Responsiveness and Responsibility
Author: Marc "van Hauser" Heuse
Marc "van Hauser" Heuse has performed security research since 1993, found vulnerabilities in numerous products and is the author of various famous security and pentest tools like hydra, amap, thc-ipv6, THC-Scan, SuSEFirewall and many more.
In 1995 he founded the renowned security research group "The Hacker's Choice", which was, for example, the first group to crack A5 GSM in 2006 within a minute. Since 1997 he has worked as a security consultant, first in one of the top-5 enterprise consulting companies and, since 2007, as an independent security consultant.
If You Can Write a Webserver, You Can Write a Thumb Drive
Author: Travis Goodspeed
Think back to that moment when you first realized a bit of ASCII and a socket were all that it took to make an HTTP server in your favorite scripting language. Using the open source Facedancer framework, emulators have been written in userland Python for Mass Storage, Human Interface, FTDI, and Device Firmware Update protocols. The sockets work a bit differently, and the protocols aren't ASCII, but the principles and the libraries are no more difficult than HTTP.
Practical examples of this technique include a tool for catching firmware updates by impersonating the DFU protocol and a prototype of a hard disk that actively defends itself against forensics tools and imaging.
Travis Goodspeed is a neighborly reverse engineer from Southern Appalachia. His recent hacks include the Facedancer project for emulating USB devices, the GoodFET project for exposing embedded buses to host control, and the Packet-in-Packet attack for remotely injecting PHY-layer radio frames without a software bug. In his spare time, he is attempting to add USB Host support to the Elektronika BK.
Cyber War of a Chinese Hacker, Black Economy, and Trojan Tool
Author: Tao Wan
In the past, Chinese hackers have been spurred into action by geopolitical controversies. But today many Chinese hackers are turning away from the darker side of the security field and instead looking for opportunities in building legitimate businesses. China's billion-plus population means that, proportionally, there are a lot of hackers in China. China also has an active cyber police system, but the country is large. Nonetheless, you can't say enforcement is non-existent in China.
What happened to Chinese hackers in the last ten years? Who are they and what do they want? Eagle Wan, the leader of the China Eagle Union, will give you the truth.
Founder of Intelligence Defense Friends Laboratory (China Eagle Union), IBM GCG Cloud Tiger Team Security Managing Consultant.
Graduated from Beijing Jiaotong University in 1993 with a bachelor's degree in economics.
Has more than 20 years of information security experience; has worked for PricewaterhouseCoopers, CA Technologies and IBM.
In 2001 founded the China Eagle Union hacker group.
Now works for an operator of a community cloud that supports Chinese NGOs and open source projects for the hacker culture.
Faster Secure Software Development with Continuous Deployment
Author: Nick Galbreath
Why don't developers care about security issues? Why isn't security training effective? Why do basic application security problems continue to exist? One reason is that long release cycles disenfranchise developers from caring or even knowing about security or operational issues. Continuous Deployment helps address this through small but frequent changes to the production environment. At first, this would seem less stable and less secure; however, continuous deployment is a lot more than "pushing code". When done well, it can be transformative to your software lifecycle and change your security group from a reactive organization into an "in-house security consultancy" that developers come to with questions and for assistance. This session will discuss how to get started with continuous deployment and the tools and process needed to make it a security success.
Nick Galbreath is the Vice President of Engineering at IPONWEB, based in Moscow, Russia, which handles tens of billions of online advertising transactions per day. Prior to this, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, Upromise, Friendster, and OpenMarket. He is the author of "Cryptography for Internet and Database Applications", several patents, and has spoken at Black Hat, Defcon, RSA, Microsoft and OWASP events.
SCADA Strangelove: How to Build Your Own Stuxnet
Author: Positive Technologies
A lot of time has passed since the Stuxnet incident. While others are looking for the missing elements in the evolution of cyberweapons, Positive Technologies experts want to get a glimpse of the future: the near future in which creating a full-fledged SCADA worm will only require an up-to-date Metasploit and a little VBScript programming skill.
Based on research regarding the security of the Siemens SIMATIC (TIA Portal / WinCC / S7 PLC) series, the talk will cover the vulnerabilities which can be used to hack into ICS. The speakers will also demonstrate the ways in which the worm propagates and its malicious impact on the system, ranging from the network level (S7/Profinet) to the web control interfaces and the WinCC project files.
