Schedule

 

(Related Pages :: BSidesLasVegas2010)

 

	TRACK 1 On The Keys			TRACK 2 AFK
7/28/2010
10:00 AM	David Rook	Injecting Simplicity not SQL		Daniel Molina	Top 10 Things IT is Doing to Enable CyberCrime
11:00 AM	Ryan Linn	Multi-Player MetaSploit		Will Gragido	Through the rabbit hole: An Expose of Darknets and the Onion Routed Underground
12:00 PM	Christopher E. Pogue	Sniper Forensics		Gene Kim	Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)
01:00 PM	Chris Lytle, Leigh Hollowell	CCDC		Andrew Hay, Chris Nickerson	Building Bridges -  Forcing Hackers and Business to Hug it Out
02:00 PM	Sean-Paul Correll, Luis Corrons	Catch That Butterfly: Stopping Mariposa in its Tracks and Revealing a Growing Underground Network of Amateur Hackers		Vik Phatak	ExploitHub: Arming the Pen Testers to Plug the Holes
03:00 PM	Dave Kennedy (Rel1K)	SET 0.6 release with special PHUKD Key		Paul Judge, David Maynor	The Dark side of Twitter, Measuring and Analyzing Malicious Activity on Twitter
04:00 PM	frank^2	Fuck Tools, Do It Yourself Jerk		Grecs	Infosec Communities for Career Success: Understanding, Participating, and Cooking One Up
05:00 PM	Joshua "Jabra" Abraham	Fierce v2		Joseph Sokoly	Infosec Young and Restless
06:00 PM	Jim MacLeod	Stupid IP Tables Tricks		INFOSEC Mentoring, Mentee-ing Panel	INFOSEC Mentoring, Mentee-ing Panel
7/29/2010
10:00 AM	Jimmy Shah	Mobile Hackery		Josh Corman, Dennis Fisher, HD Moore, Jack Daniel	InfoSec Speed Debates
11:00 AM	Egyp7	Beyond r57		Chris Sumner	Social Network Special Ops
12:00 PM	HDM	Fun with VxWorks		Frank Breedijk, Ian Southam	The road to hell is paved with best practices
01:00 PM	Davi Ottenheimer	KeyPad Bypass Hacks		Bruce Potter	How to Make Network Diagrams that Don't Suck
02:00 PM	Zach Lanier	It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications		Eric Smith	Roman Profiles : The 6 Mistakes of
03:00 PM	Ray Kelly	A mechanics view of SQL injection		ValSmith	Social Engineering the CFP Process
04:00 PM	Moxie Marlinspike	How technology killed my heroes, and why they will never be born again		Chris Roberts	Planes, Trains and Automobiles: (OK, Cars and Buses)
05:00 PM	Jason Ross	Who Owns the Internet? AKA: Where did all that cyberspace go?		Andre Gironda	App Assessments Reloaded

 

Bruce Potter, How to Make Network Diagrams that Don't Suck

Bruce Potter is the founder of the Shmoo Group of security, crypto, and privacy professionals. He is also the co-founder and CTO of Ponte Technologies, a company focused on developing and deploying advanced IT defensive technologies. His areas of expertise include wireless security, network analysis, trusted computing, pirate songs, reusing bios, and restoring hopeless vehicles. Mr. Potter has co-authored several books and periodically writes for periodicals.

 

We've all been there.  You walk in to a network blind and the first thing you ask for is a network diagram.  What gets handed to you has apparently fallen out of a bowl of ramen and on to the page.  Overlapping lines, big arrows, and host names in print so small that only insects can read it.  When you ask for someone to explain it, they just end up drawing something on a whiteboard rather than walk you through The Diagram (tm).

But really, what makes a good network diagram?  It's easy to find examples of bad ones; making good ones is much harder.  Having a useful network diagram can make vulnerability assessments go better, aid in incident response, and making planning the location of security devices much easier.  Unfortunately creating a good network diagram is a dark art.  This talk will shed some light on the situation and help you make better diagrams.  I will examine the traits of a good network diagram including graphical elements, proper use of fonts and colors, and the overall intent of the map.  I will go over examples of good and bad diagrams in a structured fashion and point out what works and what doesn't.  Finally, I will provide concrete guidelines to help when you're creating your next network masterpiece.

 

Christopher E. Pogue: Sniper Forensics - One Shot, One Kill

Chris is a Senior Security Analyst for the Spiderlabs Incident Response and Digital Forensics team at Trustwave. He as over ten years of administrative and security experience including three years on the IBM ISS X-Force Emergency Response Services Team, five years with IBM’s Ethical Hacking Team, and 13 years of Active Military service in the US Army Signal Corps. Chris also has worked with local, state, and federal law enforcement agencies such as the New York Police Department, the Royal Canadian Mounted Police, the Federal Bureau of Investigation, and The United States Secret Service to help pursue the digital evidence left behind by criminals of all types.  His efforts have lead to arrests and convictions in Oklahoma, New York, Florida, Albania, and Germany.  Chris holds a Bachelor's Degree in Business Management, a Master’s degree in Information Security, is a Certified Information Systems Security Professional, (CISSP), a Certified Ethical Hacker (CEH), a Certified Reverse Engineering Analyst (CREA), a GIAC Certified Forensics Analyst (GCFA), and a VISA PCI DSS Qualified Security Assessor (QSA).

