SUSTAINING SPONSORS Black Hat AD FINAL.pdf 1 6/30/12 8:12 PM
C
M
Y
CM
MY
CY
CMY
K Black Hat AD FINAL.pdf 1 6/30/12 8:12 PM
SCHEDULE
WELCOME TABLE OF CONTENTS Schedule ...... 4-7 Welcome to Las Vegas, and thank you for your participation in the growing Black Hat community. As we celebrate our 15th anniversary, we believe that the event Briefi ngs ...... 8-24 continues to bring you timely and action packed briefi ngs from some of the top Workshops ...... 21 security researchers in the world. Security saw action on almost every imaginable front in 2012. The year started Turbo Talks ...... 23 with a massive online protest that beat back US-based Internet blacklist legislation Speakers ...... 25-39 including SOPA and PIPA, echoed by worldwide protests against adopting ACTA in the European Union. Attackers showed no signs of slowing as Flame Keynote Bio ...... 25 replaced Stuxnet and Duqu as the most sophisticated malware yet detected. The Floorplan ...... 40-41 Web Hacking Incident Database (WHID) has added LinkedIn, Global Payments, eHarmony and Zappos.com while Anonymous and other politically motivated groups Arsenal ...... 42-51 have made their presence known in dozens of attacks. Special Events ...... 52-53 No matter which incidents you examine—or which ones your enterprise must C respond to—one thing is clear: security is not getting easier. The industry relies upon Stay Connected + More ...... 54 M the Black Hat community to continue our research and education, and seeks our Sponsors ...... 55 guidance in developing solutions to manage these threats. Y Black Hat USA 2012 features nine tracks and fourty-nine live, onstage CM demonstrations presented by over one hundred of the community’s best and
MY brightest. We’re particularly excited about this year’s keynote speakers, Shawn Henry, former FBI Executive Assistant Director (EAD) and the current President of CY CrowdStrike Services; and Neal Stephenson, one of the world's foremost historical CMY and science fi ction authors. Shawn will take the stage to offer new insights on how UPCOMING EVENTS:
K a hostile cyber environment has rendered traditional security obsolete while Neal will take the stage for an interactive interview. Black Hat Training: HALO Summit 2012 The Arsenal returns for its third year, offering researchers and the open source San Diego, CA October 29-November 2 community a platform to demonstrate tools they develop and use in their daily Black Hat UAE 2012 professions. Abu Dhabi, United Arab Emirates December 10-13 I would like to ask for your help with two items: Black Hat EU 2013 U Keep your eye open for the review board members, and give them a hearty thank-you. This team spent countless hours reviewing over 500 submissions; Amsterdam, The Netherlands March 11-14 their guidance ensures that the show remains connected to its roots. Black Hat USA 2013 U Please fi ll out your surveys! Black Hat is the most important security event of the year, and our ethos remains focused on the community. We need to hear from Las Vegas, Nevada July 27-August 1 you! Whether it’s your fi rst Black Hat or your fi fteenth, I want to encourage all attendees reach out and connect. This event offers unique opportunities for STAY CONNECTED professional growth, while providing access to a very niche population—nowhere else on earth will you have this kind of access to researchers, technology experts Twitter: Twitter.com/Black HatEvents and Black Hat sponsors. We hope you enjoy this year’s show! Facebook: Facebook.com/Black Hat Trey Ford General Manager LINKED.IN: search for “Black Hat” on LinkedIN Groups Black Hat
3 SCHEDULE / WED, JULY 25
Time Track 1 Track 2 Track 3 Track 4 Track 5 Track 6 Track 7 Track 8 Track 9 Track Defi ning the Scope Upper Layers Lower Layers Mobile Defense Breaking Things Gnarly Problems Applied Workshop I Applied Workshop II Track Chair: Vincenzo Iozzo Track Chair: Shawn Moyer Track Chair: Chris Rohlf ROOM Augustus III + IV Augustus I + II Augustus V + VI Palace I Palace II Palace III Romans I-IV Florentine Pompeian 08:00-12:00 REGISTRATION: Emperiors Ballroom 08:00-08:50 BREAKFAST: Octavius Ballroom—Sponsored by 08:50-09:00 Jeff Moss: Welcome & Introduction to Black Hat USA 2012: Augustus Ballroom 09:00-10:00 Keynote Speaker: Shawn Henry: Augustus Ballroom 10:00-10:15 Break 10:15-11:15 Smashing the Future for Fun and Profi t Advanced ARM Exploitation SexyDefense: Maximizing the A Stitch in Time Saves Nine: File Disinfection Framework:
4 SCHEDULE / WED, JULY 25
Time Track 1 Track 2 Track 3 Track 4 Track 5 Track 6 Track 7 Track 8 Track 9 Track Defi ning the Scope Upper Layers Lower Layers Mobile Defense Breaking Things Gnarly Problems Applied Workshop I Applied Workshop II Track Chair: Vincenzo Iozzo Track Chair: Shawn Moyer Track Chair: Chris Rohlf ROOM Augustus III + IV Augustus I + II Augustus V + VI Palace I Palace II Palace III Romans I-IV Florentine Pompeian 08:00-12:00 REGISTRATION: Emperiors Ballroom 08:00-08:50 BREAKFAST: Octavius Ballroom—Sponsored by 08:50-09:00 Jeff Moss: Welcome & Introduction to Black Hat USA 2012: Augustus Ballroom 09:00-10:00 Keynote Speaker: Shawn Henry: Augustus Ballroom 10:00-10:15 Break 10:15-11:15 Smashing the Future for Fun and Profi t Advanced ARM Exploitation SexyDefense: Maximizing the A Stitch in Time Saves Nine: File Disinfection Framework: 5 SCHEDULE / THU, JULY 26 Time Track 1 Track 2 Track 3 Track 4 Track 5 Track 6 Track 7 Track 8 Track 9 Track Big Picture Web Apps Malware Enterprise Intrigue 92.2% Market Share Over the Air and Mass Effect Applied Workshop I Applied Workshop II Track Chair: Nathan Hamiel Track Chair: Stefano Zanero In the Device ROOM Augustus III + IV Augustus I + II Augustus V + VI Palace I Palace II Palace III Romans I-IV Florentine Pompeian 08:00-11:00 REGISTRATION: Emperiors Ballroom 08:00-08:50 BREAKFAST: Octavius Ballroom—Sponsored by 09:00-10:00 Keynote Speaker: Neal Stephenson: Augustus Ballroom 10:00-10:15 Break / Booksigning with Neal Stephenson: Palace Pre-Function 10:15-11:15 Trust, Security, and Society HTML5 Top 10 Threats: Stealth A Scientifi c ( but not academic) Catching Insider Data Theft With Exploitation of Windows 8 Metro iOS Security Still Passing the Hash 15 Years Lessons of Binary Analysis The Dark Art of IOS Application by Bruce Schneier Attacks and Silent Exploits Study of Malware Employs Anti- Stochastic Forensics Style Apps by Dallas De Atley Later? Using the Keys to the by Chrstien Rioux Hacking by Shreeraj Shah Debugging, Anti-disassemly, and by Jonathan Grier by Sung-ting Tsai + Kingdom to Access all Your Data by Jonathan Zdziarski Anti-virtualization Technologies Ming-chieh Pan by Alva Duckwall + by Rodrigo Branco Christopher Campbell 11:15-11:45 Coffee Service—Sponsored by / Booksigning with Bruce Schneier: Palace Pre-Function 11:45-12:45 The Christopher Columbus Rule AMF Testing Made Easy De Mysteriis Dom Jobsivs: Find Me in Your Database: We have you by the Gadgets iOS Kernel Heap Armageddon Recent Java Exploitation Trends Lessons of Binary Analysis cont. The Dark Art of IOS Application and DHS by Luca Carettoni Mac Efi Rootkits An Examination of Index Security by Mickey Shkatov + Revisited and Malware Hacking cont. by Mark Weatherford by Loukas K by David Litchfi eld Toby Kohlenberg by Stefan Esser by Jeong Wook Oh 12:45-14:15 Lunch: Forum Ballroom—Sponsored by 14:15-15:15 Legal Aspects of Cyberspace Hacking with WebSockets Dex Education: Practicing Safe Dex Passive Bluetooth Monitoring in Exchanging Demands When Security Gets in the Way: Digging Deep Into The Flash SNSCat: What You Don’t Ruby for Pentesters: Operations by Sergey Shekyan + by Timothy Strazzere Scapy by Peter Hannay Tools for PenTesting Mobile Apps Sandboxes Know About Sometimes Hurts The Workshop by Robert Clark Vaagan Toukharian by Ryan Holeman That Use Certifi cate Pinning by Paul Sabanal + the Most by Cory Scott + by Alban Diquet + Mark Vincent Yason by Dan Gunter + Michael Tracy + SYNful Deceit, Stateful Subterfuge Justine Osborne Solomon Sonya Timur Duehr by Tom Steele + Chris Patten Embedded Device Firmware Vulnerability Hunting Using FRAK Stamp Out Hash Corruption, by Ang Cui Crack All The Things by Ryan Reynolds + Mapping and Evolution of Jonathan Claudius Android Permissions by Andrew Reiter + Zach Lanier 15:15-15:30 Break 15:30-16:30 Targeted Intrusion Remediation: Blended Threats and JavaScript: Hardware Backdooring is Practical Clonewise: Automated Package Windows Phone 7 Internals and iOS Application Security SQL Injection to MIPS Overfl ows: Mobile Network Forensics Ruby for Pentesters: Lessons From The Front Lines A Plan for Permanent Network by Jonathan Brossard Clone Detection Exploitability Assessment and Automation: Rooting SOHO Routers with Eric Fulton The Workshop cont. by Jim Aldridge Compromise by Silvio Cesare by Tsukasa Oi Introducing SIRA by Zachary Cutlip by Phil Purviance + by Justin Engler + Joshua Brashars Seth Law + Joshua Dubik + David Vo 16:30-17:00 Coffee Service—Sponsored by 17:00-18:00 Hacking the Corporate Mind: State of Web Exploit Toolkits Flowers for Automated Malware SSRF VS. Business Critical Easy Local Windows Kernel How Many Bricks does it take to Hookin’ Ain’t Easy: BeEF Mobile Network Forensics cont. Ruby for Pentesters: Using Social Engineering Tactics by Jason Jones Analysis Applications Exploitations crack a microcell? Injection with MITM The Workshop cont. to Improve Organizational Security by Chengyu Song + by Alexander Polyakov + by Cesar Cerrudo by Mathew Rowley by Steve Ocepek + Acceptance Paul Royal Dmitry Chastuhin Ryan Linn by James Philput 6 SCHEDULE / THU, JULY 26 Time Track 1 Track 2 Track 3 Track 4 Track 5 Track 6 Track 7 Track 8 Track 9 Track Big Picture Web Apps Malware Enterprise Intrigue 92.2% Market Share Over the Air and Mass Effect Applied Workshop I Applied Workshop II Track Chair: Nathan Hamiel Track Chair: Stefano Zanero In the Device ROOM Augustus III + IV Augustus I + II Augustus V + VI Palace I Palace II Palace III Romans I-IV Florentine Pompeian 08:00-11:00 REGISTRATION: Emperiors Ballroom 08:00-08:50 BREAKFAST: Octavius Ballroom—Sponsored by 09:00-10:00 Keynote Speaker: Neal Stephenson: Augustus Ballroom 10:00-10:15 Break / Booksigning with Neal Stephenson: Palace Pre-Function 10:15-11:15 Trust, Security, and Society HTML5 Top 10 Threats: Stealth A Scientifi c ( but not academic) Catching Insider Data Theft With Exploitation of Windows 8 Metro iOS Security Still Passing the Hash 15 Years Lessons of Binary Analysis The Dark Art of IOS Application by Bruce Schneier Attacks and Silent Exploits Study of Malware Employs Anti- Stochastic Forensics Style Apps by Dallas De Atley Later? Using the Keys to the by Chrstien Rioux Hacking by Shreeraj Shah Debugging, Anti-disassemly, and by Jonathan Grier by Sung-ting Tsai + Kingdom to Access all Your Data by Jonathan Zdziarski Anti-virtualization Technologies Ming-chieh Pan by Alva Duckwall + by Rodrigo Branco Christopher Campbell 11:15-11:45 Coffee Service—Sponsored by / Booksigning with Bruce Schneier: Palace Pre-Function 11:45-12:45 The Christopher Columbus Rule AMF Testing Made Easy De Mysteriis Dom Jobsivs: Find Me in Your Database: We have you by the Gadgets iOS Kernel Heap Armageddon Recent Java Exploitation Trends Lessons of Binary Analysis cont. The Dark Art of IOS Application and DHS by Luca Carettoni Mac Efi Rootkits An Examination of Index Security by Mickey Shkatov + Revisited and Malware Hacking cont. by Mark Weatherford by Loukas K by David Litchfi eld Toby Kohlenberg by Stefan Esser by Jeong Wook Oh 12:45-14:15 Lunch: Forum Ballroom—Sponsored by 14:15-15:15 Legal Aspects of Cyberspace Hacking with WebSockets Dex Education: Practicing Safe Dex Passive Bluetooth Monitoring in Exchanging Demands When Security Gets in the Way: Digging Deep Into The Flash SNSCat: What You Don’t Ruby for Pentesters: Operations by Sergey Shekyan + by Timothy Strazzere Scapy by Peter Hannay Tools for PenTesting Mobile Apps Sandboxes Know About Sometimes Hurts The Workshop by Robert Clark Vaagan Toukharian by Ryan Holeman That Use Certifi cate Pinning by Paul Sabanal + the Most by Cory Scott + by Alban Diquet + Mark Vincent Yason by Dan Gunter + Michael Tracy + SYNful Deceit, Stateful Subterfuge Justine Osborne Solomon Sonya Timur Duehr by Tom Steele + Chris Patten Embedded Device Firmware Vulnerability Hunting Using FRAK Stamp Out Hash Corruption, by Ang Cui Crack All The Things by Ryan Reynolds + Mapping and Evolution of Jonathan Claudius Android Permissions by Andrew Reiter + Zach Lanier 15:15-15:30 Break 15:30-16:30 Targeted Intrusion Remediation: Blended Threats and JavaScript: Hardware Backdooring is Practical Clonewise: Automated Package Windows Phone 7 Internals and iOS Application Security SQL Injection to MIPS Overfl ows: Mobile Network Forensics Ruby for Pentesters: Lessons From The Front Lines A Plan for Permanent Network by Jonathan Brossard Clone Detection Exploitability Assessment and Automation: Rooting SOHO Routers with Eric Fulton The Workshop cont. by Jim Aldridge Compromise by Silvio Cesare by Tsukasa Oi Introducing SIRA by Zachary Cutlip by Phil Purviance + by Justin Engler + Joshua Brashars Seth Law + Joshua Dubik + David Vo 16:30-17:00 Coffee Service—Sponsored by 17:00-18:00 Hacking the Corporate Mind: State of Web Exploit Toolkits Flowers for Automated Malware SSRF VS. Business Critical Easy Local Windows Kernel How Many Bricks does it take to Hookin’ Ain’t Easy: BeEF Mobile Network Forensics cont. Ruby for Pentesters: Using Social Engineering Tactics by Jason Jones Analysis Applications Exploitations crack a microcell? Injection with MITM The Workshop cont. to Improve Organizational Security by Chengyu Song + by Alexander Polyakov + by Cesar Cerrudo by Mathew Rowley by Steve Ocepek + Acceptance Paul Royal Dmitry Chastuhin Ryan Linn by James Philput 7 BRIEFINGS KEYNOTES researchers around the world to focus their attention very surprising. The purpose of the talk is to reach on making their tools and processes more effi cient to a broader audience and share the more interesting rapidly avoid the malware authors’ countermeasures. bits of the research that went into developing the CHANGING THE SECURITY This fi rst of its kind, comprehensive catalog of Practical ARM Exploitation course that we are giving PARADIGM…TAKING BACK YOUR countermeasures was compiled by the paper’s at Black Hat 2012. We discuss reliably defeating NETWORK AND BRINGING PAIN TO authors by researching each of the known techniques XN, ASLR, stack cookies, etc. using nuances of the THE ADVERSARY employed by malware, and in the process new ARM architecture on Linux (in embedded applications Shawn Henry detections were proposed and developed. The and mobile devices). We will also demonstrate these JULY 25 / 09:00 / AUGUSTUS BALLROOM underlying malware sample database has an open techniques and discuss how we were able to discover The threat to our networks is increasing at an architecture that allows researchers not only to see the them using several ARM hardware development unprecedented rate. The hostile environment we results of the analysis, but also to develop and plug-in platforms that we custom built (see: http://bit. operate in has rendered traditional security strategies new analysis capabilities. The system will be made ly/zaKZYH). We will also share some anecdotal obsolete. Adversary advances require changes in the available in beta at Black Hat, with the purpose of “hardware hacking” experiences we had exploiting way we operate, and “offense” changes the game. serving as a basis for innovative community research. similar bugs on embedded devices running on other Former FBI Executive Assistant Director Shawn Henry platforms (see: http://bit.ly/pGAGlO) explores the state of the industry from his perspective A STITCH IN TIME SAVES NINE: as the man who led all cyber programs for the FBI. A CASE OF MULTIPLE OPERATING ADVENTURES IN BOUNCERLAND SYSTEM VULNERABILITY Nicholas Percoco AN INTERVIEW WITH Rafal Wojtczuk Sean Schulte NEAL STEPHENSON JULY 25 / 10:15 / PALACE III JULY 25 / 17:00 / PALACE I Neal Stephenson Six years ago Linux kernel developers fi xed a Meet 8 BRIEFINGS discovered using Blazer will be presented as well as a generic methodology to make AMF testing easier and more robust. Adobe BlazeDS, a well-known Java remoting technology, will be used as our server-side reference implementation. ARE YOU MY TYPE? BREAKING .NET SANDBOXES THOUGH SERIALIZATION James Forshaw JULY 25 / 15:30 / PALACE III In May, Microsoft issued a security update for .NET due to a number of serious issues I found. This release was the biggest update in the product’s history, it aimed to correct a number of specifi c issues due to unsafe serialization usage as well as changing some of the core functionality to mitigate anything which could not be easily fi xed without signifi cant compatibility issues. This presentation will cover the process through which I identifi ed these vulnerabilities and provide this year’s talk I’m going to play with some techniques software or fork development of an existing project. information on how they can be used to attack that are obviously wrong and evil and naive. There This practice can lead to software vulnerabilities .NET applications, both locally and remotely, as well will also be a lot of very interesting code, spanning when the embedded code is not kept up to date with as demonstrating breaking out of the partial trust the range from high speed network stacks to random upstream sources. As a result, manual techniques sandboxes used in technologies such as ClickOnce number engines to a much deeper analysis of non- have been applied by Linux vendors to track and XAML Browser Applications. neutral networks. Finally, we will revisit DNSSEC, embedded code and identify vulnerabilities. We both in code, and in what it can mean to change the propose an automated solution to identify embedded BLENDED THREATS AND battleground in your favor. packages, which we call package clones, without any JAVASCRIPT: A PLAN FOR prior knowledge of these relationships. Our approach PERMANENT NETWORK CATCHING INSIDER DATA THEFT identifi es similar source fi les based on fi le names and COMPROMISE content to identify elationships between packages. We WITH STOCHASTIC FORENSICS extract these and other features to perform statistical Phil Purviance Jonathan Grier classifi cation using machine learning. We evaluated Joshua Brashars JULY 26 / 10:15 / PALACE I our automated system named Clonewise against JULY 26 / 15:30 / AUGUSTUS I+II A stochastic process is, by defi nition, something Debian’s manually created database. During Black Hat 2006, it was shown how common unpredictable, but unpredictable in a precise way. Clonewise had a 68% true positive rate and a Web browser attacks could be leveraged bypass Think of the molecules in a gas: we can’t predict false positive rate of less than 1%. Additionally, our perimeter fi rewalls and “Hack Intranet Websites from how any individual molecule will move and shake; system detected many package clones not previously the Outside.” In the years since, the fundamental but by accepting that randomness and describing it known or tracked. Our results are now starting to be problems were never addressed and the Intranet mathematically, we can use the laws of statistics to used by Linux vendors such as Debian and Redhat remains wide open, probably because the attack accurately predict the gas’s overall behavior. to track embedded packages. Redhat started to techniques described had important limitations. What’s this have to do with data theft? Insider data track clones in a new wiki, and Debian are planning These limitations prevented mass scale and persistent theft often leaves no artifacts or broken windows, to integrate Clonewise into the operating procedures compromise of network connected devices, which making it invisible to traditional forensics. But copying used by their security team. Based on our work, over include but are not limited to home broadband routers. large amounts of data will always affect the fi le system, 30 unknown package clone vulnerabilities have been Now in 2012, with the help of new research and and when we look through stochastic lenses, copying identifi ed and patched. next-generation technologies like HTML5, browser- sticks out like a sore thumb. Stochastic forensics is a based Intranet attacks have overcome many of the old new technique which uses these patterns to detect limitations and improved to a new degree of scary. insider data theft, despite its lack of artifacts. CONFESSIONS OF A WAF This presentation will cover state-of-the-art Web I’ve used these techniques to catch data theft DEVELOPER: PROTOCOL-LEVEL browser blended threats launched with JavaScript, months after its occurrence. I’ll show you the statistical EVASION OF WEB APPLICATION using zero to minimal user interaction and complete patterns present on a typical fi lesystem, the distinct FIREWALLS every step of the exploit attack cycle. Starting with patterns induced by copying, and the mathematical Ivan Ristic enumeration and discovery, escalating the attack technique which highlights the difference. You’ll learn JULY 25 / 11:45 / ROMANS I-IV further upstream and into embedded network devices, how to spot otherwise invisible data theft. Most discussions of WAF evasion focus on bypassing and ultimately mass-scale permanent compromise. detection via attack payload obfuscation. These CLONEWISE: AUTOMATED techniques target how WAFs detect specifi c attack BLACK OPS PACKAGE CLONE DETECTION classes, and that’s fi ne. Protocol-level evasion Dan Kaminsky Silvio Cesare techniques target a lower processing layer, which JULY 25 / 11:45 / AUGUSTUS III-IV JULY 26 / 15:30 / PALACE I is designed to parse HTTP streams into meaningful If there’s one thing we know, it’s that we’re doing it Developers sometimes statically link libraries from data. A successful evasion at this layer makes the wrong. Sacred cows make the best hamburgers, so in other projects, maintain an internal copy of other WAF see a request that is different from that seen 9 BRIEFINGS In 1992, Steve Jackson Games published the DEX EDUCATION: game Hacker, satirizing the Secret Service raid that PRACTICING SAFE DEX seized drafts of GURPS Cyberpunk. The Hacker Timothy Strazzere game manual helpfully states, “Important Notice To JULY 26 / 14:15 / AUGUSTUS V+VI Secret Service! This Is Only A Game! These Are Not In an ecosystem full of potentially malicious apps, you Real Hacking Instructions! You Cannot Hack Into Real need to be careful about the tools you use to analyze Computers By Rolling Little Dice!” Now, 20 years them. Without a full understanding of how the Android later, we wish to announce a new card game that’s Dalvik VM or dex fi le interpreters actually work, it’s fun, yes, but also designed to illustrate important easy for things to slip through the cracks. Based on aspects of computer security. We licensed our game learnings from the evolution of PC-based malware, it’s mechanics (Ninja Burger) from none other than Steve clear that someone, somewhere will someday attempt Jackson Games, then created all-new content— to break the most commonly used tools for static and complete with illustrations and graphic design—to dynamic analysis of mobile malware. So we set out to deal with computer security topics. see who was already breaking them and how, then, Each person plays as a white hat hacker at a how we could break them more. company that performs security audits and provides We’ve taken a deep dive into Android’s dex fi le consulting services. Your job is centered around format that has yielded interesting results related to Missions—tasks that require you to apply your detection of post-compilation fi le modifi cation. After hacker skills (Hardware Hacking, Software Wizardry, deconstructing some of the intricacies of the dex fi le Network Ninja, Social Engineering, Cryptanalysis, format, we turned our attention to dex fi le analysis Forensics, and more) and a bit of luck in order to tools themselves, analyzing how they parse and succeed. You gain Hacker Cred by successfully manage the dex format. Along the way we observed a completing Missions (“Disinformation Debacle,” “Mr. number of easily exploitable functionality, documenting Botneto”, “e-Theft Auto”) and you lose Hacker Cred specifi cally why they fail and how to fi x them. From when you fail. Entropy cards help you along the way this output we’ve developed a proof of concept tool— with advantages that you can purchase (“Superlative APKfuscator—that shows how to exploit these fl aws. Visualization Software”) and unexpected obstacles It’s our hope that it can be a tool that helps everyone that you can use to thwart other players (“Failed to practice safe dex. by the victim application. Through evasion, attacks Document”). Gain enough Hacker Cred, and you become virtually invisible. The technique can be used win fame and fortune as the CEO of your very own with any class of attack. consulting company. DIGGING DEEP INTO THE Especially vulnerable to this type of attack are Why a game? Entertainment provides an engaging FLASH SANDBOXES virtual patches, which are, somewhat ironically, the medium with which to raise awareness of the diversity Paul Sabanal most successful use case for WAFs today. I will show of technologies impacted by security breaches and Mark Vincent Yason how, through the combination of WAF design and the creativity of techniques employed by attackers. JULY 26 / 14:15 / ROMANS I-IV implementation issues, inadequate documentation and In this talk, we will describe our goals in creating the Lately we have seen how sandboxing technology is inadequate user interfaces, many virtual patches can game, discuss trials involved in the game design positively altering the software security landscape. be trivially bypassed. process, and discuss the potential applications of From the Chrome browser, to Adobe Reader, to In this talk I will share the lessons learned from security-themed games. Come observe a game Mac and iOS applications, sandboxing has become 10 years of web application fi rewall development. demo, look for a free copy to give away one of the main exploit mitigation technologies that The focus will be on demonstrating the problems software has come to rely on. As with all critical that exist today, including a previously unknown security technologies, they need to be understood and fl aw in ModSecurity that remained undetected for DE MYSTERIIS DOM JOBSIVS: scrutinized, mainly to see how effective they are, or at many years. In addition, I will discuss many evasion MAC EFI ROOTKITS the very least, to satisfy one’s curiosity. The sandbox techniques that are countered in ModSecurity, but Loukas K implementations for Adobe’s Flash Player certainly which may be effective against other tools. JULY 26 / 11:45 / AUGUSTUS V+VI piqued ours. As part of this talk, I will release a catalogue of The EFI fi rmware used in Intel Macs and other modern Our talk will explore the internals of three sandbox protocol-level evasion techniques and a complete systems presents some interesting possibilities for implementations for Flash: Protected Mode Flash testing suite. rootkit developers. This presentation will provide for Chrome, Protected Mode Flash for Firefox, and a full account of how an EFI-based rootkit might Pepper Flash. And of course, we will show that an work. We will begin with some background on the exhaustive exploration of the Flash sandboxes will CONTROL-ALT-HACK(TM): EFI architecture—what it does, how it works, and WHITE HAT HACKING FOR FUN eventually yield gold as we discuss and demonstrate how we can leverage EFI to inject code into the Mac some Flash sandbox escape vulnerabilities we found AND PROFIT ( A COMPUTER OS X kernel or attack the user directly. We will then along the way. SECURITY CARD GAME) detail how a kernel payload might work, employing We start with a look at the high level architecture Tadayoshi Kohno a number of rootkit techniques that can be used of each sandbox implementation. Here we will defi ne Tamara Denning within the XNU kernel. Finally, we will discuss the the role of each process and the connections between Adam Shostack possibilities for rootkit persistence that are presented them. In the second part, we will dive deep into the JULY 25 / 14:15 / PALACE II by EFI. This presentation will not require a detailed internal sandbox mechanisms at work such as the You and your fellow players work for Hackers, Inc.: understanding of EFI, and will leave the audience with sandbox restrictions, the different IPC protocols a small, elite computer security company of ethical, an understanding of the ways in which EFI can be in use, the services exposed by higher-privileged white hat hackers that perform security audits and used in a modern Mac OS X rootkit. processes, and more. In the third part of our talk we provide consultation services. Their Motto: You Pay will take a look at each sandbox’s security and talk Us to Hack You. 10 BRIEFINGS about the current limitations and weaknesses of each EASY LOCAL WINDOWS KERNEL EXPLOIT MITIGATION implementation. We will then discuss possible avenues EXPLOITATION IMPROVEMENTS IN WIN 8 to achieve a sandbox bypass or escape. Throughout Cesar Cerrudo Matt Miller all this we will be pointing out the various differences JULY 26 / 17:00 / PALACE II Ken Johnson between these implementations. For some common local Kernel vulnerabilities there JULY 25 / 17:00 / PALACE II is no general, multi-version and reliable way to Over the past decade, Microsoft has added security DON’T STAND SO CLOSE TO ME: exploit them. There have been interesting techniques features to the Windows platform that help to mitigate AN ANALYSIS OF THE NFC published but they are not simple and/or neither they risk by making it diffi cult and costly for attackers ATTACK SURFACE work across different Windows versions most of the to develop reliable exploits for memory safety Charlie Miller time. This presentation will show some easy, reliable vulnerabilities. Some examples of these features JULY 25 / 14:15 / PALACE I and cross platform techniques for exploiting some include Data Execution Prevention (DEP), Address Near Field Communication (NFC) has been used in common local Windows kernel vulnerabilities. These Space Layout Randomization (ASLR), and Visual C++’s mobile devices in some countries for a while and new techniques allow even to exploit vulnerabilities code generation security (GS) protection for stack- is now emerging on devices in use in the United that have been considered diffi cult or almost based buffer overruns. In Windows 8, Microsoft has States. This technology allows NFC enabled devices impossible to exploit in the past. made a number of substantial improvements that are to communicate with each other within close range, designed to break known exploitation techniques and typically a few centimeters. It is being rolled out as a ERRATA HITS PUBERTY: in some cases prevent entire classes of vulnerabilities way to make payments, by using the mobile device from being exploited. This presentation will provide a 13 YEARS OF CHAGRIN detailed technical walkthrough of the improvements to communicate credit card information to an NFC Jericho that have been made along with an evaluation of their enabled terminal. It is a