Speakers (preliminary) - DeepSec IDSC 2011 Europe

360 Degree Security Management using BMIS

Rolf von Roessing (Forfa AG Holding / ISACA / BCI)

The workshop will demonstrate how the Business Model for Information Security (BMIS) is used to create integrated infosec. It then takes security to the next level by introducing systemic solutions for security culture, human factors, emergence phenomena and governance. Using BMIS ensures seamless alignment with traditional management frameworks such as COBIT, ISO 27000 etc.

International Vice President Rolf von Roessing, CISA, CISM, CGEIT, is president of Forfa AG, a Swiss consulting network, and a retired partner at KPMG Germany where he headed the Global BCM Group and the German Information Security Practice. In addition to working at KPMG, he has many years of experience in consulting with large international banks and insurance companies, responsible for international projects in business continuity management and information security. Prior to entering the consulting sector, he was Head of IT for the EMEA region in a leading global security firm. He is a former member of the Board of Directors at the Business Continuity Institute (BCI), where he served from 2001-2008 and where he served as chair of the Audit Committee from 2003-2008. Von Roessing joined ISACA’s Security Management Committee in 2005. He chaired the working group for ITGI’s "IT Control Objectives for Basel II" publication and is currently a member of ISACA’s Framework Committee. He has published extensively on business continuity management, disaster recovery, crisis management and security matters. Most recently, he authored the "Business Model for Information Security" published by ISACA.

Hacking IPv6 networks

Fernando Gont (SI6 Networks)

** Overview **

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. The imminent exhaustion of the IPv4 address space has resulted in the deployment of IPv6 in a number of production environments, with many other organizations planning to deploy IPv6 in the short or near term.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel have much less familiarity with the IPv6 protocols than with their IPv4 counterparts, and thus it is more likely that the security implications of the protocols will be overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways.

The imminent global deployment of IPv6 has created a global need for security professionals with expertise in the field of IPv6 security, such that the aforementioned security issues can be mitigated.

While there exist a number of courses and trainings about IPv6 security, they either limit themselves to a high-level overview of IPv6 security, and/or fail to cover a number of key IPv6 technologies (such as transition/co-existence mechanisms) that are vital in all real IPv6 deployment scenarios.

** Learning Objectives **

This course will provide the attendee with an in-depth training on IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments.

The attendee will be given an in-depth explanation of each topic covered in this course, and will learn how each feature can be exploited for malicious purposes. Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities.

This course will employ both existing and previously-unreleased tools to evaluate the security of IPv6 networks, and to provide live demos of many IPv6 vulnerabilities. Additionally, the attendee will be given the chance to experiment with these tools in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises.

** Who Should Attend **

Network Engineers, Network Administrators, Security Administrators, Penetration Testers, and Security Professionals in general.

** Participants Are Required To **

Participants are required to have a good understanding of the IPv4 protocol suite (IPv4, ICMP, etc.) and of related components (routers, firewalls, etc.). Additionally, the attendee is expected to be familiar with basic IPv4 troubleshooting tools, such as ping, traceroute, and network protocol analyzers (e.g., tcpdump).

** Topics covered by this course **

Introduction to IPv6
IPv6 Addressing Architecture
IPv6 Header Fields
IPv6 Extension Headers
IPv6 Options
Internet Control Message Protocol version 6 (ICMPv6)
Neighbor Discovery for IPv6
Multicast Listener Discovery
Stateless Address Auto-configuration (SLAAC)
Dynamic Host Configuration Protocol version 6 (DHCPv6)
DNS support for IPv6
IPv6 firewalls
Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.)
Network reconnaissance in IPv6
Security Implications of IPv6 on IPv4-only networks
IPv6 deployment considerations

Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations.

Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite.

Gont is currently working for SI6 Networks in the area of network security and engineering. Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published a number of IETF RFCs (Request For Comments) and Internet-Drafts. Gont has also recently joined the Transport Directorate of the IETF (http://trac.tools.ietf.org/area/tsv/trac/wiki/TSV-Directorate).

Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, BSDCan 2005, BSDCan 2009, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, ekoparty 2007, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, IETF 64, IETF 67, IETF 73, IETF 76, LACNIC X, LACNIC XI, LACNIC XII, LACNOG 2010.

More information about Fernando Gont is available at his web site (http://www.gont.com.ar/).


Juan Pablo Perez Etchegoyen (Onapsis)

Have you ever wondered whether your business-critical SAP implementation was secure? Do you know how to check it? Have you imagined what the impact of an attack on your core business platform could be? Do you know how to prevent it? This training is the answer to these questions.

For many years, SAP security has been synonymous with "segregation of duties" or "securing roles and profiles". While this kind of security is mandatory and of absolute importance, there are many threats that have so far been overlooked and are even more dangerous, such as the possibility of taking remote control of the entire SAP landscape without having a user account on any system.

This training will help you to fill this knowledge gap, allowing you to understand the involved threats and risks and how to mitigate them. You will review the whole picture, from the security of the Environment and the SAP application-level gateways (SAProuter, Webdispatcher), through the assessment and hardening of the Operating Systems and Databases and their interaction with the SAP systems up to the security of the SAP Application Layer: Authentication, User security, Password Policies, Authorization subsystem, Interface Security, Web applications Security, Backdoors, ABAP (in)security, Auditing, Monitoring and more!

The training is organized around many hands-on exercises, which will help you grasp practical knowledge quickly. You will learn how to assess the security of an SAP implementation and then close the critical security gaps you discovered. You will also learn how to use different SAP security tools, as well as Bizploit, the first open-source ERP penetration testing framework, developed by the instructor.

The training also provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly.

Juan Pablo Perez Etchegoyen is the CTO at Onapsis. His consulting experience comprises security assessments for worldwide companies in Europe, the US and Latin America. In the research field, he specializes in SAP, Oracle and JD Edwards platforms, having discovered several security vulnerabilities in them. Juan Pablo is also the Product Manager of Onapsis X1, being actively involved in its development. He has also delivered several trainings on penetration testing, database security and SAP security (BlackHat, HITB and Ekoparty).

Social Engineering for IT Security Professionals

Sharon Conheady and Martin Law (First Defence Information Security Ltd)

Social engineering is the use of deception or impersonation to gain unauthorised access to sensitive information or facilities. Because computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation.

Social engineering attacks can have disastrous consequences, both financially and reputationally. You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometrics, but they will not protect you from a social engineering attack. In any security programme people are the weakest link. Social engineering tests can be used to evaluate and strengthen this link.

Like any penetration test, social engineering tests can help to identify security weaknesses that could allow your IT systems to be compromised. Such tests can:

• Give a good indication of, and even improve, your staff’s level of security awareness
• Teach your staff how to identify and deal with social engineering situations
• Provide valuable recommendations on both security awareness and physical security

However, it can be difficult to know how to conduct a social engineering test. This training course will teach participants how to conduct an ethical social engineering test as well as giving recommendations on how to defend against social engineers. The two-day training course is split into four parts and will include practical exercises:

Part 1: Social engineering theory
- What is social engineering? The evolution of social engineering
- Why does social engineering work? The principles on which social engineering is based
- Who are the social engineers?
- The legal and ethical aspects of social engineering tests

Part 2: Practical social engineering
- Common social engineering techniques (e.g., mumble attack, road apples, 10 attack, phishing)
- Analysis of social engineering attacks:
  o personal experience
  o media case studies
- How to practise social engineering techniques

Part 3: The social engineering test
- The ‘get out of jail free’ card
- How to conduct a social engineering test:
  o Target identification
  o Reconnaissance (passive information gathering and physical reconnaissance)
  o Pretexting/scenario creation
  o Attack execution
- Evidence collection
- How to create a social engineering report
- Specific scenarios:
  o Offices
  o Data centres
  o Call centres

Part 4: Defending against social engineering
- Logical security controls
- Physical security
- Security policies
- Education and awareness

Sharon Conheady is a director at First Defence Information Security in the UK, where she specialises in social engineering. She has presented on social engineering at security conferences including Deepsec, Recon, CONFidence, Brucon, ISSE, ISF and SANS Secure Europe.