At one time, computer forensics consisted of pulling the plug, imaging everything in sight, and loading those images into a massive forensics program for "analysis".  As computer hackers became more resourceful, the complexity of computer forensics increased exponentially.  Add to that the growing size of data storage devices, and it becomes infeasible to even consider imaging tens or hundreds of terabytes, let alone loading those images into some forensic software.  So what's the answer?  How can incident responders hope to remain relevant in today's operating environment?  With Sniper Forensics!
Live Analysis tools and techniques have exploded onto the incident response scene in the last two years.  By gathering and reviewing volatile data and RAM dumps, incident responders can use time proven theories like, "Locard's Exchange Principle", "Occam's Razor", and "The Alexiou Principle" to target only the systems, and specific files that are part of the breach.  What used to take hours of analysis can now be done is minutes!  What used to take weeks, can now take days!
By using sound logic and data reduction based on forensic evidence extracted from Sniper Forensics, incident responders can introduce accuracy and efficiency into their case work at a level not available through any other means.  This is truly the cutting edge of modern computer forensics, and not something to be taken lightly!  Don't miss the opportunity to learn tips, tools, and hear real world examples of how Sniper Forensics is literally changing the landscape of modern forensics!

 

Chris Roberts: Planes, Trains and Automobiles: (OK, Cars and Buses)

Taking the old ideas of bluetooth wardriving to a whole new playing field, not just "messing" with the phone/stereo etc, but now actually being able to influence the adaptive cruise control, parking systems, engine management and (in the case of [SOME US CITY]) being able to shut the buses down that use Cummings Diesel engines. Basically old dog, new tricks, methodology of bringing mass transit to a standstill etc (let alone annoying heck out of Audi/BMW/Mercedes/Chrysler etc).  This is demonstrable, repeatable and can be done easily and discreetly, it's fun, and has both old school (wireless/bluetooth) as well as some engine (petrol heads) stuff. It's capability to influence single vehicle, or if well executed a whole city centre (bus/transit) or greater is an attraction.

 

Daniel Molina: Top 10 Things IT is Doing to Enable Cyber-Crime

Daniel J. Molina, CISSP, is a Field Marketing Manager for Kaspersky Lab, and is considered a thought leader in the security arena.  Mr. Molina has been called to speak on issues such as the state of the security industry, ?Security Best Practices?, ?The Business Aspects to Information Security, Operational Efficiency in IT Security and The Myth of ROI in Security, and Capabilities Maturity Models in Security? at various industry forums worldwide.  His view on security maturity has made him a sought-after resource to help explain and justify, in business terms, what users, businesses, and government entities require.

Today's IT departments, sometimes unbeknownst to themselves, are empowering cybercrime by their own actions.  I will highlight the Top 10 Things that your IT department is doing, that enables cybercrime in your own company.

 

David Kennedy (ReL1K): The Social-Engineer Toolkit - Putting the cool back into SE - Social-Engineering

David Kennedy (ReL1K) is a security ninja that likes to write code, break things, and develop exploits when he has spare time. Heavily involved with BackTrack and the Social-Engineer Framework, David continues (and strives) to contribute to a variety of open-source projects. David had the privilege in speaking at some of the nations largest conferences including Defcon and Shmoocon. David is the creator of the Social-Engineer Toolkit (SET), Fast-Track, modules/attacks for Metasploit, and has (responsibly) released a number of public exploits, including attacks that affect some of the largest software vendors in the world. David heavily co-authored the Metasploit Unleashed course available online and has a number of security related white-papers in the field of exploitation.  Currently David is a Director and Regional Security for an international multi-billion dollar Fortune 1000 organization and is in charge of ensuring that security is maintained in over 77 different countries.

Social-Engineering attacks are on the rise from hackers across the world, and we are still failing as security professionals to use these in penetration tests. With the increased security around web applications, firewalls, HIPS, and everything else trying to prevent us, Social-Engineering allows an effective way for us to bypass security mechanisms and compromise the network. This talk will go over the different attack methods to consider when performing social-engineering attacks during a penetration test and how to drastically increase the success rate of compromise during an attack. In addition, a new version of the Social-Engineering Toolkit (SET) will be dropping at the same time. If your not familiar with SET, its a social-engineers swiss army knife for performing multiple methods of Social-Engineering attacks.  This is the largest release of SET yet, and you don't want to miss it!

 

Eric Smith

Highly qualified, trained, and certified Ethical Hacker with over 13 years of experience in the IT/IS industry. In depth focus on helping companies to design, implement, and improve their security controls resulting in better protection of their critical information assets. Well versed in a variety of Risk Assessment services enabling clients to meet compliance with local laws, government regulations, and corporate initiatives. Experienced in network and application level vulnerability assessments, penetration testing, threat assessments, social engineering, wireless audits, architecture review, system hardening, and policy/ procedural development.

The purpose of this presentation is to discuss the current state of security assessments and how their success is inhibited by improper scoping due to poor regulations, loose controls, misinterpretations of them and most importantly, consulting firms not acting as experienced and trusted advisors. Scoping is something that is learned throughout one's career and should be an open dialogue between the client and the consultant. It is truly an "art form" that must be learned and practiced.
Too often an engagement is driven by the wrong means and consultants don?t take the opportunity to educate their prospective client on where improvements could be made. In the end, a lackluster service is executed and the client is left with a false sense of security. This is either because the consultant lacked the experience to effectively perform one, or the client doesn?t understand the benefits of having an improved approach. This discussion will review some of those common pitfalls in consulting and provide solutions on how to improve project scopes, overall security services, and reporting. This will not only develop stronger relationships between the client and the consultants, but start to weed out those commodity based firms and begin to highlight those that stand out as pioneers in today's Infosec market.