new, cool, technology. But JULY 25 / 15:30 / AUGUSTUS III-IV expected impact. In closing, this presentation will look as with the introduction of any new technology, the The attrition.org Errata project has documented beyond Windows 8 by providing a glimpse into some question must be asked what kind of impact the the shortcomings, hypocrisy, and disgraces of the of the future directions in exploit mitigation research inclusion of this new functionality has on the attack information technology and security industries. For 13 that are currently being explored by Microsoft. surface of mobile devices. In this paper, we explore years, we have acted as a watchdog and reminder this question by introducing NFC and its associated that industries who sell integrity should have it as well. protocols. The public face of Errata is very different than the EXPLOITATION OF WINDOWS 8 Next we describe how to fuzz the NFC protocol process that leads to it. METRO STYLE stack for two devices as well as our results. Then This presentation will give a unique insight into the Sung-ting Tsai we see for these devices what software is built on history, process, and blowback that are cornerstones Ming-chieh Pan top of the NFC stack. It turns out that through NFC, of the project. This will include statistics, how Errata JULY 26 / 10:15 / PALACE II using technologies like Android Beam or NDEF has fallen short, how it can be improved, and where the Windows 8 introduces lots of security improvements, content sharing, one can make some phones parse project is going. Most importantly, it will cover how the one of the most interesting feature is the Metro-style images, videos, contacts, offi ce documents, even industry can better help the project, both in staying off app. It not only provides fancy user interface, but also open up web pages in the browser, all without user the pages on attrition.org, as well as contributing to it. a solid application sandbox environment. interaction. In some cases, it is even possible to All Metro-style application run in AppContainer, and completely take over control of the phone via NFC, EXCHANGING DEMANDS the AppContainer sandbox isolates the execution of including stealing photos, contacts, even sending text Peter Hannay each application. It can make sure that an App does messages and making phone calls. So next time you JULY 26 / 14:15 / PALACE II not have access to capabilities that it hasn’t declared present your phone to pay for your cab, be aware and been granted by the user. Smart phones and other portable devices are you might have just gotten owned. This presentation will introduce the design of increasingly used with Microsoft Exchange to allow Metro-style app as well as AppContainer sandbox. people to check their corporate emails or sync their We will dive into details of the architecture and see calendars remotely. Exchange has an interesting how it works, how does it protect from a malicious relationship with its mobile clients. It demands a App attack. After reviewing the design, we will discuss certain level of control over the devices, enforcing some logic fl aws that we have discovered, and policy such as password complexity, screen timeouts, demonstrate how do we bypass AppContainer to remote lock out and remote wipe functionality. This access fi les, launch program, connect to Internet. And behavior is usually accepted by the user via a prompt also we will introduce how do we implement exploit/ when they fi rst connect to Exchange. However, the shellcode in Metro-style app by demonstrating a protocol for updating these policies provides very little memory corruption vulnerability in a Broker process. in the way of security and is quickly accepted by the device, often with no user interaction required. In this talk we will focus on the remote wipe EXPLOITING THE JEMALLOC functionality and how a potential attacker could MEMORY ALLOCATOR: abuse this functionality to remotely wipe devices OWNING FIREFOX’S HEAP that are connected to Exchange. By impersonating Patroklos Argyroudis an Exchange server and sending appropriate policy Chariton Karamitas updates through a simple script we are able to erase JULY 25 / 11:45 / PALACE III all data on devices remotely without any need for Jemalloc is a userland memory allocator that is being authentication. The presentation will explain how this increasingly adopted by software projects as a high can be accomplished and show proof of concept code performance heap manager. It is used in Mozilla Firefox for Android & iOS devices. for the Windows, Mac OS X and Linux platforms, and as the default system allocator on the FreeBSD 11 Able To Leap Tall Buildings...... and find the right people to strengthen your organization. • Building Organizations • Securing Relationships • Developing Leaders For 26 years Alta Associates has been an integral and trusted member of the The industry’s most trusted recruiting partner Information Security, IT Risk Management and GRC community offering the most sought after, respected team of recruiters led by a CEO named, “one of the 25 most influential women in information security” by Information Security Magazine. To learn more about Alta Associates, please visit www.altaassociates.com To continue promoting diversity and investing in the creation of future leaders, Alta Associates– once again–proudly hosts the Executive Women’s Forum on Information Security, Privacy & Risk Management; the annual Women of Influence Awards; and EWF Scholarship program. Register now for the 10th Annual EWF National Conference: Managing Current & Future Risks Globally EWF Gain a Security, Privacy, Risk and Leadership perspective on October 2-4, 2012 Hyatt Regency at Gainey Ranch latest trends, challenges, and game changing solutions for an Scottsdale, AZ increasingly mobile workforce. www.ewf-usa.com BRIEFINGS and NetBSD operating systems. Facebook also uses titled “Constant insecurity: Things you didn’t know FIND ME IN YOUR DATABASE: jemalloc in various components to handle the load of about PE fi le format”. These functions accurately AN EXAMINATION OF INDEX its web services. However, despite such widespread detect and identify all purposely-malformed PE fi les SECURITY use, there is no work on the exploitation of jemalloc. that break current security tools or evade detection. David Litchfi eld Our research addresses this. We will begin by In addition, if the fi le is damaged (as usually happens JULY 26 / 11:45 / PALACE I examining the architecture of the jemalloc heap during virus infections) and deemed repairable, it is This talk will look at the Oracle indexing architecture manager and its internal concepts, while focusing on automatically repaired to maximize the number of and examine some new fl aws, with demonstration identifying possible attack vectors. jemalloc does not remediated fi les. exploits. We’ll also discuss how to fi nd such issues in utilize concepts such as ‘unlinking’ or ‘frontlinking’ Integrated hash database functionality that helps to custom applications as well as an examination of the that have been used extensively in the past to resolved the otherwise unsolvable problem of reverting forensic aspects. undermine the security of other allocators. Therefore, function name hashes back to their original names. we will develop novel exploitation approaches and This custom database is easily extended to add even primitives that can be used to attack jemalloc heap more libraries and functions to its known hash lists. FLOWERS FOR AUTOMATED corruption vulnerabilities. As a case study, we will A truly unique x86 emulator written from scratch MALWARE ANALYSIS investigate Mozilla Firefox and demonstrate the that supports the following Windows features: Chengyu Song impact of our developed exploitation primitives on the U Multiple processes in parallel each in a separate Paul Royal browser’s heap. In order to aid the researchers willing emulated OS JULY 26 / 17:00 / AUGUSTUS V+VI to continue our work, we will also release our jemalloc U Vital Windows structures: PEB, TEB (with multiple Malware, as the centerpiece of threats to the Internet, debugging tool belt. threads) and SEH has increased exponentially. To handle the large U x86 assembly code execution with support for FPU volume of malware samples collected each day, FILE DISINFECTION FRAMEWORK: and MMX instructions numerous automated malware analysis techniques U Windows objects such as handles, mutexes and have been developed. In response, malware STRIKING BACK AT POLYMORPHIC authors have made analysis environment detections VIRUSES environment variables U Hundreds of standard Windows APIs that can increasingly popular and commoditized. In turn, Mario Vuksan security practitioners have created systems that make Tomislav Pericin easily be extended by the user U Dynamically build libraries that mirror the an analysis environment appear like a normal system JULY 25 / 10:15 / ROMANS I-IV (e.g., baremetal malware analysis). Thus far, neither “Invincibility lies in the defense; the possibility of victory application requirements U side has claimed a defi nitive advantage. in the attack.” – Sun Tzu The entire fi le system with customizable drives U Interface which matches the standard Windows In this presentation, we demonstrate techniques Polymorphic viruses make up an ever-increasing that, if widely adopted by the criminal underground, percentage of daily malware collections. The debug API U would permanently disadvantage automated malware sophistication of these attacks signifi cantly exceeds Use of emulated APIs which are directly exposed to user analysis by making it ineffective and unscalable. To the capabilities of existing classifi cation and handling do so, we turn the problem of analysis environment User can call standard Windows APIs inside the solutions. The situation goes from bad to worse when detection on its head. That is, instead of trying to context of an emulated process. For example the user we attempt the most complicated part of incident design techniques that detect specifi c analysis can dynamically create a new DLL fi le inside the virtual response, fi le disinfection and remediation. environments, we instead propose malware that will fi le system and load it into the context of an emulated To combat this problem we’ve created a new fail to execute correctly on any environment other than process by calling LoadLibrary equivalent. Every open source project, the File Disinfection Framework the one originally infected. emulated API is exposed to the user and therefore (FDF), built on top of a new generation of TitanEngine To achieve this goal, we developed two obfuscation usable with the option of hooking any API one or and tailored specifi cally to aid in solving these hard techniques that make the successful execution of a more times. problems. FDF combines both static analysis and malware sample dependent on the unique properties Advanced breakpoint logic which includes emulation to enable users to rapidly switch between of the original infected host. To reinforce the potential breakpoints on specifi c instruction groups and specifi c modes of operation to use the best features of each for malware authors to leverage this type of analysis instruction behavior such as read or write to a specifi c approach. Highly advanced static functions are resistance, we discuss the Flashback botnet’s use of part of the memory hidden behind a simple and easy-to-use program a similar technique to prevent the automated analysis Seamless switching between emulation and interface that enables the broad range of capabilities of its samples. that are required for decryption, decompression and static analysis disinfection. Their complement is a set of functions that Specifi c functionally designed to disinfect fi les enable quick and very customizable emulation. For the infected with polymorphic viruses such as Virut and FROM THE IRISCODE TO THE IRIS: fi rst time, analysts will have the ability to truly see and Sality with examples that show its use. A NEW VULNERABILITY OF IRIS control everything that happens inside the emulated Tools to aid in writing disinfection routines such as RECOGNITION SYSTEMS environment. They can run high level code inside the automatic binary profi ling with search for the presence Javier Galbally context of the emulated process to infl uence objects and location of the virus stub. JULY 25 / 17:00 / POMPEIAN and fi les and direct the execution fl ow. File disinfection framework has been developed A binary iriscode is a very compact representation File disinfection framework features: under the cyber fast track program run by DARPA and of an iris image, and, for a long time, it has been Static analysis functionality that has the ability built on top of the new generation of TitanEngine. It’s assumed that it did not contain enough information to view, modify and build on-the-fl y PE32/PE32+ an open source cross platform x86-x64 library that to allow the reconstruction of the original iris. The fi les, fi elds and tables. A large number of embedded enables its user to unpack, disinfect and build PE32/ present work proposes a novel probabilistic approach decompression routines is included along with PE32+ fi les. These and all Emulation components of to reconstruct iris images from binary templates systems that dynamically defi ne static structures and the new major release of this framework have been and analyzes to what extent the reconstructed build polymorphic decrypters. designed to be presented as a Black Hat exclusive. samples are similar to the original ones (that is, Highly advanced PE32/PE32+ fi le validation and This talk will be followed by the public release of the those from which the templates were extracted). repair functionality that completely solves the issues source code along with whitepapers that outline The performance of the reconstruction technique brought up by our last year’s Black Hat presentation possible use case scenario for this technology. is assessed by estimating the success chances of 13 BRIEFINGS an attack carried out with the synthetic iris patterns problems come from the very organizations that we deep dive into Coreboot and hardware components against a commercial iris recognition system. The are trying to protect. Departmental and organizational such as the BIOS, CMOS and PIC embedded on the experimental results show that the reconstructed concerns are often at odds with good security motherboard, before detailing the inner workings of images are very realistic and that, even though a practices. As information security professionals, Rakshasa and demo its capabilities. It is hoped to human expert would not be easily deceived by them, we are good at designing solutions to protect our raise awareness of the security community regarding there is a high chance that they can break into an iris networks, and the data housed on them. That the dangers associated with non open source recognition system. said, we are awful at communicating the need for fi rmwares shipped with any computer and question these controls in a way that the users will either their integrity. This shall also result in upgrading the GHOST IS IN THE AIR (TRAFFIC): understand or listen to. In this presentation, I will best practices for forensics and post intrusion analysis ON SECURITY ASPECTS OF discuss using social engineering techniques against by including the afore mentioned fi rmwares as part of your organization’s users. Through the application of their scope of work. ADS-B AND OTHER “FLYING” social engineering tactics, I will show how to bridge TECHNOLOGY the gulf between the user and the information security HERE BE BACKDOORS: Andrei Costin team. Allowing for better security awareness, better A JOURNEY INTO THE SECRETS JULY 25 / 17:00 / AUGUSTUS V-VI adherence to information security policy, and fewer Air-related technologies are on the verge of diffi culties in user acceptance. OF INDUSTRIAL FIRMWARE tehnological upgrade and advance in approximately Ruben Santamarta JULY 25 / 17:00 / ROMANS I-IV the same manner the mobile communication networks HACKING THE CORPORATE MIND: and smartphones were 5-10 years. PLCs, Smart Meters, SCADA, Industrial Control As noticed in practice, these technological HACKING WITH WEBSOCKETS Systems…nowadays all those terms are well known Sergey Shekyan advances open opportunities for performance for the security industry. When critical Infrastructures Vaagn Toukharian and innovation, but at the same time open great come into play, the security of all those systems and JULY 26 / 14:15 / AUGUSTUS I+II opportunity for security exploitation. devices that control refi neries, Water treatment or HTML5 isn’t just for watching videos on your iPad. In this talk and whitepaper, we will approach the nuclear plants pose a signifi cant attack vector. Its features may be the target of a security attack as ADS-B (in)security from the practical angle, presenting For years, the isolation of that world provided much as they may be used to improve an attack. the feasibility and techniques of how potential the best ‘defense’ but things are changing and that Vulnerabilities like XSS have been around since the attackers could play with generated/injected airtraffi c scenario is no longer valid. Is it feasible to attack a web’s beginning, but exploiting them has become and as such potentially opening new attack surfaces power plant without ever visiting one? Is is possible to increasingly sophisticated. HTML5 features like onto AirTraffi cControl systems. hack into a Smart meter…without having that Smart WebSockets are part of the framework for controlling Meter? Yes, it is. This talk discusses the approach browsers compromised by XSS. followed to do so, mixing theory and practice. GOOGLE NATIVE CLIENT: This presentation provides an overview of ANALYSIS OF A SECURE BROWSER WebSockets. How they might increase the attack PLUGIN SANDBOX surface of a web site, their implications for privacy, and Chris Rohlf the potential security problems with protocols tunneled JULY 25 / 11:45 / AUGUSTUS I-II over them. Then it demonstrates how WebSockets can Native Client is Google’s attempt at bringing millions be used as an effective part of a hacking framework. of lines of existing C/C++ code to the Chrome web It closes with recommendations for deploying browser in a secure sandbox through a combination WebSockets securely, applying security principles to of software fault isolation, a custom compiler toolchain web app design, and providing a tool for exploring and a secure plugin architecture. Sound challenging? WebSockets security. It is! Native Client isn’t a typical browser extension and it certainly isn’t ActiveX. Native Client allows for HARDWARE BACKDOORING IS all sorts of applications to run inside in your browser, PRACTICAL everything from games to PDF readers. In this talk I Jonathan Brossard will cover the basics of the Native Client sandbox and JULY 26 / 15:30 / AUGUSTUS V+VI general security relevant architecture including PPAPI This presentation will demonstrate that permanent (the replacement for NPAPI), vulnerabilities I discovered backdooring of hardware is practical. We have built via source review in the PPAPI interface and fi nally a a generic proof of concept malware for the intel tool that dynamically generates code to fuzz the Native architecture, Rakshasa, capable of infecting more Client PPAPI interfaces based on the IDL (Interface than a hundred of different motherboards. The fi rst Description Language) fi les found in the Chrome net effect of Rakshasa is to disable NX permanently source tree. and remove SMM related fi xes from the BIOS, resulting in permanent lowering of the security of the HACKING THE CORPORATE MIND: backdoored computer, even after complete earasing USING SOCIAL ENGINEERING of hard disks and reinstallation of a new operating TACTICS TO IMPROVE system. We shall also demonstrate that preexisting ORGANIZATIONAL SECURITY work on MBR subvertions such as bootkiting and ACCEPTANCE preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, James Philput Rakshasa is built on top of free software, including JULY 26 / 17:00 / AUGUSTUS III+IV the Coreboot project, meaning that most of its source Network defenders face a wide variety of problems code is already public. This presentation will take a on a daily basis. Unfortunately, the biggest of those 14 BRIEFINGS This presentation pivots around the analysis HOW THE ANLYSIS OF ELECTICAL U A1—CORS Attacks & CSRF of fi rmware through reverse engineering in CURRENT CONSUMPTION OF U A2—ClickJacking, CORJacking and UI exploits order to discover additional scenarios such as EMBEDDED SYSTEMS COULD U A3—XSS with HTML5 tags, attributes and events backdoors, confi dential documentation or software, LEAD TO CODE REVERSING? U A4—Web Storage and DOM information extraction vulnerabilities... Everything explained will be based U A5—SQLi & Blind Enumeration Yann Allain on real cases, unveiling curious ‘features’ found U A6—Web Messaging and Web Workers injections Julien Moinard in industrial devices and fi nally disclosing some U A7—DOM based XSS with HTML5 & Messaging JULY 25 / 11:45 / AUGUSTUS V-VI previously unknown details of an interesting case: U A8—Third party/Offl ine HTML Widgets and Gadgets A practical approach of Power Analysis dedicated to a backdoor discovered in a family of Smart Meters. U A9—Web Sockets and Attacks reverse Engineering We will navigate through the dark waters of Industrial U A10—Protocol/Schema/APIs attacks with HTML5 This submission presents an experimental protocol Control Systems, where the security by obscurity developed to extract (part of) the code that runs on an Above attack vectors and understanding will has ruled for years. Join us into this journey, here be embedded system using its power consumption give more idea about HTML5 security concerns and backdoors… Experimental content (no math!), proof of concept, required defense. It is imperative to focus on these tools, limits, protections and prospective new attack vectors and start addressing in today’s HOOKIN’ AIN’T EASY: The purpose of our study is to try to show how the environment before attackers start leveraging these BEEF INJECTION WITH MITM analysis of electrical consumption of an embedded features to their advantage. We are going to see new Steve Ocepek system enables us to fi nd parts of the codes that it tricks for HTML5 vulnerabilities scanning and tools. Ryan Linn executes; this is done by presenting an operating JULY 26 / 17:00 / ROMANS I-IV mode, tools, a solid analysis, results, counter- INTRUSION DETECTION ALONG Kiddies gotta make the money, and it don’t come measures and future research axes. It is all about THE KILL CHAIN: WHY YOUR easy when those mean users don’t click our links. trying to fi nd another approach to the audit system. DETECTION SYSTEM SUCKS AND And if there aren’t any ports open, what’s a PenTest This approach aims at acquiring the code (reverse John to do?? If you are curious about hooking engineering) without having a physical access to the WHAT TO DO ABOUT IT John Flynn browsers without yucky social engineering or XSS, internal system components. JULY 25 / 15:30 / PALACE II getting the goods through proxy hosts, or even if Our submission content will consist in making a The fi eld of intrusion detection is a complete failure. you’re just BeEF-curious, this is the one you’ve been quick presentation of the physical phenomenon at Vendor products at best address a narrow part of the waiting for. the origin of this type of information leak, confi rming problem and more typically are completely worthless This talk is about, that’s right, BEEF INJECTION: whether a sequence of instructions (opcode and data) at detecting sophisticated attacks. This talk discusses a completely unabashed love story between MITM can be found (reversed) by the analysis of electrical the fundamental problems in the fi eld and why the and the BeEF Framework. Through demos and new current used by the embedded system during the state of the art isn’t good enough. We then introduce code, we’ll show you how to hook up with browsers execution of a program, assessing then overcoming the concept of the attacker plane and the kill chain using old pickup lines like ARP Poisoning and Karma the technical diffi culties in its achievement (Signal how to use them to make a much more sophisticated Attacks, and once you get their digits, we’ll even Acquisition, treatment and analysis, limitsÉ), presenting intrusion detection system. Finally we cover ways of show you how to maintain that relationship, and use it a proof of concept and possible countermeasures to putting them into action. Even veterans of the fi eld will to get even more connections you never dreamed of. limit the risks. Featuring in-depth BeEF tips by Ryan Linn, author of fi nd something new here. “Coding for Penetration Testers”, and Steve Ocepek, HTML5 TOP 10 THREATS: STEALTH creator of thicknet and the seminal favorite, “How to IOS APPLICATION SECURITY Get a Date Using Unshielded Twisted Pair and a Hot ATTACKS AND SILENT EXPLOITS Shreeraj Shah ASSESSMENT AND AUTOMATION: Glue Gun”, you too can get in on the Pro Tips and up INTRODUCTING SIRA your IEEE 802 dating game. JULY 26 / 10:15 / AUGUSTUS I+II HTML5 is an emerging stack for next generation Justin Engler applications. HTML5 is enhancing browser capabilities Seth Law HOW MANY BRICKS DOES IT TAKE and able to execute Rich Internet Applications in the Joshua Dubick TO CRACK A MICROCELL? context of modern browser architecture. Interestingly David Vo Mathew Rowley HTML5 can run on mobile devices as well and it JULY 26 / 15:30 / PALACE III JULY 26 / 17:00 / PALACE III makes even more complicated. HTML5 is not a Apple’s AppStore continues to grow in popularity, This is a tale of a journey that tested almost every single technology stack but combination of various and iOS devices continue to have a high perception security related skill I have acquired over the past six components like XMLHttpRequest (XHR), Document of security from both users and experts. However, years. It is a story of a software hackers trip through a Object model (DOM), Cross Origin Resource Sharing applications on the AppStore often have security hardware hackers world; a story of successes, failures, (CORS) and enhanced HTML/Browser rendering. It or privacy fl aws that are not apparent, even to logic fl aws and learning. brings several new technologies to the browser which sophisticated users. Security experts can fi nd these This talk is my adventure through reverse were not seen before like localstorage, webSQL, fl aws via manual tests, but the enormity of the engineering a 3G microcell. It will cover topics websocket, webworkers, enhanced XHR, DOM based AppStore ensures that only a small minority of apps from hardware hacking, kernel reversing, fi rmware XPATH to name a few. It has enhanced attack surface could ever be manually tested. extraction and manipulation, software reversing, and point of exploitations for attacker and malicious This presentation will demonstrate a new tool and networking, memory forensics, social engineering, agents. By leveraging these vectors one can craft methodology to perform automated or semi-automated and more. I have gained a wealth of knowledge going stealth attacks and silent exploits, it is hard to detect assessment of iOS applications and assist with manual through the process of completely pulling apart this and easy to compromise. In this paper and talk we testing. In addition, our fi ndings about the prevalence of device and want to share my trial and errors. The are going to walk through these new architectures, different types of security issues in iOS applications will talk covers such a broad spectrum of topics with attack surface and possible threats. Here is the top 10 be discussed, giving a window into the risks of trusting differential depths that anyone attending should obtain threats which we are going to cover in detail with real your data to products on the AppStore. some knowledge they previously did not have. life examples and demos. 