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Martin has over 20 years of security expertise and has been performing social engineering tests since 1994. He specialises in accessing data centres by using social engineering techniques and bypassing physical security like a geeky James Bond.

Martin also undertakes investigations into actual or suspected security breaches, and specialises in the area of Information Warfare. He attempts to breach not only the logical security of systems and networks, but also the physical security of the infrastructure and buildings, including the use of social engineering when engaged in an “All-Out-Attack” against an enterprise.

Having a considerable depth of technical experience in open and distributed systems, as well as networking, in multi-vendor environments, Martin has spent nearly 22 years in the UNIX and TCP/IP arena, having started his career as a developer of UNIX systems.

Web Hacking - Attacks, Exploits and Defense (Training)

Shreeraj Shah & Vimal Patel (Blueinfy Solutions Pvt. Ltd.)

The introduction and adoption of new technologies like Ajax, Rich Internet Applications and Web Services have changed the dimensions of web hacking and security. We are witnessing new ways of hacking and exploiting web-based applications, and this calls for a better understanding of these technologies in order to perform penetration testing and assessment of web security. The course is designed by the author of “Web Hacking: Attacks and Defense”, “Hacking Web Services” and “Web 2.0 Security – Defending Ajax, RIA and SOA”, bringing his experience in application security and research into the curriculum to address new challenges for pen-testers, consultants, auditors and QA teams. Web Hacking 2.0 is an extensively hands-on class with real-life challenges and lab exercises. Participants will be methodically exposed to a variety of attack vectors and exploits. The learning sessions feature real-life cases, hands-on exercises, new scanning tools and exploits.

Learning Objectives

• Web hacking landscape and attack surface analysis.
• Advanced protocol analysis and exploitation.
• Penetration testing methodologies and modeling techniques.
• Web application footprinting, discoveries and profiling.
• Fault injection and fuzzing for applications and error enumeration techniques.
• Abuse of functionalities, Denial of Services, Overflows and application traversal attack vectors and penetration.
• Advanced injections with SQL, LDAP, XPATH and OS command.
• Dealing with Blind injections across applications.
• Client Side Attacks and Exploits with XSS, CSRF, Open Redirects, Clickjacking and Browser hacking.
• Exploiting application with various tools and scripts.
• Web 2.0 attacks with Widgets, Mashups and JavaScripts.
• Hacking RIA components written in Flash and Silverlight.
• Reverse engineering Web based applications and tools for deep scanning and analysis.
• Hacking and exploiting cloud based APIs and SOAP structures.
• DOM based attack surface and mobile application pen-testing.
• Source code analysis and hybrid pen-testing approaches.
• Introduction to exploit tools for web hacking.
• Build your tool – writing your own tools for pen-testing.
• Understanding and exposure to scanners and their limitations.
• Live Hacking on sample .NET and J2EE applications.
• Advanced labs for Web 2.0 and RIA applications.
• WAF bypass and obfuscation techniques.
• Defense planning and report building for end users.

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class modules end with a challenge exercise. Working within a limited time period, participants are expected to analyze, scan, pen-test, identify loopholes, and exploit the vulnerabilities present in the applications on the basis of the concepts learnt.

Class Prerequisites

• Basic knowledge on Web Application Architecture and Design.
• Basic understanding of web technologies and languages.
• Familiarity with application scanning tools and approaches would be handy.
• Script writing ability using Perl, Ruby or Python would help in coding quick tools (not a must).

Who Should Attend?

• Web security analysts, auditors (PCI-DSS), consultants, pen-testers and security professionals who are looking to upgrade their skill-set in enterprise application security and hacking.
• QA and Developers who are looking for new tools and methodologies.
• Program managers and team leaders, responsible for securing SDLC in their enterprise environment.

Hardware / Software Requirements

To participate in the hands-on exercises you will need to bring a Windows-based laptop.

• OS : XP, Vista, Win7 or Server family
• Please install .NET and J2EE.
• 1 GB RAM
• All other tools will be provided

About Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is also the author of popular books like Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA etc. His articles are regularly published on Securityfocus, InformIT, DevX, O’Reilly and HNS. His work has been quoted as an expert on the BBC, Dark Reading and Bank Technology.

About Vimal Patel

Vimal Patel is the founder of Blueinfy, a company that provides products and services for application security. Vimal leads research and product development efforts at Blueinfy.

Prior to founding Blueinfy, he held the position of Vice President at Citigroup, where he led architecture, design and development of various financial applications. Vimal holds a Master's degree in Computer Science. Vimal has over a decade of experience and expertise in many technologies. His experience ranges from the design of complex digital circuits and microcontroller-based products to enterprise applications.

Attacks on GSM Networks

Dieter Spaar & Harald Welte (Independent Researcher & HMW-Consulting)

Recent years have seen a significant increase in research on GSM attacks: the weaknesses of A5/1 encryption have been demonstrated and exploited, several GPRS networks in Europe have been shown to be insecure, and an ever-growing number of Open Source projects in the area of GSM and GPRS are gaining significant traction.

Despite the availability of attack methods, the tools are often hard to use for security professionals due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks.

This two-day workshop will spend about half the time re-visiting the key aspects of GSM's security features and their publicly known weaknesses.

During the other half, attention is paid to hands-on practical sessions, where attendees will be walked through how to use the various tools for GSM security analysis, such as OsmocomBB, OpenBSC, airprobe, SIMtrace and others. All tools will be provided pre-compiled and pre-installed on a USB flash drive with a Linux-based live distribution.

The target audience of this workshop is GSM network operators and IT security professionals. As an attendee, you should be familiar with working on a Linux/Unix command line shell. Prior knowledge of GSM/GPRS network architecture is a plus, but not absolutely necessary.

Dieter Spaar is a self-employed software developer and consultant with more than 25 years of experience in system-level and embedded development on a variety of architectures.  In the last couple of years, he has been a key figure in the GSM research area.  In 2008, he first co-presented on the subject of running small independent GSM networks for research use.  At DeepSec 2009, he first demonstrated his implementation of the so-called RACH DoS attack.

Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and hacker who has been working with Free Software (and particularly the Linux kernel) since 1995. After having worked extensively in the area of IP network security, where he co-authored netfilter/iptables, he has been researching non-IP communications protocols and systems such as RFID, DECT, GSM and TETRA. He is involved in the development of almost all the tools discussed in this workshop.

The Art of Exploiting Injection Flaws

Sumit Siddharth (7safe)

OWASP rates injection flaws as the most critical vulnerability within the Top 10 Most Critical Web Application Security Risks under the OWASP Top 10 project: http://www.owasp.org/index.php/Top_10_2010-A1

This hands-on session will focus only on injection flaws, and the attendees will get an "in-depth" understanding of the issues arising from this class of vulnerability. The topics covered in the class are:

• SQL Injection
• XPATH Injection
• LDAP Injection
• Hibernate Query Language Injection
• Direct OS Code Injection
• XML Entity Injection

The workshop covers classical issues such as SQL Injection, which is an oldie yet still very relevant today, as well as some lesser known injection flaws such as LDAP, XPATH and XML Injection.

During the two-day course, the attendees will have access to a number of challenges for each flaw and will learn a variety of exploitation techniques used by attackers in the wild. Identify, extract, escalate, execute; we have got it all covered.


The key objectives of the class are:

1. Understand the problem of injection flaws.
2. Learn a variety of advanced exploitation techniques which hackers use.
3. Understand how to fix the problem.