 

Gene Kim: Mobilizing the PCI Resistance: Lessons Learned From Fighting Prior Wars (SOX-404)

I have noticed that there is a growing wave of discontent from the information security and compliance movement around complying with the PCI DSS.  Josh Corman has been a tremendously effective voice, providing an intellectually honest and passionate analysis in his talk "Is PCI The No Child Left Behind Act For Infosec?"

For years, I have been studying the PCI DSS compliance problem, as well.  I have noticed many similarities to the "SOX-404 Is The Biggest IT Time Waster" wars in 2005.  I was part of the leadership team at the Institute of Internal Auditors (IIA) where we did something about the it. We identified scoping and substantiation as the root cause of the billions of dollars of wasted time and effort, while not reducing the risk of financial misstatements.
I propose to present the two year success story of the IIA GAIT team (http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/ [www.theiia.org]) and how we changed the state of the IT audit practice in support of SOX-404.  We defined the four GAIT Principles, which could be used to correctly scope the IT portions of SOX-404.  We mobilized over 100K internal auditors, the SEC and PCAOB regulatory and enforcement bodies, as well as the external auditors from the 8 CPA firms.  In short, we made a difference, in a highly political process that involved many constituencies.
I am attempting to do something similar with the PCI Security Standards Council, through my work as part one of the leaders of the PCI Scoping SIG (Special Interest Group).  My personal goal is to find a ?third way? to better enable correct scoping of the PCI Cardholder Data Environment, and create a risk-based approach of substantiating the effective controls to ensure that cardholder data breaches can be prevented, and quickly detected and corrected when they do occur.
My desired outcome is to find fellow travelers who also see the pile of dead bodies in PCI compliance efforts (e.g., tons of ambiguity, every QSA and consultant seeming to have a different approach, existing guidance either too prescriptive or too vague, overly broad scope and excessive testing costs, excessive subjectivity and inconsistency, poor use of scarce resources, no meaningful reduction in risk of data breaches), and catalyze a similar movement to achieve the spirit and intent of PCI DSS.

Grecs: Infosec Communities for Career Success: Understanding, Participating, and Cooking One Up

Grecs has over 15 years experience, undergraduate and graduate degrees in Electrical Engineering, and a really well known security certification. Even though his training was in Electrical Engineering, Grecs has always been more of a Computer Science person at heart going back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for 6 years, he discovered his love of infosec and has been pursuing this ever since. Being a generalist and too afraid to dive into one technology too deep, Grecs's current career passion involves fostering infosec efficiencies through community portals.

It is often said that the ability to network and your connections are two of the most important ingredients in determining career success. One of the best ways to incorporate these factors into your career is to join a community. The information security field is no different and in order to succeed it is important to understand what a community is, where this community concept relates to information security, and how leaders can form successful groups. Consultant Wally Bock defines a community as one that has the following three characteristics: common interest, frequent interaction, and identity. From an information security perspective, we are all interested in breaking technology, meet frequently either virtually or in person, and identify ourselves through a number of organizations. Leaders today can take advantage of various web technologies to cook up a successful community through a central portal where members can meet and exchange ideas. Similar to following a recipe in preparing a meal, the successful creation of a community portal involves preparation in terms of proper planning, choosing the right tools (i.e., utensils), populating the portal with the right content (i.e., ingredients), following the directions to combine everything together, and finally regularly advertising.

 

Hays & Nickerson -  Building Bridges: Forcing Hackers and Business to Hug it Out

Andrew Hay is a Senior Security Analyst with The 451 Group's Enterprise Security Practice. He is a veteran information security practitioner with more than 10 years of experience related to endpoint security, log management, vulnerability assessment, penetration testing, forensics, incident response and enterprise security information management (ESIM). Andrew has authored three books on network security topics, and in 2008 was honored with the title of 'Security Thought Leader' by the SANS Institute. He is a frequent speaker at security conferences and a frequent guest on many industry podcasts and webinars. Andrew maintains a topical security blog at www.andrewhay.ca [www.andrewhay.ca] and can be engaged on Twitter via http://twitter.com/andrewsmhay [twitter.com].

Chris Nickerson is a Certified Information Systems Security Professional (CISSP) whose main area of expertise is focused on Red Team Testing and Social Engineering. In order to help companies better defend and protect their critical data and key information systems, he has created a blended methodology to assess, implement, and manage information security realistically and effectively. At Lares, Chris leads a team of security consultants who conduct Security Risk Assessments, Penetration Testing, Application Testing, Social Engineering, Red Team Testing and Regulatory compliance testing. Prior to starting Lares, Chris Worked on the IRM team at KPMG, Chief Security Architect at Sprint Corporate Security, and Sr Net Eng at SHB. Chris is a member of OWASP, ISACA Denver and is also a featured member of TruTV's Tiger Team. Oh yea.. and he is a liability from Exoticliability.com.

Hackers and business decision makers rarely see eye-to-eye. There has historically been a great chasm separating the views of business decision makers who pay the bills and the in-the-trenches security practitioners who perform the work. This epic battle has taken a toll on the security of many environments as businesses focus on operations and "hackers" focus on the symptomatic issues directly in front of them. This talk serves to open the dialogue between both groups in an attempt to find some common ground and understanding. Beginning with raising the "hackers" awareness to business concerns and how business guides the path to security, we hope to bring a fresh perspective on how to position their concerns. This alone may build a bridge and allow them to receive the support they have always craved. After we address this daunting task, we will turn light to the business aspect. In this section, we will give the business professionals a unique view into the mind of a security professional. Yes, the ones who throw a fit because a screen shot of some black and green screen with text on it is "bad".  We will give you a behind the scene connection explaining why they are reacting the way they are and how having that emotion is a massive benefit to the business (and not just a cost). At the end of the day, the business and the hacker have the same goals; we all want to secure the business. We may have different drivers and motivators but a common goal exists. We will extend the olive branch to both sides and hope that this talk will inspire others to do the same.

