Black Hat USA 2011 //briefings Speaker List – Caesars Palace Las Vegas, NV August 3 – August 4


The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow’s information security landscape.
List of Speakers


Alessandro Acquisti
Faces Of Facebook – Or, How The Largest Real ID Database In The World Came To Be

Have online social networks created one of the largest databases of identities in the world? We investigate the technical feasibility and privacy implications of combining publicly available Web 2.0 images with off-the-shelf face recognition technology, for the purpose of large-scale, automated individual re-identification. Two experiments demonstrate a high degree of success in identifying strangers online (e.g., on websites where individuals use pseudonyms, such as dating sites) and offline (e.g., in public spaces), based on the profile pictures they posted on a popular online social network. One additional experiment demonstrates the feasibility of inferring in real time sensitive information about a stranger, merely by combining face recognition algorithms with access to online resources on a mobile device (such as a smart phone). The results highlight the technological and legal implications of the convergence of face recognition technologies and online social networks, and the future of privacy in an augmented reality world.

Marco Balduzzi
Automated Detection of HPP Vulnerabilities in Web Applications

HTTP Parameter Pollution (HPP) is a recent class of web vulnerabilities that consists of injecting encoded query string delimiters into other existing HTTP parameters. When a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.

In this talk, I first introduce HTTP Parameter Pollution by analyzing different real attacking scenarios and discussing the problems that may arise. Then, I will present the first automated system, called PAPAS, that we designed for the detection of HPP flaws in real web applications. PAPAS combines a modified version of Firefox with a crawler and two scanners in order to analyze web pages efficiently for the presence of vulnerable parameters that can be injected with arbitrary HPP payloads.

PAPAS has been used to conduct a large-scale experiment on the Internet by testing more than 5,000 popular websites and discovering unknown HPP bugs in many important and well-known sites such as Facebook, Google and Paypal.

The talk features a live demo of PAPAS, which has been made available as a free-to-use service recently. I will conclude the talk by discussing the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.

Dillon Beresford
Exploiting Siemens Simatic S7 PLCs

During this presentation we will cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities. I plan to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.

Ravishankar Borgaonkar
Femtocells: A poisonous needle in the operator’s haystack

Femtocells are an emerging technology deployed by operators around the world to enhance 3G connectivity. These secured devices are installed in the customer’s home and connect the mobile phone to the mobile network operator’s core network using an existing broadband connection.

While various researchers (including us) have shown in the past that these devices are not secure and can be hacked, nobody has actually further utilized the device. In this presentation, we will give a short introduction to femtocell technology and show different attacks based on a femtocell targeting both end-users and network operators.

Karsten Nohl + Chris Tarnovsky
Reviving Smart Card Analysis


Smart card chips — originally invented as a protection for cryptographic keys — are increasingly used to keep protocols secret. This talk challenges the chips’ security measures to unlock the protocols for public analysis.

Hardened security chips are protecting secret cryptographic keys throughout the virtual and physical worlds. These smart card chips are found in banking cards, authentication tokens, encryption appliances, and master key vaults.

The protection capabilities of the chips are increasingly used to also keep secret the application code running on the devices. For example, the protocols of modern EMV credit cards are not publicly known. Such obscurity hinders analysis, letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems.

We demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.

Dino Dai Zovi
Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

As smartphone platforms have increased in popularity with consumers, many enterprises and businesses are considering broadening their support beyond their traditionally supported platforms. These new smartphone platforms such as iOS and Android, however, come with a lack of detailed understanding of their security features and shortcomings. This presentation is the result of an extended assessment of the security mechanisms and features of Apple’s iOS with an emphasis on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices.

iOS 4 implements several key security mechanisms: Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization. The precise operation of each of these mechanisms, as revealed through static and dynamic binary analysis, is documented in detail, along with its strengths and any identified weaknesses.

We examine and document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail. Finally, based on the strengths and weaknesses identified, concrete recommendations will be made on what compensating measures an organization can and should take when deploying iOS-based devices for business use.

Stefan Esser
Exploiting the iOS Kernel

The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled “Targeting the iOS Kernel” already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.

This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.

Furthermore, the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows one to selectively deactivate some of these kernel patches for more realistic exploit tests.

Data Gram
Tamper Evident Seals – Design and Security

Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. Defcon 18 (2010) held the first ever “Tamper Evident” contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be “tamper proof.” All of these devices were defeated, even by those with little experience and a limited toolkit. As in the computer world, the security of many of these devices is over-represented, and it is difficult for the average person to compare different technologies.