Sumit "sid" Siddharth works as Head of Penetration Testing for 7Safe Limited in the UK. He has been a speaker/trainer at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T, IT-Underground etc. He has contributed a number of whitepapers, security tools, exploits and advisories to the industry. He also runs the popular IT security blog www.notsosecure.com.

Keynote: How Terrorists Encrypt -- LOCATION UPDATE: Riding School

Duncan Campbell (IPTV Ltd, Brighton and Edinburgh UK)

What do real modern terrorists do with encryption tools? Do they use them? Do they know how to communicate securely?

The spectre of international terrorism networks hiding behind “unbreakable” crypto communications was the war cry for security agencies lobbying for “key escrow” and inherently insecure encryption during the “Crypto Wars” of the 1990s. The agencies lost their campaign. Key escrow proposals hit the trash.

After 9/11, the zeitgeist changed. New laws compelling targets to hand over crypto keys were introduced globally. Were they needed? Do the laws work? Can they work?

The reality of terrorists’ communications and crypto is mundane, repeating classic centuries-old errors – such as the wannabe airline bomber who told Al Qaeda’s new chief to reject AES and use insecure homebrew methods instead. (He was arrested within the week.)

Many exotic claims about terrorist encryption have been shown to be fantasy, and their competence exaggerated.

Duncan Campbell is an investigative journalist who now works as a computer forensic expert in major terrorism prosecutions. He has 35 years’ experience breaking major reports on communications intelligence in the press and on television. He revealed the Echelon satellite interception system in 1988 and wrote the European Parliament reports on Echelon in 2000. He advised the UK civil rights organisation Liberty in a successful 2008 European Court of Human Rights challenge to the legality of communications trawling (Liberty v United Kingdom). Since 2002, he has been employed to examine terrorism suspects' computers in the UK's major terrorism cases. He is a Visiting Fellow at Bournemouth University, UK. He was formerly a senior research fellow at the Electronic Privacy Information Center, Washington DC (EPIC).

UPDATE: This talk will be held in the Riding School.

Reassemble or GTFO! - IDS Evasion Strategies

Arron Finnon (iDappcom)

Intrusion Detection Systems, or IDS for short, have been sold for many years as a solution to stop attackers from both the "inside" of a network and the "outside". There is little doubt that the capabilities of these devices have been oversold, and at their very heart are some implementation problems that have no simple fixes.

The talk looks at one of the underlying problems an IDS faces when conducting packet inspection: reassembly.

Reassembly evasion techniques aim to confuse an IDS during packet inspection, either by supplying data to the IDS that will never be factored in at the receiving end (insertion), or by confusing the IDS's very process of reconstructing the data stream. In essence, reassembly evasion techniques attack the very process of inspection.

Techniques ranging from the insertion of rogue nulls to overlapping and overwriting the contents of packets mean that an IDS has very little chance of being able to catch all bad traffic. Many IDS systems are geared to dealing with a high traffic volume, and any reassembly is going to be both difficult and taxing on system resources, whilst slowing the network down. With very little enumeration a potential attacker can utilise a number of reassembly evasion techniques to aid in the escape of otherwise prohibited traffic.

The talk will look at a few of the well known reassembly evasion techniques, and some of the not so well known ones, with the aim of educating the attendees on what to look out for and how to better understand the threat faced by IDSs. In short, this talk looks at: Getting The Fragments Out.

Arron M Finnon, aka "Finux", has just finished his full-time studies at the University of Abertay Dundee on their Ethical Hacking and Countermeasures BSc course. He has been involved with ethical hacking for a little over 5 years and is now an attack researcher, specialising in IDS evasion techniques.

After spending some time as an independent security consultant and researcher, in 2010 Finux returned to university to resume his studies. During the past 5 years, Finux has produced a number of talks and presentations which he has delivered throughout the UK, in addition to being a regular podcaster. During his podcasting career he has produced over 50 shows, predominantly focused on security concepts and their practitioners. In 2009 he was awarded the SICSA Student Open Source Award for his advocacy of Free and Open Source software.

Finux recently joined the NodeZero Pen Test Development Team. NodeZero is an Ubuntu-based installation designed to be a permanent part of a tester's setup.

He now runs a weekly podcast show about technology and security matters named Finux Tech Weekly, which can be found at www.finux.co.uk

The management of IT threats. European Digital agenda's weakness

Mario Valori (Arkomenos)

The situation of severe economic crisis is surely known to all; to mitigate the crisis, the European Union has prepared an ambitious project, “Europe 2020”, defined as a “European strategy for smart, sustainable and inclusive growth". One of the key elements of this strategy is the Digital Agenda, a set of tools and strategies based on IT that will bring economic and social benefits in the short and long term. The Digital Agenda is Europe's strategy for a flourishing digital economy by 2020 and, to achieve these goals, the European Commission will work closely with national governments, concerned organisations and companies.

Such a wide-ranging strategy requires strong coordination between public and private institutions, located in countries with different concepts and procedures relating to IT security.

In 2010 I explored the phenomenon of responses to attacks in an industrial context; in 2011 I extended my analysis to the political structures and countries involved in the Digital Agenda program of the European Commission.

The main focus of the research was directed towards two issues: the perception of security across the various types of attack, and the communication with the various stakeholders.

To explore the first theme I simulated attacks against more than 40 agencies, located in 12 different countries, measuring performance and results. The simulations involved 1084 workers over six months.

The second issue led to the analysis of security policies and simulations of communication for 78 agencies, located in 21 different countries, both in relation to external communication with their members and with the press and other interested parties. This second analysis involved 2418 users, each with a different nationality, language, computer skills and communication skills.

Special attention was devoted to analyzing the transmission of knowledge and learning (training), as well as analysis of the forms of social engineering used to overcome IT security systems.

The study does not aim to criticize the Digital Agenda, which is one of the best strategies applicable to solving the economic crisis, but only to demonstrate the critical points and weaknesses of computer security in the European public sector. A true digital economy will never take off without IT security.

And IT security means understanding the phenomenon and investing money in research, education and infrastructure.

Born in 1983. MSc in Law in 2006-2007, advanced course on international law at the University of Milano-Bicocca, PhD course on TLC engineering, post-degree courses at the Massachusetts Institute of Technology. He is currently a PhD student at Università IULM of Milano. In 2008 he worked at the University of Milano-Bicocca and in 2009 for the Government of Regione Lombardia. He now provides consulting for major corporations and public structures (Alcatel-Lucent, European Commission, UK Government) in the field of cybernetics, communication, cognitive science and new technologies.

Intelligent Bluetooth fuzzing - Why bother?

Tommi Mäkilä & Jukka Taimisto (Codenomicon)

Bluetooth robustness is wretched, no surprise there. Bluetooth test results from plugfests show 80% failure rate, eight out of ten tests end with a crash. It is not pretty, it is sad and frustrating. For a moment, few years back, there seemed to be light at the end of the tunnel: the failures were moving up the Bluetooth stack, and for example L2CAP robustness showed some improvement. Only for a moment though, as recent tests again show a steady decline in results.

In this session, will discuss Bluetooth vulnerabilities and the problems they may cause. We will share our test results from plugfests and car kit tests, including a few demos of actual test cases. That will basically demonstrate how easily everything crashes: we were unable to complete a single test run successfully. Sooner or later, usually sooner, every equipment failed.

Of course, presenting one failed test case after another is not very interesting in the long run. That is why the second part of the presentation consists of a discussion of fuzzing techniques and of creating intelligent fuzzers for Bluetooth systems. We will discuss attack vectors, different approaches and opportunities, and speculate on the possibility of breaking the pairing requirement. We will also discuss how and why building intelligent fuzzers is basically a waste of time, since all the test targets will fail even with less intelligent test suites.