Information on new vulnerabilities in Siemens SIMATIC series will be presented, as well as tools which can be used to analyze security and to find new vulnerabilities in ICSs.
ICS Security Team of Positive Technologies (www.ptsecurity.com).
Catching the Uncatchable: Investigating Malicious Activity Incidents in Corporate Networks
Author: Fyodor Yarochkin, Vladimir Kropotov, Vitaliy Chetvertakov
Vladimir, Fyodor and Vitaliy spend their daily time as security analysts detecting malicious activity outbreaks in large corporate networks. In this presentation they summarize their experience in detecting large, cross-continental mass-infection activities. The presentation will cover both financially-oriented online crime activities and targeted attacks, which recently gained larger exposure due to some high-profile network compromises (e.g., the recent New York Times compromise incident). The presenters will thoroughly discuss mechanisms of malware dissimulation, primary attack and spreading vectors, and attack details specific to each particular campaign observed. Fyodor will also demonstrate a novel approach to detecting targeted attack compromises within enterprise networks through methods of statistical traffic analysis.
Fyodor Yarochkin is a Security Analyst at P1 Security, Academia Sinica.
Vladimir Kropotov is an information security analyst and independent researcher.
Vitaliy Chetvertakov is a security analyst and independent researcher.
Lockpicking & Physical Security
Author: Deviant Ollam, Babak Javadi, Keith Howell
Physical security is an oft-overlooked component of data and system security in the technology world. While frequently forgotten, it is no less critical than timely patches, appropriate password policies, and proper user permissions. You can have the most hardened servers and network but that doesn’t make the slightest difference if someone can gain direct access to a keyboard or, worse yet, march your hardware right out the door. Those who attend this session will leave with a full awareness of how to best protect buildings and grounds from unauthorized access. Discussion as well as direct example will be used to demonstrate the grave failings of low-grade hardware... much of which can be opened by audience members with no prior training. What features to look for in locks and safes will be covered, and how to invest in systems that are easiest to manage in large environments will be discussed.
While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Babak Javadi is a hardware hacker with a wayward spirit. His first foray into the world of physical security was in the third grade, where he received detention for describing to another student in words alone how to disassemble the doorknob on the classroom door. After years of immersion in electronics and computer hardware hacking, he found his passion in the puzzling and mysterious world of high security locks and safes. After serving as a driving force within the locksport community for almost a decade and helping found the US division of The Open Organisation of Lockpickers, he has recently re-embraced the beauty of the baud and resumed hardware hacking with a vengeance. He currently serves as the President of the US group of The Open Organisation of Lockpickers (TOOOL) and is the founder of The CORE Group, a security research and consulting firm.
Trained as an Electronics Engineer by the British Army, Keith Howell became interested in computers and began his learning path with a TRS-80 and has owned most Intel based processors since then. After joining UUNET Technologies in 1995, he started to get interested in the security of networks and computers and in 1998 joined the UUNET InfoSec team.
Underground Market 101: Pricing Stats and Schemas
Author: Max Goncharov
Online fraud has long since moved from being a mere hobby to a means for cybercriminals to earn a living. Daily we see lots of activity in social networks, blogs and forums, but this is the part of the internet visible to everyone.
There is another side to the internet however — its criminal underbelly — and here, just like on the blogs and forums, communication is key. In this talk we will cover the principles of underground information exchange, ways to secure money/goods in underground transactions and basic cyber hierarchy.
The speaker will also talk about underground products and services. Crypt services, DDoS attacks, traffic resale, bulletproof servers, SMS fraud, spam services and credit card hijacking will be covered, with pricing comparisons shown over the last 2 or 3 years. The speaker will go through the typical pricing steps of a criminal's attack, from buying software all the way to monetizing the volumes of infected victims.
Senior Threat Analyst at Trend Micro, responsible for security consulting to business partners (internal, external), creation of security frameworks, designing technical security architecture, overseeing the build out of an enterprise incident response process, and creation of the enterprise risk management program.
Spoke at various conferences and training seminars (BlackHat, DeepSec, VB, APWG, etc.) on the topic of cybercrime and related issues, such as cyberterrorism, cybersecurity and underground economy.