This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We’ll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices.

Matt Johansen
Hacking Google Chrome OS

Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O and the company is getting ready to market them to businesses as well as consumers. What’s different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking – everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request Forgery, and Clickjacking, have the potential of circumventing Chrome OS’s security protections and exposing all the user’s data.

Two members of the WhiteHat Security’s Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google’s Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse-click may victimize users by:

Exposing all user email, contacts, and saved documents.
Conducting high-speed scans of their intranet and revealing active host IP addresses.
Spoofing messaging in their Google Voice account.
Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.

While Chrome OS and Chromebooks have some impressive and unique security features, they are not all encompassing. Google was informed of the findings, some vulnerabilities were addressed, bounties generously awarded, but many of the underlying weaknesses yet remain — including the ease with which evil extensions can be made available in the WebStore, the ability for payloads to go viral, and JavaScript malware surviving reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations. A sample demonstration video of some of these attacks can be seen here:

Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven’t kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don’t work properly, are poorly designed or don’t fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.

In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.

Anthony Lineberry
Don’t Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle

A new Android vulnerability is discovered today. When will the phone in your pocket be patched? We studied firmware update events across millions of Android devices around the world to answer this question and many more. As it turns out, updating mobile devices is significantly more complex than in the desktop world.

Android has become a top player in the smartphone explosion. Its success is due in no small part to its openness and flexibility, enabling an entire ecosystem of unique devices built on an open-source core. This proliferation has not been without the challenge of fragmentation. In this talk, we survey what it takes to push a security update in the Android ecosystem, study prominent vulnerabilities that have affected the platform, and examine the patch history and current state of prominent devices to answer the question: What is the half-life of a vulnerability on Android?

Moxie Marlinspike
SSL And The Future Of Authenticity

In the early 90’s, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it’s amazing that SSL has endured for as long as it has, some parts of it — particularly those concerning Certificate Authorities — have always caused some friction, and have recently started to cause real problems.

This talk will examine authenticity in SSL, discuss what’s happening now, and cover some potential strategies for the future.

Jon McCoy
Hacking .Net Applications: The Black Arts

This presentation will cover the Black Arts of Cracks, KeyGens, and Malware on .NET Framework applications. The information in this presentation will show how a .NET programmer can do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures.

– This presentation will focus on C# but applies to any application based on the .NET framework.


Robert McGrew
Covert Post-Exploitation Forensics With Metasploit

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the “subject” (the one in possession of the media) is aware of the fact that their data has been seized or subjected to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on a remote filesystem with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.

Charlie Miller
Battery Firmware Hacking

Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall but the computer is powered off? Modern computers are no longer composed of just a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in-depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries; in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.

Thomas Ptacek
Crypto for Pentesters

Some people, when confronted with a problem, think “I know, I’ll use cryptography.” Now they have two hundred problems.

People test cryptography and think about the wrong things. How often are keys rotated? How big should the RSA keys be? Is it safe to use SHA-1 or do they need to use SHA-256? In the real world, these questions don’t matter. They’re like looking at 1995-era C code and asking whether it’s const-correct. It’s 1995 out there for crypto. Everything is wide open.

Think of a crypto primitive, like AES or SHA-1. Key exchange. Signatures. I’d like to show you something that goes wrong with it. Something so bad you can break a cryptosystem in seconds inside a Ruby interpreter. The slow kind of Ruby interpreter. Then I’d like to show you how to use simple tools, like that interpreter and Webscarab, to test for those flaws in real apps. Without knowing anything about the crypto they’re using. I think you might be surprised. Especially if you thought you needed a math degree to break real-world crypto.

I’m going to demonstrate testing techniques and explain and then generalize real-world flaws, so you can reuse the ideas behind them on applications you come into contact with. This talk comes with code, and with a sandbox app to try the attacks out on. This is the coolest stuff I’ve learned in the past several years. Picking these tricks up feels like it did to learn stack overflows in ’95. I’m psyched to share it.