 

HD Moore:  Fun with VxWorks

This talk focuses on the VxWorks operating system, how it works, what devices use it, and how to compromise it. The content will include background information on VxWorks itself, a checklist of common vulnerabilities, mappings from these vulnerabilities to shipped products, and a live demo of gaining access to a widely deployed commercial product.

Why this is notable:
VxWorks was the predominate embedded operating system for most of the 2000's, and although its market share has been chipped away by Linux and Windows CE, millions of devices still use it today. Given the size of the installation, one would think there would be a copious amount of security research; however, that is not the case. There are 13 CVE entries that reference VxWorks, with only 2 of these mapping to flaws in the operating system itself. I believe this is the first time that any real effort has been spent on categorizing common vulnerabilities and exploiting them take full control of the OS.

NOTE: Portions of this presentation will not be streamed or recorded.

 

Jason Ross: Who Owns the Internet? AKA: Where did all that cyberspace go?  

Jason has been performing application, host, and network based attack and penetration testing for 6 years, and has more than 10 years experience hardening systems and IP networks. For the past 4 years he has been an active member in several vetted security groups which research malware and work to contain emerging internet threats. In his spare time, he runs the Rochester DefCon Group, DC585.

With all the talk about IPv4 address scarcity, and the resulting migration to IPv6, I thought it'd be interesting to see how the IP space was chopped up. Additionally, I figured it'd be interesting to see what organizations were responsible for various network blocks. So, I've started enumerating the whois space and am tracking that information. I plan to make the results of this categorization available to the public, since whois is public anyway, despite various NIC's attempts to claim the data contained therein as proprietary.
The end result of this effort will be a SHODAN-esque interface to WHOIS that allows interested folks to access the information without having to deal with pesky NIC formatting differences and hunting down referrals. A potentially useful side effect for pen testing is that one could query an organization's name and return a complete list of netblocks associated with that entity. There's likely a whole lot of other useful graphing and analysis that could be done with this, but I'm just working on getting the data populated and stored for the moment.
To my knowledge, such a thing does not currently exist in a central location, and a format that's dynamically queryable by the public. The closest thing to this I'm aware of is robtex, which doesn't permit mass lookup of IP space based on org name/description, and requires lookups to be per netblock/domain (as opposed to permitting a dump en masse of the entire ip address space).

 

Egyp7: Beyond r57

PHP is an easy language to learn and is among the most popular in the web development world. Because of this, many PHP applications are written by novice programmers with little knowledge of writing secure code. Combine that fact with a few poor design decisions and you end up with vulnerabilities in PHP applications being published daily. But once you've found a hole in a PHP app, what do you do? Web shells like r57 are fun, but they tend to focus solely on the web server without much thought about the network behind it. This talk will present the background for various Metasploit payloads in PHP followed by the unveiling of PHP meterpreter, the Windows payload you know and love ported to the scripting language you love to hate.

 

Jimmy Shah: Mobile Hackery

Jimmy Shah is a Mobile Antivirus Researcher for McAfee, specializing in analysis  of mobile threats on existing platforms (J2ME, SymbOS, Windows Mobile, iPhone OS, Android) and potential mobile malware and spyware. He works with a team of researchers that regularly provides analysis and research on mobile threats to McAfee clients.

Symbian Botnet? Mobile Linux Rootkits? iPhone Botnets? Millions of phones at risk? The press coverage on smartphone threats is at times  somewhat accurate, distant and occasionally(if unintentionally)  misleading.  They tend to raise questions such as:
-- how close to PC levels(100K+ to millions of nodes) mobile botnets have reached?
-- have mobile rootkits reached the complexity of that on the PC?
The talk will cover the state of rootkits and botnets on smartphones from the perspective of anti-malware researchers, including:
-- demystification of the threat from mobile rootkits and mobile botnets
-- the differences, if any, between mobile rootkits and mobile botnets vs. their PC counterparts
-- up close look[*] at how samples seen in the wild and researcher PoCs function
[*] Short of examining disassemblies or mentioning actual API calls

 

Joseph Sokoly: InfoSec Young and Restless

I have spoken at BSidesBOS and BSidesAustin on being "Young and Restless" in InfoSec. I focus on making a community impact, both for myself and encouragement for others to do the same. I'm a fairly regular blogger for the Security Catalyst blog, and I'm planning/coordinating BSidesDFW.

My talk will be continuing my talks from BSidesAustin and BSidesBoston. We are part of an industry that is often seen as hostile and cold. As a result, that mindset is often extended to our community. I'm standing up to show that this is not that case, and in fact, our community rocks out loud.

 

Chris Lytle and Leigh Hollowell: CCDC

Chris "t0ph" Lytle is a security researcher at Veracode. He was a student at DePaul University in the Information Assurance and Security Engineering program for three years and was a frequent presenter at DePaul's student security group meetings on topics ranging from introductions to Linux to cryptography and electrical engineering basics.

Leigh Hollowell is an Analyst with SpiderLabs and a Project Manager at MAD Security. She has also been a student at DePaul University in the Information Assurance and Security Engineering and IT Project Management programs for five years. At DePaul, she cofounded the student security group, the Security Daemons, and the Collegiate Cyber Defense Competition team.