Attack Prelude: OSINT Practice and Automation
Author: Vladimir Styran
Collecting and analyzing public information on the target, aka Open Source Intelligence (OSINT), is a mandatory stage of a modern pentest. The value of such analysis is difficult to overestimate; however, only a few people treat it with due attention. Some even skip this stage and start vulnerability scanning right away. This is a mistake, because collecting information on the systems and personnel in the area of testing usually plays a crucial role in a security audit and is essential for the success of an audit conducted with the use of social engineering techniques.
Lead Consultant at BMS Consulting, head of information security testing section, former IT auditor, security specialist in the real sector and IT security implementor. Focuses on psychological aspects of Information security and human element of security systems. Cofounder of the Ukrainian Information Security Group (UISG). Blogger, podcaster, speaker and organizer of professional conferences. Holder of CISSP, CISA and other qualifications.
Abusing Browser User Interfaces for Fun and Profit
Author: Rosario Valotta
As social engineering has become the dominant method of malware distribution, browser makers started designing more robust and recognizable UIs in order to help end users make aware choices while surfing the Web. In this process, creating trusted notification mechanisms played a crucial role: nowadays any modern browser is able to identify potentially dangerous or sensitive actions requested by a webpage (file downloading, plugin installation, granting privileges to websites) and prompt a dialog box or a notification bar to require explicit confirmation from the user.
Even though these improvements led to a greater degree of assurance, the notification mechanisms are far from being 100% safe: in this presentation the speaker will show how notification bars in major browsers (Chrome 24, IE9, IE10) can be abused with little (or even no) social engineering, leading to the compromise of users' security and even to trivial code execution on the victim's machine.
Rosario Valotta is an IT security professional with over 12 years’ experience. He has been actively finding vulnerabilities and exploits since 2007 and has released a bunch of advisories and new attack techniques, including:
- Nduja Fuzzer: an innovative fuzzer leveraging DOM Level 2 and 3 APIs that proved to be effective in discovering several 0-day vulnerabilities in major browsers
- Cookiejacking, a new attack technique to steal any cookie on Internet Explorer (presented at HITB2011AMS and Swiss Cyber Storm 2011)
- Nduja connection, the first cross webmail XSS worm
- Memova exploit, affecting over 40 million users worldwide
- Outlook web access for Exchange CSRF vulnerability
- Information gathering through Windows Media Player vulnerabilities
The complete list is on the blog: http://sites.google.com/site/tentacoloviola/.
Attacks Modeling, Security Metrics Calculation and Visualization in Perspective SIEM Systems
Author: Igor Kotenko
The report covers current research in the field of SIEM systems. The speaker will present a new approach to the analytical modeling of attacks and defense mechanisms based on attack graphs and service dependency graphs, on security metrics calculation, and also on the visualization of events and security metrics in promising SIEM systems. The author will outline the ways of practical application of the presented approach. The report includes aspects of the software implementation for a new-generation SIEM system, developed as a part of an integrated project of the Seventh Framework Programme (FP7).
Igor Kotenko is a Professor, Doctor of Technical Sciences, and Head of the SPIIRAS Laboratory of Information Security Issues.
He graduated with honors from the A. F. Mozhaisky Military Space Academy and the Military Academy of Communications. He has authored over 120 publications in peer-reviewed publications including 12 books and monographs. He has participated in various projects on developing new computer security technologies, including: project management in cooperation with the US Air Force Office of Scientific Research under the mediation of the European Office for Aerospace Research and Development; project management of framework programs of the European FP7 and FP6; projects commissioned by HP, Intel, F-Secure, etc. These projects resulted in development of innovative methods for detecting network intrusions, modeling of network attacks, network security assessment, development of security protocols, verification of security policies, etc.
Let the Hardware Do All the Work: Adding Programmable Logic to Your Toolbox
Author: Dmitry Nedospasov, Thorsten Schröder
In the world of embedded security, off-the-shelf solutions often fall short of what is necessary to perform hardware analysis. Common issues include coping with overwhelming amounts of data and with timing. Generic microcontroller-based tools usually lack performance, whereas high-end protocol analyzers usually offer great performance but support only a handful of protocols. At the heart of most high-end tools for hardware debugging and analysis lies an FPGA, so why not build your tools around them?
Dmitry Nedospasov is a PhD student and researcher in the field of IC security at the Security in Telecommunications (SecT) research group at the Berlin University of Technology (TU Berlin) and the Telekom Innovation Laboratories. Dmitry's research interests include hardware and IC reverse-engineering as well as physical attacks against ICs and embedded systems. His academic research focuses on developing new and novel techniques for semi and fully-invasive IC analysis. Most recently, Dmitry was involved in identifying vulnerabilities in the most wide-spread Physically Unclonable Function (PUF) schemes.