Chris Rohlf
Attacking Clientside JIT Compilers

Just-In-Time (JIT) compilers help power most modern web browsers and are prevalent in interpreted virtual machines such as the JVM and .NET runtimes. JITs postpone deriving machine code from an intermediate format until execution time and can substantially increase performance of interpreted code. Since JITs are optimized for execution speed and generate machine code in memory by design, they raise a number of security issues. Our research surveys competing JIT designs to evaluate their comparative maturity and deep dives on the Mozilla Javascript and LLVM JITs. We wrote grammar fuzzers for ECMAScript/Javascript and LLVM IR to expose security vulnerabilities, focusing on memory corruption and information leaks. We evaluate how JIT engines may be used to bypass memory protections such as DEP and ASLR.

In addition to our destructive fuzzers we created a reusable toolchain, jitter, to help assist in our research. Our jitter tools are built on the dynamic debugging library Ragweed to track, disassemble and analyze JIT page allocations in real time. These tools are useful to both the developers of JIT engines and vulnerability researchers in generically analyzing JIT behavior. The security community has just begun to explore these complex components. We feel our ideas, tools and results will be applicable to other JIT compilers and help advance the state of security research of the modern web browsers and language runtimes that use them.

Thomas Roth
Analyzing SPDY: Getting to know the new web protocol

SPDY is Google’s approach to a new standard protocol for the web. As a replacement for HTTP it offers features like multiplexing multiple requests over a single TCP connection, header compression, flow control (including prioritizing requests) and server-side push functionality. Because of the complexity that comes with such features, SPDY can also be attractive for attackers: for instance, hijacking server-side push functionality can lead to a whole new generation of XSS attacks.

This presentation gives an in-depth explanation of the upcoming standard and the lessons learned during its implementation and testing.

The second half of the talk is about tools and methods for analyzing and intercepting SPDY traffic, like using a libspdy-based fork of mitmproxy for hijacking a SPDY session on the fly and pushing arbitrary content to the client.

Tyler Shields
Owning Your Phone at Every Layer – A Mobile Security Panel

According to IDC, 100 million smartphones were shipped in the fourth quarter of 2010, compared to just 92 million computers. With smartphone growth rates continuing to rise, mobile security is a topic fresh on everyone’s mind. Security research in the area of mobile devices has also picked up over the last few years, with a diversified attack portfolio targeting every level of the mobile security stack. But which of these attack models is the most dangerous to the enterprise? Which carries the most risk? When will the monetization of mobile attacks REALLY occur? What can an organization do to save itself? These and other interesting mobile security questions will be posed to a panel of the world’s top mobile security experts. See what happens when they are asked to defend their turf and attack models as the best.

Bryan Sullivan
Server-Side JavaScript Injection: Attacking NoSQL and Node.js

Fallout from the browser wars has given us blazingly fast JavaScript engines – engines so fast that they’re now being used for much more than just browsers. Server-side JavaScript (SSJS) is integral to many NoSQL databases such as MongoDB and Neo4j, and the web server framework Node.js is also built on SSJS. These projects score high benchmarks for speed and scalability, but does this speed come at the cost of security?

If you thought client-side JavaScript injection (better known as XSS) was dangerous, wait until you see what an attacker can do with server-side JavaScript injection (SSJI). In this talk, we’ll demonstrate SSJI exploits against NoSQL and Node.js applications that allow attackers to read, write, upload and execute arbitrary files anywhere on the server. We’ll also demonstrate that the programming errors that lead to these vulnerabilities are just as simple as the ones that lead to XSS. Finally, we’ll conclude the presentation with techniques you can use to find and fix SSJI vulnerabilities in your own applications.

Julia Wolf
The Rustock Botnet Takedown

The Rustock botnet operated for several years, and at several times was the largest operating botnet on Earth sending spam emails. This talk covers the history of the botnet, and the most recent shutdown of it instigated by researchers (Operation b107). The techniques used can be generalized to the takedown of other botnets.

Fabian Yamaguchi
Vulnerability Extrapolation or ‘Give me more Bugs like that, please!’

Security researchers and vendors alike know the situation: A vulnerability has been identified but it is unclear whether further vulnerabilities ‘just like that’ exist hidden somewhere in the code. Since application programming interfaces often dictate or induce programming patterns and simply because developers tend to copy & paste throughout the development process, it makes sense to ask whether it is possible to automatically identify functions sharing similar programming patterns in source-code to assist auditors in finding vulnerabilities similar to a known vulnerability.