15 BRIEFINGS it? We will show you how they look into the eye of the meter. More specifi cally, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffi ng, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter’s IR port will be introduced to show that vendor specifi c software is not necessary to poke a meter in the eye. This IS the talk that was not presented at ShmooCon 2012 in response to requests from a Smart Grid vendor and the concerns of several utilities. We have worked with them. They should be okay with this.....should..... MY ARDUINO CAN BEAT UP YOUR HOTEL ROOM LOCK Cody Brocious JULY 24 / PALACE III Nearly ten million Onity locks are installed in hotels worldwide, representing 1/3 of hotels and about 50% of hotel locks. Chances are good that you’ve stayed in dozens of such hotels in your life and you may even be staying in one tonight. This presentation will show, in detail, how they’re designed and implemented. Then we will take a look at how they are insecure by design and release a number of critical, unpatchable vulnerabilities. IOS KERNAL HEAP ARMAGEDDON LEGAL ASPECTS OF CYBERSPACE You will never see locks the same way again. REVISTED OPERATIONS Stefan Esser Robert Clark OWNING BAD GUYS {AND MAFIA} JULY 26 / 11:45 / PALACE III JULY 26 / 14:15 / AUGUSTUS III+IV WITH JAVASCRIPT BOTNENTS Previous work on kernel heap exploitation for iOS or This presentation examines the legal regime Chema Alonso Mac OS X has only covered attacking the freelist of surrounding cyberspace operations. The analysis JULY 25 / 17:00 / AUGUSTUS I-II the kernel heap zone allocator. It was however never looks at the legal underpinnings of computer network Man in the middle attacks are still one of the most discussed before what other kernel heap memory security; defense; exploitation; and, attack. After powerful techniques for owning machines. In this talk allocators exist or what kernel heap allocation covering the laws and policies related to these topics, mitm schemas in anonymous services are going to be functions wrap these allocators. Attacks against further we will examine several of the recent incidents and discussed. Then attendees will see how easily a botnet heap meta data or attacking kernel application data intrusions that have occurred and discuss why none of using javascript can be created to analyze that kind of has not been discussed before. them have been classifi ed as “attacks” by those who connections and some of the actions of bad people, This talk will introduce the audience to the big could do so. Attendees will get an understanding of mafi a, scammers, etc... behind those services are picture of memory allocators in the iOS kernel heap. the hot legal topics in computer network operations. doing... in real. It promises to be funny It will be shown how attacks can be carried out Past presentations have shown much of what is taken against other meta data stored by other allocators away is audience driven in response to their questions PINPADPWN or wrappers. It will be shown how memory allocated and the subsequent discussion. And, as always, I try Nils into different zones or allocated by different allocators to impress upon computer security professionals the Rafael Dominguez Vega is positioned to each other and if cross attacks are importance of working closely with their legal counsel JULY 25 / 17:00 / PALACE III possible. It will be shown how overwriting C++ objects early and often, and explaining the technical aspects Pin Pads or Payment Terminals are widely used to inside the kernel can result in arbitrary code execution. of computer security to their attorneys at a third grade accept payments from customers. These devices run Finally this talk will leverage this to present a generic level so my profession can understand it and then turn Payment Applications on top of the device specifi c technique that allows to control the iOS kernel heap around and explain it to a judge or jury at a fi rst grade fi rmware. It shouldn’t come as no surprise to anyone in a similar fashion as JavaScript is used in today’s level. (All material is unclassifi ed and available in the that these applications and operating systems are just browser exploits to control the user space heap. public domain.) as vulnerable as any other systems when it comes to handling user input. IOS SECURITY LOOKING INTO THE EYE OF As the use of Chip and Pin continues to replace Dallas De Atley THE METER the fairly basic magnetic stripe cards, these devices JULY 26 / 10:15 / PALACE III Don C. Weber are handling more and more complex information from Apple designed the iOS platform with security at its JULY 25 / 14:15 / AUGUSTUS V-VI untrusted sources; namely the EMV protocol spoken core. In this talk, Dallas De Atley, manager of the When you look at a Smart Meter, it practically winks by all major payment smart-cards. On top of this many Platform Security team at Apple, will discuss key at you. Their Optical Port calls to you. It calls to of these terminals are connected through Ethernet, security technologies in iOS. criminals as well. But how do criminals interact with GPRS, WiFi or phone lines, which add to the overall 16 BRIEFINGS attack surface. supports multiple platforms, one Java vulnerability can better defenders. And that’s hard. Usually after the We will demonstrate that memory corruption sometimes lead to exploitation on multiple platforms. pentesters (or worst—red team) leaves, there’s a whole vulnerabilities in payment terminals and applications Java vulnerabilities are often about evading the lot of mess of vulnerabilities, exposures, threats, risks are a reality and that they can be used to gain code sandbox. With sandbox evasion vulnerabilities, and wounded egos. Now comes the money time—can execution on the terminals. Furthermore we will the exploitation is much easier and multi-platform you fi x this so your security posture will actually be demonstrate and discuss potential payloads and how attacks are feasible—all those security measures better the next time these guys come around? these can profi t an attacker. against memory corruption issues won’t help. The This talk focuses mainly on what should be done widely-exploited CVE-2012-0507 vulnerability, for (note—no what should be BOUGHT—you probably PRNG: PWNING RANDOM example, was a sandbox breach. We saw active Mac have most of what you need already in place and you NUMBER GENERATIONS OSX system breaches using this vulnerability, and just don’t know it yet). before that, the vulnerability was used for widespread The talk will show how to expand the spectrum of (IN PHP APPLICATIONS) infection of Windows systems. The cost of writing defenders from a reactive one to a proactive one, will George Argyrous multi-platform exploits is relatively low and the success discuss ways of performing intelligence gathering on Aggelos Kiayias rate of exploitation is high. your opponents, and modeling that would assist in JULY 25 / 15:30 / AUGUSTUS I-II As we can see, Java vulnerabilities have become focusing on an effective defense rather than a “best We present a number of novel, practical, techniques more and more popular. However, there is a lack of practice” one. Methodically, defensively, decisively. for exploiting randomness vulnerabilities in PHP knowledge on how exploitation of these vulnerabilities Just like the red-team can play ball cross-court, so applications. We focus on the predictability of actually works. Many Java vulnerabilities result in a should you! password reset tokens and demonstrate how an sandbox breach, but the way the breach happens attacker can take over user accounts in a web is quite a complex process. In this presentation, we application via predicting the PHP core randomness SMASHING THE FUTURE FOR will look at some recent Java vulnerabilities and show FUN AND PROFIT generators. where these vulnerabilities occur. We will also show Jeff Moss Our suite of new techniques and tools go far beyond you how the exploitation happens and how the bad Bruce Schneier previously known attacks (e.g. Kamkar and Esser) and guys adapt them to use in their arsenal. Of course, can be used to mount attacks against all PRNG of Adam Shostack Java exploits and malware are written in Java. That Marcus Ranum the PHP core system even when it is hardened with opens up an easy way for the attackers to obfuscate the Suhosin extension. Using them we demonstrate Jennifer Granick and hide their exploits inside complicated logic and JULY 25 / 10:15 / AUGUSTUS I-VI how to create practical attacks for a number of very code. On the other hand, it means a hard life for Has it really been 15 years? Time really fl ies when popular PHP applications (including Mediawiki, Gallery, security researchers. We are also going to show you keeping up with Moore’s law is the measure. In 1997, osCommerce and Joomla) that result in the complete an example of an exploit that was obfuscated and Jeff Moss held the very fi rst Black Hat. He gathered take over of arbitrary user accounts. modifi ed in a way that made analysis and detection together some of the best hackers and security minds While our techniques are designed for the PHP diffi cult. We share Java debugging techniques and our of the time to discuss the current state of the hack. language, the principles behind ]them are independent experience in dealing with these problems. of PHP and readily apply to any system that utilizes A unique and neutral fi eld was created in which the weak randomness generators or low entropy sources. security community—private, public, and independent We will also release tools that assist in the SCALING UP BASEBAND ATTACKS: practitioners alike—could come together and exploitation of randomness vulnerabilities and exploits MORE (UNEXPECTED) ATTACK exchange research, theories, and experiences with no for some vulnerable applications. SURFACE vendor infl uences. That idea seems to have caught on. Ralf-Phillip Weinmann Jeff knew that Black Hat could serve the community JULY 25 / 11:45 / PALACE I best if it concentrated on fi nding research by some of PROBING MOBILE OPERATOR the brightest minds of the day, and he had an uncanny NETWORKS Baseband processors are the components of your mobile phone that communicate with the cellular knack for fi nding them. Collin Mulliner network. In 2010 I demonstrated the fi rst vulnerabilities Please join Black Hat for this very special session, JULY 25 / 15:30 / PALACE I in baseband stacks that were remotely exploitable as we bring the 5 of the original 1997 speakers: Cellular networks do not only host mobile and smart using a fake base station. Jeff Moss, Bruce Schneier, Marcus Ranum, Adam phones but a wide variety of other devices. We Subsequently, people assumed that baseband Shostack, and Jennifer Granick to share their vision investigated what kind of devices currently sit on attacks are attack vectors requiring some physical of Security over the next 15 years. One of Black Hat’s cellular networks. In this talk we provide a walk through proximity of the attacker to the target. In this talk core values is its focus on cutting edge research and on how to probe cellular networks from start to end. we will uproot this narrow defi nition and show an emergent technologies. So there will be no war stories Finally we show some of our results from our effort and unexpected attack vector that allows an attacker to in this session. This is no panel either. Each speaker discuss the security implications of our fi ndings. remotely exploit bugs in a certain component of the will have the opportunity to deliver his or her own view. baseband stack over an IP connection. Depending on Based on the track records…. take good notes. RECENT JAVA EXPLOITATION the confi guration of certain components in the carrier TRENDS AND MALWARE network, a large population of smartphones may be SNSCAT: WHAT YOU DON’T Jeong Wook Oh simultaneously attacked without even needing to set KNOW ABOUT SOMETIMES JULY 26 / 11:45 / ROMANS I-IV up your own base station. HURTS THE MOST We are seeing more and more Java vulnerabilities Dan Gunter exploited in the wild. While it might surprise many SEXYDEFENSE-MAXIMIZING THE Solomon Sonya users, and even some people in the industry, to hear HOME-FIELD ADVANTAGE JULY 26 / 14:15 / FLORENTINE that Java is currently a major vector for malware Iftach Ian Amit A vulnerability exists through the use of Social propagation, attackers haven’t forgotten that it is still JULY 25 / 10:15 / PALACE II Networking Sites that could allow the exfi ltration / installed and used on a huge number of systems and Offensive talks are easy, I know. But the goal of infi ltration of data on “secured networks”. SNSCat devices, including those running Microsoft Windows, offensive security at the end of the day is to make us provides a simple to use post-penetration data Mac OSX and different fl avors of Unix. Since Java 17 BRIEFINGS exfi ltration/infi ltration and C2 (Command and Control) infi ltration/exfi ltration and C2 from any network with SSRF VS. BUSINESS CRITICAL platform using images and documents on social access to social networking sites. APPLICATIONS media sites (Facebook, Google Apps, twitter, imgur, Alexander Polyakov etc). The fi rst part of our presentation will focus on SQL INJECTION TO MIPS Dmirtry Chastuhin case studies demonstrating the risks assumed by OVERFLOWS: ROOTING SOHO JULY 26 / 17:00 / PALACE I allowing social media sites on business networks both Typical business critical applications have many by malicious insiders and outsiders. After coverage ROUTERS Zachary Cutlip vulnerabilities because of their complexity, customizable of preliminary terms and concepts, we will introduce options and lack of awareness. Most countermeasures our tool and show how one can easily move fi les in JULY 26 / 15:30 / ROMANS I-IV This presentation details an approach by which are designed to secure system using fi rewalls and and out of a network using social media sites. We will DMZ’s so that, for example, to enter technology next demonstrate how one can use SNSCat along SQL injection is used to exploit unexposed buffer overfl ows, yielding remote, root-level access to network from the Internet, attacker has to bypass 3 with the implants we have created to establish full or more lines of defense. It looks ok until somebody command and control between the controller and the Netgear wireless routers. Additionally, the same SQL injection can be used to extract arbitrary fi les, fi nds a way to attack secured system through trusted listening agents. Automation of commands is vital in sources. With the help of SSRF and one of its establishing a robust botnet covertly communicating including plain-text passwords, from the fi le systems of the routers. This presentation guides the audience implementations Ð XXE Tunneling Ð it is possible to and responding to instructions from the controller. root a system within one request which will be from Anonymity is also essential which keeps the attacker through the vulnerability discovery and exploitation process, concluding with a live demonstration. In the trusted source and will bypass all restrictions. and victim networks from ever touching each other. SSRF, as in Server Side Request Forgery. A SNSCat is built to provide these very functions! Finally, course of describing several vulnerabilities, I present effective investigation and exploitation techniques of great concept of the attack which was discussed we will introduce how one can plug in their own home- in 2008 with very little information about theory and brewed steganography and cryptology modules as interest to anyone analyzing SOHO routers and other embedded devices. practical examples. We have decided to change it well as how one can build connectors for additional and conducted a deep research in this area. As we sites into our framework. In a 60 minute presentation, deal with ERP security, we take SAP as the example we will show you how to bypass network security for practicing SSRF attacks. The idea is to fi nd victim equipment via social networking sites to mask data I Need YOU for OpenJDK8 Development WE’RE HIRING! @ BlackHat | July 25–26, 2012 Join us at Oracle Booth 135 in the sponsor exhibit hall. Check out these Java and other security-related positions: • Java Deployment Engineer • Java Security Program Manager • Java Graphics Engineer • Java Security Lead • Java Networking Engineer • Java Serviceability Engineer • Java Security Libraries Engineer • Java Security Quality Engineer • Java Core Libraries Engineer • And More java.oracle.com/javase Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. 81712 ORACLE CREATIVE PERSONNEL PRODUCTION NOTES INTERNAL RD File Name 81712 BlackHat AD_.indd Designer Molly Cover/ *7430 Color 4/C (colors): CMYK Type Tier 3 collateral Art Director Laura McGinn/ 650.607.5113 Printed at 100% Description Event Centric Ad- Half Pg_Vert Editor Kathryn Potterf/ 719.282.1331 Fonts Univers, Garamond Tri m 7.5” W x 4.5” H Traffic Fatima Silva/ *7396 Paper Check with RRD (printer) Nickie Tuthill-Delute/ *7396 2 Bleed NA Production Jane Grodem/ 650.607.5915 Other Special • Cyan keylines do not print Francine Taylor/ 650.506.5996 Instructions • Anything else you can think of • Page Count: 1 Finished 7.5” W x 4.5” H Client Andy Saldana/ 425.947.6111 Date 6.22.2012 BRIEFINGS server interfaces that will allow sending packets Kerberos is the cornerstone of Windows domain THE DEFENSE RESTS: initiated by victim’s server to the localhost interface authentication, but NTLM is still used to accomplish AUTOMATION AND APIS FOR of the victim server or to another server secured by everyday tasks. These tasks include checking IMPROVING SECURITY fi rewall from outside. Ideally this interface must allow email, sharing fi les, browsing websites and are all David Mortman us to send any packet to any host and any port. And accomplished through the use of a password hash. JULY 25 / 11:45 / PALACE II this interface must be accessed remotely without Skip and Chris will utilize several tools that have been Want to get better at security? Improve your ops and authentication or at least with minimum rights. Looks ÒenhancedÓ to connect to Exchange, MSSQL, improve your dev. Most of the security tools you need like a dream but this is possible. Why this attack SharePoint and fi le servers using hashes instead aren’t from security vendors, they don’t even need is especially dangerous to SAP? Because many of passwords. This demonstrates the “so what” of to be commercial. You need tools like chef & puppet, restrictions preventing the exploitation of previously losing control of the domain hashes on your domain jenkins, logstash + elasticsearch & splunk or even found vulnerabilities, for example in RFC and Message controller: all of your data can be compromised. hadoop to name but a few. The key is to centralize Server or Oracle auth, prevent only attacks from management, automate and test. Testing is especially external sources but not from localhost! TARGETING INTRUSION key, like Jeremiah says “Hack Yourself First”. So many We have found various SSRF vulnerabilities which REMEDIATION: LESSONS FROM vulnerabilities can be detected automatically. Let the allow internal network port scanning, sending any machines do that work and fi nd the basic XSS, CSRF HTTP requests from server, bruteforcing backed THE FRONT LINES and SQLi fl aws, not to mention buffer overfl ows, Save and more but the most powerful technique was XXE Jim Aldridge the manual effort for the more complex versions of Tunneling. We made a deep research of the XXE JULY 26 / 15:30 / AUGUSTUS III+IV the above attacks and for business logic fl aws. This is vulnerability and most of the popular XML parsers and Successfully remediating a targeted, persistent one of those spaces that dedicated security tools are found that it can be used not only for fi le reading and intrusion generally requires a different approach from a must. Leverage APIs (and protect API endpoints), hash stealing but even for getting shell or sending any that applied to non-targeted threats. Regardless be evidence driven. Counter intuitively, deploy more packet to any host (0-day). What does it mean for of the remediation actions enacted by victim often, with smaller change sets. Prepare for fail and fail business critical systems? Actually XML interfaces are organizations, experience has shown that such fast but recover faster. Not just theory, will include real normally used for data transfer between Portal’s, ERP’s, threats will continue to target certain organizations. In examples with real code including open protocols like BI’s, DCS’s, SCADA’s and other systems. Using an XXE order to be successful against these types of threats, netconf and open source software like dasein-cloud. vulnerability you can bypass fi rewalls and other security organizations must change the way they think about There will be no discussion of APT, DevOps vs NoOps, restrictions. What about practice? To show a real threat remediation. This presentation outlines a model to BYOD or Cloud Security concerns, there will however we took the most popular business application platform guide tactical and strategic security planning by be baked goods. Ð SAP NetWeaver and its various XML parsers. We focusing efforts on the following three goals: found that it is possible to bypass almost all security U Inhibit attacker’s activities. restrictions in SAP systems. Using XXE Tunneling it is U Enhance visibility to detect indicators of THE INFO LEAK ERA ON possible to reopen many old attacks and conduct new compromise. SOFTWARE EXPLOITATION ones which were impossible before. U Enhance the security team’s ability to effectively Fermin J. Serna A tool called XXEScanner which will help to gain and rapidly respond to intrusions JULY 25 / 14:15 / PALACE III critical information from server, make scans and Previously, and mainly due to application compatibility. execute attacks on victim host or backend will be THE CHRISTOPHER COLUMBUS ASLR has not been as effective as it has been released as part of the OWASP-EAS project. RULE AND DHS expected. Nowadays, once some of the problems Mark Weatherford to fully deploy ASLR has been solved, it has become the key mitigation preventing reliable exploitation of STATE OF WEB EXPLOIT TOOLKITS JULY 26 / 11:45 / AUGUSTUS III+IV software vulnerabilities. Defeating ASLR is a hot topic Jason Jones “Never fail to distinguish what’s new, from what’s in the exploitation world. JULY 26 / 17:00 / AUGUSTUS I+II new to you.” This rule applies to a lot people when During this talk, it will be presented why other Web exploit toolkits have become the most popular they think about innovation and technology in the mitigations without ASLR are not strong ones and method for cybercriminals to compromise hosts government. At the U.S. Department of Homeland why if you defeat ASLR you mainly defeat the rest of and to leverage those hosts for various methods of Security, in addition to running the National them. Methods to defeat ASLR had been fi xed lately profi t. This talk will give a deep dive on some of the Cybersecurity and Communication Integration Center and the current way for this is using information leak most popular exploit kits available today including (NCCIC), the US-CERT and the ICS-CERT, they work vulnerabilities. Blackhole and Phoenix and also take a look at some daily with companies from across the globe to share During this talk it will be presented several of the newer players that have appeared from Asia. critical threat and vulnerability information. DHS also techniques that could be applied to convert An overview of how each kit is constructed, analysis supports and provides funding for a broad range of vulnerabilities into information leaks: of its observed shellcodes, obfuscations, and exploits cutting-edge cybersecurity research initiatives, from will be presented to give a better understanding of the the development and implementation of DNSSEC to U Creating an info leak from a partial stack overfl ow differences and similarities between these kits, ways sponsoring the use of open source technologies and U Creating an info leak from a heap overfl ow with that we have developed to harvest data from them and from development of new cyber forensics tools to heap massaging any trends that may be present. testing technologies that protect the nation’s industrial U Creating an info leak from an object though non control systems and critical infrastructures. This is not virtual calls U STILL PASSING THE HASH 15 your grandfather’s Buick! Come hear Deputy Under Member variables with function pointers U Write4 pointers YEARS LATER? USING THE KEYS Secretary for Cybersecurity Mark Weatherford talk about research and training opportunities, the growing U Freeing the wrong object TO THE KINGDOM TO ACCESS ALL number of cybersecurity competitions sponsored by U Application specifi c info leaks: CVE-2012-0769, the YOUR DATA DHS, and how they are always looking to hire a few case of the perfect info leak Alva Duckwall good men and women. U Converting an info leak into an UXSS Christopher Campbell JULY 26 / 10:15 / ROMANS I-IV 19 BRIEFINGS THE MYTH OF TWELVE MORE al. for the Chinese Remainder Theorem (CRT) [D. comprised of JS, CSS and HTML and are application BYTES: SECURITY ON THE POST- Boneh, R. DeMillo, and R. Lipton. On the importance that the Windows operating system has embedded by SCARCITY INTERNET of eliminating errors in cryptographic computations. default. As a result there are a number of interesting Alex Stamos Journal of Cryptology, Dec 2001], an algorithm attack vectors that are interesting to explore and take Tom Ritter particularly prone to attacks. Depending of the window advantage of. JULY 25 / 17:00 / AUGUSTUS III-IV size used in the encryption algorithm, it is possible to We will be talking about our research into creating extract 4-6 bits of the private key from an erroneously malicious gadgets, misappropriating legitimate In what may be the greatest technical shift the Internet signed message. gadgets and the sorts of fl aws we have found in has seen, three of the network’s major foundations are Our attack is perpetrated using a FPGA platform published gadgets. being overhauled simultaneously: IPv6, DNSSEC and implementing a SPARC-based microprocessor the creation of hundreds of new top-level domains. running unmodifi ed Linux and the OpenSSL Two of these technologies are direct responses to WEB TRACKING FOR YOU authentication library. The server provides 1024-bits the artifi cial scarcity of names and addresses on the Gregory Fleischer RSA authentication to a client we control via Ethernet Internet, and one is meant to address the lack of trust JULY 25 / 15:30 / ROMANS I-IV connection. Faults are injected by inducing variations we have in the Internet’s fundamental architecture. There has been a lot of conversation recently around in the supply voltage on the FPGA platform or by Unfortunately the unexpected secondary effects of the privacy degrading techniques used by shady subjecting the server to high temperatures. Our client these changes have not been appropriately explored, online advertisers, faceless megacorps, and social collects a few thousands signed messages, which and enterprise IT and risk teams need to come to network overlords to track users across the web. we transfer to an 80-machines computing pool to grips with the fact that the products and processes But, after all the recriminations and fancy infographics compute the private RSA key in less than 100 hours. they have honed over the last decade will not serve about the supposed loss of privacy, where does Note that our attack does not require access to them well in the next. that leave people who need to implement tracking the victim system’s internal components, but simply This talk will provide a quick background of these of website visitors? People seem so distracted with proximity to it. Moreover, it is conceivable that an technologies and the direct security impacts faced “punch the monkey” advertising cookies that they attack leveraging solely high temperatures can by network administrators today, even if you’re “not have lost a sense of the need to legitimately track and be carried out on machines in a remote poorly- using that yet”. (Hint: You probably are, you just don’t identify potential bad actors. conditioned server room. Finally, the attack does not know it.) A great deal of modern fraud, spam and This talk is a technical examination of the tracking leave any trail of the attack in the victim machine, and brand abuse infrastructure is based upon assumptions techniques that can be implemented to identify and thus it cannot be detected. from the IPv4/old gTLD world, and we will explore track users via their web browsers. The key concepts The presentation includes a live demo of the attack which of these protections are completely useless and of active and passive fi ngerprinting, tracking, and user on an FPGA platform implementing a SPARC system. which can be retrofi tted to provide some value. We unmasking are discussed in detail. From the humble The system is powered via a voltage controller, used will then explore the indirect impacts on monitoring, browser cookie to more advanced techniques to to induce variations in the supply voltage. The server compliance, intrusion detection and prevention, and sidestep private browsing modes, the most effective is simplifi ed to use a 128-bits private key so that the the future of enterprise architecture and defense. approaches are discussed in relation to the various attack can be perpetrated during the briefi ng. web browsers across operating systems and desktop TORTURING OPENSSL and mobile environments. Valeria Bertacco TRUST, SECURITY AND SOCIETY At the conclusion of the presentation, an open Bruce Schneier JULY 25 / 14:15 / ROMANS I-IV source tracking server will be released that implements JULY 26 / 10:15 / AUGUSTUS III+IV the techniques covered in the talk. Additionally, For any computing system to be secure, both Human societies run on trust. Every day, we all trust several utilities to facilitate injection of tracking content hardware and software have to be trusted. If the millions of people, organizations, and systems—and and correlation of collected data will also be made hardware layer in a secure system is compromised, we do it so easily that we barely notice. But in any available. These tools will be suitable to deploy on your not only it is possible to extract secret information system of trust, there is an alternative, parasitic, network to track web users or on your local machine about the software, but it is also extremely diffi cult for strategy that involves abusing that trust. Making sure in a standalone “Track Yourself” mode. the software to detect that an attack is underway. those defectors don’t destroy the very cooperative This talk will detail a complete end-to-end security systems they’re abusing is an age-old problem, and attack to on a microprocessor system and will WINDOWS PHONE 7 INTERNALS we’ve developed a variety of societal pressures to demonstrate how hardware vulnerabilities can be AND EXPLOITABILITY induce cooperation: moral systems, reputational exploited to target systems that are software-secure. Tsukasa Oi systems, institutional systems, and security systems. Specifi cally, we present a side-channel attack to JULY 26 / 15:30 / PALACE II Understanding how these different societal pressures the RSA signature algorithm by leveraging transient Windows Phone 7 is a modern mobile operating work—and fail—is essential to understanding the hardware faults at the server. Faults may be induced system developed by Microsoft. This operating problems we face in today’s increasingly technological via voltage-supply variation, temperature variation, system—based on Windows CE 6—protects the and interconnected world. injection of single-event faults, etc. When affected by system and the user by modern sandbox and secure faults, the server produces erroneous RSA signatures, application model. These security models are veiled which it returns to the client. Once a suffi cient number WE HAVE YOU BY THE GADGETS and were diffi cult to uncover but we succeeded of erroneously signed messages is collected at the Mickey Shkatov to analyze and inspect not well-known Windows client end, we fi lter those that can leak private key Toby Kohlenberg Phone 7 security internals by comprehensive reverse information and we use them to extract the private JULY 26 / 11:45 / PALACE II engineering. key. We developed an algorithm to extract the private Why send someone an executable when you can just This operating system is properly implemented RSA key from messages affected by single-bit faults in send them a sidebar gadget? which makes exploitation and privilege escalation the multiplication during Fixed Window Exponentiation We will be talking about the windows gadget extremely diffi cult. However, it does not mean (FWE), that is, the standard exponentiation algorithm platform and what the nastiness that can be done with exploitation is impossible. Even the sandbox can be used in OpenSSL during RSA signing. Our algorithm it, how are gadgets made, how are they distributed breached on some latest Windows Phone 7.5 devices. was inspired by a solution developed by Boneh, et and more importantly their weaknesses. Gadgets are The fi rst topic is Windows Phone 7 security 20 BRIEFINGS analysis. In this presentation, I will talk how we WORKSHOPS provided with guided tasks to ease participants into analyzed the system and how Windows Phone 7 looks understanding the nuances of each framework and the secure/unsecure along with examples. overall steps a code reviewer should follow to identify The second topic is customizations by thirt-party 21 BRIEFINGS MOBILE NETWORK FORENSICS THE DARK ART OF IOS This talk is designed to demonstrate many of Eric Fulton APPLICATION HACKING the techniques black hats use to steal data and JULY 26 / 15:30 / FLORENTINE Jonathan Zdziarski manipulate software, so that developers will better Intentionally or not, your phone leaks data to the JULY 26 / 10:15 / POMPEIAN know the fi ght they’re up against, and hopefully how to world. What can you—or your enemies—uncover This talk demonstrates how modern day fi nancial avoid many all-too common mistakes that leave your from mobile network traffi c? Dig through real-life applications, password and credit card managers, applications exposed to easy