Thorsten Schröder has been active as a technical consultant in the field of applied IT-Security for many years. His areas of expertise lie in the verification of software in either source or binary form. More recently, Thorsten's research has resulted in several open source hardware projects, most notably the "Keykeriki", an RF-analysis tool for sniffing and attacking 2.4GHz based radio devices such as wireless keyboards. Thorsten has also been involved in several software reverse-engineering projects such as the CCC's analysis of the German Federal Trojan known as "0zapftis". Thorsten is the co-founder of the Swiss modzero AG, established in 2011, as well as the German branch, modzero GmbH, established in January 2013.
Windows File Uploading Out of the Box
Author: Vyacheslav Yegoshin
The report will cover file uploading methods at the post exploitation stage using only out-of-the-box tools in Microsoft Windows environments, as well as security (antiviruses, firewalls, proxies, NATs) bypassing methods and nonstandard situations hindering exploitation.
Worked as a maintenance engineer and system administrator at Kaspersky Lab. He is now a specialist of the Penetration Testing Team at Positive Technologies.
Honeypot that Can Bite: Reverse Penetration
Author: Alexey Sintsov
This talk will consider the concept of an aggressive honeypot, the main idea of which is that defense can be aggressive, and the options for how it may work. The speaker will touch upon such topics as de-anonymizing attackers, filtering and detecting non-bot attacks, determining the attacker’s technical skill level, and getting control of the attacker.
Alexey Sintsov will try to answer such questions as who can use these techniques, why they are useful, and how effective they can be. The audience will have a chance to take a look at a real experiment, real samples of attacks, and the results of putting this idea into practice. The speaker will also discuss some more interesting things, such as whether one can exploit vulnerabilities of third-party services or only client-side vulnerabilities (all of them can be leveraged, and the audience will be shown how it can be done with real examples).
Alexey graduated from the Information Security of Computer Systems department of Saint-Petersburg State Polytechnic University (Russia). Since 2001 he has been working on practical questions in the field of security analysis, searching for vulnerabilities and exploit development. Now he works for Nokia as a Senior Security Engineer and also writes a column in the ][akep magazine. Alexey is a co-founder of the first Russian DEF CON group — DCG#7812, and is also a co-organizer of the Zeronights conference. Some fruits of his labor can be found here: http://www.exploit-db.com/author/?a=549.
Five Nightmares for a Telecom
Author: Dmitry Kurbatov
Five Nightmares for a Telecom are five stories on how to intrude into an operator’s network and perform an attack against packet services, how to gain control of the infrastructure, and how to make money with VoIP and self-service portals. Some attacks already have precedents in the past, while others are just a fancy, which we hope will not become a reality.
Dmitry Kurbatov is an information security specialist at Positive Technologies, the Department for Network Devices Security Analysis of the Positive Research Center.
Vulnerabilities of Android Cryptographic Applications
Author: Pyotr Khenkin
The report will cover the most well-known mobile applications for Android (with a focus on the USA market) which deal with user information: text encoders, user credential storages and messengers. The results of the performed research show that none of the considered applications complies with its stated characteristics. They contain both indirect and direct security threats which allow access to confidential data.
System analyst at JSC Advanced Monitoring. Graduated from the Academy of Federal Security Service of Russia, has a wide experience in the cryptographic research of algorithms and their implementation in various operating systems. His area of interest also includes information system security analysis and software research in terms of information security.
Bitcoin: Lights and Shadows of Virtual Money
Author: Antonio Teti
For several decades, electronic money has been an illusion chased by all those who believed in the possibility of creating an instrument that can produce momentous upheavals in the field of economics and finance. We have come to the initial phase of this monetary revolution, but the consequences arising from its use on a global scale could be particularly dangerous...
Born a few years ago, Bitcoin is being heralded as a virtual currency whose success is surrounded by numerous oddities. The first is its creator: Satoshi Nakamoto. In an article published in October 2011 by The New Yorker, journalist Joshua Davis, who has spent years searching for the elusive inventor of Bitcoin, asserts that "Satoshi Nakamoto" is nothing more than a pseudonym behind which lurks a group consisting of hundreds of experts in cryptography, peer-to-peer systems and techniques for transaction banking networks. Since bitcoins are routed through a peer-to-peer network, it remains impossible to trace the movements of electronic money and to disclose the identity of those who carry out transactions.