Tommi Mäkilä has been working with Codenomicon since 2004, researching and developing robustness and security testing tools. His field of expertise is wireless technologies, including Bluetooth. He has been a frequent contributor to Bluetooth SIG Unplugfest events, wreaking havoc on devices ranging from small handsfree devices to media kits used in cars.

Insight Into Russian Black Market

Alan Kakareka (Demyo, Inc)

The presentation gives insight into Russian black market pricing and revolves around available "products", means of payment, how these "products" ended up for sale, and most importantly how not to end up for sale yourselves.

Alan is a founder and CTO of Demyo, Inc. He has worked in the IT security field for the last 15 years and is focusing on data integrity, threat intelligence and penetration testing. Alan is a co-author of the Computer and Information Security Handbook. His areas of expertise are vulnerability assessments and penetration testing. Alan has a Master of Science degree in Computer Science from Florida International University and certifications such as CISSP, GSNA, GSEC and CEH.

Windows Pwn 7 OEM - Owned Every Mobile?

Alex Plaskett (MWR InfoSecurity)

The talk will aim to provide an introduction to the Windows Phone 7 (WP7) security model to allow security professionals and application developers to understand the unique platform security features offered. Currently very little public information is available about Windows Phone 7 OS security, preventing adequate determination of the risk exposed by WP7 devices.

The ever-increasing challenges and stages of exploitation an attacker has to overcome to achieve full compromise will be discussed. The talk will outline the implementation of these security features and will demonstrate weaknesses and vulnerabilities an attacker could use to bypass the multiple levels of platform security.

A number of OEM manufacturer weaknesses ("features?") will be discussed, and a demonstration of how these "features" can be abused in conjunction with conventional exploits to achieve full compromise of the phone will be performed. The talk will demonstrate how OEM phone manufacturers can weaken the security posture of an otherwise strong, granular security model, and also demonstrate how targeted attacks can be made which leverage this OEM "functionality" to compromise sensitive information.

Alex is a security consultant at MWR InfoSecurity and has a passion for bug hunting and exploit development. Alex has previously identified a number of serious vulnerabilities in IBM software (Lotus Domino, WebSphere MQ) and is currently interested in embedded systems security.

On Cyber-Peace: Towards an International Cyber Defense Strategy

Stefan Schumacher (Magdeburger Institut für Sicherheitsforschung)

Cyberwar and Cybercrime are currently heavily discussed topics, even in the mainstream media. IT, and therefore IT security, has spread almost everywhere, from automobiles to home automation, from main battle tanks to nuclear power plants and from desktop PCs to smart phones. This raises several security problems in different technical and non-technical domains.

I try to develop an international strategy for IT security, which shall give some answers regarding technical, psychological/social and political security problems. It will also outline some questions which have to be answered by security research in the near future. Those questions include Cyber Law and Cyber Law Enforcement, Security Awareness, Teaching Security, Operating Systems Security and Product Liability for Software Developers.

Stefan Schumacher is President of the Magdeburger Institut für Sicherheitsforschung (Magdeburg Institute for Security Research) and Editor of the Magdeburger Journal zur Sicherheitsforschung (Magdeburg Journal of Security Research).
He focuses on research regarding Social Engineering, Security Awareness and the ongoing Cyber War Debate in the Media.
He also works as a Security Consultant and Trainer for several companies in the named fields.
He also works

SMS Fuzzing - SIM Toolkit Attack

Bogdan Alecu (Independent security researcher)

In this talk I will show how to make a phone send an SMS message without the user’s consent and how to make the phone not receive any message. The method used works on any phone, no matter if it’s a smartphone or not, and also on any GSM/UMTS network. I will present how you can take advantage of sending a specially crafted SIM Toolkit command message in order to achieve all that. Finally, I will present the results and their impact on the user and mobile network security.

I am an independent security researcher who is interested in privacy and security themes, especially the ones that involve mobile communication. I first started with monitoring of mobile networks, then continued with VoIP and GSM security. Given these interests, I have helped different public institutions and private businesses in securing their VoIP systems. I am currently working as a System Administrator for a large company.

IT Security Compliance Management can be done right (and make sense when done right)

Adrian Wiesmann (SOMAP.org)

What kind of internal and external controls from regulations and other sources are there? What is IT-Risk and IT-Compliance management? Why and for whom does it matter? How can we handle it and how does compliance aggregation fit into the picture?

We will then look at the SOMAP.org project which is an Open Source project working on tools to handle IT-Compliance aggregation and IT Security compliance management in general. We will discuss why compliance management is not only about hot air but can make sense when done right.

Adrian is working as an IT Security Officer for a Swiss financial institution. His day job is to bother, to pester and to annoy. Every single day he works hard to bring these qualities of his to perfection. With a background in software engineering he focuses on application security and software demolition, but enjoys a fine hardware hack or a well executed social engineering stunt as much as everybody else does. He is one of the founders of SOMAP.org, a non-profit organisation which is authoring and publishing documents and tools for analysing and managing IT security risk and compliance with regulations and standards. Adrian holds a master's degree in information security from Royal Holloway, University of London.

Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks

Laurent 'kabel' Weber (Ruhr Uni Bochum)

This presentation describes the enhancement of scapy, the powerful interactive packet manipulation program, with layer 3 of the Global System for Mobile Communications (GSM) protocol. Layer 3 of the GSM protocol is part of the Um interface, which is the air interface connecting the mobile devices to the operator's network. In addition to the demonstration of the addon we will introduce new attacks on the GSM baseband, targeting the logic of the baseband state machine.

Thus far, attacks on GSM were mainly directed at vulnerable code running directly on the phone. Recently a totally new attack vector was successfully used to exploit mobile stations over the air: attacks on the baseband stack. Security researchers working on GSM baseband security lack open-source tools to analyze the security of the baseband stack. This presentation introduces a scapy addon allowing users to create GSM layer 3 packets using simple Python syntax. Furthermore, this presentation will continue the effort of security researchers to test the security of the baseband stack, which has been neglected until now. This is done by using and enhancing already existing open-source tools. In addition, possible scenarios of novel attacks on the GSM baseband stack are discussed.

This presentation demonstrates attacks and tests on the logic of the GSM state machine using our newly created addon. One of our results is that classical attacks found in the literature have been successfully rebuilt using our tool. Furthermore, possibly vulnerable parts of the GSM state machine are explored and discussed in this talk. To the best of the author's knowledge there is no prior work presenting a tool that allows building the whole layer 3 of the GSM specification on the command line, and no work presenting attacks on the state machine of the GSM baseband stack, so far.

In a nutshell, while one focus is to introduce the new part of scapy, another focus is put on classical as well as on novel

Technology freak, cryptography and more generally IT-Security enthusiast. A Hacker, as they would name a person who always wants to understand how stuff works, check out the clockwork of this planet and how things are actually working. Interested in current affairs, and always trying to figure out what of the news you can believe. Open-Source fan, *NIX user for quite a while now, he believes in this idea and he lives it!

Human Factors Engineering for IT Security

Peter Wolkerstorfer (CURE – Center of Usability Research and Engineering)

Using practical Web 2.0 examples, our talk highlights the design challenges for modern IT security systems which are used by a mass of end users. It is based on the observation that the number of (IT security-) untrained end users results in security challenges that are mainly caused by human factors rather than technical problems. Based on “Personas” from the EC funded project uTRUSTit we will highlight the challenges in modern IT security system design. By comparing the cognitive nature of end users and developers we will show usability challenges and attempt to provide processes for the solution of current problems and misunderstandings. We will show how a user-centric design process (based on ISO/TR 16982) can be adopted to tackle the challenges in IT security system design. The user is the weakest link in the chain, and this has to be understood when designing IT security systems.

