalvik
• Application Distribution
• Permissions
• Introduction to Android SDK and useful files
• Understanding Android application key components
• Running application in Android emulator
• Key ADB commands to play with Android emulator

Set up Attack environment
• Intercepting traffic
    o Configuring emulator to use proxy
    o Configuring device to use proxy
    o Overcoming SSL traffic interception challenges
    o DNS Kung fu
• Analysis tools
• Monitoring tools
• Reverse engineering tools

Attacking Android applications
• Insecure storage
    o Internal storage
    o External storage
    o Shared secret
• Insecure network communication – Carrier network security & WiFi network attacks
• Unauthorized dialing, SMS
• UI Impersonation/Spoofing
• Activity monitoring and data retrieval
• Sensitive data leakage
• Hardcoded passwords/keys
• Keyboard cache/Clipboard issue
• Reading information from SQLite database
• Attacking Manifest file permissions
• Analyzing local storage with file system monitoring
• Business Logic attacks
• Using AFE to create malicious APK
• Sending signals over WiFi/mobile network
• Decompiling Android Applications
• Attacking intellectual property by attacking Android binaries

Secure coding for Android Applications and source code analyzer
• Secure coding for Android Applications
• Using randomization
• Safe/Unsafe APIs
• Validating Input and Inter-process Communication
• Controlling access with manifest
• Static Code Analyzer for Android
• Protecting intellectual property in Android applications

HTML5 Applications on Mobile stack

Working with HTML5 applications on Mobile
• HTML5 specs for mobile
• Touch/Moving in mobile applications using HTML5
• Hybrid applications and their permission model
• HTML5 tags supported on mobile platforms

HTML5 Attacks on Mobile
• LocalStorage stealing
• SQLite injections
• Click/Tap Jacking
• Business Logic attacks
• JavaScript reverse engineering

Advanced Review techniques
• Pentesting using automated tool – iAppliScan
• Reviewing iOS application without jailbreaking device
• Leveraging monitoring in Android to review Android application
• Exploiting XSS on WebView
• Modifying binary cookie file to steal session
• Leveraging AFE for Android exploitation
Hands-on:
All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise. Working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit vulnerabilities present in the applications and suggest appropriate defense strategies. Mobile applications running on iPhone, Android and Hybrid will be provided for testing. Also, participants will be building a small application to capture important concepts of development as well.

Hemil Shah, CISSP, CSSLP, ACP is the founder and Director of eSphere Security, a company that provides professional services in the security arena. He has worked with HBO, KPMG, IL&FS and Net-Square in the security space. He has published several advisories, tools, and whitepapers, and has presented at numerous conferences. Hemil is an expert in Mobile Application Security and Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews and mobile application security reviews.

Powershell for Penetration Testers

Nikhil Mittal (Hacker)

PowerShell has changed the way how Windows is used, secured and also the way Windows is 0wned. It is an automation platform for everybody; developers, defenders and attackers. PowerShell provides easy access to almost everything in a Windows machine and network. It comes installed by default in modern versions of Windows. During a penetration test, it could be really helpful to use this powerful shell and scripting language for further attacks.
This training would help anyone who wants to know more about PowerShell from a security perspective. If you are a defender, you could learn how this attack vector can be used against a corporate environment. If you are a pen tester, you would learn how to use PowerShell for pen testing in a Windows environment. You will learn various techniques like privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain text, persistence, pivoting, in-memory code execution, using top sites as C&C, web shells, bots... the list goes on.
Learning how to use a target environment for your purpose is crucial in pen tests. Open source tools which help in achieving this would also be discussed including those written by the trainer. The training aims to bring PowerShell goodness to security professionals and includes hands-on in a lab environment and CTF like exercises. You would be able to write your own scripts for security testing after this training. This training aims to forever change how you pen test a Windows based environment.

Course Content
1. Introduction to PowerShell
2. Using ISE, help system, cmdlets and syntax of PowerShell
3. Writing simple PowerShell scripts
4. Functions, Objects, Pipeline, Jobs and Modules
5. Recon, Information Gathering and the like – Tools written/integrated in PowerShell
6. Vulnerability Scanning and Analysis – Tools written/integrated in PowerShell
7. Exploitation – Usage with Metasploit
8. Post-Exploitation – What PowerShell is actually made for
9. Pivoting to other machines
10. Poshing the hashes™
11. PowerShell with Human Interface Devices
12. PowerShell for Web App Pen testing
13. Achieving Persistence
14. Owning other MS products – SQL Server, Exchange, AD etc.
15. Clearing Tracks
16. Quick System Audits with PowerShell
17. Security controls available with PowerShell

Nikhil Mittal is a hacker, infosec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 5+ years of experience in penetration testing for his clients, which include many global corporate giants.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post-exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Human Interface Devices in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his free time, Nikhil likes to do some vulnerability research and works on his projects.

SAP Security In-Depth

Juan Perez-Etchegoyen (Onapsis, Inc.)

Your SAP platform contains the business crown jewels of your company. However, while leading organizations are protecting their systems from new types of SAP threats, still many are prone to SAP-specific vulnerabilities that are exposing their business to espionage, sabotage and financial fraud risks. This course empowers Security Managers, Internal/External Auditors and InfoSec Professionals to assess their SAP platforms for platform-specific vulnerabilities, exploit them to better understand the involved business risk and mitigate them holistically.

This course provides the latest information on SAP-specific attacks and protection techniques. After an introduction to the SAP world (previous SAP expertise is NOT required), you will learn through several hands-on exercises how to perform your own vulnerability assessments and penetration tests of your SAP platform to identify existing security gaps.

You will understand why even strict user roles and profiles are not enough to protect an SAP system, and how malicious attackers could break into the systems anonymously, even without having a valid user. With a strong focus on the SAP application layer, you will learn the key security aspects of several proprietary components and technologies, such as the SAProuter, SAP Web Dispatcher, SAP Gateway, SAP Message Server, SAP Web Applications (Enterprise Portal, Web Application Server), the SAP RFC and P4 interfaces, SAP Solution Manager, SAP Management Console, SAP-specific backdoors and rootkits, SAP forensics, SAP malware, ABAP vulnerabilities and much more!

You will watch numerous live demonstrations of the most critical attack vectors, and even replicate them yourself in our labs using opensource and free tools, such as Bizploit - the first opensource ERP Penetration Testing framework.

After this intense training, you will be very well equipped to understand the critical risks your SAP platform may be facing and how to assess them. More importantly, you will know which are the best-practices to effectively mitigate them, proactively protecting your business-critical platform. Previous SAP expertise is NOT required!

Juan Perez-Etchegoyen is the CTO at Onapsis, leading the Research & Development teams that keep the company on the cutting-edge of the ERP security industry. As a renowned thought-leader in the SAP cyber security field, Juan is responsible for the architecture of the innovative software solutions Onapsis X1 and Onapsis IPS.

Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP and Oracle. He has discovered and helped SAP AG fix several critical vulnerabilities. Juan also held the first presentation on advanced threats affecting Oracle's JD Edwards applications.

As a result of his innovative research work, Juan has been invited to lecture at several of the most renowned security conferences in the world, such as Black Hat, SANS, OWASP AppSec, HackInTheBox, NoSuchCon and Ekoparty. He also holds private trainings for SAP AG and Global Fortune-100 organizations and is frequently quoted and interviewed by leading publications, such as IDG, DarkReading and PC World.

Suricata Training Event

Victor Julien (Open Information Security Foundation)

Suricata is a high performance Network IDS, IPS, and Network Security Monitoring engine. Open-source and community-owned, Suricata is managed by the non-profit Open Information Security Foundation (OISF). We are excited to offer, exclusively for DeepSec attendees, a unique opportunity to learn Suricata from the Suricata developers. By attending this dynamic, hands-on learning event you will walk away with a great proficiency in Suricata's core technology, tips on troubleshooting, and a chance to bring your questions directly to Suricata's lead developers.

Victor has been active as a software developer in the infosec community for many years. He is the creator of the Vuurmuur firewall project and has been one of the developers of the Snort_inline IPS project. Victor has spent the last years doing contract development on Open Source security software, including significant additions to Snort. At the end of 2007 he started development on the OISF codebase, on which he now leads the development effort. Victor maintains a blog at http://www.inliniac.net/blog/ and uses Twitter at http://twitter.com/inliniac. Victor resides in Amsterdam, The Netherlands.

Keynote: The Measured CSO

Alexander Hutton (IANS Research, "Systemically Important Financial Institution")

One of the most significant changes technology has wrought over the last decade is the current movement to use data and quantification as a means to better our everyday lives. In both our work life and leisure life, almost no aspect of modern life has escaped our desire to become better using evidence, data, and quantitative methods.

This talk discusses one method to help a Security Department build a better understanding of historically amorphous goals like "effectiveness, efficiency, secure, and risk" using data and models.

Alex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is a VP in Information Security for a "Systemically Important Financial Institution." A former principal for Research & Intelligence with the Verizon Business RISK Team, Alex also helped produce the Verizon Data Breach Investigation and Verizon's PCI Compliance report, was responsible for the VERIS data collection and analysis efforts, and developed information risk models for their Cybertrust services. Alex is a veteran of several security start-ups.

Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts (http://societyinforisk.org/), and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog (http://www.newschoolsecurity.com). Some of his earlier thoughts on risk can be found at the Riskanalys.is blog (http://www.riskanalys.is).

On the Effectiveness of Full-ASLR on 64-bit Linux

Hector Marco (Departamento de Informática de Sistemas y Computadores - Universitat Politècnica de València)

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique, since all the sections are loaded at random locations.

We have identified a security weakness in the implementation of ASLR in GNU/Linux when the executable is PIE compiled. A PoC attack is described to illustrate how the weakness can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: the No-eXecutable bit (NX), address space layout randomization (ASLR) and the stack smashing protector (SSP). A remote shell is obtained in less than one second.

Finally, after analyzing different mitigation alternatives we conclude that a new ASLR design is needed. We propose an alternative to the current ASLR implementation which increases the effective entropy and removes the discovered weakness.

http://hmarco.org/

CERT.at's Daily Business in a Nutshell

Christian Wojner (cert.at)

This talk provides exclusive insights into the daily business of the national computer emergency response team (CERT) of Austria, CERT.at. It explains what a national CERT really does and how it's done, and answers questions like what is nationally relevant and what is not, how to find the most appropriate point of contact, or even how many people it takes. The talk dives deep into the specific details, even explaining the tools actually used, publicly available ones as well as homebrewed software.

Christian Wojner is one of the core team members of the national and governmental computer emergency response team of Austria (CERT.at). In this respect he is responsible for malware analysis, reverse engineering and forensic investigations on Microsoft Windows boxes. Furthermore, Christian is the author of various articles, technical papers and software tools, and frequently gives talks specifically focusing on malware analysis.

Java's SSLSocket: How Bad APIs Compromise Security

Dr. Georg Lukas (rt-solutions.de GmbH)

Internet security is hard. TLS is almost impossible. Implementing TLS correctly in Java is "Nightmare!". This talk will show how a badly designed security API introduced over 15 years ago, combined with misleading documentation and developers unaware of security challenges, causes modern smartphone applications to be left exposed to Man-in-the-Middle attacks.

Georg Lukas obtained his Ph.D. degree in 2012 in the context of wireless protocol design. Since then, he has been working as an IT security consultant at rt-solutions.de GmbH, based in Cologne.

Addressing the Skills Gap

Colin McLean (Abertay University, Dundee, Scotland)

Mark Weatherford of the US Department of Homeland Security has stated “The lack of people with cyber security skills requires urgent attention. The DoHS can’t find enough people to hire”. The United Kingdom's National Audit Office has also stated “This shortage of ICT skills hampers the UK’s ability to protect itself in cyberspace and promote the use of the internet both now and in the future”.

It is evident that there is a world-wide cyber-security skills shortage but what can be done about it?

The University of Abertay Dundee in Scotland was the first university to offer an undergraduate “hacking” degree in the UK, starting in 2006. The course is now widely recognised in the UK as a vocational supplier of security testing graduates, with many of the graduates receiving several job offers before they've even completed the course.

This talk focuses on the experiences of running the course and examines how the cyber security skills shortage can be addressed. Some of the issues discussed will be:

Academia: There are many degrees with titles sounding like they may be producing the correct graduates; however, does the content match the type of skills required?

Industry: What can the security industry do to influence the content of academic courses to enable the correct type of graduate to be produced?

Colin McLean is a lecturer in Computing at the University of Abertay Dundee in Scotland. In 2006, he developed what is believed to be the world’s first undergraduate degree with the word “Hacking” in the title. The BSc in Ethical Hacking at Abertay University in Dundee, Scotland has since become one of the main providers of graduates to the security testing industry in the UK.
Colin has been a lecturer at Abertay University for 23 years and has taught Robotics, Mechatronics, Computer Networking, Computer Programming and now Ethical Hacking. On the non-academic side, he has worked with NCR, R&D Dundee, Scotland on ATM security projects since 2005 and with various UK companies on security issues since around that time. He has previously talked at various security events including BSides London in 2011 and 2012, BruCon 2012, E-Crime Scotland Summit 2013 and BSides Lisbon in October 2013.

A Myth or Reality – BIOS-based Hypervisor Threat

Information Security Specialist

The talk is a status report of BIOS-based hypervisor research.

Our guest information security scientist is known for original works on Information Security Management and for investigative-style articles and presentations. He holds a PhD in computer science and is a certified information security professional.

Safer Six - IPv6 Security in a Nutshell

Johanna Ullrich (SBA Research)

The history of computers is full of underestimation: 640 kilobytes, 2-digit years, and 32-bit Internet addresses. IPv6 was invented to overcome the latter as well as to revise other drawbacks and security vulnerabilities of its predecessor IPv4. Initially considered the savior in terms of security because of its mandatory IPsec support, it turned out not to be the panacea it was thought to be. Outsourcing security to IPsec but eventually removing that requirement, as well as other design decisions, led to a number of vulnerabilities. They range from the already known spoofing of answers to link-layer address requests to novel possibilities for node tracking. In an effort to fix them, a large number of updates has been introduced. This talk discusses security and privacy vulnerabilities of IPv6 and their current countermeasures. Further, we focus on three remaining challenges for IPv6 security, namely address assignment and structure, securing local network discovery, and address selection for reconnaissance.

I received a BSc in electrical engineering and information technology in 2010, and an MSc degree in automation engineering in 2013, both from Vienna University of Technology. My diploma thesis has already focused on IPv6 compression in power line communication. At this time, I gained various merits for outstanding academic achievements. Currently, I am pursuing my Ph.D. at Vienna UT. Further, I am working for the research center for IT security SBA Research and teach students of different ages. My main research interests include network security, security in clouds, cyber-physical system security and any combination thereof.

Reliable EMET Exploitation

René Freingruber (SEC Consult Unternehmensberatung GmbH)

The Enhanced Mitigation Experience Toolkit (EMET) is an application developed by Microsoft which adds an additional layer of security to applications to prevent attackers from exploiting vulnerabilities in them.

It can be used to globally enable system mitigation techniques such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) or Structured Exception Handler Overwrite Protection (SEHOP). In addition, special per-process protections can be added, such as various Return-Oriented Programming (ROP) protections (LoadLibrary, MemProt, Caller, SimExecFlow, StackPivot), Export Address Table Access Filtering (EAF and EAF+) to prevent execution of shellcode, pre-allocations to defeat heap spraying and kernel exploitation, additional randomization (bottom-up randomization and mandatory ASLR) and advanced mitigations (deep hooks, anti detours and banned functions) to prevent different types of attacks.

If an application supports DEP together with full ASLR, the difficulty of writing a reliable exploit increases dramatically. The typical approach to defeat DEP is to use ROP to disable it. ROP builds on the idea of returning (or jumping) to small so-called gadgets (pieces of already existing code in the code section which end with a return or jump instruction) and chaining these gadgets together to build new logic (such as logic to disable DEP). If ASLR is supported by all modules of the application, this approach can't be applied directly, because the addresses of such gadgets are randomized by ASLR and thus unknown to the attacker. In such a case the vulnerability must be turned into an information disclosure vulnerability to first leak an address and defeat ASLR. Techniques to accomplish this (e.g. partial overwrites, overwriting the length field of strings, ...) have already been discussed in the past and thus will not be the focus of this talk.

Instead, further techniques will be discussed which can be used to bypass the additional per-process protections of EMET. To apply these techniques, a vulnerability which allows code execution as well as leaking information (to bypass ASLR) is required. These requirements are satisfied by default, because otherwise writing an exploit even for an application not protected by EMET would be impossible.

The aim of this talk is to demonstrate new and more reliable exploitation techniques as well as to discuss in which situations already existing techniques can be applied in a reliable way.

An important goal of exploit developers is to write bypasses in a way that they can easily be ported to other exploits. For example, if a technique requires jumping to already existing code, a naive approach would be to build it application-specific. Instead, the technique can be built on top of the EMET library, which gets injected into all protected applications and thus is a good target to minimize the workload, because the code for the bypass only has to be written once. To apply such techniques, various methods to identify the presence of EMET and to retrieve its image base and version will be shown.

EMET also supports protection techniques not related to memory corruption (like Attack Surface Reduction (ASR) and certificate pinning); however, these will not be discussed during the talk, because its focus is on memory corruption exploitation (e.g. buffer overflows, use-after-free bugs, type confusion attacks and so on).

All techniques are implemented and demonstrated in a real-world Firefox exploit. Even if the vulnerability is older (we at SEC Consult don't want to publish reliably working exploit code for applications which are still in use these days), it is a very interesting vulnerability to study, and together with a highly configurable exploit it's easy to see the different techniques in action. The exploit works reliably against any Windows operating system (Windows XP, Windows Vista, Windows 7, Windows 8, Server 2003, Server 2008, Server 2012, ...), on 32-bit as well as on 64-bit architectures, and is able to bypass EMET in all versions (including EMET 4.1 and EMET 5.0) with all protections enabled.

Microsoft as well as other vendors typically suggest installing EMET to protect the affected application as a workaround for new memory corruption vulnerabilities. The aim of the presentation is to show the audience that attackers can still exploit such protected applications by using one of the many existing techniques.

We at SEC Consult do not believe in putting additional security layers like EMET, DEP, ASLR, application firewalls and so on on top of applications. Rather, we demand from software developers, and especially from the software industry itself, to focus on secure software development instead of forcing their customers to create a chain of security layers to protect their software product.

Protections such as EMET, DEP and ASLR are useful to add an additional hurdle for attackers but are not unbreakable.

René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. During his bachelor thesis he developed more than 700 exploits to study different mitigation techniques implemented by modern operating systems and how they can be bypassed by attackers.

MLD Considered Harmful - Breaking Another IPv6 Subprotocol

Enno Rey, Antonios Atlasis & Jayson Salazar (ERNW GmbH)

Multicast Listener Discovery (MLD) and its successor, MLDv2, are protocols of the IPv6 suite used by IPv6 routers for discovering multicast listeners on a directly attached link, much like IGMP is used in IPv4. Most modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also send MLDv2 traffic at start-up, and repeat it periodically. Despite this out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that has not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These range from OS fingerprinting on the local link by passively sniffing the wire, to amplified DoS attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS implementations conform to the security measures defined by the corresponding RFCs, and if not, what the potential security implications are. Then, by diving into the specifications of the protocol, we will discuss potential security issues related to the design of MLD and how they can be exploited by attackers. Finally, specific mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era. There will be demos and a tool release. ;-)

Enno Rey (@Enno_Insinuator) is a long-term network security geek who loves to explore devices & protocols, and to break flawed ones. He has been involved with IPv6 since 1999.

Trusting Your Cloud Provider. Protecting Private Virtual Machines.

Armin Simma (Vorarlberg University of Applied Sciences, FHV)

SECRETS: My talk is first and foremost about secrets.
Most people refer to data at rest or data in motion by the term "secrets": when we talk about secrets, we usually mean data at rest or data in motion. There are effective measures to protect such data, one of which is encryption. As you write in CfP 2013: "..uses encryption, access control…". Concerning (IaaS) clouds, however, we have data IN EXECUTION. That is, the virtual image / virtual machine (VM) sent to the cloud provider is the secret to be protected. The problem is: this secret must execute on someone else's system. Of course, we cannot simply encrypt the VM and send it to the provider. Homomorphic encryption would be a solution to this problem, but at the time of writing it is academic, i.e. it is not ready (and not secure enough) to be used in real systems. In my talk (and our project) I want to show that it is possible to protect secrets (the VM of the cloud customer) running on the provider's host system using Trusted Computing technology.
FAILURES: Root users (superusers) usually have full control over and full access to a system. In our case the root user at the cloud provider's site has full access to the provider's host system. Thus he has full access to the guest image (i.e. the VM of the customer). What if root performs a wrong or malicious action? He could gain insight into or manipulate the guest image. Here lies a potential failure. In my talk I want to show how to keep root users from causing such failures.
VISIONS: In our project we built a prototype to show that it is possible to build the proposed system. But the technical system is not enough. We need an "ecosystem" to bring our idea to real life. This is my vision: we have a trusted third party (I call it TTT, trusted third tester) that vouches for a trustworthy (in this case thoroughly tested) system and publishes reference hash values to compare with the running system. The cloud customer can use these reference values plus attestation technology to check that a trustworthy system is running on the provider's host. Using so-called sealing technology, the VM will be decrypted on the provider's site only if the provider's system matches the reference hashes.

Studied computer science at the University of Linz, Austria. After several stays abroad to gain work experience, I worked on two projects at CERN, Switzerland. Lecturer at Vorarlberg University of Applied Sciences since 2001, Professor for IT Security since 2007. Research (and teaching) field is IT Security including its "surroundings", i.e. computer networking, operating systems, embedded systems.

A Tale of an Unbreakable, Context-specific XSS Sanitizer

Ashar Javed (Ruhr University Bochum)

Cross-Site Scripting - `An epidemic` nowadays, developers' nightmare, but my love. This talk will present an unbreakable, context-specific (supports five common contexts i.e., HTML, script, attribute, URL and style), practical and easy to use XSS sanitizer. For HTML, script, attribute and style context, I only control 11 meta characters and for URL context, 3 regular expressions and `JOB DONE`.

But before telling you that 78,000+ recorded XSS attack attempts were unable to bypass the sanitizer in five common contexts ... this talk will present context-aware XSS attack methodology and then I will show how I leverage the attack methodology for the development of an unbreakable sanitizer. In fact, I will demonstrate that by looking at the context-specific attack methodology (e.g., XSS attack methodology related to `style` context is a four step process), even a child can code this sanitizer. I will also share the logs of 78K+ XSS attack attempts. The timing, mutation, script-less, browser quirks and Unicode tricks fail here.

Ashar Javed is a research assistant at Ruhr University Bochum, Germany, and is working towards his PhD. He has been listed ten (`X`) times in the Google Security Hall of Fame, on the Twitter/Microsoft/Ebay/Adobe/Etsy/AT&T Security Pages and in the Facebook White Hat list. He has spoken at major security venues such as Hack in the Box, DeepSec, OWASP Spain and OWASP Seminar@RSA Europe.

An innovative and comprehensive Framework for Social Vulnerability Assessment

Enrico Frumento (CEFRIEL Center of Excellence for Innovation, Research and Education in the field of ICT)

As almost everyone knows, spear-phishing is nowadays probably the most effective threat, and it is often used as the first step of most attacks. Even the recent JP Morgan Chase data breach seems to have originated from a single employee (just one was enough!) who was targeted by a contextualized mail. In this new scenario it is hence of paramount importance to include the human factor in companies' risk analysis. However, is every company potentially vulnerable to these kinds of attacks? How is it possible to evaluate this risk through a specific vulnerability assessment?
These are the questions that we will try to address. Since 2010, when we presented our study about a Cognitive Approach for Social Engineering at the DeepSec conference (https://deepsec.net/docs/Slides/2010/DeepSec_2010_Cognitive_approach_for_Social_Engineering.pdf), we have been working on extending traditional security assessment beyond the technology to include the "social" context. In these years we had the opportunity to work on this topic with several large European enterprises, which allowed us to face the difficulties related to the impact of this kind of activity on the relationship between employees and employer, from both the ethical and the legal points of view.
This experience allowed us to develop a specific methodology for performing Social Vulnerability Assessment (SVA), ensuring ethical respect for employees and legal compliance with European work regulations and standards. The legal constraints, which shape the limits of what these assessments can investigate, are quite cumbersome to understand, but we have gained considerable experience, especially within the Italian legal framework, which allows the execution of these studies. We now regularly perform Social Vulnerability Assessments in enterprises as an integrated service. Using our methodology during these years, we performed about 15 Social Vulnerability Assessments in big enterprises with thousands of employees (about 10,000 people in total): this gave us a significant first-hand view of the real vulnerability of enterprises to modern non-conventional security threats.
In this talk, we will share our experience, describing how we do Social Vulnerability Assessment, and will present an overview of the results collected so far. These results may actually help to understand what the risk level related to spear-phishing attacks inside companies is, and some conclusions may be unexpected.

His research activity started at CEFRIEL (www.cefriel.com) in the field of e-health services and telemedicine systems, where he contributed most of his scientific production. Since 1998, he has moved his research interests towards wearable electronic systems and unconventional security. Thanks to his participation in several European projects and specialized task forces, he gained strong experience in the area of cyber-crime and unconventional security. He currently works as a member of CEFRIEL’s security research team, which continues the innovation mission of the centre in the security area (bridging research to enterprises to help their innovation needs). He currently contributes with his research on Secure Code Development, hacking/cracking techniques (Reverse Code Engineering and Code Hardening) and the evolution of social engineering. Moreover, in collaboration with the CEFRIEL security team, he conducted several on-field Social Vulnerability Assessments with big enterprises. He is also a member of the DCC (Microsoft Digital Crime Community) and participates in the EECTF (European Electronic Crime Task Force).

Bending and Twisting Networks

Paul Coggin (Dynetics, Inc)

Learn about network attack vectors that an adversary can use to control and influence network traffic flows and to exfiltrate data by exploiting network devices and protocols in the LAN, WAN and Cloud. Defensive methods and techniques for monitoring and protecting against the outlined attack vectors will be discussed. This presentation explores advanced methods and techniques that penetration testers, network engineers and security auditors need to understand about network infrastructure and protocols.
Strategies for attacking network infrastructure
Undocumented method for tunneling IPv6
Layer 3 LAN-based MITM attack
Methods for exfiltrating data from the core network infrastructure, including MPLS core network infrastructure
Router tricks that penetration testers need to know
Often overlooked network trust relationships, integration, dependencies and interdependencies
Features hackers know about routers that need to be understood by auditors and network administrators
Switch security, the Achilles heel of networks everywhere, and what to do about it
Ensure that you know when someone is twisting and bending your network infrastructure to suit their purposes
Advanced service provider technologies that can be utilized by an attacker to enable data exfiltration and WAN-based MITM attack vectors, and to manipulate and override routing paths

Paul Coggin is an internetwork consulting solutions architect with Dynetics, a Huntsville, Ala.-based mid-tier company that provides complete lifecycle analysis, engineering, information technology and hardware solutions to support customer missions. Coggin is responsible for architecting and securing large complex tactical, critical infrastructure and service provider networks. His expertise includes tactical, service provider and ICS\SCADA network infrastructure hacker attacks, and defenses, as well as large complex network design and implementation. His experience includes leading network architecture reviews, vulnerability analysis, and penetration testing engagements for critical infrastructure and tactical networks. Coggin is a frequent speaker on cyber security offense and defense issues related to service provider and critical infrastructure. He has presented at conferences around the world.

He is a Cisco Systems Certified Instructor #32230, Certified EC-Council Instructor, and certified SCADA security architect. He has a bachelor’s degree in mathematics, a master’s in Computer Information Systems and a second MS in information assurance and security. He is currently pursuing a master's degree in systems management. In addition, he holds a wide array of certifications from Cisco, EC-Council, (ISC)² and other computer security organizations.

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Juraj Somorovsky (3curity / Ruhr University Bochum)

As a countermeasure against the famous Bleichenbacher attack on RSA-based ciphersuites, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose “to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks”. In this talk we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.
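The RFC countermeasure the abstract quotes is easiest to see next to the handling it replaces. The following is an added example, not code from the talk or from any of the implementations it analyses: a naive ClientKeyExchange handler whose error path differs per padding defect, beside the RFC 5246 7.4.7.1 handling that picks a random PreMasterSecret up front and always continues. The RSA decryption step is assumed to have already happened, the 1024-bit modulus size and the sample blocks are constructed, and the premaster secret is taken to be a TLS 1.2 one.

```python
"""Bleichenbacher countermeasure from RFC 5246 section 7.4.7.1, shown beside
the naive handling it replaces. Added example; inputs are constructed."""
import secrets

PMS_LEN = 48            # a TLS premaster secret is always 48 bytes
TLS12 = b"\x03\x03"     # assumed ClientHello.client_version for the example


def naive_pms(block: bytes, client_version: bytes) -> bytes:
    """Leaky handler: each check is an early exit with its own outcome, so a
    peer can tell which check failed (by alert, by timing, or by both)."""
    if len(block) < 11 or block[0:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 header")
    sep = block.find(b"\x00", 2)
    if sep < 10:                      # at least 8 non-zero padding bytes
        raise ValueError("bad padding")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad premaster length")
    if pms[:2] != client_version:
        raise ValueError("bad version")
    return pms


def ct_select(cond: int, a: bytes, b: bytes) -> bytes:
    """Return a if cond == 1 else b, using a mask instead of a branch."""
    mask = (-cond) & 0xFF             # 0xFF when cond == 1, 0x00 otherwise
    return bytes((x & mask) | (y & ~mask & 0xFF) for x, y in zip(a, b))


def hardened_pms(block: bytes, client_version: bytes, modulus_len: int) -> bytes:
    """RFC 5246 7.4.7.1: choose R first, evaluate every check with uniform
    control flow, and select the result at the end. A malformed block yields
    client_version || R and the handshake later fails at Finished, exactly
    as a block carrying a wrong version would. (CPython cannot promise true
    constant time; the point shown is the uniform outcome and control flow.)"""
    fallback = client_version + secrets.token_bytes(PMS_LEN - 2)
    # The block length equals the RSA modulus length and is public.
    block = block.ljust(modulus_len, b"\x00")[:modulus_len]
    sep = modulus_len - PMS_LEN - 1   # where the 0x00 separator must sit
    bad = block[0] ^ 0x00             # leading 0x00
    bad |= block[1] ^ 0x02            # block type 2
    for i in range(2, sep):           # padding bytes must all be non-zero
        bad |= ((block[i] - 1) >> 8) & 1
    bad |= block[sep]                 # separator must be 0x00
    good = 1 - (((bad | -bad) >> 8) & 1)   # 1 iff bad == 0, branch-free
    # RFC: pre_master_secret = client_version || M[2..47]; the version bytes
    # are overwritten unconditionally, so a version mismatch is not an oracle.
    candidate = client_version + block[sep + 3:]
    return ct_select(good, candidate, fallback)


def observable_outcomes(handler, blocks) -> set:
    """What a network peer can distinguish: the set of outcomes over blocks."""
    seen = set()
    for b in blocks:
        try:
            handler(b)
            seen.add("continue")
        except ValueError as e:
            seen.add("alert:" + str(e))
    return seen


# Constructed test vectors for a 1024-bit modulus (128-byte blocks).
MODULUS_LEN = 128
REAL_PMS = TLS12 + bytes(range(46))
GOOD_BLOCK = (b"\x00\x02" + bytes([0x5A] * (MODULUS_LEN - 3 - PMS_LEN))
              + b"\x00" + REAL_PMS)
BAD_HEADER = b"\x00\x01" + GOOD_BLOCK[2:]                 # wrong block type
BAD_SEP = GOOD_BLOCK[:50] + b"\x00" + GOOD_BLOCK[51:]     # separator too early
SAMPLES = [GOOD_BLOCK, BAD_HEADER, BAD_SEP]

if __name__ == "__main__":
    print("naive   :", observable_outcomes(lambda b: naive_pms(b, TLS12), SAMPLES))
    print("hardened:", observable_outcomes(
        lambda b: hardened_pms(b, TLS12, MODULUS_LEN), SAMPLES))
```

The naive handler exposes three distinguishable outcomes for the three sample blocks, the hardened one exactly one.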

Dr.-Ing. Juraj Somorovsky finished his PhD in the area of XML Security in 2013. In his thesis „On the Insecurity of XML Security“ he analyzes various attacks on Web Services and presents practical countermeasures against these attacks, which were adopted in XML Security specifications and in countless frameworks and applications. He has presented his work at many scientific and industry conferences, including Usenix Security and OWASP Germany. Currently, he works as a Postdoc at the Chair for Network and Data Security, where he focuses his research on Web Security analysis and attacks, and teaches different security-relevant subjects. In parallel, he works as a security specialist for 3curity GmbH, a company he co-founded.

Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT)

Benjamin Brown (Akamai Technologies)

When gathering open source data and transforming it into actionable intelligence, it is critical to recognize that humans are not objective observers. Conscious and unconscious assumptions drive analysts' choices about which data to analyze and how much importance to ascribe to each resource. Furthermore, analysts' personal conceptual frameworks about reality and how the world works can undermine the process of objectively translating data into intelligence. These implicit assumptions, otherwise known as cognitive biases, can lead to missed data, skewed intelligence, illogical conclusions, and poor decision making. In this presentation I will illustrate some of the cognitive biases relevant to OSINT and what can be done about them.

Benjamin Brown currently works on systems safety, adversarial resilience, and threat intelligence at Akamai Technologies. He has experience in non-profit, academia, and the corporate world as well as degrees in both Anthropology and International Studies. Research interests include the psychology, anthropology, and sociology of information security, threat actor profiling, and thinking about security as an ecology of complex systems.

Build Yourself a Risk Assessment Tool

Vlado Luknar (Orange Slovensko a.s. (France Telecom Orange Group))

Risk assessment should reflect the overall security knowledge and experience accumulated over the years in the company. This knowledge is company-specific, and applying it should not depend on, or be bound to, any proprietary methodology, vendor or product. The never-ending quest for the "best" tool or methodology is a futile exercise.
Existing commercial or free tools are (often) made by programmers, process/audit/compliance “gurus” and other people who have never managed security in a real company.
The consequence is that you'll spend 80% of your time on things which solve only 20% of your real security needs.

In the end it is you, the security specialist, who adds the most value to a risk assessment / threat modelling process for your company. A practical risk management process supported by a custom-made tool is a vehicle through which you can actually demonstrate how to link security to business goals.

The presentation will demonstrate that it is quite easy to capture your overall security knowledge in a home-made, free-of-charge tool. The examples will be built using a specific open-source wiki.

For the last fifteen years Chief Security Officer for Orange Slovakia, specializing in ISMS and risk assessment.
Before 1999 at Digital Equipment. MBA in information systems, CISSP, CISM, CISA, ISO 27001 Lead Implementer, CSSLP (pending June 2014).

Social Engineering can kill me, but it can't make me care

Gavin 'Jac0byterebel' Ewan (Alba 13)

We are losing the battle, and quite frankly the war, against the conman, the trickster, but not the social engineer.

I have to hold my hand up and admit that I've been duped; I've been had; I've been scammed by the greatest con of all time, social engineering. No, this isn't where I tell you this talk is about the tricks we all fall for, to err is human, there's no patch for human stupidity and all that crap. You've heard all that before. No, the greatest con of all time is 'Social Engineering' itself, or at least how we as a collective whole view it. 'Social Engineers' are our construct, our hypothetical, nay, mythical bad guy/gal. We have all fallen for it, and I am more guilty than most, having been typecast as a 'Social Engineer', and revelling in it. Well, enough is enough.

This talk is a journey, starting with why even the term 'Social Engineering' is wrong and moving on to how we have evolved as an industry to pick up (and implement) some very bad practices and viewpoints on the use of such ageless techniques. In my usual, Jac0byterebel trademark style, I will rant, I will swear, I will name and shame, I will piss many off, but win the hearts and minds of so many more. I will leave you, the attendee, the viewer, in no uncertain doubt as to the sins of our fathers.

All of the above would be an utterly useless venture without providing solutions, takeaways we can use right away, not in some hypothetical scenario or roleplay, but in real life. Starting with the most rudimentary of fixes, a simple name change, you will be taken along the final stages of this journey and shown that all is not lost. We have learned much over the years but do not apply the knowledge in the way we should. We have many fonts of inspiration that have brought us to where we are, but are missing many more, sources of far greater value that can change the game.

At the danger of sounding like the high school coach we all loved to hate, I ask you this 'Do you want to win the battle against the real enemy?'. Then come journey with me for an hour. Don't want to win? Get out of my talk, hell, get out of my industry!

Jac0byterebel is a ranty, shouty, sweary Scotsman, who is most certainly not your typical social engineering presenter. Out goes the snake oil sale of analysing the minutiae of pop psychology and trying to squeeze out real answers to the questions asked during a real attack. In come hard-hitting accounts of attacks drawn from real sources but anonymised to protect the pwned.

Mobile SSL Failures

Tony Trummer & Tushar Dalvi (Linkedin)

  1. Mobile SSL Failures
  2. Failure to validate Certificate Authorities - Approximately 40 well-known apps
  3. Failure to validate Certificate Hostnames - Approximately 40 well-known apps
  4. Failure to encrypt at all - Tens of millions of passwords and credit cards
  5. Recent FTC settlement related to this topic
  6. Review of why physical security isn't assured with mobile
    - Smudge attacks
    - No screen lock
    - Screen lock bypass
    - Creating invisible MitM attacks
    - Creating persistent MitM attacks
  7. SSL Session caching exploit
  8. A fool-proof defensive coding approach

We will discuss how prevalent SSL certificate validation failures are in very popular applications. We will show how some popular applications failed to encrypt traffic at all, resulting in the leakage of tens of millions of users' data. We will cover recent U.S. Government penalties that companies who fail to protect data may be subject to. We will discuss a new attack, particularly applicable to mobile and especially to the Android platform, which potentially allows for a persistent MitM attack that is undetectable on the device itself. Lastly, we will cover how organizations can implement a fool-proof method to protect themselves against this mistake.

Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate, and has been known to dust his skateboard off from time to time.

Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.

Cyber Security Information Sharing

Oscar Serrano (NATO Communication and Information Agency)

Organizations operate increasingly in a coalition and federated environment, and the necessity of relying on each other’s information systems in such an environment increases the need to exchange various types of cyber security information, such as data on vulnerabilities, threats and incidents at both the strategic and tactical levels. However, information sharing between partners remains a critical requirement that is only partly met by various approaches that do not deliver the required efficiency and effectiveness.
It is also becoming increasingly apparent that given the complexity of modern CIS and the speed at which cyber-attacks progress, there is a need to develop highly automated cyber security capabilities. The ideal responses in a number of current and future cyber-attack scenarios rely on the use of automated processes. Since automation is a function on a set of input data, the correctness of this input data is critical. Input data must therefore be both comprehensive and accurate. However, collecting and assuring the quality of the cyber security data required to support automation is a daunting task that few, if any, organisations can actually perform. In a coalition environment, it is necessary to pool expert resources in a burden-sharing arrangement to collect and assure cyber security data. It is also necessary to allow for the commercial outsourcing of this work.
 
This presentation introduces the main problems that organizations face when sharing Cyber Security information and proposes solutions that, once implemented, would enable the development of a comprehensive platform for Cyber Security information sharing.
 
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the NATO Communications and Information Agency, nor does it represent an endorsement of any kind.
Oscar Serrano holds PhD, master's and bachelor's degrees in Computer Engineering. He has worked for more than 12 years as a consultant and researcher for large international companies, including Telefonica, Vodafone, the Austrian Institute of Technology, Siemens and Eurojust. In August 2012, he joined the North Atlantic Treaty Organization (NATO) as a senior scientist in the field of Cyber Security, where he supports NATO efforts to improve the cyber defence capabilities of the alliance.
His research interests include Cyber Security information sharing, detection of advanced threats, risk analysis and management, policy and governance development, and cyber law.



Social Authentication: Vulnerabilities, Mitigations, and Redesign

Marco Lancini (CEFRIEL - Politecnico di Milano)

As social networks have become an integral part of online user activity, a massive amount of personal information is readily available to such services. In an effort to hinder malicious individuals from compromising user accounts, high-value services have introduced two-factor authentication to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication (SA), which requires users to identify some of their friends in randomly selected photos to be allowed access to their accounts.

In this thesis, we first studied the attack surface of social authentication, showing how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook. We have empirically calculated the probability of an attacker obtaining the information necessary to solve SA tests when relying on publicly accessible data as well as following a more active approach to gather restricted information, and we have then designed an automated attack able to break the SA, to demonstrate the feasibility of carrying out large-scale attacks against social authentication with minimal effort on behalf of an attacker.

We then revisited the Social Authentication concept and proposed reSA, a two-factor authentication scheme that can be easily solved by humans but is robust against face-recognition software. Our core concept is to select photos in which state-of-the-art face-recognition software detects human faces, but cannot identify them due to certain characteristics. We implemented a web application that recreates the SA mechanism and conducted a user study that sheds light on user behavior regarding photo tagging, and demonstrated the strength of our approach against automated attacks. 

Marco Lancini has recently obtained a M.Sc. degree in Engineering of Computing Systems at Politecnico di Milano, where he was a member of the Computer Security Group, under advice from Prof. Stefano Zanero.

Since May 2013 he is a Security Researcher and Consultant at CEFRIEL (ICT Center of Excellence For Research, Innovation, Education and Industrial Labs partnership), where he works across several aspects of computer security. His principal research interests are mobile security, privacy, and web applications' security.

TextSecure and RedPhone - bring them to iOS

Christine Corbett (Open WhisperSystems)

I will talk about Open WhisperSystems' iOS efforts, including a general overview of the protocols as well as specifics of the challenges and rewards of managing an active repository for open source iOS development.

MIT educated, I'm an astrophysicist, software developer and cryptographer. Lead of iOS team at Open WhisperSystems.

Advanced Powershell Threat: Lethal Client Side Attacks using Powershell

Nikhil Mittal (Hacker)

APT - a buzzword which refuses to die. Let's have some fun with it, let's move it to PowerShell. This talk will focus on using PowerShell for client side attacks.

PowerShell is an ideal platform for client side attacks as it is available on all Windows machines. We will see how easy and effective it is to use PowerShell for various client side attacks like drive-by downloads, malicious attachments, Java applets, Human Interface Devices etc.

The payloads which will be used with these attacks include in-memory code execution, dumping passwords and system secrets in plain text, backdoors, keyloggers, moving to other systems, reverse shells etc.

The code used in the talk will be released as open source. The talk will be full of live demonstrations.

Nikhil Mittal is a hacker, infosec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post-exploitation research. He has 5+ years of experience in penetration testing for his clients, which include many global corporate giants.

He specializes in assessing security risks in secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using Human Interface Devices in penetration tests and PowerShell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Human Interface Devices in penetration tests, and Nishang, a post-exploitation framework in PowerShell. In his free time, Nikhil does some vulnerability research and works on his projects. He has spoken/trained at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest and more.

SAP BusinessObjects Attacks: Espionage and Poisoning of Business Intelligence platforms

Juan Perez-Etchegoyen (Onapsis, Inc.)

Business executives make their strategic decisions and report on their performance based on the information provided by their Business Intelligence platforms. Therefore, how valuable could that information be for the company’s largest competitor? Even further, what if the consolidated, decision-making data has been compromised? What if an attacker has poisoned the system and changed the key indicators?
SAP BusinessObjects is used by thousands of companies world-wide and serves as the gold standard platform for Business Intelligence. In this presentation we will discuss our recent research on SAP BusinessObjects security.
Specifically, through several live demos, we will present techniques attackers may use to target and compromise an SAP BusinessObjects deployment and what you need to do in order to mitigate those risks.

Juan is the CTO of Onapsis, leading the Research & Development teams that keep the Company at the cutting edge of the ERP security industry. Juan is responsible for the design, research and development of Onapsis' innovative software solutions Onapsis X1 and Onapsis IPS, as well as the Company's future products.

Being the founder of the Onapsis Research Labs, Juan is actively involved in the coordination and research of critical security vulnerabilities in ERP systems and business-critical applications, such as SAP, Oracle and JD Edwards. He is also credited for being the first to present on advanced threats to Oracle JD Edwards applications, having discovered numerous critical vulnerabilities in this platform.

As a result of his innovative research work, Juan has been invited to give trainings and presentations at some of the most renowned security conferences in the world, such as BlackHat, OWASP and HackInTheBox, as well as to host private trainings for Global Fortune-100 organizations.

SENTER Sandman: Using Intel TXT to Attack BIOSes

Xeno Kovah (MITRE)

At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our “Smite’em the Stealthy” PoC which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU which utilizes Intel Trusted Execution Technology in order to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs) effectively putting the SMM MitM, Smite’em, to sleep.

But if you’ve been following our work (specifically “Defeating Signed BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”) you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC “Sandman” attack using the same infrastructure as Copernicus 2. We will also explain the caveats to both the secure function of Copernicus 2 and the ability of Sandman to attack a system. We will also cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you’re vulnerable, and what you may be able to do about it.

Xeno Kovah leads a team of 5 researchers focusing on low level PC firmware and BIOS security. His specialty area is stealth malware and its ability to hide from security software and force security software to lie and report the system is clean when it is not. To combat such attacks he researches trusted computing systems that can provide much stronger guarantees than normal COTS. He is also the founder and lead contributor to OpenSecurityTraining.info, where he has posted 8 days of material on x86 assembly, architecture, binary formats, and rootkits.

Why IT Security Is Fucked Up And What We Can Do About It

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

IT Security is in a miserable state. The problems have been discussed again and again without advancing IT Security.

Discussing the key length of AES is necessary, but not the peak of IT Security, as long as users choose weak passwords, developers implement buffer overflows and vendors deliver faulty banana software.

IT Security research did not adapt well to the challenges of IT security. Instead of focusing on fields like man-machine interaction, perception of security by users and developers or political measures like producer's liability the same simple problems are discussed again and again.
This is not surprising, since Computer Science is a trivial science and only successful because it ignores hard problems like human behaviour.

This rant will give an overview about what's wrong in IT Security and Security Research. I will show you why cryptosystems really fail, what Psychology knows about security and what IT Sec has to do if it ever wants to break the current circle jerk and start generating more security.

Stefan Schumacher is head of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and currently running a research programme about the psychology of security. This includes social engineering, security awareness and qualitative research about the perception of security.

The prime Suspect is the Butler cause he holds all the “Keys”

Jesús Torres (CEO 11Paths) & Sergio de los Santos (Labs 11Paths)

In recent years many efforts have been invested in the detection of malicious mobile applications for the Android operating system. These efforts have focused on dynamic analysis sandboxing based on complex, tedious and slow processes that exploit the analysis of binary code. This research explores the potential of detecting malicious apps on Android platforms by analysing only the permissions of each apk. The key of the analysis introduced here is to improve the accuracy of detection by minimizing the false negative rate. This way it has been possible to propose a first-stage approach that reduces the workload of traditional analysis by reducing the set of suspected applications. To obtain the results we have carried out massive experimentation involving over 750 000 applications from different markets (Google Play, …). Exploiting the results of antimalware tools, an automated analysis has allowed us to infer a very particular behaviour in these malicious apps, modelled as a combination of specific permissions. This knowledge has allowed the use of machine learning algorithms to determine whether a given app is suspected of being malicious or not. This preliminary analysis allows a significant reduction of the problem to be solved by traditional solutions, reducing, by extension, the time that elapses until an app is analyzed. In addition, independence from code analysis makes it possible to detect some malicious apps that cannot be detected by signature comparison.

Authors: Sergio de los Santos, Alfonso Muñoz and Chema Alonso

[Jesús Torres]

Currently he is head of labs at Eleven Paths, responsible for creating new projects, tools and prototypes. In the past (2005-2013), he was a technical consultant at Hispasec (where VirusTotal was developed) for 10 years, responsible for several services in the company (antifraud, vulnerability alerts... mostly bank industry oriented), and responsible for the most veteran security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator at G2Security and Forzis Security Solution, and as network administrator for a big network. He has a degree in informatics, is a former CISA and former PCI Qualified Security Assessor, MVP Consumer Security 2013 and 2014, and is a regular speaker at conferences in Spain and teacher of different courses, masters and lectures at universities and private companies.

 

[Sergio de los Santos]
Currently he is head of labs at Eleven Paths, responsible for creating new projects, tools and prototypes. In the past (2005-2013), he was a technical consultant at Hispasec (where VirusTotal was developed) for 10 years, responsible for several services in the company (antifraud, vulnerability alerts... mostly bank industry oriented), and responsible for the most veteran security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator at G2Security and Forzis Security Solution, and as network administrator for a big network. He has a degree in informatics, is a former CISA and former PCI Qualified Security Assessor, MVP Consumer Security 2013 and 2014, and is a regular speaker at conferences in Spain and teacher of different courses, masters and lectures at universities and private companies.

 

 

Trap a Spam-Bot for Fun and Profit

Attila Marosi (SophosLab, Senior Threat Researcher)

Most honeypot systems pretend to be vulnerable or badly configured systems in order to gather information about unknown attackers and the techniques they use during their attacks. In my research, I changed this approach a little bit.

In my lecture I will share the results of my research, which is about how to trap a botnet variant to collect valuable information directly from the bad guys. It is a kind of honeypot where the malware is allowed to run in a dedicated and carefully separated network (network sandboxing) to do its dirty job. The infected machine can communicate with the Command and Control (C&C) servers, but all other network connections are only simulated. As a result of this “cheat”, the C&C servers and the bot think they have the ability to spread the spam emails. In reality, all the messages, and any other network actions, are just emulated (they do not threaten the world), and the only result of their activities is that we get all the spam and all the malware variants they try to spread during the campaigns.

By observing and monitoring a working botnet you can gain more knowledge and information about it. We get everything: not just the spam samples they are trying to send, but also the C&C network they are using, and you are able to collect information about other victims (typically infected sites) which are used by the botnet. With this intel you can easily eliminate the damage of the botnet, and you could help others in the world – if you share the information with others. ☺
In most cases a spam message has a link to somewhere, but these links usually do not point to the destination address directly but to a legitimate and (!)infected site, to make detection harder and the reaction slower. The spammers also use URL-shortener services to hide the real destination of the link. By analysing the spam messages (extracting the link, following it to its destination) we can disclose the final destination, thus we can easily collect all the victim server URLs and all the malicious short links. With this information we can alert the victims and block the malicious addresses as well.

During the presentation we will also walk through a quick guide on how to set up a trap like this, and which free tools can be used to handle the problem of network sandboxing and network service emulation.
I will also share the statistical results of using this trap, which provide real-life information about spam botnets and their activities. As a sneak peek: only (!)one spam bot can spread almost 800K messages a week, and each of them is a little bit different; but if we had all the spam messages and all the new malware variants at the same minute as they start to spread, I think we would be in a good position. This is the purpose of this research.


Educational value of the topic:
The audience will see:
- how a typical spam-bot works
- how the bad guys spread spam (advertising) messages and malicious files through the botnet
- how they spread the malware to keep the network alive and growing
- how often they release a new polymorphic version and how often they release a really new one
- what the relation is between spam and infected sites
- a demonstration of how to set up a trap, and which free tools can be used in this project
- the collected and summarized statistical data about the activities of the bot (the current dataset was generated in 10 days, but the trap is still working and available, so it is still growing)

Technical level of the topic:
It is likely every IT security professional (technical experts and managers as well) will understand what I am speaking about. The logic of the trapping concept is quite simple, and playing with virtual machines is nowadays quite an ordinary thing. Network sandboxing is also easily understandable.

Attila Marosi has been working in the information security field since he started working. As a lieutenant on active duty he worked for almost a decade on special information security tasks within the Special Service for National Security. After that he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLab as a Senior Threat Researcher.
He has several international certificates such as CEH, ECSA, OSCP, OSCE. In his free time he also gives lectures and does some teaching at different levels, on top of that for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC, AusCERT, Troopers, and Ethical Hacking.

Hadoop - When the only tool you have is a hammer, all problems look like nails

Michael Boman (N/A)

Hadoop clusters are great and affordable, but is it a case of the tool deciding what problems you have instead of finding tools to solve your real problems?

Michael has been performing malware analysis as a hobby for "a while" now, constantly looking into improving his tools to increase the efficiency of the little time he has after work and family commitments. He doesn't see the lack of time as a big drawback, but as a motivator to find more efficient ways to do the work.

Cloud-based Data Validation patterns… We need a new approach!

Geoffrey Hill (Artis-Secure Ltd.)

Current methodology in nearly every organisation is to create data validation gates. But when an organisation implements a cloud-based strategy, these security-quality gates may inadvertently become bypassed or suppressed. This talk discusses a methodology to encapsulate the validation at the object level, thus allowing each object to have validated or sanitised data at any given point in time.

Two kinds of patterns will be discussed, a validated object pattern and a tokenised object pattern. Examples of use-cases will be detailed for the delegates.

Advantages and possible pitfalls of these patterns in security design will also be reviewed.

Examples will be given in several main programming languages.
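As an added illustration of the two patterns named above, here is a small Python sketch of a validated object (an instance cannot exist unless its value passed validation, so any consumer receiving one knows the data is already checked) next to a tokenised object (the sensitive value is swapped for an opaque token and only the vault can map it back). This is example code written for this page, not the speaker's own material; the class names `Email`, `CardNumber`, `TokenisedCard` and `TokenVault` are assumptions, and the Luhn check and e-mail pattern are illustrative validation rules.

```python
import re
import secrets
from dataclasses import dataclass


class ValidationError(ValueError):
    """Raised when a raw value cannot become a validated object."""


# Illustrative e-mail rule (assumption for this example, not a full RFC 5322 parser).
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


@dataclass(frozen=True)
class Email:
    """Validated object: construction validates and normalises, so every
    Email instance reaching business code is known-good."""
    value: str

    def __post_init__(self):
        normalised = self.value.strip().lower()
        if len(normalised) > 254 or not _EMAIL_RE.fullmatch(normalised):
            raise ValidationError(f"invalid e-mail address: {self.value!r}")
        object.__setattr__(self, "value", normalised)  # frozen: set via object.__setattr__


def _luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class CardNumber:
    """Validated object for a primary account number: digits only, plausible length, Luhn-valid."""
    value: str

    def __post_init__(self):
        digits = re.sub(r"[ -]", "", self.value)
        if not digits.isdigit() or not 12 <= len(digits) <= 19 or not _luhn_ok(digits):
            raise ValidationError("invalid card number")
        object.__setattr__(self, "value", digits)


@dataclass(frozen=True)
class TokenisedCard:
    """Tokenised object: safe to pass around and store; carries no PAN digits beyond last4."""
    token: str
    last4: str


class TokenVault:
    """The only component that can map a token back to the real card number.
    In-memory dict here; a real vault would be a separately secured service."""

    def __init__(self):
        self._store = {}

    def tokenise(self, card: CardNumber) -> TokenisedCard:
        token = "tok_" + secrets.token_urlsafe(16)  # random, unrelated to the PAN
        self._store[token] = card
        return TokenisedCard(token=token, last4=card.value[-4:])

    def detokenise(self, tc: TokenisedCard) -> CardNumber:
        return self._store[tc.token]


def build_receipt(email: Email, card: TokenisedCard) -> str:
    """Business code accepts only the validated/tokenised types, never raw strings,
    so the validation gate cannot be bypassed by a different call path."""
    if not isinstance(email, Email) or not isinstance(card, TokenisedCard):
        raise TypeError("build_receipt only accepts validated/tokenised objects")
    return f"Receipt for {email.value}: card ending {card.last4}"


if __name__ == "__main__":
    vault = TokenVault()
    tc = vault.tokenise(CardNumber("4111 1111 1111 1111"))  # constructed test PAN
    print(build_receipt(Email(" Alice@Example.COM "), tc))
```

The point of the frozen dataclass plus `__post_init__` is that there is no constructor path that yields an unvalidated instance, which is what lets the check travel with the object across cloud service boundaries instead of living in a gate that a new call path can bypass.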

Geoffrey Hill has been in the IT industry since 1990, when he developed and sold a C++ application to measure risk in the commodities markets in New York City.  Since then he has worked as a senior developer of quantitative finance applications in Nomura Finance (New York), Mitsukoshi Finance (Japan), Macquarie Finance (Australia) and NatWest Bank (UK).
 
From 2007 to 2011, Geoffrey was the custodian of the Security Development Lifecycle (SDL) initiative in the Services organization at Microsoft, with endorsement by the Microsoft Trustworthy Computing Initiative Group. He was responsible for the Security Engineering of several high-profile Microsoft Services projects, including the British Telecom pay-per-view Vision service and the United Nations World Economic Forum Collaboration Service.
 
Geoffrey was recently employed by Cigital Inc., a company that specializes in incorporating secure engineering development frameworks into the software development lifecycles of client organizations.  He was leading the software security initiative at a major phone manufacturer and a major central European bank over the course of the last three years.

He is currently starting up his own security consulting company called Artis-Secure. It is focused on making security development frameworks better integrated with business processes.

As for hobbies… he's currently planning a massive fancy-dress gathering next year in an Irish castle.

Why Antivirus Software fails

Daniel Sauder (NTT Com Security (Germany) GmbH)

Based on my work on antivirus evasion techniques (see link below), I started using antivirus evasion techniques for testing the effectiveness of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation, and succeeded in evading these.

One result of my research is a set of tests that check whether shellcode is running within an x86 emulation engine. One test works by encrypting the payload, which would normally be recognized as malicious. When the encrypted payload is still recognized by the antivirus software, chances are high that x86 emulation was performed.
Further test techniques I developed include, for example:
- Windows API calls
- using enhanced CPU features such as FPU, MMX registers etc.
- 64bit payloads

At the time of writing I have developed 36 different techniques as proof-of-concept code and tested them against 8 different products. More techniques and engines are pending.
Together with documentation, papers and talks from other researchers, this gives a deeper understanding of the functionality of antivirus software and shows where it is failing, generally and in particular.

Daniel Sauder, OSCP, SLAE, CCNA, CompTIA Security+ and MCP, has about 10 years of experience in the IT business. Currently working as a penetration tester with a focus on Web Application Testing, Mobile Application Testing and IT Infrastructure Testing, he also has a strong background in Windows, Linux and Network Administration.

Creating a kewl and simple Cheating Platform on Android

Milan Gabor & Danijel Grah (Viris)

The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always the question whether we can trust mobile applications to do only what they are allowed to do, and whether they are really secure when transmitting our personal information to different servers. Sometimes, when communication between a mobile application and a server is encrypted, we have a hard time decrypting it to understand how things actually work. So we need to find new methods or even tools to make our lives as security testers much easier and to achieve better results. In the presentation some runtime techniques will be discussed and a tool will be presented that offers two approaches to analyze Android applications. The basic principle of the first approach is injecting a small piece of code into the APK, then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes and create your own scripts to automate work. This method is possible with little knowledge and it even works on non-rooted Android devices. The second approach offers much the same functionality, but can be used without modifying an application. It uses Dynamic Dalvik Instrumentation to inject code at runtime, so that modifying APKs isn't necessary. In this case Android JNI is used to hook some methods and then inject our code at runtime without modification of the APK packages. This is a new method, based on some recent research in this area. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters and eases the process of analyzing mobile applications. It offers new possibilities to see, evaluate or even change internal variables, and in this way opens new horizons for evaluating the security of mobile applications. With the help of this tool we can also create a really simple cheating platform as a side effect, and this will be demonstrated at the end.

Milan Gabor is the Founder and CEO of Viris, a Slovenian company specialized in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events at different IT conferences in Slovenia and loves to talk to IT students at different universities. He also does trainings regarding ethical hacking. He is always on the hunt for new and uncovered things and he really loves and enjoys his job.

Memory Forensics and Security Analytics : Detecting Unknown Malware

Fahad Ehsan (UBS AG)

The main purpose of the presentation is to show the audience how open-source tools can be used to develop an in-house automated Memory Forensics Solution, which has the capability to detect 'unknown' malware. I will show a demo of this solution, and how it can be used to find 'unknown' malware. This solution is based on my personal research. The idea is to spend 20 mins on the presentation piece and 10-15 minutes on the demo. Leaving 5-10 minutes on the Q&A.

I will start with a quick introduction to the concept of Unknown Malware, followed by recent trends in malware detection. 'On-Host Forensics' is the latest development, with tools like Mandiant Redline, Carbon Black and Bromium becoming popular. These tools provide 'Host Based' malware detection capabilities relying on Memory Forensics techniques.

Memory Forensics has been a traditional incident response technique. With the latest tools, many of the manual steps involved in memory analysis can be automated. Malware can be detected based on intelligence feeds or statistical analysis by 'On-host Forensics' tools.

While each of these tools has its strengths, I would like to show how open source tools like 'Volatility' can be utilized to extract memory fragments automatically and feed this data to an analytics engine. My analytics engine is based on SQL Server, capable of processing data from hundreds of machines simultaneously. In this POC solution, the clients send their Memory Analysis from Volatility every 30 minutes and the analytics engine processes the data through automated jobs.

Approach one - the traditional way of finding malware, using threat intelligence and IOCs: I will simulate a threat intelligence feed and show how my solution can be used to detect malware based on data received from OpenIOC or CybOX.

Approach two - finding malware by benchmarking your environment: I will perform analysis on memory fragments to identify changes on the hosts using the Security Analytics Engine. The engine keeps track of changes on each host and identifies anomalies by comparing against the last known state.

This will be followed by suggestions on how such a solution can be deployed in an enterprise environment, with the pros and cons.

I will end the presentation by sharing where memory forensics sits within the security analytics space today, and what can be expected from it in the future as security analytics solutions mature.

Fahad works for UBS AG, where he is a lead architect in the Security Analytics team. His other areas of expertise include malware reverse engineering and memory forensics. He recently delivered a vulnerability management platform which is widely used within the bank. Throughout his 7-year career he has held various roles in security research & engineering, consultancy, SOC and C#/SQL development teams.

Security Operations: Moving to a Narrative-Driven Model

Josh Goldfarb (FireEye)

The current security operations model is an alert-driven one. Alerts contain a snapshot of a moment in time and lack important context, making it difficult to qualify the true nature of an alert in a reasonable amount of time. On the other hand, narratives provide a more complete picture of what occurred and tell the story of what unfolded over a period of time. Ultimately, only the narrative provides the required context and detail to allow an organization to make an educated decision regarding whether or not incident response is required, and if so, at what level. This talk presents the Narrative-Driven Model for incident response.

Josh (Twitter: @ananalytical) is an experienced security analyst with over a decade of experience building, operating, and running Security Operations Centers (SOCs). Josh currently serves as the Chief Security Strategist of the Enterprise Forensics Group at FireEye. Until its acquisition by FireEye, Josh served as Chief Security Officer for nPulse Technologies. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Night Talk: IT Isn't Rocket Science

David Mortman (Chief Security Architect & Distinguished Engineer at Dell Enstratius and also Contributing Analyst at Securosis)

Information security isn't rocket science, and it doesn't have to cost as much as your typical space program either. Many of the problems in information security are fairly simple (not necessarily easy, just not that complex). I'm going to talk about the range of security issues that can be handled more easily while spending little to no additional money. Not only will this make your life easier, but it will free up time and money to work on the really hard and complex problems that we are also facing day to day.

David Mortman has been doing information security for well over 15
years and is currently the Chief Security Architect & Distinguished
Engineer at Dell Enstratius and also Contributing Analyst at Securosis.
Most recently, he was the Director of Security and Operations at C3.
Previously, David was the CISO at Siebel Systems and the Manager of
Global Security at Network Associates. David speaks regularly at
Black Hat, DEF CON, RSA and other conferences. Additionally, he blogs at
emergentchaos.com, newschoolsecurity.com and securosis.com. David sits
on a variety of advisory boards, including Qualys and Virtuosi. David
holds a B.S. in Chemistry from the University of Chicago.