Every year the Collegiate Cyber Defense Competition puts students in the shoes of network administrators under siege. Students fight to complete simulated business tasks and keep their network functional. But CCDC is like barbecue; everyone has their own "special sauce", and no one is willing to share it. But Leigh and Chris will. With a combined 17 competitions under their belts, including nationals, they've seen it all and want to help you learn how to be competitive. Let us show you what we?ve learned about this competition, how we believe it can become an even better learning tool, and even how you can help.

 

Joshua Corman, Marisa Fagan, Erin Jacobs, James Arlen, Dave Lewis, Leigh Honeywell, Rafal Los: INFOSEC Mentoring, Mentee-ing Panel

Mentoring, Mentee-ing (Telamachusing? Manatee-ing?) In Information Security: A How-To Panel. Come and learn how to get the most of out the Mentor/Protege relationship from our panel of experts including @joshcorman, @SecBarbie, @gattaca, @dewzi, @hypatiadotca, @myrcurial and @rafallos. Also learn about pitfalls to avoid including "mantoring". This should be a lively discussion and we expect a lot of audience participation.
* Being a good mentor/mentee
* the "internship experience"
* formal + informal mentoring
* paying your dues
* hostile to newcomers or not?
* certifications, education
* gender + race issues
* impostor syndrome
* charlatans / impostors
* perfectionism
* ablism
Sample Questions
- How did you get here? Who mentored you along the way?
- Who most influenced your career as it is today? ??What did you learn from him/her?
- Why do you think the InfoSec field is so hostile to new-comers?
- What 3 things would you suggest to anyone thinking of becoming a career security-focused?
- What 3 things make a good mentor?

 

Ray Kelly: A Mechanic’s View of SQL Injection

Ray Kelly currently serves as manager of client-side security technologies for Barracuda Networks Inc. He has been a developer for 16 years and has been in the Internet security space for the past eight years. Ray held several positions over the course of five years at SPI Dynamics, a Web application security startup that was purchased by HP in 2007, starting as the lead developer and product owner of the flagship product WebInspect.  Eventually he moved on to become the director of SPI Labs, leading the research division of SPI where new hacking techniques were explored and penetration tests took place. Ray moved on to become the functional architecture manager for the Application Security Center of HP when SPI was acquired.  In 2008, Ray left HP for award-winning Web security startup Purewire, which was acquired in 2009 by Barracuda Networks. Ray continues to lead the development and oversight of all client-side security applications, and conduct security research as part of Barracuda Labs global threat intelligence efforts.

 

Roll your eyes if you want, but even though SQL injection has been around for more than 10 years, this vulnerability is still one of the most rampant. So, why is that? With the advent of automated tools to detect vulnerabilities, most people assume SQL injections are either extinct or so hard to find that they are not worth an attacker’s time. This talk will reveal how a SQL injection that might be missed by an automated tool can easily be found by a manual process, and demonstrate how a single input in a simple Web application can expose an entire database. Specifically, this session will explore:
*Why SQL injection still exists
*Challenges around individual databases and Web applications
*SQL injection goes both ways: in and out of the database
     *Extraction of data from a backend database
     *Injection of content including malware
*Live demos:
     *Verbose SQL Injection
     *Blind SQL Injection
     *Simple manual checks for SQL Injection that evades automated tools – and how attackers are using them
*Validating the inputs and self defense
*What tools can be used to test applications
*Case studies of recent infections and exploits

 

Ryan Linn: Multi-Player Metasploit

Ryan Linn is an Information Security Engineer who has a passion for making security knowledge accessible. In addition to being a columnist with the Ethical Hacker Network, Ryan has contributed to open source tools including Metasploit and the Browser Exploitation Framework (BeEF).  Ryan has spoken at a number of regional and national security events including SecTor, B-Sides Las Vegas, ChicagoCon, CarolinaCon and ISSA events.

Sharing information during security engagements can be hard.  There are lots of disparate tools, and trying to determine real time what information which team members have in a group environment, especially if they are in disparate locations can be difficult.  Metasploit's database structure is now more feature rich allowing for real time collaboration and information sharing.  This talk will focus on how to use Metasploit in multi-player mode and share information from disparate systems such as Nmap, OpenVAS, Fierce, and BeEF into a central location to allow for multiple team members to have access to current information about testing in progress.

 

Jack Daniel, Josh Corman, Dennis Fisher, and HD Moore: InfoSec Speed Debates

An idea blatantly stolen from AusCert, but ours will be better, because we don't talk funny.  We will each have one minute to make our cases for or against a variety of incendiary topics, then we’ll give a couple of participants watching the spectacle a chance to add their opinions.  To make it more interesting, the panelists will be assigned pro or con positions, on the spot, by coin toss.  The goal is to solve all the problems of InfoSec in under an hour and move on.  OK, the real goals are to 1: have fun, and 2: encourage conversation.

 

Zach Lanier: It Melts In Your Hand: An Overview of Security (Failures) In Mobile Applications

This presentation will discuss the security of some of the most popular applications running on mainstream mobile platforms (such as Android, iPhone, Blackberry, and Windows Mobile), as well as observations on security issues affecting other mobile devices (such as mobile hot spots). Attendees will gain insight into the tools and methodologies used to explore, reverse engineer, and ultimately discover vulnerabilities, as the speakers will demonstrate man-in-the-middle tools and techniques use to analyze network communications, as well as cover common methodologies for the extraction and analysis of applications installed on mobile platforms.