To answer this question, we decided to study how other fields deal with the discovery and exploitation of patterns in data. We found that simple statistical methods from the field of machine-learning provide a promising set of tools for offensive security research and are in particular well suited to address the outlined problem of vulnerability extrapolation. To demonstrate that these methods are useful in practice despite their academic feel, we present a detailed case-study where a zero-day vulnerability is discovered based on a known vulnerability using our method. Since it is BlackHat, we will of course be presenting a working exploit as well.

Andrew Case
WORKSHOP – Investigating Live CDs using Volatility and Physical Memory Analysis

Traditional digital forensics encompasses the examination of data from an offline or “dead” source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations.

During this workshop we will perform a hands-on investigation of a live CD memory capture. This will include using newly developed Volatility functionality that allows for complete recovery of the in-memory filesystem. After we have recovered the filesystem, we will then gather traditional in-memory information such as process listings, memory maps, open files, and network connections. We will finish the investigation by correlating recovered data to solve the case and formulate our final results. Throughout the workshop there will be illustrations of the in-memory data structures being recovered as well as numerous source code examples, both from the Linux kernel as well as the Volatility scripts being used.

Upon conclusion of the workshop, attendees will have an understanding of the power of memory analysis, the unique issues presented by live CDs, and will be able to use Volatility in real forensics investigations. To participate, attendees only need to bring a laptop with Python installed. The live demonstrations will be done using Linux, but Windows and Mac users will also be able to fully participate. All workshop-specific materials will be provided by the instructor.

Cesar Cerrudo
WORKSHOP – Easy and quick vulnerability hunting in Windows

This short workshop will teach attendees how to easily and quickly find vulnerabilities in Windows applications by using some easy-to-use tools. I will detail step by step some simple techniques that can be used by experts and non-experts. While the techniques are simple, the results can be great. Learning these easy and fast techniques will allow attendees to do quick audits on Windows applications to determine how secure they are. I will show how to spot vulnerabilities with just a couple of clicks or with very simple and short debugging sessions. The techniques I will be showing are the same that allowed me to find dozens of vulnerabilities in Windows applications; I’m sure that after the workshop attendees will be able to do the same.

Gal Diskin
WORKSHOP – Binary Instrumentation Workshop for Security Experts

Binary instrumentation, in particular dynamic binary instrumentation (DBI), is a valuable tool for hackers and security experts. Most hackers and security experts use different forms of it without knowing they belong to the general category. Recently, instrumentation and DBI in particular started getting more attention in the security community (see SourceFire at BH’10 and many others), but it is still relatively unknown and not widely used. The aim of this workshop is to help people get started on using DBI by teaching them how to write instrumentation programs using the Pin DBI engine. During the workshop, simple instrumentation programs for security usages will be taught and analyzed, and some will be demonstrated live. The source code will be provided under the Intel open source license. At the end of the workshop you will have an understanding of what you can use DBI for and be able to begin developing your own instrumentation programs.

Lee Kushner
WORKSHOP – Infosec 2021 – A Career Odyssey

There is no doubt that the future looks promising for Information Security professionals. Slowly but surely, the world is waking up to the importance of having competent information security professionals as respected members of their organization. However, with the surge in popularity, attractive compensation, and professional respect comes increased competition.

If your future career plans include a role as an Information Security Leader, you will need to begin preparation now, so that you will be able to successfully compete for these desired opportunities.

The Information Security Career Management workshop will offer the Black Hat attendee a departure from the technical tracks, and enable them to learn how to better manage their information security careers and more effectively pursue their individual career goals. The “Career Management” workshop will be broken up into four (4) sessions – linked by a common theme – Differentiation through Targeted Skill Development. The format will allow the Black Hat attendee to stay through the full workshop, or select specific sessions that appeal to their personal career development efforts.

Vivek Ramachandran
WORKSHOP – Advanced Wi-Fi Security Penetration Testing

This workshop will provide a highly technical and in-depth treatment of Wi-Fi security. The emphasis will be to provide the participants with a deep understanding of the principles behind various attacks and not just a quick how-to guide on publicly available tools. We will start our journey with the very basics by dissecting WLAN packet headers with Wireshark, then graduate to the next level by cracking WEP, WPA/WPA2 and then move on to real life challenges like orchestrating Man-in-the-Middle attacks, creating Wi-Fi Backdoors and solving some live CTF style challenges together!