attacks. These attacks Android packet captures to uncover GPS coordinates, and other applications handling sensitive data are are not necessarily limited to just the theft of data from usernames and accounts, social networking data, and attacked on the iOS platform, and sometimes all too the device, but can sometimes even lead to much more. Dissect a traffi c dump of Android malware and easily breached in as little as seconds. Attendees will more nefarious attacks. The audience will also learn analyze phone data as it is exfi ltrated to third-party learn how iOS applications are infected, how low-level about some techniques to better secure applications, servers. The second half of this workshop is a mobile classes and objects are manipulated and abused, such as counter debugging techniques, attack network forensics contest. Each attendee will be given logic checks bypassed, and other dark techniques response, implementing better encryption, etc. a mysterious USB drive and a note with a challenge. used to steal data. In this talk, the audience will see an example of how Students must use the skills they’ve gained in class to The electronic information age has made the theft some credit card payment processing applications unravel the mystery. You are the forensics investigator. of data a very lucrative occupation. Criminals stand have been breached, allowing a criminal not only to Can you solve the puzzle in time? to greatly benefi t from electronic crimes, making their expose the credit card data stored on the device, but To participate, workshop attendees must bring investment well worth the risk. The chances that your also to manipulate the application to grant him huge a laptop with at least 2GB of RAM, a DVD drive. applications will be vulnerable to attack are very high. credit card refunds for purchases that he didn’t make, and VMWare Workstation or Player preinstalled Due to a number of common vulnerabilities in the iOS paid straight from the merchant’s stolen account. and licensed (evaluation licenses are available from monoculture, attackers can easily reverse engineer, You’ll see many more examples, too, of exploits that VMWare’s web site). trace, and manipulation applications in ways that even put data at risk, such as password and credit card most iOS developers aren’t aware of. Even many managers, and other applications. Attendees will RUBY FOR PENTESTERS: encryption implementations are weak, and a good gain a basic understanding of how these attacks are executed, and many examples and demonstrations of THE WORKSHOP hacker can penetrate these and other layers that, so many times, present only a false sense of security to how to code more securely in ways that won’t leave Cory Scott applications exposed to such attacks. Michael Tracy the application’s developers. Timur Duehr JULY 26 / 14:15 / POMPEIAN Having a great set of test tools could be the difference between a successful engagement and utter catastrophe. Being able to create tools on the fl y to solve intractable test or research problems is a challenge we face every day. In this workshop we’ll lead off by demonstrating the power and fl exibility of Ruby. Then we’ll teach you how to use your new superpowers to rapidly prototype solutions for real-world problems including: U The fast path to binary and protocol reversing tools U Rapidly prototyped network clients using our ‘bag of tricks’ approach U Dealing with Java using JRuby U Extending Burp Suite using Buby U Building scriptable debuggers and hit tracers with Ragweed U Hooking into native code with FFI U Adding Redis in the mix to manage test cases and results from within your Ruby code Participants will be given a virtual test environment to use that includes a toolchain and sample applications to test—they just need to bring a laptop. The toolchain will also be available on the conference DVD and for download. Quick demonstrations leading into hands-on hacking on real apps will keep the workshop fast- paced and fun. 22 BRIEFINGS TURBO TALKS LIBINJECTION: A C LIBRARY available for IIS and nginx servers, making it a fi rst FOR SQLI DETECTION AND free cross-platform WAF for on-line services. Using GENERATION THROUGH LEXICAL MSRC response process and CVE-2011-3414 as CUTECATS.EXE AND THE an example, we will show how ModSecurity can be ARAB SPRING ANALYSIS OF REAL WORLD used in early detection of attacks and mitigation of Morgan Marquis-Boire ATTACKS vulnerabilities affecting web infrastructure. We will also JULY 25 / 14:15 / AUGUSTUS III-IV Nick Galbreath show how OWASP ModSecurity Core Rule Set can There has been signifi cant discussion regarding the JULY 25 / 14:55 / AUGUSTUS I-II be used as a base for detection of 0-day attacks on impact of the internet, social media, and smart phones SQLi and other injection attacks remain the top Apache, IIS and nginx servers. on the uprisings in the Middle East. Accompanying the OWASP and CERT vulnerability. Current detection digitisation of dissent and the growth of an increasingly attempts frequently involve a myriad of regular connected online community has been the rise in expressions which are not only brittle and error prone PASSIVE BLUETOOH MONITORING malware targeting activists in the region. but also proven by Hanson and Patterson at Black IN SCAPY From backdoored anti-censorship software to Hat 2005 to never be a complete solution. libinjection Ryan Holeman malicious PDFs promising details on revolutionary is a new open source C library that detects SQLi JULY 26 / 14:15 / PALACE I high councils, this talk will detail specifi c examples using lexical analysis. With little upfront knowledge of Recognizing a need to support passive bluetooth and provide analysis of malware which has been what SQLi is, the algorithm has been trained on tens monitoring in Scapy, Python’s interactive monitoring seen to target dissidents in Libya, Syria and other of thousands of real SQLi attacks and hundreds of framework, a project was launched to produce this countries over the past 18 months. The distribution of millions of user inputs taken from a Top 50 website functionality. Through this functionality, a new means these attacks across forums specialising in regional for high precision and accuracy. In addition, the for interactively observing bluetooth was created issues, social media and spear phishing will also be algorithm categorizes SQLi attacks and provides along with Python APIs to assist in the development of discussed. templates for new attacks or new fuzzing algorithms. bluetooth auditing, pentesting and exploitation tools. libinjection is available now on github for integration The project supplements the work of Michael Ossman et al by providing Python extensions and EMBEDDED DEVICE FIRMWARE into applications, web application fi rewalls, or porting to other programming languages. Scapy modules which interact with an Ubertooth VULNERABILITY HUNTING dongle. The project also provides support for other USING FRAK passive bluetooth techniques not present in the current Ang Cui MAPPING EVOLUTION OF Ubertooth core software such as NAP identifi cation, JULY 26 / 14:35 / PALACE III ANDROID PERMISSIONS vendor lookup, extended logging and more. We present FRAK**, the fi rmware reverse analysis Andrew Reiter In conjunction with this presentation, the source konsole. FRAK is a framework for unpacking, Zach Lanier for this project will be released along with distribution analyzing, modifying and repacking the fi rmware JULY 26 / 14:55 / PALACE III packages for easy installation. images of proprietary embedded devices. The FRAK The Android Open Source Project provides a software stack for mobile devices. The provided framework provides a programmatic environment for STAMP OUT HASH CORRUPTION, the analysis of arbitrary embedded device fi rmware as API enforces restrictions on specifi c operations a well as an interactive environment for the disassembly, process is allowed to perform through a permissions CRACK ALL THE THINGS manipulation and re-assembly of such binary images. mechanism. Due to the fi ne-grained nature of the Ryan Reynolds Jonathan Clauduis We demonstrate the automated analysis of Cisco model (and lack of a map), it is non-obvious which IOS, Cisco IP phone and HP LaserJet printer fi rmware calls require which permission(s) for an API of over JULY 26 / 14:55 / PALACE I images. We show how FRAK can integrate with 2400 classes. Also, due to the on-going development The precursor to cracking any password is getting existing vulnerability analysis tools to automate bug of the AOSP and API, these required permissions the right hash. In this talk we are going to cover hunting for embedded devices. We also demonstrate have changed. Both of these provide headaches how we discovered that Cain and Able, Creddump, how FRAK can be used to inject experimental host- for application security testers and application Metasploit and other hash extraction tools regularly based defenses into proprietary devices like Cisco developers. We fi rst discuss our methodology for yield corrupt hashes that cannot be cracked. We routers and HP printers. building a Android API permission map, including will take a deep dive into password extraction active and passive discovery tools. We then present mechanics, the birth of a viral logic fl aw that started the evolution of the map as the Android API has it all and how to prevent corrupt hashes. At the HTEXPLOIT BYPASSING HTACCESS transformed through releases. This work is signifi cant conclusion of this talk we will release patches that RESTRICTIONS because of the need for an understanding of the API prevent hash corruption in these tools that many Maximiliano Soler permission requirements in application security testing security professionals use every day. Matias Katz and the current lack of clarity in this ever-growing JULY 25 / 14:35 / AUGUSTUS I-II environment. STIX: THE STRUCTURED THREAT HTExploit is an open-source tool written in Python that exploits a weakness in the way that htaccess fi les INFORMATION EXPRESSION can be confi gured to protect a web directory with an MODSECURITY AS UNIVERSAL Sean Barnum authentication process. By using this tool anyone would CROSS-PLATFORM WEB JULY 25 / 14:55 / AUGUSTUS III-IV be able to list the contents of a directory protected this PROTECTION TOOL This Turbo Talk will give a brief introduction and way, bypassing the authentication process. Greg Wroblewski overview of an ongoing effort to defi ne a standardized Ryan Barnett integrated information architecture for representing JULY 25 / 14:15 / AUGUSTUS I-II structured cyber threat information. For many years ModSecurity was a number one free The effort known as the Structured Threat open source web application fi rewall for the Apache Information eXpression (STIX) is a work in web server. At this year’s Black Hat we would like progress among a broad community of industry, to announce that right now ModSecurity is also government, academic and international experts. This representation, as a whole or in parts, is actively being 23 BRIEFINGS pursued as a basis for automation and information have demonstrated individual utilities control systems While improving the security of end users, not using sharing within several active communities. directly connected to the internet. However, this is not the device trust store to validate the servers’ identity an isolated incident of failure, but rather a disturbing also makes black-box testing of such apps much SYNFUL DECEIT, STATEFUL trend. By visualising results from SHODAN over a 2 more challenging. Without access to the application’s SUBTERFUGE 1/2 year period, we can see that there are thousands source code to manually disable certifi cate validation, of exposed systems around the world. By using the tester is left with no simple options to intercept the Tom Steele some goelocation, and vulnerability pattern matching application’s SSL traffi c. Chris Patten to service banners we can see their rough physical We’ve been working on a set of tools for both JULY 26 / 14:35 / PALACE I location and the numbers of standard vulnerabilities Android and iOS to make it easy to defeat certifi cate Successful network reconnaissance and attacks they are exposed to. pinning when performing black-box testing of are almost always predicated by effectively identify This allows us to look at some statistics about the mobile apps. listening application services. However, the task industrial system security posture of whole nations On iOS, a Mobile Subtrate “tweak” has been can be daunting with various deployments of SYN and regions. During the process of this project I developed in order to hook at run-time specifi c SSL Flood protections that can mask legitimate results. worked with ICS-CERT to inform asset-owners of their functions performing certifi cate validation. Using Cydia, Furthermore, misconceptions are plenty and exposure and other CERT teams around the world. the “tweak” can easily be deployed on a jailbroken suggestions are elusive regarding how to truly detect The project has reached out to 63 countries, and device, allowing the tester to disable certifi cate the actual available services from the false positives. sparked discussion of convergence towards the public validation for any app running on that device in a This presentation will delve into techniques used for internet of many insecure protocols and devices. matter of minutes. SYN Flood protection and how to defeat various open- For Android applications, a custom JDWP debugger source and commercial vendor implementations. has been built to perform API hooking tasks. This tool The presentation will consist of IPv4 packet WHEN SECURITY GETS IN THE can be easily used on any Android device or emulator level details. As a result, a solid understanding of WAY: PENTESTING MOBILE APPS that allows USB debugging and application debugging. TCP/IP and the IPv4 connection process is highly THAT USE CERTIFICATE PINNING This presentation will discuss the techniques advised prior to attending this presentation. Further Alban Diquet we used to create those iOS and Android API understanding of typical port scanning techniques, Justine Osborne hooking tools, common use case scenarios, and such as SYN and ACK scans, will be useful, as JULY 26 / 14:15 / PALACE III demonstrations of the tools in action. well. Finally, a tool will be released so attendees can More and more mobile applications such as the continue to explore the concepts and techniques Chrome, Twitter and card.io apps have started relying within their own networks. on SSL certifi cate pinning to further improve the security of the application’s network communications. THE LAST GASP OF THE Certifi cate pinning allows the application to INDUSTRIAL AIR-GAP authenticate the application’s servers without relying Eireann Leverett on the device trust store. Instead, a white-list of JULY 25 / 14:35 / AUGUSTUS III-IV certifi cates known to be used by the servers is directly Industrial Systems are widely believed to be air- stored in the application, effectively restricting the gapped. At previous Black Hat conferences, people set of certifi cates the application will accept when connecting to those servers. EVENT AUDIO & VIDEO THE SOURCE OF KNOWLEDGE Palace Ballroom Foyer JULY 25-26 Did you miss a session? The Source of Knowledge is onsite to sell audio and video recordings of the Briefi ngs sessions. Media, including iPad ready presentations, may be purchased onsite at a substantial discount. 24 SPEAKERS KEYNOTES recognized by SC Magazine as one of the top YANN ALLAIN Opale Security industry pioneers who shaped the information security Yann ALLAIN, founder and current director of the industry. In 2010, he was named one of the most OPALE SECURITY company (www.opale-security. SHAWN HENRY CrowdStrike infl uential people in security by Security Magazine; eu). He graduated from a computer and electronic Shawn retired as FBI Executive Assistant Director received the Federal 100 Award as a government engineering school (Polytech -UniversitŽ Pierre et (EAD) in March 2012, with responsibility for all criminal leader who played a pivotal role in the federal Marie Curie). After a time in the electronic industry and cyber programs and investigations worldwide, as government IT community; and was selected as as an engineer in embedded system conception, well as international operations and the FBI’s critical cybercrime fi ghter of the year by McAfee Inc. he made a career move towards IT. He started as a incident response. During his career as a Special Shawn earned a Bachelor of Business production manager for a company in the fi nancial Agent, Shawn served in three FBI Field Offi ces and Administration from Hofstra University and a Master sector (Private Banking), and evolved towards IT at FBI Headquarters, where he held a wide range of Science in Criminal Justice Administration from security when he became part of the ACCOR group. of operational and leadership positions, including Virginia Commonwealth University. He is a graduate of He was in charge of applicative security for the group. Assistant Director in Charge of the Washington the Homeland Security Executive Leaders Program of He has an 18-year experience, 14 of which dedicated Field Offi ce. the Naval Postgraduate School’s Center for Homeland to IT system and embedded system security. OPALE Having served in multiple positions relating to cyber Defense and Security. As President of CrowdStrike SECURITY deals with research projects linked, intrusions since 1999, Shawn has been the Bureau’s Services, Shawn leads a world-class team of amongst other things to the security of embedded outspoken top agent on cybersecurity issues, and is cybersecurity professionals who respond to computer systems (http://www.opale-security.eu/innovation- credited with boosting the FBI’s computer crime and network intrusions to mitigate Advanced Persistent information-systems-security.html) cybersecurity investigative capabilities. In addition Threats (APT). to his last position as EAD of the Criminal, Cyber, Response and Services Branch, he served as both IFTACH IAN AMIT IOActive Deputy Assistant Director and Assistant Director of NEAL STEPHENSON With over a decade of experience in the information the Cyber Division at FBI Headquarters; Supervisor Neal Stephenson is the author of the three-volume security industry, Iftach Ian Amit brings a mixture of of the FBI Cyber Crime squad in Baltimore; and Chief historical epic “The Baroque Cycle” (Quicksilver, The software development, OS, network and Web security of the Computer Investigations Unit within the FBI-led Confusion, and The System of the World) and the expertise as Director of Services to the top-tier security National Infrastructure Protection Center. novels Cryptonomicon,The Diamond Age, Snow consulting fi rm IOActive. Prior to IOActive, Ian was the During his tenure, Shawn oversaw major Crash, and Zodiac. He lives in Seattle, Washington. VP consulting for Security Art, Ian also held Director computer crime and cyber investigations spanning of Security Research positions with Aladdin and the globe, from denial-of-service attacks, to major Finjan, leading their security research while positioning bank and corporate breaches, to nation-state BRIEFINGS them as leaders in the Web security market. Ian has sponsored intrusions. Shawn led the establishment also held leadership roles as founder and CTO of a of the National Cyber Investigative Joint Task Force security startup in the IDS/IPS arena, developing new JIM ALDRIDGE Mandiant (NCIJTF), a multi-agency center led by the FBI, which techniques for attack interception, and a director at Jim Aldridge is a Manager in Mandiant’s Washington, coordinates and shares information about cyber Datavantage, responsible for software development D.C. offi ce and is responsible for Mandiant’s incident threat investigations. He also forged partnerships and information security, as well as designing and remediation services. His areas of expertise include domestically and internationally within governments building a fi nancial datacenter. Prior to Datavantage, he security incident response, penetration testing, and the private sector, and posted FBI cyber experts managed the Internet Applications as well as the UNIX security strategy, and secure systems and network in police agencies around the world, including departments at the security consulting fi rm Comsec. design. Jim has signifi cant experience working with Amsterdam, Romania, Ukraine, and Estonia. Early in Ian is also the founder of the local DEF CON group the defense industrial base, technology, and industrial his cyber career, Shawn served on the U.S. delegation in Tel-Aviv DC9723, as well as one of the founding products sectors. to the G8 as a member of the High-Tech Crimes members of the PTES (Penetration Testing Execution Subgroup. Standard), and the IL-CERT. Shawn was an original member of the National CHEMA ALONSO Informatica64 Cyber Study Group, under the direction of the Chema Alonso is a Security Consultant with GEORGE ARGYROS Offi ce of the Director of National Intelligence. This Informatica64, a Madrid-based security fi rm. Chema University Of Athens / Census, Inc. organization developed the Comprehensive National holds respective Computer Science and System George Argyros is an undergraduate student at Cybersecurity Initiative (CNCI), the U.S. government’s Engineering degrees from Rey Juan Carlos University University Of Athens in Greece but he is about to national strategy to mitigate threats and secure and Universidad Politacnica de Madrid. During his start a Ph.D. at Columbia University in September. He cyberspace, to which Shawn was a key contributor. more than six years as a security professional, he has also works as an intern at Census inc. His research Shawn has been a keynote speaker on a multitude consistently been recognized as a Microsoft Most interests include cryptography, software testing, of cyber issues in venues around the world. He has Valuable Professional (MVP). Chema is a frequent source code auditing and anything else related to been sought out by the media for his cyber expertise, speaker at industry events (Microsoft Technet / computer security seems interesting. and has been featured on television and radio, Security Tour, AseguraIT) and has been invited to including 60 Minutes; CBS Evening News; Good present at information security conferences worldwide Morning America; The Today Show; Dateline; Rock including Black Hat Briefi ngs, DEF CON, Ekoparty and PATROKLOS ARGYROUDIS Census Inc Center with Brian Williams and C-SPAN. He has also RootedCon. He is a frequent contributor on several Patroklos Argyroudis is a computer security researcher conducted interviews with numerous print and online technical magazines in Spain, where he is involved at Census Inc, a company that builds on strong publications, including Forbes Magazine, Business with state-of-the-art attack and defense mechanisms, research foundations to offer specialized IT security Week, The Wall Street Journal, The Associated Press, web security, general ethical hacking techniques services to customers worldwide. Patroklos holds The New York Times, and USA Today. and FOCA, the meta-data extraction tool which he a PhD in Computer Security from the University of Shawn has been professionally recognized during co-authors. Dublin, Trinity College, where he has also worked as his career. In 2009, he received the Presidential Rank a postdoctoral researcher on applied cryptography. Award for Meritorious Executive for his leadership His current focus is on vulnerability research, in enhancing the FBI’s cyber capabilities, and was exploit development, reverse engineering, source 25 SPEAKERS code auditing and malware analysis. Patroklos has researcher, reverse engineer, and developer. Prior to presented research at several international security this, he worked for Matasano Security as a senior conferences on topics such as kernel exploitation, security consultant. His reverse engineering and kernel mitigation technologies, and electronic hardware analysis work, written about in Forbes and payments. Ars Technica, includes early key research in hardware jailbreaking (including an ARM decompiler), reversing VALERIA BERTACCO projects that led to the fi rst Linux compatibility for the University of Michigan Apple iTunes Music Store, and Linux compatibility for Valeria Bertacco is an Associate Professor of Electrical Windows games. Engineering and Computer Science at the University of Michigan. She is currently spending her sabbatical at JONATHAN BROSSARD the Addis Ababa Institute of Technology. Her research Toucan System Security Company interests are in the area of design correctness, with Jonathan is a security research engineer. Born in emphasis on full design validation, digital system France, he’s been living in Brazil and India, before reliability and hardware security assurance. Valeria currently working in Australia. With about 15 years joined the faculty at Michigan after being in the of practice of assembly, he is specialised in low level Advanced Technology Group of Synopsys for four security, from raw sockets to cryptography and years as a lead developer of Vera and Magellan, two memory corruption bugs. He is currently working as popular verifi cation tools. CEO and security consultant at the Toucan System Valeria serves in several conference program security company. His clients count some of the committees, including DATE and DAC and she the biggest Defense and Financial Institutions worldwide. author of three books on design errors and validation. Jonathan is also the co-organiser of the Hackito Ergo She received her M.S. and Ph.D. degrees in Electrical Sum conference (HES2011) in France. Engineering from Stanford University in 1998 and 2003, respectively; and a Computer Engineering CHRISTOPHER CAMPBELL degree (“Dottore in Ingegneria”) summa cum laude Northrop Grumman from the University of Padova, Italy in 1995. Valeria is Works for Northrop Grumman as a full-scope Server, Microsoft Windows, Yahoo! Messenger, the recipient of the IEEE CEDA Early Career Award, penetration tester for several years. He holds many etc. In addition, Cesar has authored several white an IBM faculty award, an NSF CAREER award, and industry certifi cations and a Master of Science in IA papers on database, application security, attacks and the Air Force Offi ce of Scientifi c Research’s Young from Capitol College. Chris served over ten years in exploitation techniques and he has been invited to Investigator award. the Army with most of that time as a Signal Offi cer. present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, RODRIGO BRANCO Qualys EuSecWest, WebSec, HITB, Microsoft BlueHat, LUCA CARETTONI EkoParty, FRHACK, H2HC, DEF CON, Infi ltrate, Rodrigo Rubira Branco (BSDaemon) is the Director of Matasano Security etc. Cesar collaborates with and is regularly quoted Vulnerability & Malware Research at Qualys. In 2011 he Luca Carettoni is a senior security consultant for in print and online publications including eWeek, was honored as one of the top contributors to Adobe Matasano Security with over 7 years experience as ComputerWorld, and other leading journals. Vulnerabilities in the past 12 months. Previously, as the a computer security researcher. His professional Chief Security Research at Check Point he founded expertise includes black box security testing, web the Vulnerability Discovery Team (VDT) and released application security, vulnerability research and source SILVIO CESARE Deakin University dozens of vulnerabilities in many important software. code analysis. Prior to Matasano, Luca worked at Silvio Cesare is a PhD student at Deakin University. Previous to that, he worked as Senior Vulnerability The Royal Bank of Scotland as a penetration testing His research is supported by a full scholarship under Researcher in COSEINC, as Principal Security specialist where he performed security audits against a Deakin University Postgraduate Research Award. Researcher at Scanit and as Staff Software Engineer several online banking systems worldwide. In the His research interests include malware detection in the IBM Advanced Linux Response Team (ALRT) past years, Luca has been an active participant in the and automated vulnerability discovery using static also working in the IBM Toolchain (Debugging) Team security community and a member of the Open Web analysis of executable binaries. He has previously for PowerPC Architecture. He is a member of the Application Security Project (OWASP). Luca holds a spoken at industry conferences including Black Hat, RISE Security Group and is the organizer of Hackers Master’s Degree in Computer Engineering from the Cansecwest, Ruxcon, and has published in academic to Hackers Conference (H2HC), the oldest security Politecnico di Milano university. journals such as IEEE Transactions on Computers. research conference in Latin America. He is also author of the book Software Similarity and Classifi cation, published by Springer. He has worked in IOActive Labs CESAR CERRUDO industry within Australia, France and the United States. JOSHUA BRASHARS AppSec Consulting Cesar Cerrudo is CTO at IOActive Labs where he This work includes time as the scanner architect Joshua Brashars is a senior penetration tester at leads the team in producing ongoing cutting edge of Qualys – now the world’s largest vulnerability AppSec Consulting. He specializes in network, research in the areas of SCADA, mobile device, assessment company. In 2008 he was awarded $5000 application, and the mobile security testing. In application security and more. Formerly the founder USD tied 3rd prize for the highest impact vulnerability his spare time, he enjoys playing around with old and CEO of Argeniss Consulting, acquired by IOActive, reported to security intelligence company IDefense telephone systems. Joshua has presented at several Cesar is a world renown security researcher and for an implementation specifi c IDS evasion bug in the industry-recognized conferences and has contributed specialist in application security. widely deployed Snort software. He has a Bachelor of to several books by Syngress Publishing. Throughout his career, Cesar is credited with Information Technology and a Master of Informatics by discovering and helping to eliminate dozens of research from CQUniversity where he was awarded vulnerabilities in leading applications including CODY BROCIOUS Mozilla with two academic prizes during his undergraduate Microsoft SQL Server, Oracle database server, IBM Cody Brocious is a hacker for the Mozilla Corporation degree, and a University Postgraduate Research DB2, Microsoft BizTalk Server, Microsoft Commerce with over 8 years of experience as a computer security Award full scholarship during his Masters degree. 