Peter Wolkerstorfer holds a diploma of the College for Multimedia and has been working for various projects as a freelance Web-Developer since 1997. He is studying communication theory and a combination of psychology and education at the University of Vienna. At CURE, Peter is working on web usability issues, mobile usability issues and usability engineering tools. His research emphasis is on Knowledge management systems, HCI Security & Privacy, Information Architecture, Open Source Usability, GUI Design, and Usability-Engineering-Tools.

Design and Implementation of a Secure Encryption-Layer for Skype Voice-Calls

Felix Schuster (SEC Consult)

Without doubt, Skype is the most famous and widely used service for voice and video-chats over the internet.

Philippe Biondi and Fabrice Desclaux already described in their BlackHat 2006 talk "Silver Needle in the Skype" how Skype Ltd., as the operator of the CA of the Skype network, is virtually capable of easily eavesdropping on every single call made in the Skype-Network.

It is unclear, though, whether this capability is really made use of, or is perhaps even sold to governmental organisations.

To mitigate these severe privacy issues, a tool was developed that extends the latest Skype clients for Windows with functionality for making verifiably secure and eavesdrop-safe P2P calls over the Skype network. The security gain arises from an authenticated key exchange that is performed for each new call between the involved extended Skype clients. The securely exchanged key is then used to establish an additional cryptographic layer that covers every IP packet exchanged between the parties of a call. At its cryptographic heart the developed tool uses the proven Off-The-Record library (libOTR) as well as Microsoft's Cryptography API.

This way Skype users no longer need to rely either on the trustworthiness of Skype Ltd.'s central CA or on the correctness and effectiveness of the Skype clients' own cryptographic implementations.


The planned presentation will describe the major challenges that had to be overcome during the implementation of the tool and give an overview of its architectural details. Besides that, a short insight will be given into how parts of the Skype client for Windows were reverse engineered.

The development of the described tool was part of the composition of the author's Diploma Thesis "Konzeption und Implementierung einer zusätzlichen Verschlüsselungsschicht für Skype" that will be handed in at the Ruhr-Universität Bochum within the next weeks.

Felix currently works as a security consultant for the Vienna-based company SEC Consult. Before that he studied IT security and worked part-time for zynamics (now part of Google), where among other things he programmed debugging modules for the reverse engineering tool BinNavi. He is an active member of the internationally successful CTF team FluxFingers and especially enjoys reverse engineering and other low-level challenges.

Behavioral Security: 10 steps forward 5 steps backward

Sourabh Satish (Symantec)

Rule-based behavioral security has been talked about for decades, BUT is it really the silver bullet solution to the malware problem? We don’t think so. In this talk, we’ll discuss the pros and cons of rule-based behavioral systems, using real-world threats as case studies to showcase the approach’s strengths and weaknesses. Next we will discuss how techniques such as supervised and unsupervised machine learning can address many of the inherent limitations of legacy behavioral systems. We will demonstrate how to implement such a machine learning-based behavioral system using freely available tools like WEKA, and provide the attendee with sufficient information to further investigate this area on their own. Finally, we will discuss the limitations of these machine learning-based solutions and propose several potentially fruitful areas of research. The talk will use real-world threat examples to illustrate its points.

Here is the outline of the talk:

Motivation behind behavioral security
Malware space data analytics
Rule-based Behavioral Security Overview
Explanation of rule-based behavior blocking
Pros and cons of the rule-based model
Malware case studies
New cutting edge approaches
Machine Learning: Supervised & Unsupervised
How to build a machine learning-based behavioral system
Practical Application, Limitations and Challenges
Challenges of real-world deployment
Requirements of real-world behavioral solutions
Real-world case study review
All the things that can and will go wrong
Final review of the solution
Strengths and weaknesses

Sourabh Satish is a Distinguished Engineer and Chief Architect at Symantec. He has worked in the security industry for more than 17 years on a myriad of security products (endpoint and gateway) and technologies including shellcode analysis/detection, bot detection, network IPS engines, behavioral security and malware analysis automation technologies, and is recently involved in large-scale data mining for security intelligence.

Sourabh earned his Bachelor’s degree in Computer Science and Engineering from India.

Attack vectors on mobile devices

Tam Hanna (Tamoggemon Limited)

Mobile devices are everywhere - and they get smarter by the minute.

But are mobile devices safe? This talk looks at physical and psychological aspects of mobile device security, and also covers the various types of software attacks!


FakeAntiVirus - Journey from Trojan to a Persisent Threat

JagadeeshChandraiah (Sophos)

FakeAntivirus or rogue malware is a common threat seen by most computer users today. They are penetrating into the mobile and Mac world too. I would like to give a brief picture of different types of FakeAntivirus, how they were born and evolved, what they do and how the industry is tackling this threat. I would also like to delve deep into how they are sold/created in underground forums, introduce the packers used for producing FakeAV and also investigate how their business network works.

I have been working in malware analysis and the computer security industry for the last 5 years. I have an MSc degree in computer systems security from the University of Glamorgan, UK. I was a software developer before entering this industry. Nowadays I spend my time researching emerging malware, threats and vulnerability analysis.

The security of non-executable files

Daniel Pistelli (Cerbero UG)

An overview of the security risks in non-executable files such as PDF, rich media and office documents. The extent and the roots of the issues (not only in terms of infection). The approaches to store and hide, in order to avoid detection, malicious data inside these file formats and what can be done in terms of prevention. Also, ramifications for the embedded sector. The talk aims to range from global considerations to individual cases.

Daniel Pistelli has been studying and working in the RCE/Security field for over a decade. He's been the author of many popular publications and utilities. He is the author of the CFF Explorer (Explorer Suite) and of the new IDA Pro interface.

His research includes topics such as system internals, code/file analysis, malware, rootkits and .NET.

Armageddon Redux: The Changing Face of the Infocalypse

Morgan Marquis-Boire (Google)

Three years ago, I gave a talk at DeepSec called Fear, Uncertainty and the Digital Armageddon on the subject of critical infrastructure compromise. At the time, there was significant worry about the danger that digital sabotage posed to the systems that run our everyday lives. It appears that our threat landscape has changed considerably since then and that the Internet (and by proxy the world?) is a significantly more dangerous place. Cyberwar, Stuxnet, and APT have become common industry buzzwords. Malware has become prevalent on platforms other than Windows, and it seems like every month or so another security company suffers a high-profile compromise or data leak. Are we really hurtling towards the Infocalypse? An age where the Internet is mainly a conduit for espionage and organised crime? Or is this simply hype in an industry obsessed with $$$$??? This talk will examine aspects of the security arms race occurring today, one that is both digital and ideological.

Morgan enjoys big kit, forgotten networks, and LED-lit strolls in non-IP networks. Prior to his present incarnation as a corporate security guy for a little known search engine, he's been known to dabble in cluster computing, critical infrastructure, open-source security, and doomed Japanese start-ups. In addition to talking about himself in the 3rd person and presenting at security conferences, time has been spent moonlighting in such diverse fields as journalism, environmentalism and academia. He finds writing bios difficult and enjoys a drink and a chat about philosophy.

Identity X.0 - Securing the Insecure

Khash Kiani (ThinkSec)

There are a number of protocols and standards designed to deliver mechanisms for enabling the identity attributes of users to be shared between different web sites. Identity technologies such as OAuth and OpenID are being adopted by small and large size organizations to share or consume user resources across the web.

This presentation is a focused study of some of these emerging user-centric identity technologies and their key security implications. We will present scenarios of how insecure implementations of these protocols can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and focus on secure application implementation and countermeasures against attacks.