 

David Rook: Secure Development

David works as a Security Analyst for Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at national and international conferences including DEFCON, SecurityBSides Las Vegas and OWASP Ireland. David is a member of the Irish Internet Association Web Development Working Group helping to publicise web application security within Ireland. In addition to his work with OWASP and the IIA David has created a security resource website and blog which can be found here: http://www.securityninja.co.uk David's work has been published in industry magazines such as (in)secure magazine.

This presentation will demonstrate a simplified approach to secure web application development called The Principles of Secure Web Development. The Principles of Secure Web Development remove the confusion often associated with other secure development approaches by taking a positive approach and focusing on what developers should do instead of what hackers might do. To demonstrate the strength of the principles approach the presentation will also detail how some of the biggest web application security incidents could have been prevented if the principles approach had been used.

 

Sean-Paul Correll and Luis Corrons: Catch That Butterfly: Stopping Mariposa in its Tracks and Revealing a Growing Underground Network of Amateur Hackers

Sean-Paul Correll is a threat researcher at PandaLabs, the malware analysis and detection laboratory for Panda Security. Correll is credited with discovering the Twitter trending topics attacks, as well as for leading groundbreaking research on social networking cybercrime and Blackhat SEO. Correll serves as a frequent resource for national and security press, including USA Today, PC World, Computerworld, InformationWeek and many others.
Luis Corrons is technical director of PandaLabs, the malware analysis and detection laboratory for Panda Security, where he has worked since 1999. Luis started in Panda's technical support department, helping both consumer and corporate users with virus incidents. A year later, he joined the international technical support team providing tech support for Panda's partners, distributed in more than 50 countries around the world. In 2002, he became PandaLabs' director as well as malware alerts coordinator in worldwide infection situations, dealing with worms such as Klez, SQLSlammer, Sobig, Blaster, Sasser and Mydoom.

 

In December 2009, Mariposa, the largest recorded botnet in history, was stopped dead in its tracks by the collaborative effort of international law enforcement officials and two leading security vendors. With more than 50% of the world?s Fortune 1000 companies and almost 13 million total computers compromised worldwide, Mariposa brought threat awareness to an entirely new level.
What's more troubling with this trend is that the malware perpetrators are changing, too. Hacking used to be limited to an elite group of sophisticated and savvy IT experts, but has now become mainstream and populated with amateur hackers. In fact, it was inexperienced hackers who masterminded Mariposa and succeeded in compromising millions of computers around the world. With myriad resources available online, hacking has become a skill that can be quickly learned by anyone with a computer.

 

frank^2: Fuck Tools, Do It Yourself Jerk

For over twenty years, frank^2 has worked in the legal department of LIGATT Security International at his role of spin doctor. He obviously fucking sucks at it, though. But I mean, even Karl Rove couldn't spin this company out of the bog of plagiarist shit its gotten itself into. You can't get blood out of a stone, much in the same regard the World's Number One Hacker couldn't pop a shell on an MS08-067 vulnerability. I mean, what the fuck: "to completely hack a machine you must get passwords associated with usernames and increase permission level." How the fuck do you spin that into something intelligent? Dollars to donuts if Karl Rove actually worked for these guys he would probably just spin them out of their finances and run away laughing, sacks full of cash clad with cartoonish dollar signs and all.

Abstract: Tools are fucking arrogant. By their rigid nature, they say you're only supposed to do X, Y and Z. But you can't do A, B or C-- that's just not what the tool was designed for, man! You can't do that! "Go find another tool that does that," the tool says, dismissively brushing you off to go find some other guy that wrote some other tool that does some other thing that puts you in some other box that still doesn't accomplish some of what you're trying to do-- at least some of the time.
This isn't to say that tools are completely useless-- there are common tools that we just can't live without when we go about our daily routines of penetration testing, reverse engineering and even programming. Tools solve problems. Without tools, we'd be collectively going at a slower pace than LIGATT's hacking lessons. However, the ease of use of a given tool abstracts you from potentially necessary concepts that will make you a better Whatever That Tool is Trying to Make You Better At. This talk aims to present an argument as to why you should (and shouldn't) learn to write tools yourself and how the process of doing so benefits you more than simply learning to use the tool.

 

Wayne Huang: Drivesploit: Circumventing both automated AND manual drive-by-download detection

Wayne Huang has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has a co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005).  Wayne is a PhD candidate at the EE, NTU, and has received his BS and MS in CS from NCTU.

 

This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google?s compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google?s) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that is almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on one particular technique supported by Drivesploit?javascript obfuscation based on behavior-based fingerprinting. We will have live demos to show how this technique easily defeats both automated AND manual detection.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.

 

Jim MacLeod: Stupid IPTables Tricks

Jim MacLeod (@shewfig) retrofits security onto NMS appliances for a large networking vendor.  His personal goal is to keep 80% of you from cracking his department's product within the first week of its release, and to convince his team to make his job unnecessary by writing code that's secure.

IPtables isn't just a stateful firewall - it's a firewall with userland-accessible state tables.  Using multiple tables, it is possible to add and remove policies for individual IP addresses programmatically.  Don't just think IP Masquerading - think Masquerading to different addresses based on web app auth, or redirecting through different proxy servers based on username.  Don't just think stateful packet filtering, think building finite state machines to allow or block traffic based on specific connections (port knocking, reverse port knocking, and ghetto IDS).  Even if iptables isn't new, some of its capabilities may be new to some of you.