26 SPEAKERS DMITRY CHASTUHIN and Image Processing. While starting out his IT-career Skip currently holds the following certs:GSE, CISSP, St. Petersburg State Polytechnic University in the Computer Games industry, he has worked in CISA, and RHCE. Skip currently works for Northrop The student of St. Petersburg State Polytechnic the Telecom fi eld and also was a senior developer Grumman as a Sr. Cyber Something or other. University, computer science department, he works at a specialized fi rm programming various GSM/ upon SAP security, particularly upon Web applications UMTS/GPS sub-systems. He is the author of the JUSTIN ENGLER FishNet Security and JAVA systems. He has offi cial acknowledgements MiFare Classic Universal toolKit (MFCUK), the fi rst Justin Engler is a Senior Security Consultant for from SAP for the vulnerabilities found. publically available (FOSS) card-only key cracking FishNet Security’s Application Security practice. His Dmitriy is also a WEB 2.0 and social network tool for the MiFare Classic RFID card family and is focus is on the security of web applications, mobile security geek who found several critical bugs in known as the “printer guy” for his “Hacking MFPs” and devices, web-backed thick clients, databases, and Yandex services (Russian largest search engine), “Hacking PostScript” series of hacks & talks at various industrial control systems. Justin has previously Google, Vkontakte (vk.com), the Russian largest social international conferences. He is passionate about spoken at Black Hat USA and DEF CON. network. He is a contributor to the OWASP-EAS security in a holistic fashion. Currently he is a PhD project. He spoke at the following conferences: Hack candidate with EURECOM in the fi eld of “Security of in the Box and BruCON. embedded devices”. STEFAN ESSER SektionEins GmbH Actively participates in the life of the Russian DEF Stefan Esser is best known in the security community CON Group. as the PHP security guy. Since he became a PHP core ZACHARY CUTLIP developer in 2002 he devoted a lot of time to PHP Tactical Network Solutions and PHP application vulnerability research. However Zachary Cutlip is a security researcher with Tactical ROBERT CLARK in his early days he released lots of advisories about Network Solutions, in Columbia, MD. At TNS, U.S. Army Cyber Command vulnerabilities in software like CVS, Samba, OpenBSD Zach develops exploitation techniques targeting Robert Clark is currently the operational attorney for or Internet Explorer. In 2003 he was the fi rst to boot embedded systems and network infrastructure. Since the U.S. Army Cyber Command. He is the former Linux directly from the hard disk of an unmodifi ed 2003, Zach has worked either directly for or with Cybersecurity Information Oversight & Compliance XBOX through a buffer overfl ow in the XBOX font the National Security Agency in various capacities. Offi cer with the Offi ce of Cybersecurity and loader. In 2004 he founded the Hardened-PHP Project Before embracing a lifestyle of ripped jeans and Communications, Department of Homeland Security to develop a more secure version of PHP, known as untucked shirts, he spent six years in the US Air Force, and former legal advisor to the Navy CIO; United Hardened-PHP, which evolved into the Suhosin PHP parting ways at the rank of Captain. Zach holds an States Computer Emergency Readiness Team; and, Security System in 2006. Since 2007 he works as undergraduate degree from Texas A&M University and the Army’s Computer Emergency Response Team. In head of research and development for the German a master’s degree from Johns Hopkins University. these positions he has provided advice on all aspect web application company SektionEins GmbH that he of computer network operations. He interacts regularly cofounded. with many government agencies and is a past lecture DALLAS DE ATLEY Apple at Black Hat; DEF CON; Stanford Center for Internet Dallas De Atley, Manager of the Platform Security GREGORY FLEISCHER FishNet Security and Society and the Berkman Center for Internet & Team, Apple Society at Harvard University -Four TED-TECH Talks Gregory is a Senior Security Consultant in the 2011; SOURCE Boston 2010; the iapp; and, the Application Security practice at FishNet Security where DoD’s Cybercrimes Conference. TAMARA DENNING he conducts security assessments against a wide University of Washington variety of web and mobile applications. In his spare Tamara Denning is a fi fth year PhD student at the time, he likes to fi nd and exploit vulnerabilities in web JONATHAN CLAUDUIS Trustwave University of Washington working with Tadayoshi browsers and client-side technologies such as Java Jonathan Claudius is a Security Researcher Kohno in the Security and Privacy Research Lab. and Flash as well as working on open source security at Trustwave. He is a member of Trustwave’s She received her B.S. in Computer Science from the tools. He has an interest in privacy and anonymity and SpiderLabs—the advanced security team focused on University of California, San Diego in 2007 and her has worked with The Tor Project to identify potential penetration testing, incident response, and application Master’s degree from the University of Washington issues. Gregory has previously spoken at the Black security. He has eleven years of experience in the IT in 2009. Her main area of focus is the intersection Hat USA and DEF CON security conferences. industry with the last nine years specializing in Security. of humans and computer security with a focus on At Trustwave, Jonathan works in the SpiderLabs emerging technologies. Research Division where he focuses on vulnerability JOHN FLYNN Facebook research, network exploitation and is the creator of the John “Four” Flynn is an expert in Information Security FishNet Security BNAT-Suite. Before joining SpiderLabs, Jonathan ran JOSHUA DUBICK with over 10 years of experience in the fi eld. At Joshua Dubik is a Security Consultant for FishNet Trustwave’s Global Security Operations Center. Google, he was the founder and lead architect of Security’s Application Security practice. His focus is on Before joining Trustwave, Jonathan was a Network Google’s innovative Intrusion Detection group which the security of web, mobile and desktop applications. Penetration Tester for a Top 10 Consulting and led to the successful detection of the Aurora attack Previously, Joshua worked as a developer for several Accounting fi rm and worked for a US Department in December 2009. Four also led Google’s Security organizations including the United States Coast Guard. of Defense contractor in their Communications Operations team where he pioneered innovative Joshua is currently working on the iOS Application Electronics Warfare Division. Jonathan holds a approaches to Enterprise IT Security. He is a technical Assessment Tool. Bachelor of Science in Applied Networking and advisor to both a prominent political campaign and a System Administration from the Rochester Institute top tier Venture Capital fi rm. Four holds a Masters in of Technology and is a Certifi ed Information Systems ALVA DUCKWALL Northrop Grumman Computer Science and Information Assurance from Security Professional (CISSP). Alva “Skip” Duckwall has been using Linux back George Washington University as well as a Bachelors before there was a 1.0 kernel and has since moved in Computer Engineering from the University of into the information security arena doing anything Minnesota. Currently he works as a Security Engineer ANDREI COSTIN Eurecom from computer/network auditing, to vulnerability at Facebook and maintains a blog at SecInt.org. Born and grown-up in Moldova, Andrei is a Computer assessments and penetration testing. Skip currently Science graduate of the Politechnic University of works for a group doing full-scope penetration testing. Bucharest where he did his thesis work in Biometrics 27 ISSA Information Systems Security Association SPEAKERS JAMES FORSHAW earned her law degree from University of California, the fi eld, sometimes by any means necessary, he thinks Context Information Security Hastings College of the Law and her undergraduate the idea of ‘forward thinking’ is quaint; we’re supposed James is a principal consultant for Context Information degree from the New College of the University of to be thinking that way all the time. No degree, no Security in the UK, with a keen focus on novel security South Florida. certifi cations, just the willingness to say things many research. He has been involved with computer in this dismal industry are thinking but unwilling to hardware and software security for almost 10 years JONATHAN GRIER say themselves. He remains a champion of security with a skill set which covers the bread and butter Jonathan Grier has been an independent security industry integrity and small misunderstood creatures. of the security industry such as application testing, consultant and researcher for over a decade. He has through to more bespoke product assessment, conducted forensic investigations, performed security KEN JOHNSON Microsoft vulnerability analysis and exploitation. audits, trained programmers in secure application Ken Johnson works on the Security Science team He has spoken at a number of security conferences development, and advised clients on data security. within the Microsoft’s Security Engineering Center in the past, on a range of different topics such as He has forensically investigated employee dishonesty, (MSEC), where he primarily focuses on researching, Sony Playstation Portable hacking at Chaos Computer network break-ins, data theft and industrial espionage. developing, and implementing exploitation mitigation Congress, WebGL exploitation at Ruxcon and Citrix Jonathan has consulted for clients in health care, techniques. Ken’s prior contributions to the fi eld network exploitation at Black Hat Europe. He is also telecommunications, construction, and professional have included the development of an Address Space the developer of CANAPE networking tool presented services, and taught classes sponsored by the US Layout (ASLR) implementation for Windows earlier at that conference. Department of Defense Cyber Crime Center. than Vista. He is known for a number of prior articles An active researcher, Jonathan has developed new on security-related, Windows internals, debugging, JAVIER GALBALLY methods used in forensics and application security. and reverse engineering topics (often contributed to Universidad Autonoma de Madrid Microsoft Press, the Journal of Digital Investigation, the Uninformed Journal). Prior to joining Microsoft, Javier Galbally received the MSc in electrical Digital Forensics Magazine, Symantec, Information Ken developed a number of advanced debugging engineering in 2005 from the Universidad de Week and the US Department of Defense have all tools for Windows on his own time, including the Cantabria, and the PhD degree in electrical featured his work. fi rst accelerated kernel debugger transport for engineering in 2009, from Universidad Autonoma de Windows VMware VMs (VMKD), and a debugger Madrid, Spain. Since 2006 he is with Universidad DAN GUNTER extension capable of importing data from IDA into Autonoma de Madrid, where he is currently working Dan brings a depth and breadth of experience for WinDbg (SDbgExt). He has continued this tradition as an assistant researcher. He has carried out both the technical and business development side of in recent times, contributing Hyper-V VM debugging different research internships in worldwide leading information security. He has worked and consulted support and self-consistent physical machine groups in biometric recognition such as BioLab from across the commercial, non-profi t, academic and memory snapshot support to the Sysinternals LiveKd Universita di Bologna Italy, IDIAP Research Institute in government sectors and recognizes the unique needs debugging too. Switzerland, or the Scribens Laboratory at the Ìcole and constraints within each setting. He has served Polytechnique de Montreal in Canada. His research in roles ranging from proposal development and JASON JONES HP DVLabs interests are mainly focused on the security evaluation customer need analysis for high value information I am a security researcher at HP DVLabs and lead of biometric systems, but also include pattern and security contracts to designing and coding solutions to for the ASI team that specializes in applied security biometric recogniton, and synthetic generation of solve unique and challenging problems in settings with research, malware analysis, and is responsible for our biometric traits. He is actively involved in European anywhere from a few users to hundreds of thousands IP Reputation product. I have done research on Webkit projects focused on vulnerability assessment of of users. Dan holds an Undergraduate Degree in instrumentation, web exploit toolkits, honeypots, and biometrics (e.g, STREP Tabula Rasa) and is the Computer Science and will fi nish his Masters in reverse engineering malware. recipient of a number of distinctions, including:IBM Computer Science soon. Best Student Paper Award at ICPR 2008, and fi nalist of the EBF European Biometric Research Award. LOUKAS K aka SNARE Assurance PETER HANNAY Edith Cowan University Once upon a time, snare was a code-monkey, Peter Hannay is a PhD student, researcher and cranking out everything from pre-press automation JENNIFER GRANICK Stanford lecturer based at Edith Cowan University in Perth apps to fi rmware for Big F***ing Laser Machines. Upon Jennifer Stisa Granick started as the Stanford Western Australia. His PhD research is focused on discovering that “information security” was actually Law School Center for Internet and Society’s (CIS) the acquisition and analysis of data from small and a somewhat legitimate industry, and not just hacking Director of Civil Liberties in June of 2012. Jennifer embedded devices. In addition to this he is involved stuff for fun, he got himself a job as a penetration returns to Stanford after stints as General Counsel in smart grid & network security research and other tester. He now works as the Principal Consultant for of entertainment company Worldstar Hip Hop and projects under the banner of the SECAU research Assurance in Melbourne, Australia. as counsel with the internet boutique fi rm of Zwillgen organisation. Having been a Mac fanboy since around 1987, PLLC. Before that, she was the Civil Liberties Director Peter is an accomplished academic, with more snare spends most of his free time messing with at the Electronic Frontier Foundation. Jennifer than 20 publications in peer reviewed conferences Mac OS X -from fi rmware to kernel rootkits to writing practices, speaks and writes about computer crime and journals, in addition he is a regular speaker at the actual useful applications. When he’s not playing with and security, electronic surveillance, consumer Ruxcon and Kiwicon hacker conferences taking place computers he enjoys hoppy pale ales, guitars, metal privacy, data protection, copyright, trademark and the in Australia and New Zealand respectively. \m/, and building robots. Digital Millennium Copyright Act. From 2001 to 2007, Jennifer was Executive Director of CIS and taught Cyberlaw, Computer Crime Law, Internet intermediary JERICHO DAN KAMINSKY liability, and Internet law and policy. Before teaching at Jericho has been poking about the hacker/security Dan Kaminsky has been a noted security researcher Stanford, Jennifer spent almost a decade practicing scene for over 19 years (for real), building valuable for over a decade, and has spent his career advising criminal defense law in California. She was selected by skills such as skepticism and anger management. Fortune 500 companies such as Cisco, Avaya, and Information Security magazine in 2003 as one of 20 As a hacker-turned-security whore, he has a great Microsoft. Dan spent three years working with Microsoft ISSA “Women of Vision” in the computer security fi eld. She perspective to offer unsolicited opinion on just about on their Vista, Server 2008, and Windows 7 releases. Information Systems Security Association any security topic. A long-time advocate of advancing Dan is best known for his work fi nding a critical fl aw 29 SPEAKERS in the Internet’s Domain Name System (DNS), and for fi rm. Mr. Lawler has been actively working in He is a four time winner of the CanSecWest Pwn2Own leading what became the largest synchronized fi x to information security for over 7 years, primarily in competition. He has authored three information the Internet’s infrastructure of all time. Of the seven reverse engineering, malware analysis, and exploit security books and holds a PhD from the University of Recovery Key Shareholders who possess the ability development. While working at Mandiant he was a Notre Dame. He is currently being held in a maximum to restore the DNS root keys, Dan is the American principal malware analyst for high-profi le computer security prison in Cupertino, but hopes to be released representative. Dan is presently developing systems intrusions affecting several Fortune 100 companies. soon for good behavior. to reduce the cost and complexity of securing critical Prior to this, as a founding member of ManTech infrastructure. International’s Security and Mission Assurance MATT MILLER Microsoft (SMA) division he discovered numerous “0-day” Matt Miller works on the Security Science team within CHARITON KARAMITAS Census Inc vulnerabilities in COTS software and pioneered Microsoft’s Security Engineering Center (MSEC) Chariton is an undergraduate student at the several exploitation techniques that have only been where he primarily focuses on researching and engineering school and works as an intern at Census recently published. developing exploit mitigation technology. Some of Inc. His research interests include compilers, static Prior to his work at ManTech, Stephen Lawler was Matt’s past contributions in this space have included analysis, reverse engineering and source code the lead developer for the AWESIM sonar simulator a functional implementation of Address Space Layout auditing. He enjoys spending his free time studying as part of the US Navy SMMTT program. Randomization (ASLR) for Windows 2000/XP/2003 maths and coding stuff. Stephen is also the technical editor of the book and a mitigation for SEH overwrites that is now “Practical Malware Analysis” published by No known as SEHOP. Prior to joining Microsoft, Matt Starch Press. TOBY KOHLENBERG Infosec was involved with the Metasploit framework where Toby is a senior information security technologist he helped develop Metasploit 3.0 and contributed for a Fortune 50 company and has been working in RYAN LINN Trustwave features like Meterpreter and VNC injection. Matt infosec since 1999. He has worked on a large number Ryan Linn is a Senior Consultant with Trustwave’s also co-founded the Uninformed Journal and has of different technologies in the information security SpiderLabs -the advanced security team focused written articles on exploitation techniques, reverse space. His primary job is new technology evaluation, on penetration testing, incident response, and engineering, and program analysis. penetration, and defense. Recently he has been application security. Ryan is a penetration tester, focusing on cloud and virtualization security. an author, a developer,and an educator. He comes JULIEN MOINARD from a systems administration and Web application Julien Moinard, an electronics technician with a solid development background, with many years of IT TADAYOSHI KOHNO background in this fi eld (over 7 years) associated with security experience. Ryan currently works as a full-time many personal and professional experiments in the University of Washington penetration tester and is a regular contributor to open Tadayoshi Kohno is an Associate Professor of fi eld of microcontrollers. Furthermore, he contributes source projects including Metasploit and BeEF, the to training 1st year students in an electrical engineering Computer Science and Engineering at the University of Browser Exploitation Framework. Washington. His work focuses on fi nding vulnerabilities and industrial computing DUT (2-year technical in insecure systems, and building secure systems. degree). He is in the 2nd year of this program. In 2003 he was part of the team that conducted the DAVID LITCHFIELD fi rst security review of the Diebold electronic voting David Litchfi eld is recognized as one of the world’s DAVID MORTMAN enStratus machine software, and he also conducted the fi rst leading authorities on database security. He is the David Mortman has been doing Information Security public experimental security analysis of a modern author of “Oracle Forensics”, the “Oracle Hacker’s for well over 15 years and is currently the Chief implantable cardiac device (2008) and a complete Handbook”, the “Database Hacker’s Handbook Security Architect at enStratus. Most recently, he automobile (2010 and 2011). His group also framed a and SQL Server Security” and is the co-author of was the Director of Security and Operations at C3. networked printer for copyright infringement, with the the “Shellcoder’s Handbook”and “Special Ops”. Previously, David was the CISO at Siebel Systems printer receiving a DMCA takedown notice for illegally He is a regular speaker at a number of computer and the Manager of Global Security at Network downloading Iron Man. Prior to academia, Kohno security conferences and has delivered lectures to the Associates. David speaks regularly at Black Hat, DEF worked as a cryptographer and security consultant National Security Agency, the UK’s Security Service, CON, RSA and other conferences. Additionally, he at Counterpane Systems and Cigital. Kohno is the GCHQ and the Bundesamt für Sicherheit in der blogs at emergentchaos.com, newschoolsecurity.com co-author of Cryptography Engineering, with Niels Informationstechnik in Germany. and securosis.com. David sits on a variety of advisory Ferguson and Bruce Schneier, and is chairing the boards, including Qualys and Virtuosi. David holds a 2012 USENIX Security Symposium. TARJEI MANDT Azimuth Security B.S. in Chemistry from the University of Chicago. Tarjei Mandt is a senior vulnerability researcher at SETH LAW FishNet Security Azimuth Security. He holds a Master’s degree in JEFF MOSS ICANN Seth Law is a Principal Consultant for FishNet Security Information Security and has previously spoken Jeff Moss has been a hacker for over twenty years. in Application Security. He spends the majority of his at security conferences such as Black Hat USA, In 1992 Jeff founded DEF CON, the largest hacker time breaking web and mobile applications, but has INFILTRATE, SyScan, H2HC, and Hackito Ergo Sum. community and gathering in the world. Five years later, been known to code when the need arises. Seth is In his free time, he enjoys spending countless hours he started Black Hat, a series of technical conferences currently involved in multiple open source projects challenging security mechanisms and researching featuring the latest security research. In 2009, Jeff was (including RAFT) and is working with others to advance intricate issues in low-level system components. appointed to the DHS Homeland Security Advisory the state of mobile security testing tools. He has Recently, he has done extensive research on modern Council, a group of subject matter experts providing spoken previously at Black Hat, DEF CON, and other kernel pool exploitation and discovered several advice to the Secretary of DHS. In 2011 Jeff was security conferences. vulnerabilities in Windows kernel components. named Vice President and Chief Security Offi cer at the Internet Corporation for the Assignment of Names and STEPHEN LAWLER CHARLIE MILLER Accuvant Labs Numbers (ICANN). Stephen Lawler is the Founder and President of a Charlie Miller is Principal Research Consultant at ICANN is a non-profi t whose responsibilities include small computer software and security consulting Accuvant Labs. He was the fi rst with a public remote coordinating and ensuring the security, stability and exploit for both the iPhone and the G1 Android phone. resiliency of the Internet’s unique global identifi ers such 30 SPEAKERS NILS MWR InfoSecurity TSUKASA OI Nils is heading the security research at MWR Fourteenforty Research Institute, Inc. InfoSecurity. He likes to break and exploit stuff, which Tsukasa Oi is a research engineer at Fourteenforty he demonstrated at pwn2own 2009 and 2010. He has Research Institute, Inc. He is interested in low-level spent most of 2010 and 2011 researching different technologies such as virtualization and rootkits. He mobile platforms and how to evade the exploitation spoke at PacSec about anti-forensic rootkit and mitigations techniques in place on these platforms. virtualization-based tracer. Currently, he focuses on His current interest are embedded payment devices. mobile security and reverse engineering. Nils has previously presented at Black Hat on Android security. MING-CHIEH PAN Trend Micro Ming-chieh’s (Nanika) major areas of expertise include STEVE OCEPEK Trustwave vulnerability research, exploit techniques, malware Steve Ocepek serves as the Senior Security Research detection and mobile security. He has 10+ years of Manager for Trustwave’s SpiderLabs division -the experience on vulnerability research on Windows advanced security team focused on penetration platform and malicious document and exploit. He has testing, incident response, and application security. discovered numerous Windows system and document An innovative network security expert with an application vulnerabilities, such as Microsoft Offi ce, entrepreneurial spirit, Steve Ocepek has been a Adobe PDF, and Flash. He frequently presents his driving force in pioneering Network Access Control researches at security conferences in Asia, including (NAC) technologies delivering comprehensive Syscan Singapore/Taipei/Hong Kong 08/10, Hacks in endpoint control for mitigation of zero attacks, policy Taiwan 05/06/07/09/10. Ming-chieh is a staff research enforcement, and access management, for which he engineer with Trend Micro. He and Sung-ting are as IP address allocations, AS and protocol numbers, has been awarded 4 patents with 1 patent pending. members of CHROOT security group in Taiwan. and digitally signing and maintaining the root zone of With a reputation for preventing, intercepting, and the Internet. resolving malicious attacks from malware, viruses, and Jeff is uniquely qualifi ed with his ability to bridge the TOMISLAV PERICIN ReversingLabs worms, Steve has provided consultative testing, and Tomislav Pericin has been analyzing and developing gap between the underground researcher community made recommendations for remediation for Fortune and law enforcement, between the worlds of pure software packing and protection methods for the last 9 500 and government enterprises in fi nancial, credit years. He is one of the founders of ReversingLabs and research and responsible application. As such, he card processing, educational, healthcare, and high- is a popular keynote speaker at conferences and the chief software architect behind such projects as tech industries. His testing of network penetration, use TitaniumCore, TitanEngine, NyxEngine and RLPack. referenced in the Associated Press, CNN, New of Network Access Control (NAC), Intrusion Detection York Times, Reuters, Vanity Fair, and the Wall Street Recently he spoke at Black Hat, ReCon, CARO Systems (IDS), Intrusion Prevention Systems (IPS), Workshop, SAS and TechnoSecurity conferences. Journal. In 2011 Moss received the ICSA President’s Web Application Firewalls (WAF), Network Firewalls, Award for Public Service and in 2012 he was named and Encryption Solutions enable him to advise on new in Discovery Magazines “top 100 stories of 2012” as countermeasures improving security, saving clients NICHOLAS PERCOCO Trustwave story #50. millions of dollars in losses of intellectual property, With more than 15 years of information security Prior to ICANN Moss was the founder and CEO client data, customer confi dence, and litigation costs. experience, Percoco leads the global SpiderLabs of Black Hat, where he remains as Conference Chair. Steve has led the growth of SpiderLabs Security organization that has performed more than He was a director at Secure Computing Corporation Research Department, more than doubling services 1300 computer incident response and forensic where he helped establish the Professional Services providing solutions to meet the needs of clients investigations globally, run thousands of ethical Department in the United States, Asia, and Australia. worldwide in identifying, preventing, and solving hacking and application security tests for clients, and He has also worked for Ernst & Young, LLP in their network security threats and problems. He is known conduct bleeding-edge security research to improve Information System Security division. Moss graduated as a trusted resource and problem solver by chief Trustwave’s products. from Gonzaga University with a BA in Criminal information offi cers, directors of security, chief Prior to joining Trustwave, Percoco ran security Justice. He currently serves as a member of the U.S. technical offi cers, chief operating offi cers, chief consulting practices at VeriSign, and Internet Security Department of Homeland Security Advisory Council, executive offi cers, and military and national security Systems. In 2004, he drafted an application security and is a member of the Council on Foreign Relations. leaders. framework that became known as the Payment Application Best Practices (PABP). In 2008, this framework was adopted as a global standard called COLLIN MULLINER JEONG WOOK OH Microsoft Technische Universitaet Berlin Payment Application Data Security Standard (PA- I am a security researcher from Microsoft Malware Collin Mulliner is a researcher at Technische DSS). Protection Center. We are dealing with all sorts of Universitaet Berlin (TU Berlin) and Deutsche Telekom As a speaker, he has provided unique insight malwares and vulnerabilities. Laboratories. Collin’s main interest is in the area of around security breaches, malware, mobile security One of my main subject of researches was patch security and privacy of mobile and embedded devices and InfoSec trends to public (Black Hat, DEF CON, analysis in the past. I released DarunGrim as an with an emphasis on mobile and smart phones. SecTor, You Sh0t the Sheriff, OWASP) and private opensource project (http://darungrim.org) and it is one Since 1997 Collin has developed software and did audiences (Including DHS, US-CERT, Interpol, United of the popular patch analysis tools. security work for Palm OS, J2ME, Linux, Symbian States Secret Service) throughout North America, Currently my research interests include but not OS, Windows Mobile, Android, and the iPhone. In South America, Europe, and Asia. limited to binary instrumentation, Java and Adobe 2006 he published the fi rst remote code execution Percoco and his research has been featured by Flash related vulnerabilities, application virtual exploit based on the multimedia messaging service many news organizations including:The Washington machines, reverse engineering methodology and (MMS). Collin’s most recent projects are in the area of Post, eWeek, PC World, CNET, Wired, Hakin9, toolsets. vulnerability analysis and offensive security. Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The 31 SPEAKERS Times of London, NPR, Gizmodo, Fast Company, published a signifi cant number of the vulnerabilities STEPHEN RIDLEY Financial Times and The Wall Street Journal. found in the applications of these vendors. He Stephen A. Ridley is a security researcher with more In 2011, SC Magazine named Percoco Security is the writer of multiple whitepapers devoted to than 10 years of experience in software development, Researcher of the Year. In addition, he was inducted information security research, and the author of the software security, and reverse engineering. He into the inaugural class of the Illinois State University book “Oracle Security from the Eye of the Auditor: currently serves as Director of Information Security for College of Applied Science and Technology Academy Attack and Defense” (in Russian). He is also one of a fi nancial services fi rm. Before this, Mr. Ridley served of Achievement. the contributors to Oracle with Metasploit project. as Senior Researcher at Matasano. Prior to that:Senior Percoco is a member of the Dean’s Advisory Board Alexander spoke at the international conferences Security Architect at McAfee where he helped build for The College of Applied Science & Technology like Black Hat, HITB (EU/ASIA), Source, DeepSec, the McAfee Security Architecture research group. at Illinois State University and a co-creator on CONFidence, Troopers. Before that, he was a founding member of ManTech the planning committee of THOTCON, a hacking International’s Security and Mission Assurance conference held in Chicago each year. He has a PHIL PURVIANCE AppSec Consulting (SMA) group where he did vulnerability research and Bachelor of Science in Computer Science from Illinois Phil Purviance is an Application Security Consultant for reverse engineering in support the U.S. defense State University. AppSec Consulting where he researches application and intelligence communities. He has spoken about security vulnerabilities and performs penetration reverse engineering and software security on every JAMES PHILPUT testing. Phil’s body of work includes the discovery continent except Australia and Antartica (Black Hat, Information Assurance Professionals and proof-of-concept exploitations of critical security ReCon, Summercon, EuSecWest, Syscan and others). James Philput has worked in Information Technology vulnerabilities, design fl aws, and system weaknesses Mr. Ridley currently lives in Manhattan and frequently for the past 15 years. Specializing in Information in hundreds of custom web sites and web application guest lectures at New York area universities such as Security, he has worked for organizations in the frameworks. Purviance also consults with clients and NYU and Rensselaer Polytechnic Institute. Education, Healthcare, Communications, Government, recommends helpful countermeasures that are useful and Defense fi elds. to mitigate serious security vulnerabilities. Phil’s recent IVAN RISTIC SSL Labs James is currently a Sr. Information Security Analyst exploit talks include the security of HTML5, and the Ivan Ristic is a respected security expert and with IAP, Information Assurance Professionals. There revealing of cross-site scripting vulnerabilities in Skype author, known especially for his contribution to the he works with clients to secure their infrastructure, for iOS. Phil’s contributions to the security community web application fi rewall fi eld and the development focusing on organizational architecture, and have earned him a placement into both the Google of ModSecurity, an open source web application compliance with applicable laws and standards. In and Facebook Security Hall of Fame. fi rewall. He is also the author of Apache Security, a addition to consulting on security architecture, James comprehensive security guide for the Apache web is responsible for the design and maintenance of the MARCUS RANUM Tenable Security, Inc. server, and ModSecurity Handbook. He founded SSL intrusion detection and prevention systems, writing and Marcus J. Ranum is a world-renowned expert on Labs, a research effort focused on the analysis of the updating information security policy, and running the security system design and implementation. He is real-life usage of SSL and the related technologies. A vulnerability assessment tools needed to keep abreast recognized as an early innovator in fi rewall technology, frequent speaker at computer security conferences, of potential vulnerabilities within client networks. and the implementor of the fi rst commercial fi rewall Ivan is a member of the Open Web Application Prior to his work with the IAP, James worked to product. Since the late 1980’s, he has designed a Security Project (OWASP), and an offi cer of the Web improve the state of information security as a whole number of groundbreaking security products including Application Security Consortium (WASC). in his time as an author and instructor for the SANS the DEC SEAL, the TIS fi rewall toolkit, the Gauntlet Institute. At SANS, James co-authored a course on fi rewall, and NFR’s Network Flight Recorder intrusion Linux Systems Administration, and acted as editor detection system. He has been involved in every level and technical reviewer for various security courses. of operations of a security product business, from While acting as an author and editor, James also developer, to founder and CEO of NFR. Marcus has taught various courses on information security and IT served as a consultant to many FORTUNE 500 fi rms operations at SANS conferences across the US. and national governments, as well as serving as a James plays an active role in the security guest lecturer and instructor at numerous high-tech community. An active participant of the GIAC advisory conferences. In 2001, he was awarded the TISC board, and several other mailing lists, he provides “Clue” award for service to the security community, information and opinion that is used to shape future and the ISSA Lifetime Achievement Award. Marcus training classes and best practices within the industry. is Chief of Security for Tenable Security, Inc., where James continues to work on a volunteer basis for the he is responsible for research in open source logging SANS Institute as a technical reviewer for new and tools, and product training. He serves as a technology updated course material, and has begun working as advisor to a number of start-ups, established a guest speaker for organizations such as the Virginia concerns, and venture capital groups. Information Security Offi cers Advisory Group and the League of Women Voters. RYAN REYNOLDS Crowe Ryan has been with Crowe for fi ve years and is the ALEXANDER POLYAKOV ERPSCAN Manager responsible for Crowe’s Penetration Testing Alexander Polyakov aka @sh2kerr, CTO at ERPSCAN, methodology and tool development. Ryan has a head of DSecRG and architect of ERPSCAN Security wide range of knowledge and experience in system scanner for SAP. His expertise covers security of administration and networking to include security enterprise business-critical software like ERP, CRM, applications and controls. He is a technical lead for SRM, RDBMS, banking and processing software. He engagements including application, network and is the manager of OWASP-EAS ( OWASP subproject), infrastructure penetration testing on both internal and a well-known security expert of the enterprise external systems. applications of such vendors as SAP and Oracle, who 32 SPEAKERS TOM RITTER iSEC Partners Yason on the subject of C++ reversing and Adobe FERMIN J. SERNA Google Tom Ritter is a Security Consultant at iSEC Partners, Reader’s Protected Mode Sandbox. His main research My name is Ferm’n J. Serna (aka Zhodiac). I was a strategic digital security organization, performing interests these days are in protection technologies and born in Madrid (Spain) in the 1979. I am a Computer application and system penetration testing and automated binary analysis tools. He is currently based Science Engineer graduated at the UCM, and currently analysis for multiple platforms and environments. He in Manila, Philippines. working for Google at the Mountain View (California) graduated from Stevens Institute of Technology with offi ces as a Information Security Engineer at the (ISE) a Masters in Computer Science; prior to iSEC, he RUBEN SANTAMARTA IOActive labs team. Previously I have worked for Microsoft at the has worked as a Security Engineer at a lead security Ruben Santamarta works as security researcher MSRC Engineering team. consulting company and a Team Lead in .Net and SQL at IOActive labs. He has been mainly focused on I have lots of things that attract my attention, mainly Server Development for a Financial Services Company. offensive security and research, discovering dozens security ones such as exploitation techniques, fuzzing, He has presented at security conferences in Europe, of vulnerabilities in leading software and industrial binary static analysis, reverse engineering, coding... North and South America and is involved in IETF vendors, also worked in other areas such as malware but also Artifi cial Intelligence, chess... Working Groups relating the internet-standard secure analysis or anti-fraud technologies. During the last few protocols. His research interests are centered around years he has been researching into the ICS security, SHREERAJ SHAH Blueinfy cryptography, anonymity, and privacy. releasing important vulnerabilities and presenting a Shreeraj Shah, B.E., MSCS, MBA, CSSLP is the research about very specifi c attacks against the power founder of Blueinfy, a company that provides CHRIS ROHLF Leaf Security Research grid. Ruben has been presenting at international application security services. Prior to founding Blueinfy, Chris Rohlf has been working in computer security conferences such as Ekoparty, AppSecDC, he was founder and board member at Net Square. for nearly a decade and is currently an Independent RootedCon. He also worked with Foundstone (McAfee), Chase Security Consultant and President of Leaf Security Manhattan Bank and IBM in security space. He is also Research (Leaf SR). Prior to founding Leaf SR, Chris BRUCE SCHNEIER the author of popular books like Web 2.0 Security, was a principal security consultant at Matasano Bruce Schneier is an internationally renowned Hacking Web Services and Web Hacking:Attacks Security in NYC. He has spent the last 10 years security technologist and author. Described by The and Defense. In addition, he has published several as a security researcher, consultant, developer Economist as a “security guru,” Schneier is best advisories, tools, and whitepapers, and has presented and engineer for organizations including the US known as a refreshingly candid and lucid security critic at numerous conferences including RSA, AusCERT, Department of Defense. He has spoken at industry and commentator. When people want to know how InfosecWorld (Misti), HackInTheBox, Black Hat, conferences including Black Hat Vegas 2009 and security really works, they turn to Schneier. His fi rst OSCON, Bellua, Syscan, ISACA etc. His articles are 2011, guest lectured at NYU Poly in Brooklyn NY, has bestseller, “Applied Cryptography”, explained how the regularly published on Securityfocus, InformIT, DevX, been published in IEEE Security and Privacy magazine arcane science of secret codes actually works, and Oreilly, HNS. His work has been quoted on BBC, Dark and is occasionally quoted by various media outlets. was described by Wired as “the book the National Reading, Bank Technology as an expert. His security advisories include every major web Security Agency wanted never to be published.” His browser, operating systems and more. book on computer and network security, Secrets SERGEY SHEKYAN Qualys and Lies, was called by Fortune “[a] jewel box of little Sergey Shekyan is a Senior Software Engineer MATHEW ROWLEY Matasano Security surprises you can actually use.” for Qualys, where he is focused on development Mathew Rowley is a security consultant for Matasano His current book, Beyond Fear, tackles the of the company’s on demand web application Security with over 6 years experience as a computer problems of security from the small to the large: scanning service. With more than 10 years of security professional. His experience includes reverse personal safety, crime, corporate security, national experience in software design, development, testing engineering, mobile security, web application security security. Schneier also publishes a free monthly and documentation, Sergey has contributed key assessment, network security, fuzzing, and application newsletter, Crypto-Gram, with over 100,000 readers. product enhancements and software modules to development. In its seven years of regular publication, Crypto-Gram various companies. Prior to Qualys, he designed has become one of the most widely read forums for and implemented a web-based system for general PAUL ROYAL free-wheeling discussions, pointed critiques, and aviation pilots. As a senior software engineer for Navis, serious debate about security. As head curmudgeon Georgia Institute of Technology he contributed to projects involving development of at the table, Schneier explains, debunks, and draws Paul Royal is a Research Scientist at the Georgia container terminal operating systems (TOS) simulation lessons from security stories that make the news. Institute of Technology, where he engages in software. He also designed and developed data Regularly quoted in the media, Schneier has written collaborative research on various facets of the online analysis software modules for Virage Logic, a provider op ed pieces for several major newspapers, and has criminal ecosystem. Prior to Georgia Tech, Royal of semiconductor IP for the design of complex testifi ed on security before the United States Congress served as Principal Researcher at Purewire, Inc, where integrated circuits. Prior to working at Virage Logic, on many occasions. Bruce Schneier is the founder he worked with other researchers to identify threats he developed manufacturing test program generation and CTO of Counterpane Internet Security, Inc., the and design methods that enhanced the company’s software for Credence Systems Corporation. Sergey world’s leading protector of networked information— web security service. Royal often focuses on research holds both Masters and BS Degrees in Computer the inventor of outsourced security monitoring and the topics interesting to both academics and industry Engineering from the State Engineering University of foremost authority on effective mitigation of emerging practitioners, with previous work presented at Black Armenia. IT threats. Hat USA that subsequently appeared in ACM CCS. ADAM SHOSTACK Microsoft SEAN SCHULTE Trustwave PAUL SABANAL IBM Shostack helped found the CVE, the Privacy Sean develops backend services for Trustwave SSL, Paul Sabanal is a security researcher on IBM ISS’s Enhancing Technologies Symposium and the and writes mobile apps and games in his spare time. X-Force Advanced Research Team. He has spent International Financial Cryptography Association. He’s done malware analysis on Android malware found most of his career as a reverse engineer, initially as He has been a leader at a number of successful in the wild, and discovered an Android design fl aw that a malware researcher and now focusing mainly on information security and privacy startups, and is he presented at DEF CON. vulnerability analysis and exploit development. He co-author of the widely acclaimed book, “The New has previously presented at Black Hat with Mark School of Information Security”. Shostack is currently 33 SPEAKERS a principal program manager on the Microsoft A PROUD DC9723 MEMBER, NOT memory management. Solomon’s main research areas Trustworthy Computing Usable Security team, where A MOSSAD AGENT, BREAKER center on the discovery of vulnerabilities introduced among other accomplishments, he’s Shostack helped OF CODE, RESEARCHER OF by the mismanagement of volatile computer memory found the CVE, the Privacy Enhancing Technologies and resource allocations. Solomon has devoted Symposium and the International Financial VULNERABILITIES THAT WILL many hours in academia mentoring students and Cryptography Association. He has been a leader at a NEVER SEE THE LIGHT OF DAY teaching Computer Science techniques. As a Network number of successful information security and privacy AND A GUY WHO WILL ALLWAYS Security Engineer, Solomon provides digital forensics startups, and is co-author of the widely acclaimed SAY WHAT IS ON HIS ON MIND SO capabilities and security solutions to better prevent, book, The New School of Information Security. BRACE YOUR SELVES. CHENGYU detect, respond to and mitigate network penetrations, Shostack is currently a principal program manager on SONG malware infections and other threats from large-scale the Microsoft Trustworthy Computing Usable Security Georgia Institute of Technology enterprise networks for the commercial, private, team, where among other accomplishments, he Chengyu Song is a PhD student at Georgia Institute of and government sectors. Solomon received his shipped the Microsoft Security Development Lifecycle Technology. His current research interest is in system Undergraduate Degree in Computer Science and is (SDL) Threat Modeling Tool and the Elevation of security, with a special focus on topics that may have currently pursuing Masters Degrees in Information Privilege threat modeling game as a member of the practical impact. Prior to Georgia Tech, Chengyu Systems Engineering and Computer Science. SDL team. received his Bachelor’s and Master’s degree at Peking University China, where he worked with other ALEX STAMOS Artemis MICKEY SHKATOV Intel Corporation researchers on malware analysis, botnet, underground Alex Stamos is the CTO of Artemis, the division of My name is Mickey Shaktov (AKA Laplinker), I am economy and drive-by download attacks. He is also a NCC Group that is taking on hard security problems from Israel and am an Information systems engineer member of the Honeynet Project. starting with the .Secure gTLD. He was the co-founder graduated at the BGU. I am currently unaffi liated to of iSEC Partners, one of the world’s premier security any corporation, Previously I have worked for Intel SOLOMON SONYA consultancies and also a part of NCC Group. Alex Corporation as a security researcher and evaluator, Solomon is an avid programmer and researcher has spent his career building or improving secure, breaking software, fi rmware and hardware. focusing on the analysis of malware and computer trustworthy systems, and is a noted expert in Internet SPEAKERS infrastructure, cloud computing and mobile security. and is the chairman of SummerCon, the nation’s Network Defense operations and the Naval Computer He is a frequently request speaker at conferences oldest hacker convention. Incident Response Team (NAVCIRT). such as Black Hat, DEF CON, Amazon ZonCon, Weatherford earned a bachelor’s degree from the Microsoft Blue Hat, FS-ISAC and Infragard. He holds RAFAEL DOMINGUEZ VEGA University of Arizona and a master’s degree from a BSEE from the University of California, Berkeley and MWR InfoSecurity the Naval Postgraduate School. He also holds the his personal security writings are available at http:// Rafa works in the UK as a Security Consultant Certifi ed Information Systems Security Professional unhandled.com. and Security Researcher for MWR InfoSecurity. He (CISSP) and Certifi ed Information Security Manager enjoys testing “out of the ordinary” technology and (CISM) certifi cations. He was awarded SC Magazine’s TIMOTHY STRAZZERE is particularly interested in embedded devices and prestigious “CSO of the Year” award for 2010. He Lookout Mobile Security hardware hacking. He has previously presented was named one of the 10 Most Infl uential People in Tim Strazzere is a Security Engineer at Lookout innovative research on topics such as USB drivers Government Information Security for 2012 by GovInfo Mobile Security. Along with writing security software, exploitation and Smart card hacking at various well Security. he specializes in reverse engineering and malware known security conferences. Weatherford is an avid runner and enters races analysis. Some interesting past projects include with his wife at least monthly. He also travels frequently for pleasure. having reversing the Android Market protocol, Dalvik DAVID VO FishNet Security decompilers and memory manipulation on mobile Over 10 years of IT experience. 5 yrs of experience in devices. AppSec and Mobile Security. Currently on the Mobility DON C. WEBER InGuardians team at FishNet Security working with MDM and Jack of All Trades and hardware analysis expert for VAAGN TOUKHARIAN Qualys Mobile Security. CISSP the InGuardians. Don specializes in physical and Toukharian is a developer for Qualys’s Web Application information technology penetration testing, web assessments, wireless assessments, architecture Scanner. He has been involved in the security industry MARIO VUKSAN ReversingLabs since 1999. Experience includes work on Certifi cation review, incident response/digital forensics, product Mario has been involved in development of advanced research, hardware research, code review, security Authority systems, encryption devices, large CAD security solutions for the last seven years and has systems, Web scanners. His outside of work interests tool development, and the list goes on. Don is rich engineering background spanning the last 20 currently focusing on hardware research specifi cally include Web Design, Photography, and Ironman years. Before founding ReversingLabs, Mario was the Triathlons. in the technologies surrounding products comprising Director of Research at Bit9 and one of its founding the SMART GRID. He has focused on implementing engineers. He spoke at numerous conferences over various communication protocols and microprocessor SUNG-TING TSAI Trend Micro the last 6 years including CEIC, Black Hat, RSA, disassemblers/emulators for research, testing, risk Sung-ting (TT) is a manager of an advanced threat DEF CON, Caro Workshop, Virus Bulletin and AVAR assessment, and anything else you can think of with research team in core tech department of Trend Micro. Conferences. He is author of numerous blog posts on these technologies. His major areas of interest include document exploit, security and has authored “Protection in Untrusted malware detection, sandbox technologies, system Environments” chapter for the “Virtualization for vulnerability and protection, web security, cloud and Security” book. He coordinates AMTSO Advisory RALF-PHILLIP WEINMANN virtualization technology. He also has been doing Board and works with IEEE Malware Working Group. University of Luxembourg document application security research for years, and Ralf-Philipp Weinmann is a research associate at the Interdisciplinary Centre for Security, Reliability and Trust has presented his researches in Black Hat USA 2011, MARK WEATHERFORD Cybersecurity Syscan Singapore 10 and Hacks in Taiwan 08. He and (SnT) of the University of Luxembourg. His research Mark Weatherford is the Deputy Under Secretary interests lie in the intersection of cryptography, Ming-chieh are members of CHROOT security group for Cybersecurity for the National Protection and in Taiwan. privacy, mobile security and reverse-engineering. In Programs Directorate (NPPD), a position that will allow the past years was involved in speeding up attacks DHS NPPD to create a safe, secure, and resilient against WEP, the deDECTed.org team that broke the CHRIS VALASEK Coverity cyberspace. Weatherford has a wealth of experience proprietary crypto of DECT, PWN2OWN wins and the Chris Valasek is a Senior Security Researcher at in information technology and cybersecurity at the fi rst demonstrated remote vulnerabilities in cellular Coverity. As part of the security research team in Federal, State and private sector levels. baseband stacks. He is one of the authors of the “iOS the Offi ce of the CTO, Valasek is focused on reverse Weatherford was previously the Vice President and Hacker’s Handbook”. engineering and researching new and existing security Chief Security Offi cer of the North American Electric vulnerabilities; building this knowledge into the Coverity Reliability Corporation (NERC) where he directed the technology portfolio and share it broadly across the cybersecurity and critical infrastructure protection RAFAL WOJTCZUK Bromium development community. Prior to Coverity, Valasek program. Rafal Wojtczuk has over 15 years of experience with was a Senior Research Scientist at Accuvant LABS Before NERC, Weatherford was with the State computer security. Specializing primarily in kernel and and IBM Internet Security Systems. Valasek’s research of California where he was appointed by Governor virtualization security, over the years he has disclosed focus spans areas such as vulnerability discovery, Arnold Schwarzenegger as the state’s fi rst Chief many security vulnerabilities in popular operating exploitation techniques, and reverse engineering, Information Security Offi cer. Prior to California, he system kernels and virtualization software. He is also contributing public disclosures and authoring research served as the fi rst Chief Information Security Offi cer well known for his articles on advanced exploitation on these topics to the broader security community. for the State of Colorado, where he was appointed by techniques, including novel methods for exploiting While Valasek is best known for his publications two successive governors. Previously, as a member buffer overfl ows in partially randomized address space regarding the Microsoft Windows Heap, his research of the Raytheon Company, he successfully built and environments. Recently he was researching advanced has broken new ground in areas such as vulnerability directed the Navy/Marine Corps Intranet Security Intel security-related technologies, particularly TXT and discovery, exploitation techniques, reverse engineering, Operations Center (SOC) in San Diego, California, VTd. He is also the author of libnids, a low-level packet source code and binary auditing, and protocol and also was part of a team conducting security reassembly library. He holds a Master’s Degree in analysis. Valasek has presented his research at major certifi cation and accreditation with the U.S. Missile Computer Science from University of Warsaw. international security conferences including Black Hat Defense Agency. A former U.S. Navy Cryptologic USA and Europe, ekoparty, INFILTRATE, and RSA, Offi cer, Weatherford led the U.S. Navy’s Computer 35 SPEAKERS MARK VINCENT YASON IBM KRZYSZTOF KOTOWICZ other activities with L0pht included signifi cant security Mark Vincent Yason is a security researcher on AppSec Consulting research, publication work and public speaking IBM’s X-Force Advanced Research team. Mark’s Krzysztof Kotowicz is a Web security researcher engagements. Mr. Rioux is also responsible for current focus area is vulnerability and exploit research specialized in the discovery and exploitation of HTML5 numerous security advisories in many applications, -he analyzes known vulnerabilities, discovers new vulnerabilities. He is the author of multiple recognized operating systems and environments. He is recognized vulnerabilities, studies exploitation techniques, and HTML5/UI redressing attack vectors. Speaker at as an authority in the areas of Windows product creates detection guidance/algorithms which are used international IT security conferences & meetings vulnerability assessment, application optimization and in the development of IDS/IPS signatures. He also (SecurityByte, HackPra, Hack In Paris, CONFidence). program analysis. previously worked on malware research which naturally Works as IT security consultant with SecuRing and His background includes 23 years of computer involved some degree of software protection research. IT security trainer with Niebezpiecznik.pl. Author of programming and software engineering experience He authored the paper “The Art of Unpacking” and co- the “Hacking HTML5” training program. Takes part on a wide range of platforms and for numerous authored the papers “Reversing C++” and “Playing In in multiple Security Bug Bounty programs (Google companies, including fi nancial institutions, mechanical The Reader X Sandbox”, all of which were previously Security Bug Bounty, Facebook White Hat, Piwik engineering fi rms, educational institutions and presented at Black Hat. Security Bug Bounty). multimedia groups. He graduated from the Massachusetts Institute LONG LE of Technology in 1998, with a Bachelor’s Degree in Computer Science. WORKSHOPS Long Le, CISA, is a security manager at one of the largest software outsourcing companies in Vietnam. ATLAS He has been actively involved in computer security for CORY SCOTT Matasano Security Cory Scott is a director at Matasano Security, an Atlas is a doer of stuff. inspired by the illustrious sk0d0, more than 10 years since he and his friends founded independent security research and development fi rm egged on by invisigoth of kenshoto, atlas has done the pioneer Vietnamese security research group that works with vendors and enterprises to pinpoint a lot of said ‘stuff’ and lived to talk about it. whether VNSECURITY (http://vnsecurity.net). Described as and eradicate security fl aws, using penetration testing, he’s breaking out of virtual machines, breaking into neither a researcher nor a hacker, he loves playing reverse engineering, and source code review. Prior banks, or breaking into power systems, atlas is always wargames and Capture-The-Flag with the CLGT team to joining Matasano, he was the Vice President of entertaining, educational and fun. in his spare time. He was also a speaker at various conferences including Black Hat USA, HackInTheBox, Technical Security Assessment at ABN AMRO / SyScan, PacSec. Royal Bank of Scotland. He also has held technical TIMUR DUEHR Matasano Security management positions at @stake and Symantec. Timur Duehr is a Senior Security Consultant at He has presented at Black Hat Briefi ngs, USENIX, KYLE OSBORN AppSec Consulting Matasano Security with over seven years computer OWASP and SANS. consulting experience and a Master’s degree in Kyle Osborn is a penetration tester at AppSec Mathematics. His professional experience includes Consulting, where he specializes in web application MICHAEL TRACY Matasano Security application development, security assessment, and security, network penetration, and physical Mike is a senior security consultant at Matasano. code review. assessments. He plays a bad guy at the Western At Matasano he develops security assessment Regional Collegiate Cyber Defense Competition. tools, maintains Ragweed and Buby, performs Osborn has developed a CTF, with his team, for the JONATHAN ZDZIARSKI viaForensics blackbox and code assisted penetration tests, and United States Cyber Challenge ÒCyber CampsÓ, Jonathan is Sr. Forensic Scientist for viaForensics, a source code audits. He has tested applications where a number of campers competed in. Osborn has Chicago-based consulting fi rm where, among other employing numerous technologies. Previously, he has previously discussed browser and mobile security at things, he performs research and development, and presented at OWASP Chicago and Black Hat Arsenal. prominent conferences such as Black Hat USA, DEF penetration testing of iOS applications for corporate CON, Toorcon, DerbyCon, and TakeDownCon. clients. Jonathan gets paid, in part, to hack things for ERIC FULTON a living. Jonathan Zdziarski is better known