Head of IT Technical Support at the Gabriele D’Annunzio University of Chieti-Pescara, Antonio Teti provides wide-ranging services of design and consultancy in the ICT sector. Former head of the ECDL/EUCIP (European Certification of Informatics Professionals) Centre of competence at the same university, Antonio provides high-level training in the IT sector. He is a professional member of the Association for Computing Machinery, the New York Academy of Sciences and the Italian Association for Information Technology and Automatic Calculation. A knight of the Order of Merit of the Italian Republic, Antonio Teti was awarded the title of Fellow of the Pontificia Accademia Tiberina and received the “Guglielmo Marconi” Scientific Academic Award of Honour. The author of many publications, Antonio’s most popular books have been adopted by various Italian universities, such as: EUCIP – Il manuale per l’informatico professionista (2005); Business and Information System Analyst – Il manuale per il Manager IT (2007); Network Manager – Il manuale per l’Amministratore di Reti e Sistemi (2007); Management dei servizi IT: dal modello ITIL all’ISO/IEC 20000 (2008); Manuale di investigazione criminale (2008); Sistemi Informativi per la sanità - ECDL Health (2009); and Il futuro dell'Information & Communication Technology – Tecnologie, timori e scenari futuri della global network revolution (2009).
Peculiarities of the National Hunt
Author: Aleksander Gostev
Answering the question "Who?" is more important for the victims of a cyber-attack than its technical details. Detecting attack sources is mainly based on artifacts in program code or control servers. How do security companies distinguish Chinese attacks from others? Why was Red October created by the Russians? What is the difference between the Persian Gulf and the Arabian one? The talk is based on real investigations by the Global Research and Analysis Team of Kaspersky Lab.
Chief Security Expert, Global Research and Analysis Team, Kaspersky Lab
Find Them, Bind Them – Industrial Control Systems (ICS) on the Internet
Author: Johannes Klick, Daniel Marzin
People involved: Jan-Ole Malchow, Robert Fehrmann, Sascha Zinke, Prof. Dr. Roth
Many industrial control systems are remotely administrated and can be found on the Internet via search engines like SHODAN.
The authors of the research can show the distribution of SCADA/PLC systems over the world with their Industrial Risk Assessment Map (IRAM) using SHODAN. IRAM also shows vulnerabilities and possible exploits.
The speakers will compare the first results of their own SCADACS Search Engine (SSE) with SHODAN.
They are also going to discuss what happens if you combine IRAM, SSE and exploits into one application.
Johannes Klick is a co-founder and Project Manager of the project SCADA and Computer Security Group (SCADACS). Having obtained a Bachelor of Science degree from the Freie Universität Berlin, he went on to achieve his Master of Science degree, focusing on IT and ICS security. Previously, he lectured on Computer Science at his alma mater, and worked as a software engineer and tester at Innominate Security Technologies AG. He is also a winner of a scholarship from the Friedrich Naumann Foundation for Freedom.
Daniel Marzin is a co-founder and Reverse Engineer of SCADA and Computer Security Group (SCADACS). He is a Bachelor of Science of the Freie Universität Berlin, and is studying to achieve his Master of Science degree. Previously, he worked as a software developer at ImmobilienScout 24 and took an internship at Beta Systems Software.
Protecting Organizations from Security Breaches by Persistent Threats, with Examples from RSA
Author: Michel Oosterhof
Each enterprise is serious about protecting its resources, brand and intellectual property. Despite this, incidents happen because attackers also have huge resources to develop the means and methods of attack. The author of the report knows this first hand, because RSA is constantly under attack. As part of the report, the speaker would like to share his experience and expertise in preventing, detecting and minimizing the effects of high-profile APT attacks on corporate and government infrastructure. Based on some use cases (Lockheed Martin and others), he will talk about the Cyber Kill Chain concept, discuss typical patterns of attack and methods of reducing the risks associated with industrial espionage and cyber attacks. The speaker will also share some cases and techniques based on his own experience of running the internal EMC CIRC (Critical Incident Response Center).