 

Will Gragido: An Expose of Darknets and the Onion Routed Underground

An information security and risk management professional with over 15 year’s professional industry experience, Will Gragido brings a wealth of knowledge and experience to bear.  Working in a variety of roles, Will has deep expertise and knowledge in operations, vulnerability and threat analysis, management, professional services & consultancy, pre-­-sales / architecture and business development within the information security industry.   Mr.Gragido is currently authoring a book for Syngress Press on Cybercrime and Espionage due out in autumn with John Pirc.

The Internet and cyberspace are far from what they appear to be.  For years an evolution revolution has been underway.  This evolution revolution has seen advancement, growth, adaptation and change occur in order to both propagate and defend against new and advanced threat vectors, many of which do not traditionally reside in the realm of the information security warrior but are swiftly becoming more a part of it.  Among these, the onion routed anonymous network is playing a greater and greater role.   These networks leverage cryptographic ciphers to aid in concealing routing instruction information thus preventing detection by intermediary nodes.   They take on many forms some being embraced and celebrated as voices of free press and expression, while others are used for the trafficking and trade of goods and services within the cyber-­-criminal sub-­-ecosystem.
During this presentation you will gain an insight into the realities of these networks, their owner / operators, the conventional wisdom employed by these parties, their clientele and an informed look glimpse of the type of data which is trafficked within these environments.

 

Breedijk & Southhan: The road to hell is paved with Best Practices

Frank Breedijk (@Seccubus) is employed as a Security Engineer at Schuberg Philis since 2006. He is responsible for the technical information security of Schuberg Philis Mission Critical outsourcing services. This including, Security Awareness, Vulnerability management, Internal security consultancyand technical audits and Seccubus development.  Frank Breedijk has been active in IT Security for over 10 years. Before joining Schuberg Philis he worked as a Security Consultant for INS/BT and Security Officer for Interxion. He managed the European Security Operations Center (SOC) for Unisys' managed security services. During this period Gartner labeled Unisys leader in the magic quadrant for Managed Security Services in Europe.  Besides his day job Frank Breedijk develops Seccubus, is an active on Twitter and writes blog entries for CupFighter.net. He has also written magazine articles about Seccubus and security awareness.

Ian Southam has been in IT for over 25 year, in these 25 years he has filled various roles ranging from programmer, director of datacenter development and currently as mission critical engineer at Schuberg Philis where his is responsible for a broad range of mission critical application infrastructures.  He mainly enjoys doing the work rather then talk about the work, but in this case he likes to make an exception because these so called "best practices" are getting too much in the way of getting the work done in a secure manner.

This light talk will try to address the "unaskable" question "will best practices make use more secure?" in a light and entertaining manner.  Will a strong password policy result in stronger passwords? When are there too many admins on the system?  In good cop/bad cop style Frank Breedijk and Ian Southam will address this topic from the firm believe that IT Security should actually make IT more secure.
As obvious as that statement seems, security measures often do not achieve this goal but sometimes hurt it. E.g. enforcing "very strong" password policies will often result in people not being able to remember their passwords and writing them down, or reverting to passwords like Password01, Password02, etc.  In the process the hope to plant the seed for some of the serious self reflection that is required from the IT Security industry.

 

Paul Judge & David Maynor: The Dark side of Twitter, Measuring and Analyzing Malicious Activity on Twitter

Dr. Paul Q. Judge serves as chief research officer and vice president of cloud services at Barracuda Networks. In this role, he leads the Barracuda Labs threat intelligence team and is responsible for application security, Web threat, intrusion and anti-spam intelligence for over 100,000 appliances deployed worldwide. He was co-founder and chief technology officer at Purewire, a Web security SaaS vendor acquired by Barracuda Networks in October 2009. Previously he served as chief technology officer of CipherTrust and Secure Computing. Dr. Judge is a recognized authority on Internet security, having won numerous honors including InfoWorld Top 25 CTOs, Atlanta Power 30 under 30 and MIT Technology Review Magazine's 100 Top Innovators under 35. He regularly presents at leading conferences and is quoted by national business and technology trade press, and has been awarded 10 patents and has over 20 patents pending. Dr. Judge earned a Ph.D. in Computer Science from Georgia Tech.

David Maynor is a research scientist with Barracuda Labs. He is also co-founder and CTO of Errata Security. Prior to founding Errata Security, he has held positions for both security vendors and organizations in industries such as education and media. Maynor contributes heavily to the ProtoDev program with both proof-of?concept software and newly discovered vulnerabilities. He is an author and sought-after speaker delivering cutting-edge research talks to audiences at conferences including Blackhat, Defcon, ToorCon, Microsoft?s Bluehat and CanSecWest. Maynor has been quoted in technology articles for international news outlets such as The New York Times, CNN and the Fox News Channel. As an author, Maynor has several books to his credit on information security and regularly contributes to Dark Reading, a leading information security news outlet.

Twitter obviously is a popular platform for communicating and exchanging information. Its popularity, as well as the open API and platform, makes it easy for attackers to exploit and use as a means for efficient distribution of malicious activity. Barracuda Labs has been collecting Twitter data for more than two years and has analyzed more than 20 million user accounts. In this talk, we discuss our findings about the scale and history of malicious activity on Twitter. We measure the Twitter Crime Rate from its inception in 2006 to present day, and then demonstrate how attackers respond rapidly to the large increases of users driven by celebrity attention on Twitter. We also review types of attacks that have been used on Twitter ranging from trending topics poisoning to URL shortener-based attacks. The session then presents work towards building a user-reputation system to statistically identify accounts that resemble fake attacker accounts.

