Off-Shore Development and Outsourcing - Information Security in Plato’s Cave

Frank Ackermann, CISSP, Security Researcher
Within the last ten years, many companies all over the world have considered outsourcing, off-shore development or other ways to focus on their non-IT core business. Others have opened up new markets and offer services based on this model. IT and information security is mostly an aspect that is not in focus when this topic is discussed by senior management. The talk describes the benefits, risks and problems of this topic and points out the critical aspects to think about. The topic is discussed in combination with an allegory to offer different viewpoints. Mitigations to reduce the risks will be presented, followed by a conclusion. The talk is non-technical and does not contain any script/shell-code/proof-of-concept hack or other in-depth technical detail.
Frank Ackermann is an IT and Information Security Specialist, focused on security management and architecture. He studied Computer Science and has been working for a decade in the banking and financial environment. There he foresaw the necessity of implementing security in virtualised environments and has increased security in queuing products needed for EAI (Enterprise Architecture Infrastructure) solutions. During the last 1 1⁄2 years he has been involved in writing and implementing security processes, guidelines and compliance checks to increase security within offsite development and outsourcing of IT. After all these years, he is not tired of pointing out risks in professional landscapes and processes. He lives in Düsseldorf, Germany.

Advanced PHP Hacking

Laurent Oudot, TEHTRI-Security
Advanced PHP Hacking... Lots of people think they already know everything related to PHP and IT Security, because tons of tiny papers/exploits have been released everywhere in recent years. Some just think that PHP should not be used, but the reality shows that it is a worldwide web language used both by individuals and by corporate teams (Facebook...). Trying to cover large-scale knowledge related to PHP and hacking is not that easy, because it deals with networks, systems, services, applications, code, end-users... Thanks to this training, you will learn every concept needed to become a master at PHP Security through the lectures, and you will also master practical issues through the hands-on lab exercises. After this session, you will really know how attackers work and move through PHP hax0ring so that they can jump down into your networks. Pentesters and security staff will be able to improve their tools and methods. Sysadmins and network staff will be able to help protect their information system and detect evil behaviours. Of course, developers will avoid errors that might cost a lot. The complete program of this workshop is available here: http://www.tehtri-security.com/Advanced_PHP_Hacking.pdf This training will end with a final exercise: a live, step-by-step real hack simulation. It will help students come back to the hands-on exercises seen during the whole day through this complete action.
Laurent is a French senior IT Security consultant, who founded TEHTRI-Security (link: http://www.tehtri-security.com) in 2010. Over the last 15 years, he has been hired as a security expert to protect and pentest networks and systems of highly sensitive places like the French Nuclear Warhead Program, the French Ministry of Defense, the United Nations, etc. He has been doing research on defensive technologies and underground activities, with numerous security projects handled, and he was a member of team RstAck and of the Steering Committee of the Honeynet Research Alliance. Laurent has been a frequent presenter or instructor at computer security and academic conferences.

All your baseband are belong to us

Ralf Philipp Weinmann, University of Luxembourg
Attack scenarios against mobile phones have thus far concentrated on the application processor. While code running on these processors is being hardened by vendors, as can be seen in the case of Apple's iPhoneOS (the current release uses data execution prevention and code signing), the GSM stack running on the baseband processor is neglected. The advent of several open-source solutions for running GSM base stations is a game-changer: malicious base stations are not within the attack model that was assumed by the GSM MoU and baseband vendors. This paper explores the viability of attacks against the baseband processor of GSM cellular phones and shows first practical results that enable code execution on them. It will include a demo of a practical exploitation of a remote memory corruption on the iPhone 4.
Ralf-Philipp Weinmann is a cryptologist by day and a reverse-engineer by night. He studied and obtained his Ph.D. at the Technical University of Darmstadt and is currently a postdoctoral researcher in the LACS laboratory of the University of Luxembourg.

Android: Reverse Engineering and Forensics

Raphaël Rigo, French Network and Information Security Agency (ANSSI)
While Android security architecture is now well understood and has been presented over and over, the details of actually reversing software running on it are scarce. This talk will explore the filesystem, memory, and reverse engineering techniques in-depth.
Raphaël Rigo has been doing reverse engineering and computer security for about 10 years. He used to work for France Telecom R&D (until 2008), in the computer security research lab where his work mainly focused on embedded systems and operating systems security. This included reverse engineering and security analysis of embedded DSL routers, exploit writing and pentesting. He is now doing security pentests and security research (designing new tools or techniques) at ANSSI.

Application Security and Cloud Computing

Lucas von Stockhausen, Fortify Software
Cloud Computing does not take away the burden of programming secure software. In fact, it magnifies the risk for applications. It is therefore even more important to put special emphasis on the application layer, as you are suddenly in a situation where you no longer fully control the network or infrastructure. For this reason it is very important to put special focus on security during the development lifecycle of these applications. BSIMM and OpenSAMM can help to establish a secure development lifecycle by adopting what industry experts advise and practise.
Lucas von Stockhausen is Software Security Consultant at Fortify Software. He is responsible for planning and executing Software Security Assurance (SSA) initiatives for Fortify customers. Fortify’s Software Security Assurance solutions protect companies and organizations from today’s greatest security risk: the software that runs their businesses.

Attacking SAP Users Using sapsploit extended

Alexander Polyakov, Digital Security
Business applications like ERP, CRM, SRM and others are one of the major topics within the field of computer security, as these applications store business data and any vulnerability in them will cause a significant monetary loss. Nowadays the SAP platform is the most widespread platform used for enterprise system management and the most critical data storage. Nonetheless, people still do not give much attention to the technical side of SAP security. As for SAP server security, you can get information from Mariano's presentations at BlackHat 2007 and BlackHat 2009 and see how insecure SAP servers are. But what if we find the SAP server fully hardened? Usually, when it is hard to attack a server, we try to attack a client, because in real companies there are thousands of user workstations that use SAP, and they are less secure. SAP security is becoming a popular topic, and client-side security of ERP systems is not well described on the Internet, so a methodology and tools for assessing SAP frontend security must be made known to the security community.
Alexander Polyakov is the CTO of The Digital Security Company. His expertise covers enterprise applications and database security. He has found a lot of vulnerabilities in the products of vendors such as SAP and Oracle, and has carried out a lot of projects focused on the security of special applications in the oil and gas, retail and banking spheres. He is the author of a book titled "Oracle Security from the Eye of the Auditor. Attack and Defense" (in Russian). He is also the head of the Digital Security Research Group (dsecrg.com), an Expert Council member of the PCIDSS.RU association, and a QSA and PA-QSA auditor.

Attacks on GSM Networks

Karsten Nohl & Harald Welte, Security Research Labs & HMW-Consulting
Recent years saw a significant increase of research in GSM attacks: The weaknesses of A5/1 encryption have been shown practical, rainbow tables were distributed widely on the internet, and open-source baseband software is being developed. This software allows for fine-grained control over all information sent to the GSM infrastructure, enabling protocol fuzzing and flooding.
Despite the availability of attack methods, the tools are often hard to use for pen-testers due to their limited documentation. The published attacks are often difficult to reimplement when assessing the vulnerability of GSM networks.
This two-day workshop will re-visit GSM's security features and their publicly known weaknesses. It will then introduce and demonstrate the various publicly available attack tools.
After extensive hands-on sessions performing the various attacks, counter-measures will be presented, followed by a discussion of the current best practices for securing GSM networks. The target audience of this workshop are GSM network operators and IT security professionals.
Karsten is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them. Systems that could not withstand curiosity include the Mifare and Legic RFID cards, DECT and GSM cell phones, and Hitag2 car keys.
Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and hacker who has been working with Free Software (and particularly the Linux kernel) since 1995. His first major code contribution to the kernel was within the netfilter/iptables packet filter. He has started a number of other Free Software and Free Hardware projects, mainly related to RFID, such as librfid, OpenMRTD, OpenBeacon, OpenPCD and OpenPICC. During 2006 and 2007 Harald became the co-founder of OpenMoko, where he served as Lead System Architect for the world's first 100% Open Free Software based mobile phone. Aside from his technical contributions, Harald has been pioneering the legal enforcement of the GNU GPL license as part of his gpl-violations.org project. More than 150 inappropriate uses of GPL licensed code by commercial companies have been resolved as part of this effort, both in court and out of court. He has received the 2007 "FSF Award for the Advancement of Free Software" and the "2008 Google/O'Reilly Open Source award: Defender of Rights". In 2008, Harald started to work on Free Software on the GSM protocol side, both for passive sniffing and protocol analysis, as well as an actual network-side GSM stack implementation called OpenBSC. He is currently in the early design phase of the hardware and software design of a Free Software based GSM baseband side. He continues to operate his consulting business hmw-consulting.

Circumventing common pitfalls when auditing source code for security vulnerabilities

Aljosha Judmaier & David White, SEC Consult
There comes the time when a true security expert has to look at some source code. Everybody knows that "real men" use vi, find, grep, and hair-raising Perl and shell scripts to analyze complex software projects. However, at some point it makes sense to trade in stone knives and bearskins for tools that are more modern. While security tools continue to become more sophisticated and capable, the pain of security source code audits doesn't seem to decrease. This presentation describes the technologies behind advanced static and dynamic vulnerability analysis tools. New algorithms that precisely model the behavior of so-called "sanitization" routines help static analysis tools reduce both false positive and false negative results. A novel approach to finding logical errors using a combined dynamic and static analysis tool recognizes the assumptions made during development and tries to find a code flow path that invalidates them. Live demonstrations will show that these new approaches are no longer purely theoretical. In practice, even the best tools won't make security problems go away. The risks of the traditional rush to market are becoming increasingly apparent, and regulators and standardization organizations are beginning to put pressure on companies to fix problems before they arise. Auditors need to put results in context and communicate with their colleagues, developers, and management in a timely and efficient manner in order to implement pro-active security. We conclude with a discussion of new ways to ensure that bugs get fixed before it's too late.
Security Consultant for SEC Consult and Lead Developer for the SECoverer code analysis framework.

Cognitive approach for social engineering

Dr. Mario Andrea Valori, IRIDe (Interdisciplinary Research and Intervention on Decision) Center - Università di Milano
Currently mobile phones are the most common communication devices in the world (5 billion active SIMs - Ericsson Observatory, July 2010), and according to the International Telecommunication Union (ITU, an agency of the United Nations) this year the number of internet connections from mobile devices surpassed the number of fixed connections. The demand for permanent connection is a constant in today's world: connections to communicate, to learn and to trade. Privacy, security and identification of the interlocutor are three priorities in the development of mobile communications in the new millennium. But mobile phones are instruments of high personal impact; their diffusion, portability and ease of use have established a sort of trust relationship with their users. Informatics threats are generally underestimated by average users, and the phone, wrongly, is regarded as the safest medium. The study, conducted in cooperation with the IRIDe Center (Università degli Studi di Milano) and CEFRIEL (Polytechnic of Milan), has explored the phenomenon of responses to vishing and smishing attacks in an industrial context. The cognitive approach proved to be very helpful not only for creating very effective phishing tests, but also for understanding the relevance of the positive results we got (a positive result being a successful attack) and, generally speaking, for evaluating the behavioural issues. We analyzed and monitored 820 managers of different international corporations based in Italy from January 2010 until today. Subjects were tested against vishing and smishing attacks; in addition, different training procedures and approaches to reduce failure rates were analyzed.
The main results of the research were:
- the experimental confirmation of the low attention paid to the human-related risks of information security, even inside big corporates;
- the importance of cognitive factors in the prevention of errors (especially against vishing and smishing);
- the development and test of an alternative educational strategy to counter attacks;
- the team who performed this study was composed of cognitive scientists and security experts, and the resulting cross-fertilization of competences was a great experience on its own.
Our aim is to underline on the one hand the methodology we used and the results we got, but also the great importance of the cognitive approach, which is often underestimated. Each person responds differently to the attacks; behavioural profiling could lead to better strategies for defending and teaching. A well-known human behaviour is the "sensation of being secure": the user's attention decreases the more the system is perceived as secure (secure either technically or due to the presence of an expert nearby, whose competence is "felt" by the user). What we did was to stress this sensation and prove which weakness it implies, measure the behaviour and study the underlying cognitive processes in order to define some countermeasures.
Born in 1983. MSc in Law in 2006-2007, advanced course on international law at the University of Milano-Bicocca, PhD course in TLC engineering, post-degree courses at the Massachusetts Institute of Technology. In December 2010 he will take a second MSc in Cognitive Science and Decision Making. In 2008 he worked at the University of Milano-Bicocca and then for the Government of Regione Lombardia. He now provides consulting for major corporations (Alcatel-Lucent, ...) and public structures (European Commission, IRIDe, ...) in the field of cybernetics, cognitive science and new technologies.

Cyber Security in High-Speed Networks

Pavel Celeda, Jiri Novotny & Radek Krejci, Masaryk University Brno
These days the problem of cyber security is of utmost importance. Massive cyber attacks targeting government and mission-critical servers can swiftly become an issue of national security. The various approaches to cyber defence and cyber security used to date have been based on software solutions without hardware acceleration. With the increasing number of network users and services and the current generation of multi-gigabit network links, the amount of transferred data has increased significantly. These facts have rendered many current solutions for network security obsolete. This presentation describes a hardware-accelerated monitoring system. The time- and performance-critical parts are processed in hardware, and only the relevant traffic parts are processed in software. Such an approach allows us to use current security tools in multi-gigabit networks under worst-case scenarios like distributed denial-of-service attacks. We present various deployment use cases for network security monitoring.
Jiri Novotny graduated in Radio Communications from the Technical University Brno in 1981. Since 1983 he has worked with the Institute of Computer Science at the Masaryk University Brno. He works on hardware development of a new generation of PCI cards based on FPGA technology and leads the team developing high-speed network monitoring adapters - www.liberouter.org. He and his team have participated in several network security related projects.

Cyber War on the Horizon?

Stefan Schumacher, www.kaishakunin.com
Cyber War has been defined by Richard A. Clarke as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption." The Economist describes cyber war as "the fifth domain of warfare, after land, sea, air and space". Barack Obama declared America's digital infrastructure to be a "strategic national asset," and in May 2010 the Pentagon set up its new Cyber Command to defend American military networks and attack other countries' systems. In 2008, the DDoS attacks on Estonia and case studies from Estonia and Georgia were discussed at DeepSec from a technical point of view. This talk will show how Cyber War is discussed in political science and the military, and whether a Cyber World War is possible. Additionally, I will discuss possible threats through technology used by enemy countries and insurgent groups, and how politics, society and technology have to cooperate to avoid Cyber War.
Stefan Schumacher is a freelance security consultant with a focus on Social Engineering, Security Awareness and Counter-Intelligence. He has been active in the Open Source and hacker scene for about 15 years. He is a NetBSD developer and is interested in operating systems, cryptography and backup technology. He also writes technical articles and documentation. Since 2007 he has been studying Educational Science and Psychology at Otto-von-Guericke-University Magdeburg/Germany and does research in the security field from a social science point of view. Since 2010 he has been the President of the Magdeburg Academic Society for Foreign and Security Policy Studies.

Cyber[Crime—War] - Connecting the dots

Iftach Ian Amit, Security & Innovation
CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition. We will discuss the connections to standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of them.
With more than 10 years of experience in the information security industry, Ian (Iftach) Amit brings a mixture of software development, OS, network and Web security expertise as Managing Partner of the top-tier security consulting and research firm Security & Innovation. Prior to Security & Innovation, Ian was the Director of Security Research at Aladdin and Finjan, leading their security research while positioning them as leaders in the Web security market. Amit has also held leadership roles as founder and CTO of a security startup in the IDS/IPS arena, developing new techniques for attack interception, and a director at Datavantage, responsible for software development and information security, as well as designing and building a financial datacenter. Prior to Datavantage, he managed the Internet application and UNIX worldwide. Amit holds a Bachelor’s degree in Computer Science and Business Administration from the Interdisciplinary Center at Herzlya.

Debugging GSM

Dieter Spaar, Karsten Nohl, Security Research Labs, Berlin
The popular GSM cell phone standard uses outdated security and provides much less protection than its increasing use in security applications suggests. Our research aims to correct the disconnect between technical facts and security perception by creating a GSM tool that allows users to record and analyze GSM data to see what security features were really implemented by their operator. The talk discusses a GSM debugging tool that consists entirely of open source software and open radio hardware. We will demonstrate how to record and decode GSM calls, even encrypted ones.
Dieter reverse-engineers systems into open source equivalents. Currently, his work focuses on GSM, where he has contributed to the OpenBSC, OsmocomBB and Airprobe projects.

Designing Secure Protocols And Intercepting Secure Communication

Moxie Marlinspike, Institute For Disruptive Studies
This is a new and special training that covers both designing and attacking secure protocols. Attendees will learn the fundamentals of how to design a secure protocol, and be armed with the knowledge of how to evaluate the security of and discover weaknesses in existing protocols.
This training is both theoretical and practical, both academic and hacker-foo. The first day covers the design of secure protocols in depth, leaving students with a thorough understanding of how secure protocols are modeled, how the building blocks of cryptography can be combined to result in something secure, and how to look at secure protocols that others publish (from SSH to SSL to Tor to encrypted web cookies) with a critical eye. Concepts that are often tossed around such as IND-CCA, the birthday paradox, and authenticated encryption will be covered in detail.
The second day covers clever tricks for manipulating implementation vulnerabilities and holes in the glue between secure protocols. Participants will be able to practice different types of man-in-the-middle attacks, and different techniques for getting in the middle.
Moxie Marlinspike is a fellow at the Institute For Disruptive Studies with over thirteen years of experience in attacking networks. He is the author of sslsniff and sslstrip, the former of which was used by the MD5 Hash Collision team to deploy their rogue CA cert and the latter of which continues to implement Moxie's deadly "stripping" technique for rendering communication insecure. His tools have been featured in many publications including Hacking Exposed, Forbes Magazine, The Wall Street Journal, the New York Times, and Security Focus, as well as on international TV.

Detection of Hardware Keyloggers

Fabian Mihailowitsch, Independent Researcher
Hardware keyloggers are tiny devices that are plugged in between a keyboard and a computer. They are available for PS/2 as well as USB keyboards. Once plugged in, they are able to record all key strokes and store them in an internal memory. Current models have several megabytes of memory, store the recorded data encrypted, support timestamping of the keyboard events, and some can even transfer the key strokes wirelessly. However, the main focus of hardware keyloggers is to stay undetected. Most manufacturers claim that their models cannot be detected by software and thus have an advantage over software-based keyloggers. But it is not just the manufacturers who claim hardware keyloggers to be undetectable; the common belief is also that they cannot be detected. However, that is not correct. Hardware keyloggers make slight changes to the interaction between the keyboard and the computer. These changes can be detected by software and used to determine whether a hardware keylogger is present or not. For example, some USB keyloggers change the USB signaling rate or act as a USB hub. These changes are quite obvious and can be detected easily. When trying to detect PS/2 keyloggers, things get more difficult. Nevertheless, it is possible. For example, whenever PS/2 keyloggers tap the wire actively (meaning the data is redirected via the microcontroller of the keylogger), this influences the transfer rate between the keyboard controller (KBC) on the motherboard and the microprocessor of the keyboard. By measuring this time delay, PS/2 hardware keyloggers can be detected too. During the talk an introduction to hardware keyloggers will be given. This introduction covers their features, how they work, and gives a short market overview. Afterwards, various techniques will be described to detect hardware keyloggers. Some of them are theoretical, as they did not work for the tested models. Others, however, are practical and can be used in real-case scenarios.
For each technique a detailed presentation will be given, explaining the basic idea, the necessary technical background and the results in practice. Finally, a proof-of-concept tool will be released that implements some of the techniques to detect PS/2 and USB hardware keyloggers.
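As an added illustration of the USB indicators the abstract names (a keylogger that enumerates as a hub in front of the keyboard, or that changes the keyboard's signaling rate), the following Python snippet compares a snapshot of the USB device tree against a trusted baseline inventory and reports those two changes. It is example code written for this page, not the speaker's proof-of-concept tool; the tree, the vendor:product identifiers and the baseline are constructed sample data, and a real deployment would populate them from the host's USB enumeration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed model of one USB topology snapshot (not taken from any real host).
# Signaling rates in Mbit/s: 1.5 = low speed, 12 = full speed, 480 = high speed.
@dataclass
class UsbNode:
    path: str                  # topology path, e.g. "1-3" (root port 3) or "1-3.1" (port 1 of the hub on 1-3)
    vid_pid: str               # vendor:product identifier; sample values below are placeholders
    speed_mbps: float          # negotiated signaling rate
    is_hub: bool = False
    is_keyboard: bool = False
    children: List["UsbNode"] = field(default_factory=list)


def iter_keyboards(node: UsbNode, ancestors: Tuple[UsbNode, ...] = ()) -> Iterator[Tuple[UsbNode, Tuple[UsbNode, ...]]]:
    """Depth-first walk yielding each keyboard together with its chain of ancestor nodes."""
    if node.is_keyboard:
        yield node, ancestors
    for child in node.children:
        yield from iter_keyboards(child, ancestors + (node,))


def keylogger_indicators(root: UsbNode, baseline: Dict[str, Tuple[str, float]]) -> List[Tuple[str, str]]:
    """Compare the current tree against a trusted baseline {vid_pid: (path, speed_mbps)}.

    Returns (keyboard path, reason) pairs for the two changes the abstract describes:
    a hub interposed on the keyboard's former port, or a changed signaling rate.
    """
    findings: List[Tuple[str, str]] = []
    for kb, ancestors in iter_keyboards(root):
        if kb.vid_pid not in baseline:
            findings.append((kb.path, "keyboard not present in baseline inventory"))
            continue
        base_path, base_speed = baseline[kb.vid_pid]
        parent: Optional[UsbNode] = ancestors[-1] if ancestors else None
        # Indicator 1: a hub now occupies the port the keyboard used to be on, and the
        # keyboard hangs alone off that hub (a pass-through device enumerating as a hub).
        if parent is not None and parent.is_hub and parent.path == base_path and len(parent.children) == 1:
            findings.append((kb.path, f"hub interposed at {base_path}; keyboard is its only child"))
        # Indicator 2: the negotiated speed differs from the baseline (e.g. a full-speed
        # keyboard now enumerates at low speed through the interposed device).
        if kb.speed_mbps != base_speed:
            findings.append((kb.path, f"signaling rate changed from {base_speed} to {kb.speed_mbps} Mbit/s"))
    return findings


# Constructed baseline: the keyboard (placeholder id aaaa:0001) sat directly on root port 3 at full speed.
BASELINE: Dict[str, Tuple[str, float]] = {"aaaa:0001": ("1-3", 12.0)}


def clean_snapshot() -> UsbNode:
    """Constructed tree matching the baseline: keyboard on root port 3, a mouse on port 5."""
    return UsbNode("1-0", "bbbb:0000", 480.0, is_hub=True, children=[
        UsbNode("1-3", "aaaa:0001", 12.0, is_keyboard=True),
        UsbNode("1-5", "aaaa:0002", 1.5),
    ])


def suspect_snapshot() -> UsbNode:
    """Constructed tree with a pass-through device on port 3 that enumerates as a hub
    and re-exposes the keyboard one tier deeper at low speed."""
    return UsbNode("1-0", "bbbb:0000", 480.0, is_hub=True, children=[
        UsbNode("1-3", "cccc:0000", 12.0, is_hub=True, children=[
            UsbNode("1-3.1", "aaaa:0001", 1.5, is_keyboard=True),
        ]),
        UsbNode("1-5", "aaaa:0002", 1.5),
    ])


if __name__ == "__main__":
    for path, reason in keylogger_indicators(suspect_snapshot(), BASELINE):
        print(path, reason)
```

The check is a heuristic, as the abstract itself notes for the techniques it covers: a legitimate hub or a keyboard moved to another port also produces a topology change, so a finding is a prompt to inspect the cable physically rather than a verdict on its own.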
Fabian Mihailowitsch studied information technology with a specialization in software engineering and worked as a Java software developer for three years. In 2008, however, he decided to turn his hobby into his profession. He joined a German consulting company and has worked as an IT security consultant since then. In his job he performs code reviews and penetration tests of different kinds of applications and networks. In his free time (spent on IT security) he likes to develop and play around with Linux rootkits. Recently his private research led him to hardware-based keyloggers…

Developers are from Mars, Compliance Auditors are from Venus

Neelay S. Shah, Rudolph Araujo, Foundstone Inc., A Division of McAfee
In this day and age multitudes of regulations exist, and many of them have a direct impact on the applications developed and used within organizations. These regulations are often written by lawyers and people without a whole lot of software development experience. What is perhaps worse is that often the people who assess compliance have little to no such experience either. Unfortunately, all of this leads to a difficult situation wherein the expectations of software development teams are often vague and unclear. In working with numerous developers over the years, we have found that in spite of spending countless hours trying to comprehend them, developers still end up misinterpreting them and designing and developing their applications in a non-compliant manner. And while the requirements may be ambiguous, the consequences of failing to comply (ranging from fines to public relations disasters and even jail time) are crystal clear. No developer wants to be in a position where their code is responsible for the company being out of compliance. In this talk, the primary focus is to provide developers, testers, project managers and software security personnel with a best-practice-based framework for thinking about compliance with major regulations such as PCI-DSS, HIPAA, SOX and GLBA. We focus on key considerations both from a longer-term strategic software engineering perspective and from a more tactical day-to-day basis. Our goal is to enable a development team to quickly understand when specific regulations are applicable, the underlying intent of the regulatory requirement, and what processes / technologies the developers can leverage to ensure that their applications are in compliance. While we will provide examples based on the current regulatory environment, the lessons we include are intended to help the development community apply the same analysis framework to any regulations that might come in the future as well.
Neelay is a Senior Software Security Consultant and a lead instructor at Foundstone, where he specializes in performing threat modeling and security code reviews for a variety of enterprise products ranging from user-mode applications to complex hardware virtualization software, file system device drivers and custom kernels. Neelay developed the Writing Secure Code - C++ class and is responsible for delivering the class as well as maintaining its current content. Neelay is the author of multiple software and network security tools and whitepapers such as Foundstone Socket Security Auditor, DIRE, CredDigger and HacmeTravel. Neelay was awarded the Microsoft Most Valuable Professional (MVP) - Developer Security Award in 2009 in recognition of his technical leadership and significant contributions to the developer community. Neelay also holds the Payment Card Industry Data Security Standard (PCI-DSS) Qualified Security Assessor (QSA) certification.
Rudolph serves as a Technical Director responsible for leading the software and application security service lines. He also leads the content creation and training delivery for Foundstone's software security classes. Rudolph's experience at Foundstone is varied and includes helping secure custom operating system kernels, hardware virtualization layers, device drivers as well as user-mode standalone, client / server and web applications. Rudolph is an experienced C / C++ and C#/.NET developer and the author of a number of Foundstone's free tools. He is also a contributor to MSDN's webcast series and to multiple industry journals such as Software Magazine, where he writes a column on secure software engineering. Rudolph has been honored for the last five years in a row with the Microsoft Visual Developer - Security MVP Award in recognition of his thought leadership and contributions to the security and developer communities. He has also written the foreword for the Microsoft Patterns and Practices Group's Web Services Security Guide and is a contributing author to the book Developing More-Secure Microsoft ASP.NET 2.0 Applications. Rudolph is a speaker at security and developer conferences such as OWASP, Microsoft Tech-Ed, SD West and SD Best Practices.

DIY malware analysis with Minibis

Aaron Kaplan & Christian Wojner, CERT.at
This talk will show people how to use Minibis - the "mini Anubis" - mass-malware analyzer. Since most malware is still easily run-time analyzable via virtualization, we can extract a wealth of knowledge via mass malware analysis. Participants will learn how to crunch through large numbers of malware samples and extract any information they seek, such as resolved domain names, the top registry changes, etc.
L. Aaron Kaplan and Christian Wojner work at CERT.at, the national CERT of Austria.

Electronic Locks - are they really secure?!

Babak Javadi & Deviant Ollam, TOOOL
Many people are familiar with the ways in which mechanical locks can be attacked, compromised, and bypassed. Indeed, the hands-on workshops and the availability of pick tools at the Lockpick Village is an enduring part of the fun at DeepSec and other popular security conferences around the world. Often, attendees will ask questions like, "So, this is really great... but what if someone is using an electronic lock? How hard is it to open the door, then?" Unfortunately, due to time and space constraints, our answer is typically, "Well... that's a very complicated question. Sometimes they're good, and sometimes they're weak." We often promise greater detail another day, another time... but until now that time has not come. Finally now, however, TOOOL will describe some of the most popular electronic locks and show examples of how they can sometimes be attacked.
Babak Javadi is a noted member of the physical security community, well-recognized among both professional circles (due to the work of his consulting firm, The CORE Group) as well as in the hacker world (where he can often be seen at events hosted by TOOOL, The Open Organisation Of Lockpickers). His first foray into the world of physical security was in the third grade, where he was sent to detention for describing to another student how to disassemble the doorknob on the classroom door. Babak is an integral part of the numerous lockpicking workshops, training sessions, and games that are seen at annual events like DEFCON, ShmooCon, NotACon, QuahogCon, HOPE, and Maker Faires across the country. He likes spicy food and lead-free small arms ammunition.

While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year Deviant runs the Lockpicking Village at DEFCON, ShmooCon, HackCon, and ekoparty, and he has conducted physical security training sessions at Black Hat, ToorCon, HackCon, ShakaCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, and 10th.

Identicate and Authentify: Improving future implementations to address real security challenges

Jennifer Jabbusch, Carolina Advanced Digital, Inc.
Identification and authentication are two fundamental concepts of security that are frequently confused and obscured. Without a proper grounding, addressing current and future challenges becomes more cumbersome and costly. This talk lays the foundation for effective identification and authentication, outlining current practical applications and guiding a thought-provoking theoretical discussion of future considerations for these essential concepts. Participate in the discussion that will drive the future of identification, trust models, national IDs and the use (or misuse) of biometrics and other identifying attributes.
Jennifer Jabbusch is an infrastructure security specialist and consultant with Carolina Advanced Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the technology industry. Most recently, Ms. Jabbusch has focused on specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies.
Jennifer has consulted for a variety of government agencies, educational institutions and Fortune 100 and 500 corporations. In addition to her regular duties, she participates in a variety of courseware and exam writings and reviews, including acting as subject matter expert on Access Control, Business Continuity and Telecommunications, and lead subject matter expert in the Cryptography domains of the official (ISC)2 CISSP courseware (v9). You can find more security topics and musings on her security blog.

Log Visualization in the Cloud

Raffael Marty, Founder @ Loggly
Over recent years, organizations have collected more and more data and log files within their networks, systems, and cloud environments. Oftentimes, the data ends up being stored and archived without ever being used. This can be attributed to a lack of tools that help process and analyze all the data, but also to a lack of knowledge around data analysis. Especially in the era of cloud computing, it becomes increasingly important to stay on top of log analysis and to understand visualization.
In this presentation we will explore how we can leverage visualization to uncover hidden problems. We will see how cloud services can assist us with log management and support an effective visualization environment. We will discuss common visualization libraries and have a look at how they can be deployed to solve security and IT problems. We will look at a number of visualization examples that show how security data benefits from visual representations. For example, how can network traffic, firewall data, or IDS data be visualized effectively?
Raffael Marty is the founder of Loggly - a log management in the cloud company. He is a seasoned IT security professional with a passion for data analysis and visualization. Raffy used to hold various positions in the log management space at companies like Splunk, ArcSight, and IBM research, where he also earned his masters in computer science.
A security geek at heart, Raffy spends a ton of time analyzing and visualizing logs. To help visualize the data, he co-wrote the AfterGlow visualization tool and started the Data Analysis and Visualization Linux (DAVIX), a visualization live CD.
Raffy has been instrumental in building and defining the security visualization space. The SecViz portal, DAVIX, and his book, Applied Security Visualization, are the prime resources for information related to security visualization.
Raffy loves public speaking, and presents regularly at security and hacker conferences around the world. He was the founding member of the common event expression (CEE) standard that is concerned with standardizing machine interoperability. In his spare time, Raffy surfs the California waves and finds peace in meditation. Raffy lives and works in San Francisco.

LTE Radio Interface structure and its security mechanism

Herbert Koblmiller, T.B.A.
LTE uses a completely different radio architecture than GSM and UMTS and tries to simplify its procedure and layer structure in order to improve data throughput and latency. Getting rid of the signalling overhead of UMTS while being comparably robust to GSM will possibly be the path for LTE to become the successor for the next centuries. This could mean that security mechanisms in the radio interface have to be flexible to future developments like LTE Advanced.

Malware goes to the Movies

Dr. Aleksandr Yampolskiy, Gilt Groupe
As the criminals adapt, they look for new ways to distribute malware. This talk will examine new types of malware that spread through online videos, music files, and images. We begin by analyzing media malware trends, and discover that many of the attacks are not targeted and that they are usually reliant on social engineering and blackhat search engine optimization. Next, we provide a taxonomy of different attack vectors. We show that music and video files are commonly infected via URLANDEXIT script injection or DRM licensing abuse, where a user is tricked into downloading malware posing as a "fake codec". We analyze a growing trend of fake Youtube sites, covering the latest news events. These sites are often advertised through social networking sites, such as Facebook. We demonstrate how easy it is to set up such sites, via a YTFakeCreator toolkit. We then discuss how images of Angelina Jolie have been used to exploit the JPEG GDI buffer overflow vulnerability in the past, and how it's still prevalent nowadays. Finally, we discuss some protection mechanisms, ranging from OS configuration changes to disable URLANDEXIT commands, to a custom tool (that will be open-sourced after the talk), which can help easily detect the malware before downloading the entire video. Our tool uses some innovative ideas, such as sequential downloads of the media file, and entropy analysis to detect injected script commands.
Dr. Aleksandr Yampolskiy heads the Security and Compliance team in the Gilt Groupe. He is responsible for all aspects of security: application security, protecting the company through penetration testing and auditing of network infrastructure, establishing IT security controls, conducting security awareness training, fraud detection, and overseeing PCI compliance efforts. Prior to this position, Aleksandr Yampolskiy worked at Goldman Sachs, Oracle, and Microsoft in various capacities. He has been a lead technologist for SSO, entitlement, IDM, and identity federation solutions. Aleksandr Yampolskiy has advised various businesses on best practices for integrating security into their products, while complying with internal/external policies and regulations. Aleksandr has been cited in the NY Times and Yale Scientific, and has published half a dozen articles in top security conferences. In 2006, he was awarded the Best Paper Award at the Public Key Cryptography conference for discovering the most efficient Verifiable Random Function to date. He has a B.A. in Mathematics/Computer Science from New York University, and a Ph.D. in Cryptography from Yale University.

Malware World 2010 - Beware the Predators

Toralv Dirro, McAfee Labs
Malware is still on the rise, numbers are growing, but everyone knows that. So we try to take a look behind the obvious to find the reasons for this development. And 2010 has been an interesting year with regard to large scale targeted attacks that were openly talked about in the media (Aurora, Stuxnet); how are those different from your everyday botnet zombie stuff? We'll compare the attack vectors those operations were using with the attacks that millions of home PCs fall prey to. So the attackers are getting better; what has the defense side been up to? This section looks back upon the effectiveness of "cloud based" security after 3 years in the field and what's happening next.
Toralv Dirro works for McAfee as McAfee Labs EMEA Security Strategist. Working in Virus Research for many years since 1994 at McAfee (Dr Solomon's Software back then), after analysing viruses at the University of Hamburg before that, he finally got bored with debugging things and focused on Network IPS and Vulnerability Assessment / Management. He rejoined the research team in 2006, focusing on trojans, Fake-AV/Scareware and cyber crime related topics. Toralv Dirro is a well reputed expert on next generation AV Technology and Network Intrusion Prevention and is a frequent speaker on those topics.
No academic papers, but he is a frequent speaker at events and conferences, a contributor to nearly all McAfee Labs Quarterly Threat Reports, and the author of many short articles for a range of publications.

Mobile privacy: Tor on the iPhone and other unusual devices

Marco Bonetti, CutAway s.r.l.
Mobile phones are still a proving ground for keeping users' privacy safe. This presentation will describe the problems which are arising around the use of these technologies and how they can affect mobile users. It will propose Tor as a possible solution for some of these problems, describing its own strengths and weaknesses and the efforts developers put into implementing a working port of the program on different devices, from the Chumby One to my own port for the iPhone platform. Finally, it will also describe where the development is going to protect mobile phone users' privacy and let them survive their own devices.
Marco Bonetti is a Computer Science engineer with a lot of passion for free and open source operating systems. Interested in privacy and security themes, he's following the emerging platforms for the protection of privacy in hostile environments. As he didn't find any suitable distribution for his PowerBook, he created Slackintosh: the unofficial PowerPC port of the famous Slackware Linux distribution. He's currently working as a security consultant for CutAway.

Mobile VoIP Steganography: From Framework to Implementation

Rainer Poisel & Marcus Nutzinger, Institute of IT Security Research, St. Polten University of Applied Sciences, Austria
The need for steganography has arisen from scenarios that forbid the application of cryptographic algorithms for secure communications. Countries that have made secret message exchange an offence are an example of such scenarios. This talk describes the development and implementation of a framework based on a novel layered model for auditive steganography. The focus of this presentation is a description of the implementation for mobile devices, which includes a version for commodity hardware, e.g. WLAN routers, using the OpenWRT SDK. Further, the integration into mobile or satellite phones is discussed. Our approach is based on algorithms that use the analogous representation of the digital cover media, hence making the covert channel more resistant against transmission errors.
The author studied Telecommunications and Media at the University of Applied Sciences in St. Pölten and Informatik Management at the Vienna University of Technology. He is working as a scientific researcher at the Institute of IT Security Research at the University of Applied Sciences in St. Pölten.

Night Talk: Security Awareness

Stefan Schumacher, www.kaishakunin.com
Stefan Schumacher is a freelance security consultant with a focus on Social-Engineering, Security-Awareness and Counter-Intelligence. He has been active in the Open Source and Hacker scene for about 15 years. He is a NetBSD developer and is interested in operating systems, cryptography and backup technology. He also writes technical articles and documentation. Since 2007 he has been studying Educational Science and Psychology at Otto-von-Guericke-University Magdeburg/Germany and does research in the security field from a social science point of view. Since 2010 he has been the President of the Magdeburg Academic Society for Foreign and Security Policy Studies.

OsmocomBB: A tool for GSM protocol level security analysis of GSM networks

Harald Welte, hmw-consulting
The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry, comprising cellphone chipset makers and network operators, has kept its hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: a simple transceiver that will send arbitrary protocol messages to a GSM network. Well-known and established techniques like protocol fuzzing can finally be used in GSM networks and reveal how reliable and fault tolerant the equipment used in GSM networks really is.
Harald Welte is a freelancer, consultant, enthusiast, freedom fighter and hacker who has been working with Free Software (and particularly the Linux kernel) since 1995. His first major code contribution to the kernel was within the netfilter/iptables packet filter. He has started a number of other Free Software and Free Hardware projects, mainly related to RFID, such as librfid, OpenMRTD, OpenBeacon, OpenPCD, OpenPICC. During 2006 and 2007 Harald became the co-founder of OpenMoko, where he served as Lead System Architect for the world's first 100% Open Free Software based mobile phone. Aside from his technical contributions, Harald has been pioneering the legal enforcement of the GNU GPL license as part of his gpl-violations.org project. More than 150 inappropriate uses of GPL licensed code by commercial companies have been resolved as part of this effort, both in court and out of court. He has received the 2007 "FSF Award for the Advancement of Free Software" and the "2008 Google/O'Reilly Open Source award: Defender of Rights". In 2008, Harald started to work on Free Software on the GSM protocol side, both for passive sniffing and protocol analysis, as well as an actual network-side GSM stack implementation called OpenBSC. He is currently in the early design phase for the hardware and software design of a Free Software based GSM baseband side. He continues to operate his consulting business hmw-consulting.

Passwords in the wild: What kind of passwords do people use, and how do we crack them?

Ron Bowes, SkullSecurity.org
Recent years have been a golden age for password research; between breaches of Rockyou, MySpace, PHPBB, Carders.cc (which is currently unreleased) and countless other sites, tens of millions of passwords, both plaintext and hashed, have been released onto the Internet. In-depth analysis of these breaches provides valuable insight into the psychology of users, and a clear understanding of how they were lost, found, and cracked will help protect you from suffering the same loss. We will also look at how the passwords were cracked: from old techniques like bruteforce to new techniques like Markov chains, from intelligence to raw horsepower, and from leaked password lists to exposed Facebook names, what is the ideal way to crack passwords? And, with these techniques in hand, what does this mean for security professionals?
Ron Bowes entered the security industry during high school when he taught himself assembly and reverse engineered the login sequences for several popular Blizzard titles (including Starcraft and Warcraft 3). Since then, he obtained a Bachelor of Computer Science at the University of Manitoba, and worked several jobs in private industry before becoming a Security Analyst for the Province of Manitoba. After several years of government work, he started work as a researcher and reverse engineer for Tenable Network Security in 2010 and is there today. Outside of his day job, he runs a security consulting company (Dash9 Security), he is an active Nmap developer, he compiles and disseminates research data on leaked or cracked passwords, and he currently maintains and develops dnscat, which implements reverse shells over DNS in new and clever ways.

Payload already inside: data re-use for ROP exploits

Long Le & Thanh Nguyen, Intel Corporation / VNSECURITY
Return-oriented programming (ROP) is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitation on Windows and iPhoneOS to bypass DEP and code signing, but no practical ROP work for modern Linux distributions so far. The main issues for ROP exploitation on Linux x86 include ASCII-Armor address protection, which maps libc addresses starting with a NULL byte, and Address Space Layout Randomization (ASLR). In this presentation we will show how we can extend an old return-into-libc technique to a stage-0 loader that can bypass ASCII-Armor protection and make ROP on Linux x86 become a reality. In addition, by reusing not only code but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection.
Long Le, CISA, is a security manager at one of the largest software outsourcing companies in Vietnam. He has been actively involved in computer security for more than 10 years, since he and his friends founded the pioneer Vietnamese security research group VNSECURITY (http://vnsecurity.net). Described as neither a researcher nor a hacker, he loves playing wargames and Capture-The-Flag with the CLGT team in his spare time. In 2007 he was an organizing and technical committee member of VNSECON - the first international security conference in VN.

Thanh Nguyen is a member of the Security Center of Excellence at Intel Corporation, where he focuses on (in)security analysis and hacking of various Intel next generation technologies/components in firmware, chipset and processor. Thanh has 15 years of hacking experience in a wide range of technologies from high scalability web architecture to low level OS development, chipset and uArch. His current interests are finding bugs on PC/mobile phone platforms, high scalability architecture, rootkits, reverse engineering and hacking proprietary algorithms/protocols. Thanh is a founder of VNSECURITY and a member of The Hacker's Choice (thc.org) security research groups.

Pentesting and Securing IPv6 Networks

Marc "van Hauser" Heuse, Baseline Security
This is the only workshop in the world which shows you how to perform on IPv6 networks - in theory and hands-on, as this is the only workshop which supplies you with the necessary tools, which are available nowhere else.
Today IPv6 is available on every desktop and every server, as all operating systems since Windows XP and Linux Kernel 2.2 support IPv6. Hosting providers start to offer IPv6 addresses and networking. IPv6 is already available in corporations, e.g. all major mobile providers already support it on their backbones.
This training explains the IPv6 issues, concentrating on the security vulnerabilities inherent in the protocol as well as configuration issues and implementation problems. All so far known vulnerabilities are presented and students will be able to try them out themselves with supplied tools on the test network.
Then - switching sides - it is explained how to secure IPv6 systems (Windows, Solaris, Linux) and especially large networks including routing and how to solve the difficult firewalling questions which arise with IPv6. New advances like SEND, new DHCP6 developments and ISATAP etc. are included.
Trainees will not only receive the current unpublished version of the thc-ipv6 protocol attack suite (which has more than twice the functionality of the current public release) but also receive direct development source code access for the future. Some of the code will begin to be published in 2011 only.
Marc "van Hauser" Heuse has been performing security research since 1993, having found vulnerabilities in software like firewalls, DNS servers, SAP middleware, etc., and is the author of various famous security and pentest tools like hydra, amap, THC-Scan, secure_delete, SuSEFirewall and many more.
He has been performing security research on IPv6 since 2005 and has spoken at many conferences on this topic since then, among these the CCC congress (Germany), Cansecwest (Canada), PacSec (Japan) and many more international conferences, and additionally has programmed the solely available pentest toolkit for IPv6: the thc-ipv6 protocol attack suite.
In 1995 he founded the renowned security research group "The Hacker's Choice", which was the first group to e.g. crack A5 GSM in 2006 within a minute. Since 1997 he has been working as a security consultant in the top-5 enterprise consultant companies; since 2007 he has been working as an independent security consultant.

Physical Security

Thomas Hackner, OpenLocks.at
Security has to be effective and efficient. To reach this, every security aspect of a company has to be analysed and integrated into a holistic view derived from the company's goals. An often overlooked part is the security of physical premises and computing centres. Thousands of Euros spent on electronic defence mechanisms are useless if an attacker is able to easily gain physical access and steal backup tapes.
This workshop is designed to help the attendees understand the basic physical security concepts, possible threats and vulnerabilities and which concepts to apply to better secure their company's assets. Attendees will be introduced to attackers' methods of operation theoretically and practically to foster better understanding and to find the correct security measures to prevent those.
First the participants will get an overview of attackers and their modus operandi by reviewing some publicly recognised statistics. In the next step, general security concepts for securing companies' premises and their buildings are provided. From then on, the attendees will directly address specific components of an overall security system in the form of information blocks, composed of a theoretical introduction, a practical part on how attackers work and a solution to the threats and vulnerabilities discussed before. These information blocks are: Window Security (Tilted Windows, Closed Windows), Closed but not locked doors (Attacks on the door latch), Destructive entry on doors and security measures, Non-destructive entry on door locks and what to think about when installing locking systems. By attending this workshop, participants will gain enough knowledge to basically assess the physical security of their own company and assist in finding the correct security measures to better secure their company's assets.
Thomas Hackner is founder of the Austrian lockpicking group OpenLocks.at and has 4 years of experience in practically opening locks and locking systems. Since 2003 he has been administrator of the Austrian security portal Defense.at. In 2005 he founded the Hacking Group Hagenberg, to support students in learning IT security from a practical point of view. Since 2007 Thomas Hackner has been lecturer of "Physical Security" at the University of Applied Sciences Hagenberg in Upper Austria. Since September, he is self-employed and runs his own business dedicated to auditing companies electronically and physically to provide a holistic view of the company's security state. Thomas Hackner holds a Master of Science degree from the University of Applied Sciences in Hagenberg and is working together with the Edith Cowan University, Western Australia to assess the security of building management systems (BMS).

Recent advances in IPv6 Insecurities

Marc Heuse, Baseline Security Consulting
Five years have passed since my initial talks on IPv6 insecurities in 2005 and 2006. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to better security of the protocol; several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks, especially in multicast scenarios. As an add-on, discovered implementation security issues in Windows 7/2008, Linux and Cisco will be shown too. Let's hope patches are out by the conference; if not - they had enough time. All accompanied with GPL'ed tools and a library: the new thc-ipv6 package, rewritten, expanded, enhanced.
Marc "van Hauser" Heuse has been performing security research since 1993, having found vulnerabilities in software like firewalls, DNS servers, SAP middleware, etc., and is the author of various famous security and pentest tools like hydra, amap, THC-Scan, secure_delete, SuSEFirewall and many more. He has been performing security research on IPv6 since 2005 and has spoken at many conferences on this topic since then, among these the CCC congress (Germany), Cansecwest (Canada), PacSec (Japan) and many more international conferences, and additionally has programmed the solely available pentest toolkit for IPv6: the thc-ipv6 protocol attack suite. In 1995 he founded the renowned security research group "The Hacker's Choice", which was the first group to e.g. crack A5 GSM in 2006 within a minute. Since 1997 he has been working as a security consultant in the top-5 enterprise consultant companies; since 2007 he has been working as an independent security consultant.

Remote Binary Planting – An Overlooked Vulnerability Affair

Mitja Kolsek, ACROS Security
The binary planting vulnerability, although documented for over a decade, remained overlooked by researchers and developers alike - until now. Our research hopes to put it in its rightful place on the top 10 lists where it seems to belong. Binary planting is an attack method where an attacker places a malicious executable on a local or network drive, possibly on the Internet, from where a vulnerable user's application will load and execute it. The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables. In order to perform the research, we developed a tool for monitoring how applications set their current working directory and how they load their binaries. We launched the tool against more than 200 leading Windows applications. The results were surprising: almost every one of them was vulnerable to remote attacks. The more than 520 vulnerabilities we discovered in these applications amount to roughly 100,000,000,000 (yes, that's a hundred billion!) holes in existing computers worldwide. In many cases, the malicious binary is loaded immediately after a user double-clicks a remote document, which we dubbed a "double-click-bang" effect. (Such bugs can easily be turned into worms.) Live attack demonstrations for various types of these vulnerabilities will show how easily exploitable many of them are. We will show how Windows Explorer and most of the leading file management alternatives make it easier to exploit these bugs, and explain why Microsoft can't implement any quick fixes to eliminate them without breaking many existing applications. Apart from collecting binary planting bugs, our research aimed to discover the root causes of their existence. We will show the common mistakes developers make to introduce binary planting vulnerabilities in their products, and try to explain why they make them.
We will also see how an application can become vulnerable when ported to another Windows platform. Finally, developers in the audience will get tips for avoiding or fixing binary planting bugs in their code, and users will learn what they can do to protect themselves.
In over 12 years of security addiction, Mitja has perforated an array of business-critical products, computer systems and protocols by leading software vendors, searching for atypical vulnerabilities and effective ways of fixing them. His passion is security research, discovering new types of security problems, such as "session fixation", and new twists on the known ones, such as "binary planting".

SAP Security In-Depth

Mariano Nuñez Di Croce, Onapsis
Have you ever wondered whether your business-critical SAP implementation was secure? Do you know how to check it? Have you imagined which could be the impact of an attack to your core business platform? Do you know how to prevent it? This training is the answer to these questions.
For many years, SAP security has been a synonym of "segregation of duties" or "securing roles and profiles". While this kind of security is mandatory and of absolute importance, there are many threats that have been so far overlooked and are even more dangerous, such as the possibility of taking remote control of the entire SAP landscape without having any user in any system.
This training will help you to fill this knowledge gap, allowing you to understand the involved threats and risks and how to mitigate them. You will review the whole picture, from the security of the Environment and the SAP application-level gateways (SAProuter, Webdispatcher), through the assessment and hardening of the Operating Systems and Databases and their interaction with the SAP systems up to the security of the SAP Application Layer: Authentication, User security, Password Policies, Authorization subsystem, Interface Security, ABAP security concepts, Component Security, Backdoors, Auditing, Monitoring and more!
The training is organized with many hands-on exercises, which will help you grasp practical knowledge quickly. You will learn how to assess the security of an SAP implementation and then secure the critical security gaps you discovered. You will be able to learn how to use different SAP security tools, as well as Onapsis Bizploit, the first open-source ERP Penetration Testing Framework.
The training also provides a quick introduction to basic SAP concepts, which allows non-SAP security professionals to follow the course smoothly.
Mariano Nuñez Di Croce is the Director of Research and Development at Onapsis. Mariano has long experience as a Senior Security Consultant, mainly involved in security assessments and vulnerability research. He has discovered critical vulnerabilities in SAP, Microsoft, Oracle and IBM applications.
Mariano leads the SAP Security Team at Onapsis, where he works on hardening and assessing the security of critical SAP implementations in organizations worldwide. He is the author and developer of the first open-source SAP & ERP penetration testing frameworks and has discovered more than 50 vulnerabilities in SAP applications. Mariano is also the lead author of the "SAP Security In-Depth" publication and a founding member of BIZEC, the Business Security community.
Mariano has been invited to give presentations and trainings at many international security conferences such as BlackHat USA/EU, HITB Dubai/EU/Malaysia, DeepSec, Sec-T, Hack.lu, Ekoparty and Seacure.it, as well as to host private trainings for Fortune-100 companies and defense contractors. Mariano has a degree in Computer Science Engineering from the UTN.

Social Engineering Training for IT Security Professionals

Sharon Conheady & Martin Law, First Defence Information Security Ltd.
Social engineering is the use of deception or impersonation to gain unauthorised access to sensitive information or facilities. Because computer security is becoming more sophisticated, hackers are combining their technical expertise with social engineering to gain access to sensitive information or valuable resources in your organisation. Social engineering attacks can have disastrous consequences, both financially and reputationally. You can have the best technical security controls in the world, from the most expensive firewall to the most sophisticated biometrics, but they will not protect you from a social engineering attack. In any security programme people are the weakest link. Social engineering tests can be used to evaluate and strengthen this link. Like any penetration test, social engineering tests can help to identify security weaknesses that could allow your IT systems to be compromised. Such tests can:
  • Give a good indication of and even improve your staff’s level of security awareness
  • Teach your staff how to identify and deal with social engineering situations
  • Provide valuable recommendations on both security awareness and physical security
However, it can be difficult to know how to conduct a social engineering test. This training course will teach participants how to conduct an ethical social engineering test as well as giving recommendations on how to defend against social engineers. The two-day training course is split into four parts and will include practical exercises:
  • Part 1: Social engineering theory
    What is social engineering? The evolution of social engineering
    Why does social engineering work? The principles on which social engineering is based
    Who are the social engineers? The legal and ethical aspects of social engineering tests
  • Part 2: Practical social engineering
    Common social engineering techniques (e.g. mumble attack, road apples, 10 attack, phishing)
    Analysis of social engineering attacks: personal experience, media case studies
    How to practice social engineering techniques
  • Part 3: The social engineering test
    The ‘get out of jail free’ card
    How to conduct a social engineering test: Target identification, Reconnaissance (passive information gathering and physical reconnaissance), Pretexting/scenario creation, Attack execution
    Evidence collection
    How to create a social engineering report
    Specific scenarios: Offices, Data centres, Call centres
  • Part 4: Defending against social engineering
    Logical security controls
    Physical security
    Security policies
    Education and awareness
Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has presented on social engineering at security conferences including Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe.

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Martin Law has over 19 years of security expertise and has been performing social engineering tests since 1994. He specialises in accessing data centres by using social engineering techniques and bypassing physical security like a geeky James Bond.
Martin also undertakes investigations into actual or suspected security breaches, and specialises in the area of Information Warfare. He attempts to breach not only the logical security of systems and networks, but also the physical security of the infrastructure and buildings, including the use of social engineering when engaged in an "All-Out-Attack" against an enterprise. Having considerable depth of technical experience in open and distributed systems, as well as networking, in multi-vendor environments, Martin has spent nearly 23 years in the UNIX and TCP/IP arena, having started his career as a developer of UNIX systems.

Stop complaining and solve a security problem instead!

Ivan Ristić, Qualys, Director of Engineering
We have failed. Decades of ignorance have brought us to this point, right now, where software is universally insecure. It's tempting to hope that someone else will make things better, but letting things slide is exactly what got us here. Pointing to problems is not enough, either. We must pick ourselves up, dust ourselves off, and start fixing things. We must each take a problem -- no matter how small -- and fix, or help fix, the root cause.
Ivan Ristić is a respected security expert and author, known especially for his contribution to the web application firewall field and the development of ModSecurity, the open source web application firewall. He is also the author of Apache Security, a comprehensive security guide for the Apache web server, and ModSecurity Handbook. He founded SSL Labs, a research effort focused on the analysis of the real-life usage of SSL and the related technologies. A frequent speaker at computer security conferences, Ivan is a member of the Open Web Application Security Project (OWASP), and an officer of the Web Application Security Consortium (WASC). He works for Qualys as Director of Engineering, WAF and SSL services.

Targeted DOS Attack and various fun with GSM Um

Sylvain Munaut, Independent Researcher
Recent years have seen a dramatic drop in the barrier to entry into GSM research. A couple of years ago, tools like OpenBTS and OpenBSC appeared, allowing anyone to run an experimental GSM network on a relatively low budget. Much more recently, Osmocom-BB brought MS-side (mobile station) experimentation within an even lower budget. This talk presents an exploit, discovered while working on those projects, that allows a DoS against a specific target, from its first inception to its actual implementation on a TI Calypso-based phone running custom firmware. The talk will also cover other interesting tricks possible with modified phones, such as using them as a cheap alternative to a USRP for passive listening.
Sylvain Munaut is a computer science and electrical engineer with a strong interest in free and open source software. He has been involved in a wide range of projects, both hardware and software, such as porting and maintaining Linux 2.6 on new platforms (MPC5200), image signal processing on FPGA (JPEG 2000), embedded systems hardware design, and even work on web applications. A little less than two years ago, he turned his interest to GSM and progressively became involved with projects such as OpenBSC, OpenBTS, airprobe and, more recently, Osmocom-BB.

The Future of Social Engineering

Sharon Conheady, First Defence Information Security Ltd
Social engineering is hitting the headlines more than ever. As computer security becomes more sophisticated, hackers are combining their technical expertise with social engineering to gain access to IT infrastructures and critical information. In any security programme people are the weakest link. It can often be easier and quicker to target the end user than to use technical hacking techniques, and when social engineering and traditional hacking techniques are combined, the result is an extremely dangerous attack. So what's next on the social engineering agenda? What are the emerging trends, and what social engineering techniques might we expect to see in the future? In this talk, I will give an overview of the types of social engineering attacks people have used throughout the ages, from the tricks of the classic conmen of the past to the phishing attacks that are now at an all-time high, and the proliferation of social networking and how useful it is to social engineers. I will describe some of the new social engineering techniques and trends that are emerging and discuss war stories from my experience of social engineering, describing techniques I have used to gain access to sensitive information.
Sharon Conheady is a director at First Defence Information Security in the UK where she specialises in social engineering. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe.
After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Threat Intelligence

Anchises M. G. De Paula, VeriSign
This workshop will present a new approach for security organizations. Intelligence about the security and threat landscape can enable a more flexible response than a purely reactive posture and formal procedures.

Traffic Direction System and Sourcing challenges

Max Goncharov, TREND MICRO Inc.
People say that Internet traffic is just traffic, but what exactly does traffic mean? For home users, traffic means photos, music, live-streamed TV, radio and Internet calls; all of these activities create traffic. There are different types of traffic, such as traffic between end users (P2P), traffic from server to server, and the more traditional traffic between users and web sites. This last type is the most interesting for us today, and we will discuss it in greater detail. When I type google.com into the browser, I expect to end up somewhere in Google's cluster of machines, and typically the Google search form will be available to me. But how is it decided whether my request ends up on Google server A and not on Google server B? This is the magic of, let's call it, "referral collaterals". Technically it is just a form of Google traffic load balancer which uses the user's referral information to direct the request to the proper Google server. However, the same intelligent redirection techniques are also used by grey hat, black hat and adult entertainment businesses today, for much more malicious and profitable purposes. In this talk we will delve in great detail into these attacks and techniques, the revenue models behind these systems, and the challenges they pose to modern web crawlers trying to track these gangs.
Master in Applied Mathematics and Informatics, Voronezh State University, Russia. Master in Transcultural Communications, Voronezh State University, Russia. Working at TREND MICRO since 2001.
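To make the redirection logic described in the abstract concrete, here is an added example (not from the talk and not Trend Micro's code) of a toy traffic direction system: the same path is routed to different landing pages depending on the User-Agent, the Referer, the visitor's country and whether the visitor has been seen before, and a crawler-side differential check compares what a bot is shown with what a fresh search-engine visitor is shown. All hostnames, rule thresholds and the bot-marker list are constructed for illustration and describe no real TDS.

```python
"""
Toy model of a Traffic Direction System (TDS) plus the differential check
a crawler can run against it. Constructed example: hostnames, rules and
marker strings are hypothetical and describe no real TDS product.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical destinations a TDS operator might route to.
CLEAN_PAGE = "https://example.invalid/blog/index.html"    # cover page for crawlers
AFFILIATE_PAGE = "https://offers.example.invalid/promo"    # traffic sold on to partners
EXPLOIT_PAGE = "https://cdn.example.invalid/ld/in.php"     # malicious landing page

# Constructed list of substrings typical of crawlers and analyst tooling.
BOT_UA_MARKERS = ("googlebot", "bingbot", "curl/", "python-requests", "wget/")
SEARCH_REFERERS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
TARGET_COUNTRIES = {"US", "GB", "DE"}          # regions where the traffic is monetised


@dataclass(frozen=True)
class Request:
    path: str
    user_agent: str
    referer: str = ""
    country: str = "ZZ"
    seen_before: bool = False   # e.g. the TDS tracking cookie is already present


def referer_host(referer: str) -> str:
    return urlparse(referer).netloc.lower() if referer else ""


def route(req: Request) -> str:
    """Return the URL the TDS redirects this visitor to.

    The same path yields different destinations depending on who appears
    to be asking, which is exactly what makes the system hard to crawl.
    """
    ua = req.user_agent.lower()
    if any(marker in ua for marker in BOT_UA_MARKERS):
        return CLEAN_PAGE          # hide the real destinations from crawlers
    if req.seen_before:
        return CLEAN_PAGE          # one shot per victim: repeat visits see nothing
    if referer_host(req.referer) in SEARCH_REFERERS and req.country in TARGET_COUNTRIES:
        return EXPLOIT_PAGE        # organic search traffic from a paying region
    if req.referer:
        return AFFILIATE_PAGE      # any other referred traffic is resold
    return CLEAN_PAGE              # direct hits get the cover page


def looks_cloaked(path: str) -> bool:
    """Crawler-side differential check: request the path as a bot and as a
    first-time browser user arriving from a search engine, and compare."""
    as_bot = route(Request(path, "Mozilla/5.0 (compatible; Googlebot/2.1)"))
    as_user = route(Request(path, "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                            referer="https://www.google.com/search?q=x",
                            country="US"))
    return as_bot != as_user


if __name__ == "__main__":
    print("bot  ->", route(Request("/go", "curl/7.21")))
    print("user ->", route(Request("/go", "Mozilla/5.0 Firefox/3.6",
                                    referer="https://www.google.com/", country="US")))
    print("cloaked:", looks_cloaked("/go"))
```

The differential fetch is the crawler's basic countermeasure: request the same path under two identities and flag paths whose destinations disagree. Because the one-visit-per-victim rule returns only the cover page on a second visit from the same identity, each probe has to look like a new visitor (fresh cookies, different source address), and a real TDS will also key on IP reputation, geolocation and time of day, so the probe identities have to vary those as well.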

Tripoux: Reverse Engineering of malware packers for dummies!

Joan Calvet, Nancy University - LORIA
In front of us stands a malware's protection layer with millions of assembly instructions, and our goal is to understand what is going on. A thorough understanding allows us to unpack the original code, to build detection mechanisms for the malware family, or to find interesting pieces of code. This talk presents a solution for understanding heavily obfuscated code that carries a large amount of information. First, note that when we speak of packer understanding, looking at system events such as API calls is not enough: in most malware protection layers they represent only a small part of the code (and are sometimes useless). One needs to work at the assembly level, which is a hard and time-consuming task. We have therefore built tools to help. They come in two parts:
  1. A program execution monitor based on dynamic binary instrumentation, combined with static information, that produces two outputs:
    - an improved trace, containing a very detailed view of the program execution (memory accesses, timing, ...) in a format that is easy to parse;
    - an events file, giving a high-level view of the execution by showing only specific events, e.g. loops, API calls, exceptions or dynamically generated layers of code. Since the program is monitored dynamically, we do better than merely detecting these events: we also collect information about them, e.g. the arguments of API calls, the memory accesses made inside a loop, the exception error code, etc.
  2. Tools to exploit the collected information quickly:
    - Two visualisation tools: a timeline based on the detected events, through which the user can navigate the execution and see which events happen where (users can also define their own events on the execution trace and have them displayed on the timeline, and can choose the abstraction level at which the execution is represented); and a memory profile, a view of memory that is completely independent of the code itself, showing only its effects, which makes diagnosing the code's behaviour easier than reading millions of assembly instructions.
    - An inference engine that uses rules defined either on the execution trace or on the memory profile (and thus independent of the code in the latter case).
It should be understood that we do not claim to have built a silver bullet for malware analysis; our tool does not replace IDA Pro or OllyDbg. Its goal is to support the standard reverse-engineering work by dividing it into easier sub-parts, by providing starting points for investigating new binaries, and by quickly recognising behaviour already seen. During the presentation we will apply our framework to some recent malware families and show its usefulness. We will also release the source code, and we plan to set up a kind of sandbox analysis.
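As an added example (not Tripoux's own code, whose trace format the abstract does not give), the following script builds the two views the abstract describes from a raw instruction trace: an events list (API calls, loops found via backward control transfers, and dynamically generated code layers found via write-then-execute) and a memory profile that counts reads, writes and executions per page without looking at the code at all. The key=value trace format, the sample trace of a small decryption stub and all addresses are constructed for this example.

```python
"""
Added example (not Tripoux code): derive an events view and a memory
profile from an instruction trace. Trace format and sample are constructed.
"""
import re
from collections import Counter, defaultdict

PAGE_SHIFT = 12
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed trace of a tiny stub: a loop reads 3 dwords from 0x403000,
# decrypts them into freshly allocated memory at 0x500000, then jumps there.
# Fields: t=seq, ip=address, mnem=mnemonic, mem=R|W:addr:size, api=name.
SAMPLE_TRACE = """
t=1 ip=0x401000 mnem=call api=VirtualAlloc
t=2 ip=0x401005 mnem=mov mem=R:0x403000:4
t=3 ip=0x401008 mnem=xor
t=4 ip=0x40100a mnem=mov mem=W:0x500000:4
t=5 ip=0x40100d mnem=jnz
t=6 ip=0x401005 mnem=mov mem=R:0x403004:4
t=7 ip=0x401008 mnem=xor
t=8 ip=0x40100a mnem=mov mem=W:0x500004:4
t=9 ip=0x40100d mnem=jnz
t=10 ip=0x401005 mnem=mov mem=R:0x403008:4
t=11 ip=0x401008 mnem=xor
t=12 ip=0x40100a mnem=mov mem=W:0x500008:4
t=13 ip=0x40100d mnem=jnz
t=14 ip=0x40100f mnem=jmp
t=15 ip=0x500000 mnem=push
t=16 ip=0x500004 mnem=call api=LoadLibraryA
"""


def parse_trace(text):
    """Parse the constructed key=value trace format into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        rec = dict(_KV.findall(line))
        rec["t"] = int(rec["t"])
        rec["ip"] = int(rec["ip"], 16)
        if "mem" in rec:
            kind, addr, size = rec["mem"].split(":")
            rec["mem"] = (kind, int(addr, 16), int(size))
        records.append(rec)
    return records


def analyze(records):
    """Return (events, profile): events is a sorted list of (t, kind, detail),
    profile maps a page number to a Counter of R/W/X accesses on that page."""
    events = []
    profile = defaultdict(Counter)
    written = set()         # every byte address the program has written so far
    executed = set()        # every instruction address seen so far
    back_edges = Counter()  # loop header -> number of backward transfers to it
    first_back_edge = {}
    prev_ip, in_layer = None, False

    for rec in records:
        t, ip = rec["t"], rec["ip"]
        profile[ip >> PAGE_SHIFT]["X"] += 1

        # New code layer: control enters memory the program wrote itself (the
        # classic unpacking signal). Reported once per entry, not per instruction.
        if ip in written and not in_layer:
            events.append((t, "layer", f"execution of self-written code at 0x{ip:x}"))
        in_layer = ip in written

        # Loop: backward control transfer to an address already executed.
        if prev_ip is not None and ip < prev_ip and ip in executed:
            first_back_edge.setdefault(ip, t)
            back_edges[ip] += 1
        executed.add(ip)

        if "api" in rec:
            events.append((t, "api", rec["api"]))
        if "mem" in rec:
            kind, addr, size = rec["mem"]
            profile[addr >> PAGE_SHIFT][kind] += 1
            if kind == "W":
                written.update(range(addr, addr + size))
        prev_ip = ip

    for header, n in back_edges.items():
        events.append((first_back_edge[header], "loop",
                       f"header 0x{header:x}, {n + 1} iterations"))
    events.sort(key=lambda e: e[0])
    return events, dict(profile)


if __name__ == "__main__":
    ev, prof = analyze(parse_trace(SAMPLE_TRACE))
    for t, kind, detail in ev:
        print(f"t={t:<3} {kind:<6} {detail}")
    for page in sorted(prof):
        print(f"page 0x{page:x}000: {dict(prof[page])}")
```

The write-then-execute rule is the standard signal for a new unpacking layer, and the memory profile shows the same thing from the data side: the page at 0x500000 is written three times and then executed, while the original image at 0x403000 is only read. Two caveats a practitioner should expect from heuristics this simple: a backward jump that is not a loop (a tail call, for instance) is still counted as a back-edge, and code that patches a few bytes of the layer it is already running in is not reported as a new layer by this rule.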
Joan Calvet is a Ph.D. student at the High Security Lab in LORIA (Nancy, France) and the SecSI Lab at the Ecole Polytechnique of Montreal. His main interests lie in malware analysis, reverse engineering, and software security.

Welcome & Introduction

DeepSec Organisation Team, DeepSec.net
Welcome to the fourth DeepSec conference!