The talk starts with an introduction to OAuth and OpenID which will set the foundation for the upcoming attack vectors and countermeasures. The majority of the presentation will be spent on attacks and remediation techniques. We will cover real-world examples of insecure implementations by presenting code snippets and design flaws.

Khash Kiani is a principal security consultant and researcher with over 13 years of experience in building and securing software applications for large defense, insurance, retail, technology, and health care organizations. He specializes in application security integration, penetration testing, and social-engineering assessments. Khash currently holds the GIAC GWAPT, GCIH, and GSNA certifications, has published papers and articles on various application security concerns and spoken at Blackhat US. He can be reached at khash@thinksec.com

US experience - laws, compliance and real life - when everything seems right but does not work

Mikhail Utin (Rubos, Inc.)

While information security can be improved in a number of ways, one powerful approach is continually overlooked by security researchers. This approach constitutes a collective effort by masses of computer users, where each individual has a very limited understanding of information security and is frequently forced to improve security by various laws and regulations. Pressure coming from both the government and cybercriminals affects small businesses' capability of conducting business as usual. It is questionable whether, in such a situation, an adequate security level to protect information can be achieved.
This presentation is our attempt to address such a gap and to analyze the current status of information security processes among the masses, based on the situation in the US, and to identify our ability to protect personal information through government regulatory affairs and the implementation of regulations. We recognize that the US has a specific form of government, laws and business organization. However, since information security and protection of personal information is a growing global concern, the hope is that our analysis will help the international security community at large to avoid some of the pitfalls discussed below.
While the US has numerous laws protecting personal information, two of the regulations are most pertinent. They are the federal HIPAA/HITECH and the state of Massachusetts MGL c.93H/201 CMR 17.00. This paper considers obstacles in achieving compliance with both regulations. In particular, the compliance process affects small and mid-size businesses. Those types of businesses, by and large, do not have sufficient resources to be compliant. The situation is made even more difficult by virtue of government not providing any help to start the compliance process. The second problem is that the US government doesn’t take the appropriate measures to enforce compliance. The authors consider the degradation in security that results from the deficiencies in the enforcement process. Such an uncertain and grim security situation can be significantly improved if government and businesses worked together as part of one process. The authors recommend certain measures for achieving a better security posture, including automation of compliance process phases.

I was born in Russia in 1948.
I finished my basic engineering education in 1975 and got an MA in Computer Science and Electrical Engineering. My career in Russia includes working for research and engineering organizations. I got a Ph.D. in Computer Science in 1988 from the then Academy of Science of the USSR. I was one of the first entrepreneurs in Russia to form a private company. From 1988 to 1990 we successfully worked in the emerging Russian private sector as an Information Technology company.
I held several USSR patents and published numerous articles.
I emigrated to the US in 1990 to continue my professional career and to escape from political turmoil. Here in the US I have worked in the information technology and information security fields for numerous companies and organizations, including contracting for the US government. I formed my own company for IT and IT security consulting in 1998.
I am an (ISC)2 certified professional, and participate in ISSA as well. I publish articles on the Internet and in professional journals, and am a proud reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective.
My current area of IT security interest is security governance, regulations and management.

Advances in IDS and Suricata

Matt Jonkman & Victor Julien (Open Information Security Foundation)

This talk gives you an update on the new things in Suricata, the next-gen IDS engine! Suricata is being developed by the Open Information Security Foundation (OISF) and was released as a stable version in July 2010.

Matt Jonkman has been involved in Information Technology since the late 1980s. He has a strong background in banking and network security, network engineering, incident response, and Intrusion Detection. He is the president of OISF and founder of Emerging Threats.

How To Rob An Online Bank And Get Away With It

Mitja Kolsek (ACROS Security (ACROS d.o.o.))

We’ve all heard of - or have even been a victim of - attacks against online banking users where malware on their computers stole their identities and transferred their money to offshore mules’ accounts. While such attacks are still possible and will probably remain a viable threat, they suffer from severe limitations: the loot is limited by the amount of money on victims’ accounts, attacks only work against more gullible people and banks are employing security measures that make identity theft increasingly difficult.

These factors create incentive for criminals to focus on online banking servers. Incidentally, that’s where - as famous bank robber Willie Sutton might say – all the money is. Now, Mr. Sutton lived in the times of physical currency and had to rob the banks the old fashioned way with guns and actual physical presence, risking his life and endangering lives of others. Today, 90% of all money is in a digital form inside banking databases. It therefore shouldn’t surprise us if tomorrow’s Suttons will break into banks disguised in malicious server requests that sneak past the predictable e-guards and force the compliable bank e-tellers to hand over the money or send it to a foreign account.

An online banking server application is an implementation of the business logic that provides online banking services to remote users on PCs or mobile devices. Security requirements are plenty and diverse, for instance: making sure who the user is, preventing users from accessing data or funds from another user (unless authorized) and limiting payments to available funds and preventing unauthorized overdrafts. And stakes are very high: a single error in such application can potentially provide a way to steal large sums of money from personal or corporate users, to instantly borrow an unlimited amount without authorization, to enter a maliciously-doctored legally binding agreement with the bank or even to create new money out of thin air.

This presentation will reveal future attacks against online banks, which we continually find possible in our security reviews. We’ll show how e-bank robbers of tomorrow will approach the targets, hide their reconnaissance and attacks, cloak their identities and retrieve the stolen funds. You will also see how a frequent error in online banking applications allows users to make serious profits on simple automated operations – without ever breaking the law.

The bankers in the audience will have a rare opportunity to get a heads up about future attacks before these are mounted against their systems, and those developing online banking systems will get a list of most critical security flaws they absolutely have to avoid. The attacks presented will be a mix of surprising triviality and devious cleverness, leaving the audience slightly worried about the fragility and vulnerability of today’s financial systems.

Bank robbers are kindly asked not to attend.

In over 12 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as “session fixation”, and new twists on the known ones, such as “binary planting”.

Ground BeEF: Cutting, devouring and digesting the legs off a browser

Michele Orru (Royal Bank of Scotland)

Browser security is still one of the trickiest challenges to face nowadays. A lot of effort has been spent on mitigating browser exploitation from heap and stack overflows, pointer dereferences and other memory corruption bugs. On the other hand there is still an almost unexplored landscape.

X-Frame-Options, X-XSS-Protection, Content Security Policy and DOM sandboxing are good starting points to mitigate the XSS plague, but they are still not widely implemented.

We will see how a framework like BeEF can be used to abuse the security context of a browser. As we are able to manipulate the DOM for fun and profit in 95% of web applications, a trivial reflected or DOM-based XSS is enough to hook a victim browser to BeEF and control it completely.

The presentation will cover the following main areas, among many others:
Cutting: stealth activities, target enumeration and analysis, command module autorun.
Devouring: internal network fingerprinting via JS, exploiting internal services through the browser, keylogging, browser pwnage, autopwn.
Digesting: persistence, tunneling sqlmap/Burp through the BeEF proxy, XSS Rays.

Michele Orru’ a.k.a. antisnatchor is an IT and ITalian security guy who works as a Penetration Tester for The Royal Bank of Scotland Group in Warsaw, Poland. He mainly focuses his research on web application security. Besides his nasty passion for black, gray and white hat hacking and BeEF (being an active committer since the Ruby port started), he enjoys leaving his Mac alone while fishing in salt water, and prays for Kubrick's resurrection.

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Fernando Gont (project carried out on behalf of UK Centre for the Protection of National Infrastructure (CPNI))

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel are much less familiar with the IPv6 protocols than with their IPv4 counterparts, and thus it is more likely that the security implications of the protocols are overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness can be compared to that of the existing IPv4 implementations. Thirdly, there is much less implementation experience with the IPv6 protocols than with their IPv4 counterparts, and “best current practices” for their implementation are not available. Fourthly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts.

While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide general discussion on the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols.