 

Chris Summer: Social Network Special Ops: Extending data visualization tools for faster Pwnage

Chris has been directly involved in Corporate Information Security since 1999 and has maintained a passion for security since seeing Wargames when it first came out.  After a lengthy stint as a Pivot Chart creating, PowerPoint wielding, Security Manager for a business division that alone would make the Fortune100, he has turned his attention to a more geeky pursuit and is currently focused on Security in the Development Lifecycle.  Outside the corporate world, Chris is a data mining, analysis and visualization geek at heart and also enjoys hiding skateboards in the UK for Tony Hawk.

If you’re ever in a position when you need to pwn criminals via social networks or see where Tony Hawk likes to hide skateboards around the world, this talk is for you.  The talk is delivered in two parts, both of which are intended to shine a fun light on visual social network analysis.  The first part introduces how you can extend the powerful data visualization tool, Maltego to speed up and automate the data mining and analysis of social networks. I’ll show how I analyzed skateboard legend, Tony Hawk’s twitter hunt and highlight how you could use the same techniques to set up your very own backyard miniature ECHELON.  I focus specifically on Twitter and Facebook, demonstrating how you can map and analyze social relationships using the Twitter API's, publicly available Facebook profiles, screen scraping and some clunky regex.  The second part chronicles my adventures in using these techniques to enumerate a 419 scam, exposing deeper more sinister links to organized crime resulting in the scammers making an offer to payback some money.

 

Val Smith: Social Engineering the CFP Process

 

Vik Phatak: ExploitHub: Arming the Pen Testers to Plug the Holes

Vik Phatak serves as Chairman and CTO of NSS Labs. He most recently served as CTO for Ambiron Trustwave (ATW), the world’s largest PCI assessor. Vik joined ATW following its acquisition of Lucid Security Corporation, a company founded by Mr. Phatak in 2002. Mr. Phatak is an intrusion prevention pioneer and one of the Information Security industry’s foremost thought leaders on vulnerability management and threat protection. Prior to Lucid, Phatak served as Global Manager of Enterprise Internet and Security Services at Teleflex, a publicly-traded global manufacturing company, and served as a co-founder of Intermedia Sciences Group, Inc., a security consulting firm.

The black hats have a significant advantage over the good guys. They have better knowledge of the vulnerabilities in our systems than the defenders do. How? Because they develop exploits and continually test them for efficacy before releasing them in the wild. But 0-day exploits are the least of our problems from a volumetric perspective. There’s much more ‘low hanging fruit’ for the picking, with over 14,000 known vulnerabilities (non-0day) with a CVSS rating of 7 or higher. But how will we know where these holes exist when current penetration testing tools support only about 10% of the vulnerabilities. This is an asymmetrical advantage for the bad guys.
Together, we can level the playing field, and more. Details to be announced here.

 

Moxie Marlinspike: How technology killed my heroes, and why they will never be born again

In this talk I'll tell some stories about my favorite historical weirdos, maniacs, mystics, and criminals, along with some tenuous thoughts about how technology has effected the emergence and development of individuals and groups like these.  While ever-increasing global connectedness is almost always positioned in a positive light, I'd like to ask what else might be happening as a result.

 

Andre "dre" Gironda:  App Assessments Reloaded

Andre got his start on Unix-TCP/IP hacking before the September that never ended. Bored of embedded platform research by the time the dot-Bomb happened, he joined the largest online auction company, worked as an appsec consultant for many years, and recently joined a large online gaming company. He is known for his quirky mailing-listposts and blog comments -- and at one time wrote for tssci-security.com.

Penetration-testing was announced dead over a year ago, but it's still the number one choice of application security professionals when starting out. Can the activities from penetration-testing be re-used and turned into something innovative?
At Toorcamp, Andre presented on "Why appsec tools suck", describing the gap between what the vendors are pushing on appsec professionals, and what we really want and need to do our jobs. This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies (HTTP, SQL, Classic XML/HTML, Javascript, Flash) but also updated to today's standards (RESTful transactions, NoSQL, HTML5, Ajax/Json, Flex2).

 

Davi Ottenheimer: KeyPad Bypass Hacks

Davi Ottenheimer has over 16 years experience managing security and assessments for diverse global environments, including a decade of leading incident response and digital forensics and assessing payment card infrastructure and applications. He recently served on the Board for the Payment Card Security Alliance and the Silicon Valley chapters of ISACA and OWASP.

Keypad boxes and telephone entry panels are nearly everywhere in urban and even rural environments. Incident response after a series of break-ins uncovered several shockingly simple bypass techniques currently in use by criminals. This presentation shows how a common keypad box will grant open access to a building in under ten seconds with nothing more than a very basic tool. The presentation will also give details on a series of countermeasures that can significantly reduce the vulnerability of assets protected by a keypad box.

 

Joshua "Jabra" Abraham: Fierce v2

Joshua "Jabra" Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. He has spoken at BlackHat, DefCon, ShmooCon, Infosec World, CSI, OWASP Conferences, the SANS Pentest Summit, LinuxWorld, and Comdex. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, BeEF, Nikto, Fierce, and PBNJ.

 

This talk will cover the newest version of Fierce, a network reconnaissance tool used to identify IPs that are controlled by a specific organization. The purpose of the talk is to demonstrate (live demos) and explain the techniques (code walk-thru) that Fierce v2 uses. Also, we will discuss all of the changes that have been made since version 1. Finally, we will release Fierce v2 for everyone to enjoy!

There will be no slides for this talk. The plan is to explain the techniques, walk thru the code and demonstrate everything with live demos. Hecklers are welcome, as long as they code in Perl!