as the hacker Eric Fulton is a specialist in network penetration testing CHRISTIEN RIOUX Veracode “NerveGas” in the iPhone development community. and web application assessments. His clients have Christien Rioux, co-founder and chief scientist of His work in cracking the iPhone helped lead the included Fortune 500 companies, international fi nancial Veracode, is responsible for the technical vision and effort to port the fi rst open source applications, and institutions, global insurance fi rms, government entities, design of Veracode’s advanced security technology. his fi rst iOS-related book, iPhone Open Application telecommunications companies, as well as world- Working with the engineering team, his primary Development, taught developers how to write renowned academic and cultural institutions. In his role is the design of new algorithms and security applications for the popular device long before Apple spare time, Eric works with local students to provide analysis techniques. Before founding Veracode, Mr. introduced its own SDK. Jonathan has since written hands-on security training, and conducts independent Rioux founded @stake, a security consultancy, as several books on iOS, including iPhone Forensics, security research on a number of topics. well as L0pht Heavy Industries, a renowned security think tank. Mr. Rioux was a research scientist at @ iPhone SDK Application Development, and his latest stake, where he was responsible for developing new book, Hacking and Securing iOS Applications. ABRAHAM KANG HP Fortify software analysis techniques and for applying cutting Jonathan frequently trains and consults law Currently am a Principal Security Researcher with HP edge research to solve diffi cult security problems. He enforcement agencies to assist forensic examiners in Fortify Have been focused on Application Security for also led and managed the development for a new high profi le criminal cases. over 8 years. Working as a Security Architect, Security enterprise security product in 2000 known as the Code Reviewer/Vulnerability Researcher and Principal SmartRisk Analyzer (SRA), a binary analysis tool and Security Researcher. Contributed content and articles its patented algorithms, and has been responsible for for the OWASP Guide and OWASP Cheat Sheets. its growth and development for the past fi ve years. Have been a developer since 1996. Have a At L0pht, he co-authored the best-selling Windows Bachelor of Science from Cornell University and Juris password auditing tool @stake LC (L0phtCrack) and Doctor from Lincoln Law School of San Jose. the AntiSniff network intrusion detection system. His 37 SPEAKERS TURBO TALKS RYAN BARNETT SpiderLabs Ryan Barnett joined SpiderLabs after a decade in computer security. As Research -Surveillance Team Leader, he leads the SpiderLab team which specializes in application defense. This includes SPAM fi ltering, network IDS/IPS and web application fi rewalls. His main area of expertise is in application defense research. Barnett is renowned in the industry for his unique expertise. He has serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set Project Leader and Project Contributor on the OWASP Top Ten and AppSensor Projects. He is a Web Application Security Consortium (WASC) Board Member and Project Leader for the Web Hacking Incident Database (WHID) and the Distributed Web Honeypot Projects. He is also a Certifi ed Instructor at the SANS Institute. Barnett is regularly consulted by industry news outlets like Dark Reading, SC Magazine and of the Air Force Application Software Assurance Market, and has consulted for many more. He is the Information Week. He is the author of Preventing Web Center of Excellence (ASACoE). author of “Cryptography for Internet and Database Attacks with Apache (Addison-Wesley Professional, Applications” (Wiley), and was awarded a number of 2006.) Key industry events he has addressed include patents in the area of social networking. He holds a Black Hat, SANS AppSec Summit and the OWASP ANG CUI Columbia University master’s degree in mathematics from Boston University. Global Summit. Ang Cui is currently a PhD student at Columbia University in the Intrusion Detection Systems Laboratory. His research focuses on the exploitation RYAN HOLEMAN Ziften Technologies SEAN BARNUM The MITRE Corporation and defense of embedded devices. Before starting his Ryan Holeman resides in Austin Texas where he Sean Barnum is a Cyber Security Principal at The PhD, Ang worked as a security specialist within various works as a senior server software developer for MITRE Corporation where he acts as a thought fi nancial institutions. Ziften Technologies. He has a Masters of Science leader and senior advisor on software assurance in Software Engineering and has published papers and cyber security topics to a wide variety of US though ICSM and ICPC. His spare time is mostly spent government sponsors throughout the national ALBAN DIQUET iSEC Partners digging into various network protocols and shredding security, intelligence community and civil domains. Alban Diquet is a Senior Security Consultant at iSEC local skateparks. He has over 25 years of experience in the software Partners, a strategic digital security organization, industry in the areas of architecture, development, performing application and system penetration testing software quality assurance, quality management, and analysis for multiple platforms and environments. MATIAS KATZ process architecture & improvement, knowledge While at iSEC, Alban has led or contributed to Matias Katz is a Penetration Tester who specializes management and security. He is a frequent numerous security assessments on a variety of Web security analysis. He loves to build simple tools to contributor, speaker and trainer for regional, national client/server applications, including large scale web perform discovery and exploitation on any software or and international cyber security and software quality applications, iOS/Android applications, thick clients, network. Also, he is Super Mario World master!! publications, conferences & events. He is very active and server applications. Alban’s research interests in the Cyber Security community and is involved include web security, SSL, and PKI. He recently ZACH LANIER Veracode in numerous knowledge standards-defi ning efforts released an open source SSL scanner written in Zach Lanier is a Security Researcher with Veracode, including the Common Weakness Enumeration Python, called SSLyze. specializing in network, mobile, and web application (CWE), the Common Attack Pattern Enumeration Prior to working at iSEC, Alban was a Software security. Prior to joining Veracode, Zach served as and Classifi cation (CAPEC), the Software Assurance Engineer at Sigma Designs Inc, where he was Principal Consultant with Intrepidus Group, Senior Findings Expression Schema (SAFES), the Malware implementing Digital Right Management solutions for Network Security Analyst at Harvard Business Attribute Enumeration and Characterization (MAEC), video content. Alban received a M.S. in Computer School, and Security Assessment Practice Manager the Cyber Observables eXpression (CybOX), and Electrical Engineering from the “Institut Superieur at Rapid7. He has spoken at a variety of security the Indicator Exchange eXpression (IndEX), the d’Electronique de Paris” in Paris, France, and a M.S conferences, including INFILTRATE, ShmooCon, and Structured Threat Information eXpression (STIX) and in “Secure and Dependable Computer Systems” from SecTor, and is a co-leader of the OWASP Mobile other elements of the Cyber Security Programs of Chalmers University, in Gothenburg, Sweden. Security Project. Zach likes Android, vegan food, and the Department of Homeland Security, Department cats (but not as food). of Defense and NIST. He is coauthor of the book NICK GALBREATH Etsy “Software Security Engineering:A Guide for Project Nick Galbreath is a director of engineering at Etsy, Managers”, published by Addison-Wesley. He serves EIREANN LEVERETT IOActive overseeing groups handling security, fraud, security, Eireann Leverett studied Artifi cial Intelligence and as the offi cial liaison between ISO/IEC JTC 1/SC 27/ authentication and other enterprise features. Over WG 3 and the Cyber-Security Naming & Information Software Engineering at Edinburgh University and went the last 18 years, Nick has held leadership positions on to get his Masters in Advanced Computer Science Structures Group. He also acted as the lead technical in number of social and e-commerce companies, subject matter expert for design and implementation at Cambridge. He studied under Frank Stajano and including Right Media, UPromise, Friendster, and Open Jon Crowcroft in Cambridge’s computer security 38 speakers group. In between he worked for GE Energy for 5 focusing on web and mobile application penetration Maximiliano Soler years and has just finished a six month engagement testing, code review, and secure coding guidelines. Maximiliano Soler lives in Buenos Aires, Argentina and with ABB in their corporate research Dept. He now She also performs independent security research, currently works as Security Analyst, in a International proudly joins IOActive to focus on Smart Grid and and has presented at security conferences such Bank. Maxi has discovered vulnerabilities in different SCADA systems. as Black Hat, DEF CON, DeepSec, IT-Defense and applications Web and Microsoft’s products. His MPhil thesis at Cambridge was on the SysScan. Her research interests include emerging increasing connectivity of industrial systems to the web application technologies, dynamic vulnerability Tom Steele FishNet Security public internet. He focussed on finding the cheapest assessment tools, Rich Internet Applications (RIA), and Tom Steele hails from Seattle Washington where he way to find and visualise these exposures and mobile device security. works as a Security Consultant at FishNet Security. associated vulnerabilities. He shared the data with The dynamic nature of his current role allows him to ICS-CERT and other CERT teams globally, and Chris Patten touch many areas of the offensive security spectrum. presents regularly to academics and government Chris Patten performs penetration testing both day When not working he can be found gaming and agencies on the security of industrial systems. and night while researching new attack techniques. creating tools to solve complex problems. More importantly, he is a circus and magic Chris has been participating in the security community enthusiast, and likes to drink beer. for a number of years in various capacities. Only Greg Wroblewski Microsoft over the last year has his personal and professional Greg Wroblewski, PhD, CISSP, is a senior security Morgan Marquis-Boire Google interests aligned allowing for numerous opportunities researcher at Microsoft’s Trustworthy Computing Morgan Marquis-Boire is a Security Engineer at to get back to the real passion with technology. Security group. Over the last 8 years he worked in Google on the Incident Response Team. He acts as Fortunately, Chris has the pleasure to currently work many areas of security response, presenting part of a Technical Adviser at the Citizen Lab, Munk School with some very talented individuals affording him the his work at Black Hat 2007. At Microsoft he focuses of Global Affairs, University of Toronto and was one of opportunity to consistently share penetration testing on security problems in on-line services, detection of the original organizers of the KiwiCON conference in experiences. attacks and pentesting. In the past he was responsible New Zealand. In addition to talking about himself in the for the technical side of patches in over 50 Patch 3rd person and presenting at security conferences, he Andrew Reiter Veracode Tuesday bulletins as well as hardening products has spent time moon-lighting in such diverse fields as Andrew Reiter has been in someway involved with the like Windows and Office 2007. Recently he lead environmentalism and academia. security industry since the late 1990s. He has worked development effort to port ModSecurity module to IIS as a security researcher for Foundstone, BindView, and nginx servers. Justine Osborne iSEC Partners and WebSense. Currently, he is working on the Justine Osborne is a Principal Security Consultant for research team at Veracode. Andrew holds a BS and iSEC Partners, an information security organization. MS in Mathematics from UMASS-Amherst. At iSEC, Justine specializes in application security, DAY ZERO BRIEFINGS Tuesday, July 24 / Palace Ballroom III / 18:30-20:30 We’ve all been there. It is the night before the big show, you checked into the hotel, clothes put away, and maybe even a quick VPN back into the office to confirm that everything’s not on fire. And now what? Black Hat is pleased to announce the first ever Day Zero Briefings, a series of light-hearted and fun presentations. In addition to the briefings, drop by the Day Zero Lounge and have a bit of food and an adult beverage courtesy of Black Hat. The Lounge will also contain a gaming area powered by Microsoft and Xbox. Oh yes, there will be prizes. 18:30-18:50: Review Board Meet and Greet Join the members of the Black Hat Review Board for an entertaining panel discussion. Ever wonder how the content was selected? Or which talks the Review Board Members are looking forward to? Come and join the discussion. 19:00-19:20: Collegiate Cyber Defense Competition: The Game Representatives of the CCDC will be on hand to explain the first ever onsite Black Hat cyber challenge. Hop on the alternate SSID and join the fun. With prizes and bragging rights on the line, expect stiff competition. 19:30-20:30: My Arduino Can Beat Up Your Hotel Room Lock by Cody Brocious Nearly ten million Onity locks are installed in hotels worldwide, representing 1/3 of hotels and about 50% of hotel locks. This presentation will show, in detail, how they’re designed and implemented. Then we will take a look at how they are insecure by design and release a number of critical, unpatchable vulnerabilities. 39 FLOOR PLAN PROMENADE SOUTH EMPERORS LEVEL PROMENADE LEVEL FLOOR 4 FLOOR 3 NEOPOLITAN BALLROOM 1 + 2 + 3 + 4 5 + 6 UMBRIA 5 + 6 + 7 + 8 OCTAVIUS OCTAVIUS BALLROOM AUGUSTUS BALLROOM TUSCANY + BALLROOM + MILANO BALLROOM FORUM 3 + 4 FORUM OCTAVIUS BALLROOM BALLROOM BALLROOM 1 + 2 + 3 + 4 Sponsor Hall FLOOR 3 + FLOOR 4 1 + 2 + ARSENAL FORUM BALLROOM The Embassy Hall SOK VERONA Black Hat TURIN Registration PISA TREVI EMPERORS BALLROOM PALERMO POOL LEVEL SIENA VENICE Black Hat TARRANTO Store SICILY BOOKSTORE Information Booth POMPEIAN BALLROOM 1 + 2 + 3 + 4 23 1 TRIBUNE LIVORNO CAMPANIA 22 2 1 PATRICIAN 24 25 21 3 MESSINA CALABRIA PALACE ROMAN BALLROOM 20 4 BALLROOM 1 + 2 + 3 + 4 ABRUZZI FORUM BALLROOM 2 GENOA 19 5 18 3 17 6 FLOOR 3 + FLORENTINE FLOOR 4 BALLROOM 16 15 14 13 12 11 10 9 8 7 + 1 + 2 + 3 + 4 OCTAVIUS BALLROOM DAY 1 ONLY DAY 2 ONLY SPECIAL EVENTS DEFINING THE SCOPE ...... AUGUSTUS III + IV BIG PICTURE ...... AUGUSTUS III + IV RECEPTION ...... OCTAVIUS BALLROOM UPPER LAYERS ...... AUGUSTUS I + II WEB APPS—NATHAN HAMIEL ...... AUGUSTUS I + II PWNIE AWARDS...... AUGUSTUS III + IV LOWER LAYERS ...... AUGUSTUS V + VI MALWARE—STEFANO ZANERO ...... AUGUSTUS V + VI MOBILE—VINCENZO IOZZO ...... PALACE I ENTERPRISE INTRIGUE ...... PALACE I DAYS 1+2 DEFENSE—SHAWN MOYER ...... PALACE II 92.2% MARKET SHARE ...... PALACE II BREAKFAST ...... OCTAVIUS BALLROOM BREAKING THINGS—CHRIS ROHLF . . . . .PALACE III OVER THE AIR AND IN THE DEVICE . . . . . PALACE III KEYNOTE ...... AUGUSTUS BALLROOM GNARLY PROBLEMS ...... ROMANS I-V MASS EFFECT ...... ROMANS I-IV LUNCH ...... FORUM BALLROOM APPLIED WORKSHOP I ...... FLORENTINE APPLIED WORKSHOP I ...... FLORENTINE SPONSOR HALL ...... OCTAVIUS BALLROOM APPLIED WORKSHOP II ...... POMPEIAN APPLIED WORKSHOP II ...... POMPEIAN EMBASSY HALL: MEDIA PARTNERS . . . . OCTAVIUS FOYER ARSENAL ...... AUGUSTUS FOYER 40 FLOOR PLAN: SPONSOR HALL OCTAVIUS BALLROOM Wednesday 7/25 08:00-19:30 – Thursday 7/26 08:00-17:00 730 728 726 716 714 712 621 607 601 629 627 617 613 642 640 634 628 626 624 620 616 612 509 501 537 535 529 525 521 517 513 536 534 530 528 524 518 441 409 401 435 431 429 425 419 Coffee Station 442 440 436 434 430 428 426 424 418 309 301 337 335 331 329 325 319 336 334 330 328 326 320 316 312 241 201 237 235 229 227 221 217 213 ENTRANCE TO THE SPONSOR HALL 242 240 234 230 226 216 212 121 107 101 143 141 137 135 131 129 127 117 115 113 EMBASSY TT8 TT5 TT4 TT3 P5 P3 HALL TT9 TT7 TT6 TT2 TT1 P4 P2 P1 SPONSOR BOOTH NUMBERS AccessData Group ...... 534 FireMon ...... 517 Mykonos Software ...... 441 Securonix ...... 129 Veracode ...... 229 Accuvant LABS ...... 107 Fluke Networks ...... 426 nCircle ...... 628 Silicium Security ...... 230 Verizon ...... 121 AlienVault ...... 442 Foreground Security ...... 212 NCP Engineering ...... 716 Silver Sponsor ...... 334 Vmware ...... 524 Amazon.com ...... 430 Forescout Technologies, Inc. . . . . 513 Neohapsis ...... 115 Skybox Security ...... 642 WatchGuard Technologies...... 436 Barracuda Networks ...... 636 Fortinet ...... 640 Net Optics ...... 617 Solera Networks ...... 418 WhiteHat Security ...... 234 BeyondTrust...... 629 GFI ...... 613 Norman ASA ...... 319 Sophos ...... 137 Bit9, Inc...... 331 Guidance Software ...... 113 Onapsis, Inc ...... 316 Splunk...... 320 EMBASSY HALL Blue Coat Systems, Inc ...... 621 GuruCul ...... 143 OPSWAT ...... 235 SSH Communications Security . . 536 Appthority ...... P3 Booz Allen Hamilton ...... 325 HBGary, Inc ...... 428 Oracle ...... 135 StillSecure ...... 217 Carnegie Mellon University ...... P1 Cisco...... 309 HP Enterprise Security ...... 312 Palo Alto Networks, Inc...... 429 Stonesoft ...... 213 ERPScan ...... P4 Click Security ...... 326 IBM ...... 601 Parsons ...... 535 StrongAuth, Inc...... 240 Pwnie Express ...... P2 Codenomicon ...... 328 Imation Mobile Security ...... 726 PhishMe.com...... 712 Stroz Friedberg LLC ...... 237 yaSSL ...... P5 Core Security Technology ...... 409 Immunity Inc...... 330 Pico Computing ...... 424 Symantec ...... 101 Alta Associates Executive Coverity ...... 728 Imperva ...... 425 Qualys ...... 401 TeleCommunication Systems Inc . 714 Women’s Forum ...... TT2 Cybertap LLC ...... 521 Lancope ...... 336 Radware ...... 624 Tenable Network Security ...... 431 Cloud Security Alliance ...... TT7 Damballa Inc...... 620 Lieberman Software ...... 241 Rapid7 ...... 518 The Hacker Academy ...... 242 Denim ...... TT1 Dell SecureWorks ...... 419 LogLogic, Inc ...... 329 Red Lambda ...... 117 Trend Micro Incorporated ...... 626 Electronic Frontier Foundation . . . TT8 Dell SonicWALL ...... 528 LogRhythm ...... 607 RedSeal Networks ...... 525 Tripwire ...... 226 Federal Reserve Bank of SF . . . . TT3 Emulex ...... 141 Lookingglass Cyber Solutions . . . 501 Research in Motion ...... 335 Trustwave ...... 507 Information Systems ESET North America ...... 537 Mandiant ...... 337 Reversing Labs ...... 131 University of Maryland University Security Association...... TT4 F5 Networks ...... 127 McAfee an Intel Company ...... 435 RSA ...... 201 College ...... 634 LimitlessShot ...... TT9 Fidelis Security Systems ...... 616 Microsoft Corporation ...... 301 RUNE ...... 434 ValidEdge ...... 627 OWASP Foundation ...... TT5 FireEye ...... 529 MITRE–CVE/OVAL ...... 216 Saint Corp ...... 612 Vasco Data Security ...... 730 UTSA-CCDC ...... TT6 FireHost...... 221 Mocana ...... 227 SecureNinja ...... 440 Venafi , Inc...... 530 41 ARSENAL SCHEDULE Day 1 Pod 1 Pod 2 Pod 3 Pod 4 Pod 5 Pod 6 Pod 7 9:00 Keynote Speaker 10:00 Break 10:15 peepdf HTExploit ThreadFix Oyedata for OData ice-hole 0.3 (beta) Registry Decoder phpmap by Jose Miguel bypassing htaccess by Dan Cornell Assessments by Darren Manners by Lodovico by Matt Bergin Esparza Restrictions by Gursev Singh Marziale by Maximiliano Soler Kalra 11:15 Break 11:45 Armitage OWASP Broken Web FakeNet SAP Proxy ARPwner Smartphone Generic Metasploit by Raphael Mudge Applications Project by Andrew Honig by Ian De Villiers by Nicolas Trippar Pentesting NTLM Relayer by Chuck Willis Framework by Rich Lundeen by Georgia Weidman 12:45 Lunch 14:15 zCore IPS Tenacious Diggity: GDFuzz ..cantor.dust.. AWS Scout iSniff GPS CrowdRE by Itzhak (Zuk) New Google Hacking by Rahul Sasi by Christopher by Jonathan by Hubert Seiwert by Georg Wicherski Avraham Diggity Suite Tools Domas Chittenden by Francis Brown 15:15 Break 15:30 WATOBO: Web ModSecurity Open LiME Forensics 1.1 Semi-Automated iOS Vega Burp Extensibility MAP Application Toolbox Source WAF by Joe Sylve Rapid Assessment by David Mirza Suite by Jerome Radcliffe by Andreas Schmidt by Ryan Barnett by Justin Engler Ahmad by James Lester Day 2 Pod 1 Pod 2 Pod 3 Pod 4 Pod 5 Pod 6 Pod 7 9:00 Keynote Speaker 10:00 Break 10:15 peepdf ModSecurity Open ThreadFix Oyedata for OData backfuzz CrowdRE phpmap by Jose Miguel Source WAF by Dan Cornell Assessments by Matías Choren by Georg Wicherski by Matt Bergin Esparza by Ryan Barnett by Gursev Singh Kalra 11:15 Break 11:45 Armitage OWASP Broken Web FakeNet bypassing Every Gsploit Smartphone Generic Metasploit by Raphael Mudge Applications Project by Andrew Honig CAPTCHA provider by Gianni Gnesa Pentesting NTLM Relayer by Chuck Willis with clipcaptcha Framework by Rich Lundeen by Gursev Singh by Georgia Weidman Kalra 12:45 Lunch 14:15 zCore IPS Tenacious Diggity: GDFuzz ..cantor.dust.. MIRV iSniff GPS Redline by Itzhak (Zuk) New Google Hacking by Rahul Sasi by Christopher by Konrads by Hubert Seiwert by Lucas Avraham Diggity Suite Tools Domas Smelkovs Zaichkowsky by Francis Brown 15:15 Break 15:30 Kautilya and XMPPloit LiME Forensics 1.1 MAP Vega Burp Extensibility Incident Response Nishang by Luis Delgado by Joe Sylve by Jerome Radcliffe by David Mirza Suite Analysis by Nikhil Mittal Ahmad by James Lester Visualization and Threat Clustering through Genomic Analysis by Anup Ghosh Sponsored by 42 ARSENAL TALKS Back by popular demand, we International Bank. Maxi has discovered vulnerabilities 7. Data generator for EDMSimpleType test data are pleased to offer a Tool/ in different applications Web and Microsoft’s products. generation. Demo area that will allow 8. Ability to generate “Read URIs” for Entities, Entity THREADFIX Properties and Entity Property Values. delegates to view and test 9. Ability to identify Keys, Nullable and Non-Nullable open source community tools BY DAN CORNELL Denim Group Properties and indicate the same in the attack fi rsthand and have direct ThreadFix is an open source software vulnerability templates. access to the developers of aggregation and management system that allows 10. Web proxy, HTTP and HTTPS support. the tools. software security teams to reduce the time it takes BIO: Gursev Singh Kalra serves as a Principal to fi x software vulnerabilities. ThreadFix imports the Consultant with Foundstone Professional Services, a PEEPDF results from dynamic, static and manual testing to division of McAfee. Gursev has done extensive security BY JOSE MIGUEL ESPARZA provide a centralized view of software security defects research on CAPTCHA schemes and implementations. S21sec across development teams and projects. The system He has written a Visual CAPTCHA Assessment peepdf is a Python tool to explore PDF fi les in order allows companies to correlate testing results and tool TesserCap that was voted among the top ten to fi nd out if the fi le can be harmful or not. The aim of streamline software remediation efforts by simplifying web hacks of 2011. He has identifi ed CAPTCHA this tool is to provide all the necessary components feeds to software issue trackers. By auto generating implementation vulnerabilities like CAPTCHA Re-Riding that a security researcher could need in a PDF analysis web application fi rewall rules, this system also allows Attack, CAPTCHA Fixation and CAPTCHA Rainbow without using 3 or 4 tools to make all the tasks. It’s companies to protect vulnerable applications while tables among others. He is actively pursuing OData included in BackTrack and REMnux. remediation activities occur. ThreadFix empowers security research as well. He has also developed open Some of the peepdf features: managers with vulnerability trending reports that source SSL Cipher enumeration tool SSLSmart and demonstrate software security progress over time. has spoken at conferences like ToorCon, OWASP, U It shows all the objects in the document, BIO: Dan Cornell has over fi fteen years of NullCon, Infosec Southwest and Clubhack. highlighting the suspicious elements and potential experience architecting and developing web-based vulnerabilities. software systems. He leads Denim Group’s security U It supports all the most used fi lters and encodings. ICE-HOLE 0.3 (BETA) research team in investigating the application of secure U It can parse different versions of a fi le, object BY DARREN MANNERS coding and development techniques to improve web- streams and encrypted documents. SyCom Technologies based software development methodologies. U It provides Javascript and shellcode analysis Ice-hole is a java email phishing tool that identifi es Dan was the founding coordinator and chairman wrappers, thanks to Spidermonkey and Libemu. when a user has clicked on the link. It allows internal for the Java Users Group of San Antonio (JUGSA) and U It’s able to create new PDF fi les and modify existent organizations to test their users social engineering currently serves as the OWASP San Antonio chapter ones using obfuscation techniques. defenses. The tool can be used in conjunction with leader, member of the OWASP Global Membership U It’s able to extract all the information easily thanks various third party software like SET, Java Keystroke Committee and co-lead of the OWASP Open Review to its interactive console. loggers and the BEEF framework to create real life Project. Dan has spoken at such international social engineering attacks. Ice-Hole can also be used BIO: Jose Miguel Esparza is a security researcher conferences as RSA, OWASP AppSec USA, and with training websites to not only capture when a user and has been working as e-crime analyst at S21sec OWASP EU Summit in Portugal. clicks on a link, but register when their training has e-crime for more than 5 years, focused in botnets, been completed. A simple email phishing tool that can malware and Internet fraud. Author of some exploits be expanded upon in multiple ways and analysis tools (http://eternal-todo.com/tools) like OYEDATA FOR ODATA BIO: 9 years Royal Naval Intelligence peepdf and Malybuzz, with which he has discovered ASSESSMENTS (Communication Technician (Analyst). Worked for vulnerabilities in several products. He is also a regular BY GURSEV SINGH KALRA 12 years in various security roles with VAR’s and writer in the S21sec blogs (http://blog.s21sec.com Foundstone, A Division of McAfee education. Certifi cations obtained include; SANS GSE and http://securityblog.s21sec.com) and http://eternal- OData is a new data access protocol that is being (#42), CCIE sec (18929), OSCP, CISSP, and others. todo.com about security and threats in Internet, and adopted by many major software manufacturers such Written papers on iPhone backup fi les for penetration has taken part in several conferences, e.g. RootedCon as Microsoft, IBM, and SAP but hasn’t been publically testing and anomaly detection using user agent (Spain), CARO Workshop (Czech Republic), Source explored in terms of security. OData aims to provide a headers. Designer of Sphere of Infl uence (security Seattle (USA) and Black Hat (Netherlands). consistent access mechanism for data access from a variety of sources including but not limited to, relational visualization tool) and Ice-hole. (email phishing tool) databases, fi le systems, content management HTEXPLOIT BYPASSING HTACCESS systems, and traditional web sites. I will be presenting REGISTRY DECODER RESTRICTIONS and releasing a new tool that can be used to assess BY LODOVICO MARZIALE BY MAXIMILIANO SOLER OData implementations. Tool features include: Digital Forensics Solutions HTExploit is an open-source tool written in Python 1. Intuitive GUI based tool written in C#. The registry on Windows systems contain a that exploits a weakness in the way that htaccess fi les 2. Ability to create attack templates from local and tremendous wealth of forensic artifacts, including can be confi gured to protect a web directory with an remote Service Documents and Service Metadata application executions, recently accessed fi les, authentication process. By using this tool anyone would Documents. application-specifi c passwords, removable device be able to list the contents of a directory protected this 3. Ability to generate attack templates for Creation activity, search terms used and more. Existing registry way, bypassing the authentication process. of new Entries, updating existing Entries, Service analysis tools are poorly suited for investigations Using HTExploit you will learn how to take Operation invocation, Entry deletion etc… involving more than one machine (or even more advantage of weaknesses or miss-confi gurations in 4. Ability to export attack templates in JSON and that one registry fi le), for either registry acquisition htaccess fi les, bypassing the authentication process. XML formats that can be fed to custom Fuzzers. or analysis. This problem is only exacerbated by the Download these protected fi les and proving against 5. Support for XML and JSON data formats. now-standard Volume Shadow Service, which makes LFI, RFI and SQL Injection. 