During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out a comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of the aforementioned project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols.

Fernando Gont will discuss the results of the aforementioned project, highlighting the most important aspects of IPv6 security, providing advice on how to deploy the IPv6 protocols securely, and explaining a number of vulnerabilities that were found in IPv6 implementations (together with possible strategies to mitigate them). Additionally, he will demonstrate the use of some attack/assessment tools developed as part of this project (yet unreleased).

Further information can be provided if requested by the Program Committee.

Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations.

Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite.

Gont is currently working on a security assessment of the IPv6 protocol suite on behalf of the United Kingdom's Centre for the Protection of National Infrastructure. Additionally, he is a member of the Centro de Estudios de Informatica at Universidad Tecnológica Nacional/Facultad Regional Haedo of Argentina, where he works in the field of Internet engineering. As part of his work, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published a number of IETF RFCs (Request For Comments) and Internet-Drafts. Gont has also recently joined the Transport Directorate of the IETF.

Gont has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, BSDCan 2005, BSDCan 2009, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, IETF 73, IETF 76, LACNIC XV, LACNOG 2011, and Hack In Paris 2011.

More information about Fernando Gont is available at his web site: http://www.gont.com.ar

Why the software we use is designed to violate our privacy

Christopher Soghoian (Center for Applied Cybersecurity Research, Indiana University)

Through the adoption of Web 2.0 and cloud based services, we have increasingly come to rely upon free services provided by commercial entities: web mail, online backup, social networking, photo sharing, web browsers, PDF readers, anti-virus software, etc.

Some of these products collect our data directly. In such cases, the exchange of user data for free services is well known, at least to many savvy users.

However, many other products do not collect our private data. Instead, they quietly facilitate and enable data collection by other parties.

Unsurprisingly, the default values for many of the tools we use have been selected to guarantee that most consumers will be tracked, and their personal data analyzed. Privacy does not come first.

This talk combines behavioral economics, awareness of Internet business models, and a healthy dose of paranoia to analyze one of the primary reasons we have so little privacy online - because it would limit the profits of those whose free products and services we use.

Christopher Soghoian is a Washington, DC based Graduate Fellow at the Center for Applied Cybersecurity Research, and a Ph.D. Candidate in the School of Informatics and Computing at Indiana University. His research is focused on the intersection of online privacy, law and public policy.

Although a computer scientist by training, he has used the Freedom of Information Act and several other investigative techniques to expose the methods and scale of law enforcement surveillance of Internet communications and mobile telephones.

He was the first ever in-house privacy technologist at the Federal Trade Commission, and has worked at Berkman Center for Internet & Society at Harvard University, the American Civil Liberties Union (ACLU) of Northern California, NTT DoCoMo Euro Labs, Google, Apple and IBM Research Zurich.

Your crown jewels online: Further Attacks to SAP Web Applications

Mariano Nunez Di Croce (Onapsis)

"SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks.

SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals.

Through many live demos, this talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed.

Update: New attacks not presented in previous conferences will also be demonstrated. You will see how the content of your SAP Enterprise Portal may be accessed by anonymous attackers from the Internet, abusing default weak configurations. We'll also talk about a misconfiguration in default SAP Java Application Servers that may allow access to sensitive features, bypassing authentication and authorization capabilities. As usual, you will learn which protection measures you need to implement before your business crown jewels are gone.

Mariano Nunez Di Croce is the CEO at Onapsis, leading the company's technical and business development strategies. He has deep experience in the ERP & SAP security fields, being the first to present on real-world security threats to SAP platforms. Since then, he has been invited to hold presentations and trainings at some of the most important security conferences in the world, such as BlackHat DC/USA/EU, SAP, HITB Dubai/EU, HackerHalted, DeepSec, Troopers, Ekoparty, Sec-T, Hack.lu and Seacure.it, as well as at Fortune-100 companies and military organizations.

Having discovered several critical vulnerabilities in SAP applications, he also developed the first open-source SAP & ERP Penetration Testing frameworks and leads the "SAP Security In-Depth" publication. He is also a founding member of BIZEC. Because of his research work, Mariano has been interviewed and featured in mainstream media such as CNN, Reuters, IDG, New York Times, eWeek, PCWorld and others.

Bond Tech - I Want More Than Movie Props

Kizz MyAnthia (Rapid7)

James Bond has the coolest tools in the world, but when do we get to play with them?

Almost everyone out there wants to have the coolest gadgets from the movies, but when do we get them? This talk will look into the advancements of technology and the ability for today's tech toys to be tomorrow's super gadgets. The talk will walk the participants through a number of historical advances touching on espionage and security subversion and the relation between what is real and what is only available in the movies. Once the participants have an understanding of how normal everyday devices can be leveraged to be more than they appear, Kizz will dive into how this relates to the thought process behind every organization's security policies and procedures.

The acceptance and integration of technologically advanced devices into our everyday life has allowed them to penetrate deep into secure areas. In particular, the ability to have your phone with you at any moment of the day feeds our needs for social media, email, business, and pleasure. Smartphones and tablets have only just begun to enter our environments and most don't understand the security risks of allowing their use.

"The WMD Package", developed as a penetration testing platform, gives users leverage over a number of security controls. This presentation will provide participants with the ability to view the applications of such a device and provide an understanding of how to approach securing an organization against most of the attack vectors. At the end of the presentation the audience will take part in a live demonstration of how "The WMD Package" works and have a chance for some question and answer time.

Infosec specialist whose qualifications include an in-depth understanding of security principles and practices; C|EH, MCSE+Security designations; and detailed knowledge of security tools, technologies and development. Seven years of security experience in the creation and deployment of solutions protecting networks, systems and information assets for diverse companies and organizations, with over 10 years overall in the industry.

* C|EH
* Hacking By Numbers: Combat Edition

Key Skills:

* Network & System Security
* Risk Management
* Vulnerability Assessments
* Reverse Engineering
* Social Engineering
* Penetration Testing
* Application Development
* Physical Security
* Policy and Procedure Development and Review
* Mobile Phone / Smartphone Security and Development

Do They Deliver - Practical Security and Load Testing of Cloud Service Providers

Matthias Luft (ERNW GmbH)

The rapid evolution of cloud based computing is often used to illustrate a possible paradigm shift in computing. The centralized processing and storing of data allows the development of new architectural approaches as well as completely new usage experiences. The implementation of these architectural models is a critical requirement to profit from a shift in computing to this new model.

To provide a toolset for measuring the potential profits of performing this shift, we want to introduce "skyscraper": it is a framework for load testing cloud based applications, including a specially developed demo application for major cloud platforms. Using skyscraper, the results of several load tests are illustrated to show possibilities and caveats of the scalability of cloud based infrastructures. The evaluations were performed against the platforms of several major cloud service providers hosting the skyscraper demo application. This demo application utilizes all available possibilities to improve the scalability and security of cloudified applications, so a guide to the security and scalability features and limitations of cloud platforms is presented in addition.

Matthias Luft works as a Security Consultant at ERNW GmbH, Heidelberg, Germany. He is about to finish his master thesis at the University of Mannheim on scalability and security aspects of cloud computing. He is a seasoned pentester with vast experience in corporate environments. Over the years, he developed his own approach to evaluating, reviewing, and assessing all kinds of network technologies, applications, or processes. He was also one of the first researchers to reveal security flaws in DLP solutions. He is a regular speaker at international security conferences and contributes actively to the international security community. He will happily share his knowledge with the audience.

An online game trojan framework from China underground market

Hermes Li (Websense)

For a long time I have been researching the whole path by which a popular game trojan steals passwords from online game players. The research includes:
1. How a trojan is installed into the user's system
2. The workflow of a game trojan
3. How it evades AV detection
4. How it steals user information
5. The underground market
Part 2 is the main part of this topic; it covers the techniques of injecting a DLL file under Ring 3, packer encryption, and so on.