Michel Oosterhof (CISSP, CISM, CISA, GCIH), is a Senior Systems Engineer with RSA, The Security Division of EMC. He specializes in security analytics and network security monitoring, specifically RSA Security Analytics (formerly RSA NetWitness), and works with a wide variety of customers across Northern and Eastern Europe. His main areas of expertise include security information and event management, network security monitoring, network forensics and incident response. Before joining RSA, he worked for more than ten years at IBM, in various security roles at the Outsourcing, Global Services and Software departments.
Are ICS Models Needed to Ensure Information Security of Industrial Systems?
Author: Ruslan Stefanov
Specialists face a serious problem while ensuring the information security of technological systems: a complete technical audit, or the testing and implementation of IS components, is rarely possible in a production system because operators try to avoid failures. The speaker will touch upon the problems that occur while simulating threats and testing security solutions: the impossibility of simulating threats in production ICSs, problems with software updating, and the compatibility of IS solutions with ICSs. He will describe the main approaches to ICS modeling, which allow solving the above-mentioned problems, and will provide a short overview of the results obtained during the creation of models in Russia and other countries.
Ruslan Stefanov graduated from the Moscow Institute of Physics and Technology, worked as an engineer in such companies as Siemens, Alfa Capital, Alfa Bank, Optima. Now he is the Head of the ICS Department at ELVIS-PLUS.
Zelenograd, Moscow, Russia
To Watch or to Be Watched? Turning Your Surveillance Camera Against You
Author: Sergey Shekyan, Artem Harutyunyan
Low-cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013, Shodan (www.shodanhq.com) shows close to 100000 cameras active all over the world. Despite the fact that there are many models by different vendors, most of them are actually based on similar hardware and firmware. Moreover, there are even other devices (such as Internet TV boxes) that use similar firmware.
Interestingly enough, those cameras have little or no emphasis on security. In particular, the web-based administration interfaces can be considered a textbook example of an insecure web application. This easily leads not only to the exposure of sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye inside your house. Last but not least, it can be used to replace the video stream with an external stream or a still picture.
Sergey Shekyan is a Senior Software Engineer for Qualys, where he is focused on development of the company’s on demand web application vulnerability scanning service.
As a side interest, Sergey enjoys researching Application Layer DoS attacks and trying to fix Web browsers. Sergey holds both Masters and BS Degrees in Computer Engineering from the State Engineering University of Armenia. Sergey presented at BlackHat, H2HC, and other security conferences. Blog at http://shekyan.com.
Redwood City, CA, USA
Artem Harutyunyan is a Software Architect for Qualys. His responsibilities include design and development of distributed computing systems for storing and analyzing large volumes of data.
Prior to joining Qualys Artem spent several years at CERN where he worked on the development of geographically distributed large-scale Grid computing systems. Artem holds a PhD from State Engineering University of Armenia.
Redwood City, CA, USA
Lie to Me: Bypassing Modern Web Application Firewalls
Author: Vladimir Vorontsov
The report considers the analysis of modern Web Application Firewalls. The author provides a comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading vectors of various attacks via WAFs with different algorithms.
Vladimir Vorontsov is the founder, head and leading expert of the company ONsec. He has been engaged in research in the field of web application security since 2004 and is the author of many studies in the field. Awarded by Google for identifying vulnerabilities in their browser Chrome; by the company Yandex for achievements in the competition "Vulnerability Scan Month”; by Trustwave for achievements in the ModSecurity SQLi Challenge; and by "1C Bitrix" for successful participation in the competition for the circumvention of proactive protection. At present he is actively engaged in the development of self-learning systems for detecting attacks on web applications and heuristic analysis.
Evading Deep Inspection for Fun and Shell
Author: Olli-Pekka "Opi" Niemi
The Evader was released at Black Hat 2012. It is a freely available test and research tool for measuring a middle-box security device's protocol analysis capabilities. The Evader is an excellent tool for anyone doing defensive security to find weaknesses in defenses, and it is suitable for penetration tests and security audits. In the presentation the speaker will go into the technical details of the Evader and of evasions, and will disclose evasions that still work against most of today's security boxes.
Olli-Pekka "Opi" Niemi has been working in the area of Internet security since 1996. He has done offensive security as a penetration tester and defensive security as a system administrator. Since December 2000, he has been working for Stonesoft R&D developing intrusion prevention systems. He is currently heading Stonesoft's Vulnerability Analysis Group (VAG). His main R&D interests are analyzing network-based threats as well as evasion research. In his free time the family comes first, but he also enjoys fishing, horseback riding and playing the piano. Opi has given presentations at various conferences such as T2, DeepSec and SIGCOMM.