A non-exhaustive list of topics to be covered includes:

WLAN Protocol Basics using Wireshark
Bypassing WLAN Authentication – Shared Key, MAC Filtering, Hidden SSIDs
Cracking WLAN Encryption – WEP, WPA/WPA2 Personal and Enterprise, Understanding encryption based flaws (WEP,TKIP,CCMP)
Attacking the WLAN Infrastructure – Rogue Devices, Evil Twins, DoS Attacks, MITM
Advanced Enterprise Attacks – 802.1x, EAP, LEAP, PEAP, IPSec over WLAN
Attacking the Wireless Client – Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
Breaking into the Client – Metasploit, SET, Social Engineering
Enterprise Wi-Fi Worms, Backdoors and Botnets
Wireshark as a Wireless Forensics Tool
Programming and Scripting Wireless packet sniffers and Injectors for fun and profit

Thomas Roth
WORKSHOP – Breaking Encryption in the Cloud: Cheap, GPU Assisted Supercomputing for Everyone

It has been known for some time now that the massively parallel architecture of modern GPUs provides enormous acceleration when trying to break encryption or hash algorithms: GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad core CPUs when it comes to brute forcing SHA1 and MD5. The enormous potential can also be seen in the supercomputing business: the Tianhe-1A, leader of the top 500 list of supercomputers, is not only equipped with 14,336 CPUs but also with 7,168 NVIDIA Tesla “Fermi” M2050 GPUs – each of which has 448 cores and 3GB RAM. Until recently, one needed to spend a lot of money to get a small cluster of GPU assisted servers, but Amazon now provides an instance type in its EC2 cloud that sports two of the GPUs that are also used in the Tianhe-1A, resulting in a cheap way to boot up a cluster of GPU accelerated servers that can be used for one’s own purposes.

The first part of the talk will be about the design and the implementation of a massive parallel and GPU assisted environment for breaking encryptions: From generation, the storing and the use of rainbow tables to brute forcing in the cloud. In the second part of the talk the “Cloud Cracking Suite” is introduced: An open source suite designed to demonstrate the performance of breaking several algorithms in the cloud.

The ‘Cloud Cracking Suite’ is splitted in two parts: The server side and the client. The server side consists of especially for the Fermi-architecture optimized, high performance implementations of SHA1 and MD5 with an interface to use them for rainbow table generation or brute forcing as well as a self-configuring Pyrit for WPA database generation. The client side provides an easy to use CLI which allows one to spawn and control a cluster for a specific task.

As the server side will be available as a hosted AMI, everyone participating can simply download the client, create an account at the AWS and try it out himself.”

Mark Russinovich
WORKSHOP – Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning – so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus.

Justin Searle
WORKSHOP – Pentesting the Smart Grid

This workshop will take a deep dive into the penetration testing of the hardware and network protocols of three of the most important systems of the Smart Grid, namely smart meters, SCADA, and synchrophasors. We’ll look at the common features provided by AMI meters, dissect the ANSI C12 family of protocols they use, and the systems they connect to. Next we’ll look at the most common SCADA protocols used in the Smart Grid (DNP3 and IEC 61850), the devices they control, and the infrastructure used for substation automation. Finally we’ll look at synchrophasor architectures, look at their most common protocol (C37.118), and discuss how they are used in Wide-Area Monitoring, Protection, and Control (WAMPAC). To wrap up the workshop, we’ll play with embedded hardware pentesting techniques and introduce a new live Linux distro created for this purpose.

Overview of Smart Grid Architecture
Deep dive into AMI Smart Meters
  Architectural Overview
  Functions & Data Flows Breakdown
  ANSI C12.xx
Deep dive into SCADA
  Architectural Overview
  Functions & Data Flows Breakdown
  DNP3 & IEC 61850
Deep dive into Synchrophasors
  Architectural Overview
  Functions & Data Flows Breakdown
  IEEE C37.118
Embedded Hardware Pentesting
  Flash/EEPROM Dumping
  Bus Sniffing
  Key Extraction
Conclusions and Wrap-up

Sumit Siddharth
WORKSHOP – The Art of Exploiting Lesser Known Injection Flaws

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. This hands-on session gives attendees an overview of this vulnerability. While topics such as SQL Injection are very well documented, there are quite a lot of other injection flaws which are not much talked about. Some of these are:

XPath Injection
LDAP Injection
Hibernate Query Language Injection
Direct OS Code Injection
XML Entity Injection
This hands-on session will introduce the attendees to these less popular vulnerabilities and allow them to gain in-depth knowledge of the impact of each one.