Hermes (Lei) Li, Chinese, has 8 years of working experience in the field of web security. He is a former employee of Symantec and has been working at Websense Security Labs as a security researcher for more than 4 years.

Rootkits and Trojans on Your SAP Landscape

Ertunga Arsal (ESNC GmbH)

SAP systems are the heart of many enterprises. Most critical business functions run on SAP applications, and the complexity of these systems makes it very difficult to protect them against attackers. Default setups, forgotten/unimplemented security configurations, weak password management and change processes that apply to one ‘unimportant’ system can result in complete compromise of the SAP landscape. The legal consequences, lost/damaged business and reputation can be disastrous depending on the type of the attack. While companies invest a lot to secure SAP systems at the business process level, for example by designing authorization concepts, implementing separation of duties or by using GRC (Governance, Risk and Compliance) tools, security at the technical level mostly lacks attention. In this paper, I present several attack paths exploiting configuration weaknesses at the technical level, leading to attack potential against single systems, whole SAP landscapes, and finally the whole enterprise network. By demonstrating creative exploit variants of configuration weaknesses, I motivate the necessity to safeguard an SAP system at the technical level.

Ertunga Arsal is the founder of ESNC, a company specialized in SAP security. ESNC develops software for security audits and forensic examinations of SAP systems. Previously, he worked with Tech Data (Nasdaq: TECD) for five years as a security consultant and was responsible for SAP and application security in the EMEA region. Being part of the incident response team, he took the lead on several investigations. Ertunga has reported numerous security vulnerabilities in SAP systems ranging from medium to extremely critical. He currently lectures on Systems and Network Security at Sabanci University grad school.

Malware Trends 2011 - from Cybercrime to nation-sponsored Espionage

Toralv Dirro (McAfee GmbH)

Toralv Dirro works for McAfee as McAfee Labs EMEA Security Strategist. After analysing viruses at the University of Hamburg, he worked in virus research for many years from 1994 at McAfee (Dr Solomon's Software back then), until he finally got bored with debugging things and focused on Network IPS and Vulnerability Assessment / Management. He rejoined the research team in 2006, focusing on trojans, Fake-AV/Scareware and cyber crime related topics. Toralv Dirro is a well reputed expert on next generation AV technology and Network Intrusion Prevention and is a frequent speaker on those topics.
He has no academic papers but is a frequent speaker at events and conferences, a contributor to nearly all McAfee Labs Quarterly Threat Reports, and the author of many short articles for a range of publications.

Patching vehicle insecurity

Constantinos Patsakis, Kleanthis Dellios (Department of Informatics, University of Piraeus)

Current trends in the automotive industry are changing the car more and more from mechanical engineering towards electrical engineering. The car is starting to resemble a computer with mechanical peripherals, yet the same does not seem to happen with its security. One big step towards securing cars was of course the introduction of the immobilizer, yet as everyday life shows, new vehicles are still being stolen. Immobilizers can be bypassed by one of the following methods:
• Disabling the immobilizer by replacing the factory's ICM, which contains and controls the data, with a new masquerading unit, so that the immobilizer can't be activated.
• Attaching an electronic device between the computer unit and the OBD port, which makes it possible to decode the immobilizer, allowing the deletion of the existing system.
• Copying the e-keys of the immobilizer units.
• Tapping the transmitted signal-code.
• Accessory attacks (MP3 players, infotainment system).
• DoS from an RFID zapper, since immobilizers use RFID authentication.
Of course there's always the possibility of using an after-market audible alarm device, yet this usually does not prevent theft but rather deters it; moreover, if not properly installed, it may create new entry points.
In order to patch some of these security breaches and create a more extensible in-vehicle computer system, we propose the use of a TTP entity inside the vehicle, which sends the ignition signal to the engine only if the main parts of the vehicle have been properly authenticated. The vehicle's MCU takes the role of the TTP, thereby applying a “Deny all” policy towards any possible malicious hardware injection. In order to secure the MCU from software attacks, the MCU resides behind an application firewall which filters incoming traffic.
Moreover, we apply a role based approach towards possible vehicle users, who are authenticated by appropriate credentials. Finally, we categorize vehicle parts, enabling the vehicle to remain usable if certain secondary parts fail to function, something that is very common in vehicles due to severe use.

Dr Constantinos Patsakis was born in 1979 in Marousi, Athens, and is currently an elected Lecturer at the Department of Informatics, University of Piraeus. He received his first degree from the Mathematics Department, University of Athens, with specialization in both theoretical and applied mathematics. Dr Patsakis then did his MSc at Royal Holloway, University of London in Information Security and his PhD at the Department of Informatics, University of Piraeus, where his thesis title was "Cryptanalysis and Applications of Cryptography in Malware". His main areas of interest are cryptography, cryptanalysis, cryptovirology, computer security, coding theory and computational number theory.
Dr Patsakis has a very solid background in programming and development, participating in several research and development programs as well as individual projects in knowledge certification and webpage development.
Dr Patsakis has been teaching undergraduate and postgraduate courses since 2004 at the University of Piraeus and, in the current academic year, at the Technical Institute of Kalamata. The courses that he has been teaching are: information and coding theory, cryptography, computer security, calculus, decision mathematics, and game theory. Moreover, he is the author of three books, two on cryptography and one on information and coding theory, which are the main textbooks of several courses in universities in Greece.

Solving Social Engineering Attacks

Toby Foster (University of York/First Defence Information Security)

Social Engineering threatens many businesses around the world and it seems that the best solution to date is employee training. This doesn't stop the attacks; it just makes it harder for the attacker. My final year project at university is to model social engineering attacks and then draw upon computer security principles to determine a solution to the problem.

The ultimate objective is to find a single solution (or at least a small number of solutions) that solves all (or the vast majority) of social engineering attacks. If the project is successful it could revolutionise how we defend against social engineering attacks.

Toby Foster is a 20 year old student in his final year at the University of York studying Computer Science. He is also an intern at First Defence Information Security. He has a passion for Social Engineering and Penetration Testing. This will be his first conference presentation!

Alerting, Reminding, Reminding, Reminding and Releasing Vulnerability

Thomas Mackenzie (Trustwave Spiderlabs)

When it comes down to releasing vulnerabilities there are no right or wrong ways to do it. The process of responsible disclosure and releasing an advisory has not been agreed upon despite efforts to the contrary, and because of this, they are handled in a number of ways. Add unexpected third parties, uncooperative vendors, and potentially lawyers into the mix and you've got quite the party. This talk aims to educate individuals about the process of responsible disclosure, common pitfalls and mistakes, and various techniques to make your lives easier if you ever find yourself in a situation where you just made calc.exe pop up on your friend's box using a previously unknown technique. A number of personal stories from the presenter will also be included to enlighten, educate, and hopefully humor the audience about the experience of the chess game that is responsible disclosure. I will be talking about an online gateway that I plan to develop to help researchers and teams find security contacts and develop their own security policies in house. I will also briefly mention third parties like VUPEN, ZDI, upSploit etc. and how they can help to manage your vulnerabilities.

Tom Mackenzie is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. Tom has spoken at a number of events including local OWASP chapter meetings, BSidesChicago, a lightning talk at BruCON 2010 and guest lectures at Abertay Dundee University. Tom is the founder of upSploit Advisory Management - an automated system that aims to help security researchers alert vendors to vulnerabilities in their products and services in the most responsible way possible. He is probably known mostly for podcasting. He has co-hosted TracSec, DisasterProtocol, the Student Hacker Information Technology Podcast, a vulnerability segment on the Finux Tech Weekly show and now co-hosts the SpiderLabs Radio Podcast.