Java Everyday. System Analysis of Java 0-day Exploits
Author: Boris Ryutin
The report will cover the results of a systematic analysis of all zero-day vulnerabilities found in Java in 2012 and 2013 (CVE-2013-1493, CVE-2013-0431, CVE-2013-0422, CVE-2012-5076, CVE-2012-4681, CVE-2012-1723, CVE-2012-1507). The aim of the research was to identify patterns that point to a common source or a common method of searching for vulnerability data.
Boris Ryutin graduated from the Faculty of Aircraft and Rocket Engineering, BSTU "Voenmekh", in 2009 (specialty "Flight Dynamics and Aircraft Traffic Control"). He is an analytical engineer at Esage Lab and a regular author for "Hacker" magazine. He teaches malware code analysis. He was awarded by Yandex for achievements in its Bug Bounty Program.
Attack Modeling. Artificial Intelligence Against Natural Errors
Author: Yevgeny Tumoyan
The talk covers the problem of attack modeling and the prospects for solving it in relation to security and risk assessment. The speaker will discuss the main existing attack models and modeling tools, as well as the problems of applying them in the practical assessment of computer system security.
The talk considers the possibilities of applying artificial intelligence to computer attack modeling. The author of the research will present and analyze a new attack model based on neural networks.
Yevgeny Tumoyan holds a Master of Science degree and is an associate professor of the IT Security Department of the Southern Federal University and a senior staff scientist of the Southern Russian Scientific and Educational Center for Information Security of the Southern Federal University.
Darya Kavchuk is a graduate student of the Southern Federal University (Taganrog, Russia).
HOWTO. High Packet Rate on x86-64: Clearing the Bar of 14.88 Mpps
Author: Alexander Lyamin
Since new tools like netmap and PF_RING DNA became available to attackers, attacks leveraging large numbers of minimum-size packets have been gaining popularity. What is the mechanism of such attacks, and which vulnerabilities in the design of modern server platforms do they exploit? What can be used to counter them with a vanilla Linux kernel and standard Intel hardware in hand? How can the maximum packet rate for a 10GbE environment, 14.88 Mpps, be reached with ordinary equipment? What restrictions will such a solution have, and how can they be overcome?
Alexander Lyamin is the head of Highload Lab. Previously he managed projects at Astrum Online Entertainment, worked on the IT architecture of web application platforms, advised groups of external developers, launched a number of Russian Internet service providers (Comstar, Teleport-TP, Cityline), and worked on the creation of the first Russian multiservice ATM network at Moscow State University. His research projects include Mirnet, Net Surveyor, an IPv6 testing ground, RFBR IP QoS research grants, and participation in the development of ReiserFS (DARPA grant).
DIY Industrial IPS
Author: Dmitry Dudov
As ICS moves onto TCP/IP, its security becomes a vital issue. Many protocols designed to control and monitor critical processes employ no encryption or authentication. This makes it easy for an attacker to hijack sessions, modify data and inject malicious packets. Security solutions for these protocols are entering the market. Are they really effective? And if not, is it possible to perform all the necessary functions using standard network equipment?
The speaker will examine attack scenarios at the application level and their impact, taking Modbus (Modbus TCP) as an example. He will demonstrate how to develop and test the signatures employed by most of the current intrusion prevention systems. In conclusion, the speaker will compare the final set of signatures for Modbus TCP security with the set from the leading information security vendors.
Dmitry Dudov has been engaged in information security since 2008. He has taken part in several projects related to the security of information systems, including the creation of a comprehensive protection system for the IT infrastructure of an international oil transport company, as well as a protection system for the technological networks of a large electric power holding company in Russia. He is now a leading SCADA security engineer at AMT Group.
Who's Looking at You, Kid?
Author: Jeff Katz, aestetix
Do you carry a cell phone or an RFID badge, or do anything else that could be tracked? Did you ever think about how that data could be used? This talk will explore findings from the OpenBeacon project, a real-time location-aware tracking system the speakers have deployed at several conferences. Jeff Katz and aestetix will show demos of the visualizations they have created, teach the technology behind their infrastructure, and show how easily an innocent gadget can be turned into a powerful tool.
aestetix has been involved in the OpenBeacon project since 2008, when he joined the deployment at The Last HOPE conference in New York City. Since then, he has been involved in several deployments, as well as working on privacy and naming issues within NSTIC, an online identity organization.
Jeff Katz has been involved in the OpenBeacon project since 2011, when he joined to aid the deployment at BruCon in Brussels. He is a full-stack guy, but his main contributions for OpenBeacon are the development of new hardware platforms and visualization software.
SAP Attacks Methodology
Author: Dmitry Gutsko, Oleg Klyuchnikov
The report will cover methods of conducting typical attacks against SAP systems and the necessary tools. These methods have been successfully tested on real systems and use both well-known and entirely new hacking mechanisms. The report will touch upon direct database access, password interception over the network, hash cracking, bypassing client security, bypassing system security, hiding evidence of presence in a system, and hacking via the transport directory. Moreover, it will expose new attack methods that have not yet been published.
The report is primarily aimed at SAP technical specialists and information security specialists.
Dmitry Gutsko and Oleg Klyuchnikov are information security experts at Positive Technologies.
(In)security of Appliances
Author: Alexander Antukh
It is not news that software can be insecure. Numerous security advisories posted each day illustrate this fact.
But for security software this picture ought to be different. Its purpose is to offer secure access to our network; it protects us from malware threats, and protects our emails and our crown jewels.
Such systems are supposed to be designed and developed with security in mind and should not be riddled with vulnerabilities.
Let us take you on a journey into the mists of security products. Follow us while we unveil the mystery and demonstrate how security products can suddenly become the weakest link in your defense, and how attackers can abuse security products to gain access to your network and your crown jewels.
During this journey, the speaker will disclose some impressive vulnerabilities in products by F5 Networks, Symantec, and others.
Alexander Antukh is a graduate of the Bauman Moscow State Technical University and works as an information security expert at the company "Monitor Bezopasnosty". He previously worked as a Malware Analyst and Vulnerability Researcher at Kaspersky Lab. He organized Defcon Moscow (DCG #4919).
Industrial Protocols for Pentesters
Author: Alexander Timorin, Dmitry Yefanov
The report includes a general overview of the current SCADA situation: the largest vendors and vulnerability statistics. The main industrial protocols (Modbus, DNP3, S7, PROFINET) are analyzed in detail. Some interesting features and vulnerabilities of these protocols are analyzed from the point of view of a pentester. The authors will speak about protocol analysis technology and the tools used. They will also demonstrate software developed in the course of their research.
Alexander Timorin graduated from the Mathematics and Mechanics Department of the Ural State University in 2004 (specializing in System Programming). He was engaged in developing applications for Oracle, the web configurator of an IP telephony system, and IBM WebSphere. He is now the Lead Specialist of the Security Assessment Department at Positive Technologies.
Dmitry Yefanov graduated from the Institute of Cryptography, Communications and Informatics of the Academy of the Federal Security Service of Russia in 2006 (specializing in Information Security). He is now the Head of the Network Application Security Analysis Team at Positive Technologies.
One More Weakness in Modern Client-Server Applications
Author: Anton Sapozhnikov
The speaker will present a post-exploitation technique that allows you to hack your favorite application server and obtain sensitive information through a compromised client, while at the same time bypassing firewall restrictions, leaving no trace in logs and bypassing multi-factor authentication to exfiltrate large amounts of private data.
Have you heard about the modern techniques used by Carberp or Zeus to hijack banking apps and bypass two-factor authentication and other security features? The speaker will raise them to the level of enterprise applications such as Oracle DBMS or similar.
Anton Sapozhnikov has more than 6 years of experience in penetration testing. He has worked with many companies from the Fortune Global 500 list. In his spare time he participates in CTFs with More Smoked Leet Chicken.
Building a GRC System for SAP
Author: Alexey Yudin
The report will cover GRC systems. The speaker will describe the solutions existing on the market and explain why they are hardly suited for business. He will use the SAP ERP system to show how to create a self-developed GRC system. The author will touch upon such processes as access control and fraud management, as well as segregation of duties by means of SAP, and will consider typical fraud schemes and their detection methods in terms of SAP HCM and SAP MM.
Alexey Yudin is the Head of the Database and Business Applications Security Department at Positive Technologies.