6. Ability to engage the OData services for manual available multiple historical copies of the registry by BIO: Maximiliano Soler lives in Buenos Aires, testing. default. In order to make large scale investigations of Argentina and currently works as Security Analyst, in a 43 arsenal talks the registry feasible, we developed Registry Decoder, emphasizing innovative, practical tools for computer BIO: Raphael Mudge is the founder of Strategic an open source tool for automated acquisitions security and digital forensics. Lodovico has designed Cyber LLC, a Washington, DC based company and deep analysis of the large sets of Windows and implemented several digital forensics and security that creates software for red teams. He created registry data. Registry Decoder includes powerful applications, including co-developing the Scalpel file Armitagefor Metasploit, the Sleep programming search functionality, activity timelining, plugin-based carver and Registry Decoder, a tool for automated language, and the IRC client jIRCii. Previously, Raphael extensibility, a differencing engine and multi-format acquisition and analysis of the Windows registry. worked as a security researcher for the US Air Force, reporting. Since its release at Black Hat Vegas Arsenal a penetration tester, and he even invented a grammar 2011, it has been downloaded almost 10,000 times phpmap checker that was sold to Automattic. His work has and has been nominated for the Computer Forensic by Matt Bergin appeared in Hakin9, USENIX ;login:, Dr. Dobb’s Software Tool of the Year by Forensic 4cast. This year CORE Secuirty Journal, on the cover of the Linux Journal, and the at Black Hat we plan to release Registry Decoder Attempts to leverage the lack of input validation on the Fox sitcom Breaking In. Raphael regularly speaks on 2.0 which has a number of new features, including php eval() function in web applications. security topics and provides red team support to many new plugins, better timelining, and huge performance cyber defense competitions. enhancements. Armitage BIO: Dr. Lodovico Marziale is a Senior Security OWASP Broken Web Researcher at Digital Forensics Solutions, LLC, where by Raphael Mudge Strategic Cyber LLC Applications Project he is responsible for conducting penetration tests, Armitage is a red team collaboration tool built on by Chuck Willis application security audits, and forensic investigations. the open source Metasploit Framework. Released in MANDIANT He is also charged with engineering new applications December 2010, Armitage has seen constant updates The Open Web Application Security Project (OWASP) to support security and forensics functions, performing and improvements since its inception—updates and Broken Web Applications project (www.owaspbwa. training on incident response handling and digital improvements driven by feedback from its wonderful org) provides a free and open source virtual machine forensics, and conducting research on cutting- user community. This demonstration will show how loaded with web applications containing security edge techniques in computer security. He is active Armitage works and dive into some of the lesser known vulnerabilities. This session will showcase the project in the computer security research community and features that are quite handy for penetration testers. and exhibit how it can be used for training, testing, has numerous peer-reviewed publications, most ARSENAL TALKS and experimentation by people in a variety of roles. information of great sensitivity to companies. of Science degree in computer science, secure Demonstrations of the new 1.0 release will However, by default the communication protocol software engineering, and information security as cover how the project can be used by penetration can be described as telnet-meets-gzip and Secure well as holding CISSP, CEH, NIST 4011, and OSCP testers who discover and exploit web application Network Communication (SNC) is not enabled in most certifi cations. Her work in the fi eld of smartphone vulnerabilities, by developers and others who prevent organisations where SAP GUI is used. Furthermore, exploitation has been featured in print and on and defend against web application attacks, and by the protocol can be abused with relatively devastating television internationally. She has presented her individuals who respond to web application incidents. effect against both server and client side components. research at conferences around the world including BIO: Chuck Willis is a Technical Director with SensePost’s tools for decoding and analysing SAP Shmoocon, Hacker Halted, Security Zone, and Bsides. MANDIANT, a full spectrum information security DIAG protocol has now been refi ned to a production Georgia has delivered highly technical security training company in Alexandria, Virginia. At MANDIANT, ready, and offensive platform with scripting and fuzzing for conferences, schools, and corporate clients Mr. Willis concentrates in several areas including support. In addition, the toolset has been extended to to excellent reviews. Building on her experience, application security, where he assesses the security of include support for intercepting and decoding RFC- Georgia recently founded Bulb Security LLC (http:// sensitive software applications through external testing based communication. www.bulbsecurity.com), a security consulting fi rm and static analysis. He also studies static analysis tools BIO: Ian de Villiers is a security analyst at specializing in security assessments/penetration and techniques and strives to identify better ways to SensePost. Coming from a development background, testing, security training, and research/development. evaluate and secure software. Mr. Willis is the leader of his areas of expertise are in application and web She was awarded a DARPA Cyber Fast Track grant to the OWASP Broken Web Applications project, which application assessments. Ian has spent considerable continue her work in mobile device security. distributes a virtual machine with known vulnerable time researching application frameworks, and has web applications for testing and training. published a number of advisories relating to portal GENERIC METASPLOIT NTLM platforms. He has also provided security training and RELAYER spoken at security conferences internationally. FAKENET BY RICH LUNDEEN BY ANDREW HONIG Microsoft FakeNet is a tool that aids in the dynamic analysis of ARPWNER NTLM auth blobs contain the keys to the kingdom malicious software. The tool simulates a network so BY NICOLAS TRIPPAR in most domain environments, and relaying these that malware interacting with a remote host continues ARPwner is a tool to do arp poisoning and dns credentials is one of the most misunderstood and to run allowing the analyst to observe the malware’s poisoning attacks, with a simple gui and a plugin deadly attacks in a hacker’s corporate arsenal. Even network activity from within a safe environment. The system to do fi ltering of the information gathered, also for smart defenders it’s almost like a belief system; tool is extremely light weight running inside the same has a implementation of sslstrip and is coded 100% in some people believe mixed mode IIS auth saves them, virtual machine as the malware. This allows dynamic python, so you can modify on your needs NTLMv2 is not exploitable, enabling the IIS extended malware analysis without the burden of setting up BIO: I’m independent security researcher based on protection setting is all you need, it was patched with multiple virtual machines. It supports HTTP, SSL, DNS, vulnerability research and exploit development, I also MS08-068, you have to be in the middle, you have to and several other protocols. The tool is extendable via program tools for fun. visit a website, you have to be an administrator for the Python extensions. It redirects all traffi c to it’s listeners attack to matter, etc. etc. on the localhost, including traffi c to hard coded IP SMARTPHONE PENTESTING http_ntlm_relay is a highly confi gurable Metasploit addresses. It creates output specifi c to the needs of FRAMEWORK module I wrote that does several very cool things, a malware analyst. It also has the ability to create a BY GEORGIA WEIDMAN allowing us to leverage the awesomeness of packet capture from local traffi c; something that’s not Bulb Security LLC Metasploit and show the way for these non-believers: possible with pcap based tools such as wireshark. As smartphones enter the workplace, sharing the U HTTP -> HTTP NTLM relay with POST, GET, BIO: Andrew Honig is an independent security network and accessing sensitive data, it is crucial to HTTPS support. consultant and the co-author of Practical Malware be able to assess the security posture of these devices U HTTP -> SMB NTLM relay with ENUM_SHARES, Analysis. He spent eight years with the National in much the same way we perform penetration tests LS, WRITE, RM, and EXEC support. This extended Security Agency where he taught courses on software on workstations and servers. However, smartphones support allows a lot of interesting attacks against analysis, reverse-engineering, and Windows system have unique attack vectors that are not currently non admins and multiple browsers that aren›t programming at the National Cryptologic School. Andy covered by available industry tools. The smartphone currently available in Metasploit. discovered several zero-day exploits in VMware’s penetration testing framework, the result of a DARPA U NTLMv2 support, which means that this attack virtualization products and has developed tools for Cyber Fast Track project, aims to provide an open now works a lot more often on modern windows detecting innovative malicious software, including source toolkit that addresses the many facets of environments. malicious software in the kernel. An expert in analyzing assessing the security posture of these devices. We U Mutex support allowing information from one and understanding both malicious and non-malicious will look at the functionality of the framework including request to be used in a future request. A simple software. information gathering, exploitation, social engineering, example of this would be a GET to retrieve a and post exploitation through both a traditional IP CSRF token used in a POST. A more complex SAP PROXY network and through the mobile modem, showing how example would be an HTTP GET request to recover BY IAN DE VILLIERS this framework can be leveraged by security teams computer names, and then using that information SensePost and penetration testers to gain an understanding to SMB relay to those computers for code The analysis and reverse engineering of SAP GUI of the security posture of the smartphones in an execution. network traffi c has been the subject of numerous organization. We will also show how to use the It will be open source and I’ll try my darndest to get research projects in the past, and several methods framework through a command line console, a it included in Metasploit proper before Black Hat. have been available in the past for decoding SAP DIAG graphical user interface, and a smartphone based app. BIO: Rich Lundeen graduated from UofI with a traffi c. Until the release of SensePost’s freely available Demonstrations of the framework assessing multiple Masters in CS, and is currently working for Microsoft proof of concept SAP DIAG tools (SAPProx and smartphone platforms will be shown. where he does security research, penetration testing, SApCap) in 2011, most methods were complicated BIO: Georgia Weidman is a penetration tester, code review, and tool development. He sometimes and convoluted, or not in the public domain. security researcher, and trainer. She holds a Master talks at conferences where he’s usually a nervous SAP is widely used and normally stores 45 ARSENAL TALKS wreck, but he likes doing it anyway. He likes CTFs and data to your enemies. in mobile security. Zuk is the proud holder of a too, where he bangs his head against things until they The next step of the attackers will be fi nding a way SVC card, which is only in the possession of elite break, or his head breaks. into your internal network or other key-people at your researchers such as Matt Swich. Zuk really dislikes organization, using the same infection routine. writing about himself in the third person so for more ZCORE IPS Smartphones hacking has increased signifi cantly as information you can check out his personal hacking BY ITZHAK (ZUK) AVRAHAM more researched have adopted this new technology. related blog at http://imthezuk.blogspot.com and on The awareness of cyber-espionage has increased We will cover recent attacks and threats that are being Twitter as @ihackbanme. signifi cantly with recent malwares found, such as discovered every-day that puts us at risk! Stuxnet and Flame, and with the discovery of attacks, We will show and demonstrate several attack TENACIOUS DIGGITY: such as Aurora. A research published at DEF CON18 vectors that are being used today against targeted WNEW GOOGLE HACKING devices and how we’re preventing those attacks using and BHDC showed that modern ARM architecture DIGGITY SUITE TOOLS is not immune to vulnerabilities that are popular in zCore IPS, our comprehensive Mobile IPS solution. This solution has been specially built for Smartphones BY FRANCIS BROWN X86 architecture. Hacking smartphones became Stach & Liu with zMitigaion™, a highly effective technology for common knowledge, and we’ve realized that it is only All brand new tool additions to the Google Hacking 0day protection offered to those who face targeted a matter of time until we will see the next Aurora on Diggity Project—The Next Generation Search Engine and government-grade attacks on Smartphones. Smartphones. Hacking your computer has become Hacking Arsenal. As always, all tools are free for BIO: Itzhak “Zuk” Avraham is a Security Expert who harder with time and multiple versions so the attackers download and use. has been engaged on a wide variety of vulnerability seek additional entry-points to your organization and When last we saw our heroes, the Diggity Duo assessments. Zuk worked at the IDF as a Security your Smartphone, with features like VPN access being had demonstrated how search engine hacking could Researcher and has also published a technique on the perfect target! be used to take over someone’s Amazon cloud in shellcoding for modern ARM exploits. As the proud We will go through modern government-grade less than 30 seconds, build out an attack profi le founder of the Mobile-Security company, Zimperium, attacks on smartphones and will prove that the same of the Chinese government’s external networks, and the Godfather of ANTI (Android Network Tollkit), smartphone you are carrying with you today can act and even download all of an organization’s Internet Zuk is diligently working on the next big breakthrough as a spying-machine that will reveal all of your secrets facing documents and mine them for passwords and Dev ♥ Security (Ok, maybe not yet.) Let us show you how. Learn how Coverity has helped 1,100 companies including SAP, Juniper Networks, LG, and Emerson effectively build security into development. Visit us at booth #728 Enter to Win Soul by Ludacris Headphones. www.coverity.com ARSENAL TALKS secrets. Google and Bing were forced to hug it out, effective network port scanning tool. You can InfoSec World, ToorCon, and HackCon and has been as their services were seamlessly combined to identify provide domains, hostnames, and even IP address cited in numerous industry and academic publications. which of the most popular websites on the Internet ranges to scan in order to identify open ports Francis holds a Bachelor of Science and were unwittingly being used as malware distribution ranging across all 65,535 TCP ports. An additional Engineering from the University of Pennsylvania with platforms against their own end-users. benefi t is that this port scanning is completely a major in Computer Science and Engineering and a Now, we’ve traveled through space and time, my passive—no need to directly communicate minor in Psychology. While at Penn, Francis taught friend, to rock this house again… with target networks since Google has already operating system implementation, C programming, True to form, the legendary duo have toiled night performed the scanning for you. and participated in DARPA-funded research into and day in the studio (a one room apartment with no advanced intrusion prevention system techniques. air conditioning) to bring you an entirely new search U CloudDiggity Data Mining Tool Suite—Ever wanted engine hacking tool arsenal that’s packed with so to data mine every single password, email, SSN, GDFUZZ much tiger blood and awesome-sauce, that it’s credit card number on the Internet? Our new cloud BY RAHUL SASI banned on 6 continents. Many of these new Diggity tools combine Google/Bing hacking and data loss iSIGHT partners tools are also fueled by the power of the cloud and prevention (DLP) scanning on a massive scale, PHP Framework is built in native C and the no of provide you with vulnerability data faster and easier made possible via the power of cloud computing. memory corruptions and chances of code executions than ever thanks to the convenience of mobile Chuck Norris approved. in the frame work is high. PHP framework takes inputs applications. Just a few highlights of new tools to be U CodeSearchDiggity-Cloud Edition—Google recently form web applications and process it on the web unveiled are: shut down Code Search in favor of focusing server. There are a lot of image processing functions U AlertDiggityDB—For several years, we’ve collected on Google+, putting “more wood behind fewer in PHP where user controls the input “Images” . vulnerability details and sensitive information arrows”. I suppose we could have let the matter go, The usage of image processing functions could be disclosures from thousands of real-time RSS feeds and let CodeSearchDiggity die, but that would be detected via the metadata they insert in the images. setup to monitor Google, Bing, SHODAN, and the mature thing to do. Instead, we are harnessing We would be demonstrating a cool fuzzer [GDFuzz] various other search engines. We consolidated the power of the cloud to keep the dream alive—i.e. that is specifi cally made capable to Fuzzing PHP GD this information into a single database, the performing source code security analysis of nearly Engine. Its basically an image Fuzzer which we have AlertDiggityDB, forming the largest consolidated every single open source code project in existence, build from scratch. It’s uniqueness is it’s ability to repository of live vulnerabilities on the Internet. Now simultaneously. handle PHP Framework and fuzz reveal PHP script it’s available to you. U BingBinaryMalwareSearch (BBMS)—According engine [GDI] bugs. U Diggity Dashboard—An executive dashboard of to the Verizon 2012 DBIR, malware was used We would be demonstrating our tool along with all of our vulnerability data collected from search to compromise a staggering 95% of all records many Stack ,Heap corruptions revealed by our Fuzzer engines. Customize charts and graphs to create breached for 2011. BBMS allows users to , that could get attacker Code execution on the tailored views of the data, giving you the insight proactively track down and block sites distributing Webserver via crafted Images. With few changes in necessary to secure your own systems. This web malware executables on the web. The tool the tool it could be used to Fuzz browsers, Windows portal provides users with direct access to the most leverages Bing, which indexes executable fi les, to system or anything that renders an image. current version of the AlertDiggityDB. fi nd malware based on executable fi le signatures The tool would be of intrest to Wep App Enthusiast U Bing Hacking Database (BHDB) 2.0—Exploiting (e.g. “Time Stamp Date:”, “Size of Code:”, and and Vulnerability Researchers . recent API changes and undocumented features “Entry Point:”). BIO: Rahul(fb1h2s) is working as an Info Security within Bing, we’ve been able to completely U Diggity IDS—Redesigned intrusion detection Researcher for iSIGHT partners. He has responsibly overcome the previous Bing hacking limitations to system (IDS) for search engine hacking. Will disclosed vulnerabilities/Bugs to Google, Apache, create an entirely new BHDB that will make Bing still leverage the wealth of information provided Banking sectors and many IT giants. Rahul hacking just as effective as Google hacking (if not by the various Diggity Alert RSS feeds, but will has authored articles and spoken at Clubhack, more so) for uncovering vulnerabilities and data also make more granular data slicing and dicing Cocon(2011), Nullcon(2011,2012), HITB(2012) and leaks on the web. This also will include an entirely possible through new and improved client tools. Black Hat(2012). His work could be found at www. new SharePoint Bing Hacking database, containing Also includes the frequently requested SMS/email Garage4Hackers.com. attack strings targeting Microsoft SharePoint alerting capabilities, making it easier than ever for users to keep tabs on their vulnerability exposure deployments via Bing. REGISTRY DECODER U via search engines. NotInMyBackYardDiggity—Don’t be the last to BY LODOVICO MARZIALE know if LulzSec or Anonymous post data dumps of BIO: Francis Brown, CISA, CISSP, MCSE, is a Digital Forensics Solutions your company’s passwords on PasteBin.com, or if Managing Partner at Stach & Liu, a security consulting The registry on Windows systems contain a a reckless employee shares an Excel spreadsheet fi rm providing IT security services to the Fortune tremendous wealth of forensic artifacts, including with all of your customer data on a public website. 500 and global fi nancial institutions as well as U.S. application executions, recently accessed fi les, This tool leverages both Google and Bing, and and foreign governments. Before joining Stach & application-specifi c passwords, removable device comes with pre-built queries that make it easy for Liu, Francis served as an IT Security Specialist with activity, search terms used and more. Existing registry users to fi nd sensitive data leaks related to their the Global Risk Assessment team of Honeywell analysis tools are poorly suited for investigations organizations that exist on 3rd party sites, such as International where he performed network and involving more than one machine (or even more PasteBin, YouTube, and Twitter. Uncover data leaks application penetration testing, product security that one registry fi le), for either registry acquisition in documents on popular cloud storage sites like evaluations, incident response, and risk assessments or analysis. This problem is only exacerbated by the Dropbox, Microsoft SkyDrive, and Google Docs. A of critical infrastructure. Prior to that, Francis was now-standard Volume Shadow Service, which makes must have for organizations that have sensitive data a consultant with the Ernst & Young Advanced available multiple historical copies of the registry by leaks on domains they don’t control or operate. Security Centers and conducted network, application, default. In order to make large scale investigations of U PortScanDiggity—How would you like to get wireless, and remote access penetration tests for the registry feasible, we developed Registry Decoder, Google to do your port scanning for you? Using Fortune 500 clients. an open source tool for automated acquisitions undocumented functionality within Google, Francis has presented his research at leading and deep analysis of the large sets of Windows we’ve been able to turn Google into an extremely conferences such as Black Hat USA, DEF CON, registry data. Registry Decoder includes powerful 47 ARSENAL TALKS search functionality, activity timelining, plugin-based ISNIFF GPS similar to what BinCrowd (which is offl ine nowadays) extensibility, a differencing engine and multi-format BY HUBERT SEIWERT offered but with support for multiple co-existing reporting. Since its release at Black Hat Vegas Arsenal iSniff GPS performs passive wireless sniffi ng to commits for the same function. We also supports 2011, it has been downloaded almost 10,000 times identify nearby iPhones and iPads. list-based commit visibility to give users control over and has been nominated for the Computer Forensic Data disclosed by all iDevices when they connect who else can see and import their contributions. In the Software Tool of the Year by Forensic 4cast. This year to WiFi networks is used to track where each device coming days we will release a series of how-to blog at Black Hat we plan to release Registry Decoder has recently been. Each device’s recent locations and posts and videos to speed up adoption of CrowdRE. 2.0 which has a number of new features, including other information is displayed on a live-updated map. BIO: Georg Wicherski is a Senior Security new plugins, better timelining, and huge performance There will be a live demonstration at Black Hat Arsenal. Researcher with CrowdStrike, mostly analyzing enhancements. iSniff GPS is a combination of a commandline tool advanced targeted threats but also putting himself in BIO: Dr. Lodovico Marziale is a Senior Security and web application written in Python. A turnkey Linux attackers’ shoes from time to time. He loves to work Researcher at Digital Forensics Solutions, LLC, where VM image containing the complete tool ready to run on a low level, abandoning all syntactic sugar that he is responsible for conducting penetration tests, will be made available at Black Hat, with source code HLL offer and working on instructions or bytecode. application security audits, and forensic investigations. to be published on Github. Recently, he has developed an interest for the ARM He is also charged with engineering new applications References: http://arstechnica.com/apple/2012/03/ architecture in addition to his old x86 adventures. to support security and forensics functions, performing anatomy-of-an-iphone-leak training on incident response handling and digital BIO: Hubert is an experienced penetration tester WATOBO: WEB APPLICATION forensics, and conducting research on cutting- and security consultant with more than 5 years TOOLBOX edge techniques in computer security. He is active industry experience in the UK and Australia. His main BY ANDREAS SCHMIDT in the computer security research community and interests are web and mobile application security. He Siberas has numerous peer-reviewed publications, most has given talks on iPhone security at Ruxmon and Doing manual penetration tests on web applications emphasizing innovative, practical tools for computer presented an iPhone SSL man-in-the-middle tool at is time-consuming and can be very boring or even security and digital forensics. Lodovico has designed the CCC Conference in 2011. frustrating. On the other hand, if you use an automated and implemented several digital forensics and security tool you often don’t know if or how things have been applications, including co-developing the Scalpel fi le CROWDRE checked because there’s too much “Voodoo” under carver and Registry Decoder, a tool for automated BY GEORG WICHERSK the hood. acquisition and analysis of the Windows registry. CrowdStrike Each approach has its advantages and Reversing complex software quickly is challenging disadvantages but the selection of tools which merge AWS SCOUT due to the lack of professional tools that support both worlds is very limited. BY JONATHAN CHITTENDEN collaborative analysis. The CrowdRE project aims In this presentation I will introduce WATBO iSEC Partners to fi ll this gap. Rather than using a live distribution (Web Application Toolbox) which closes the gap The scale and variety of Amazon Web Servers (AWS) of changes to all clients, which has proven to fail and combines the advantages of both, the manual has created a constantly changing landscape. What in the past, it leverages from the architecture that and the automated approach to web application was previously managed by enterprise IT groups is being used with success to organize source assessments. WATOBO works like a local proxy and is now done through a variety of Amazon-based code repositories: a system that manages a history is analyzing the traffi c on the fl y for helpful information services, leaving many questions concerning the risk of changesets as commit messages. The central and vulnerabilities. It also has automated scanning and security of these environments unanswered. This component is a cloud based server that keeps track capabilities, e.g. SQL-Injection, XSS-Checks and presentation will discuss the most common mistakes of commits in a database. Each commit covers one more. It can handle of One-Time-Tokens (aka Anti- that we have seen in the fi eld and show you how to or more functions of an analyzed binary and contains CSRF-Tokens) and has powerfull session management audit them using AWS Scout. information like annotations, comments, prototype, capabilities. Scout is a security tool that lets AWS administrators struct and enum defi nitions and the like. Clients can WATOBO is written in (FX)Ruby and was initially make an assessment of their environments security search the database for commits of functions by released in May 2010 as an open source project on posture. Using the AWS API, we can gather constructing a query of the analyzed binary’s hash and SourceForge (http://watobo.sourceforge.net). confi guration data for manual inspection or highlight the function offset. Different concurring commits for a BIO: Andreas Schmidt started working as a high-risk areas automatically. Rather than pouring function are possible; in such cases it is up to the user security consultant in 1998. At the beginning he was through dozens of pages on the web, we can get an to decide which commit is better. involved with planning and implementing high security clear view of the attack surface. This basic concept is suffi cient for a collaborative infrastructures. Later on he focused on security audits BIO: During his employment with iSEC Partners, workfl ow on a per-function basis for a shared binary. and penetrationtests. He also developed and held Jonathan has been tasked with a variety of One exciting feature is a similarity hashing scheme that hands-on hacking trainings focused on Windows and engagements. Of which his memorable projects considers the basic block boundaries of a function. Unix systems. Andreas is Co-Founder of the german include, code reviewing custom kernel modules to be Each function is mapped on a similarity preserving security consulting company siberas (http://www. used for virtualization and reviewing both public and hash of fi xed size. A database query for such a siberas.de) and author of WATOBO. private cloud architectures. Outside of project work, functions similarity hash returns a set of functions Jonathan is in the process of writing a cloud security sorted by their similarity value, and the analyst can MODSECURITY OPEN SOURCE book to be published by McGraw-Hill in 2012. choose amongst them. This is extremely helpful Prior to his employment with iSEC, Jonathan when analyzing variants based on the same code or WAF BY RYAN BARNETT worked for the Air Force as a civilian. His roles generations of a malware family, for example. SpiderLabs consisted of reverse engineering malware for both The CrowdRE client is now freely available as an ModSecurity is already the most widely deployed WAF signature development. During this time, he also IDA Pro plugin. CrowdStrike maintains a central cloud in existence protecting millions of web sites, but we assisted in the development of an open-source for the community to share their commits amongst are now also announcing that we have ported the intelligence application to be used to identify indicators each other. It is our goal to help building a public module to both the Microsoft IIS and Nginx platforms. of compromise. database of known, well annotated functions to speed These ports will allow you to run ModSecurity natively up the analysis of standard components, somewhat 48 ARSENAL TALKS write their own. The Vega web vulnerability scanner runs on Linux, Windows, and OS X. Vega can be downloaded from our website, http:// www.subgraph.com. BIO: David has over 10 years in the information security business. He started his professional experience as a founding member of Security Focus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, Can Sec West, AusCERT and numerous other security conferences, as well as made contributions to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the fi rst version of the CVSS (Common Vulnerability Scoring System) model and served as editor for the Attack within the web servers you want to protect. Come in computer security and digital forensics. He is the Trends section of IEEE Security & Privacy for over three to this demo to see the latest new features recently author of LiME Forensics, the fi rst tool set that allows years. His current obsession is building Subgraph, a added to ModSecurity including crypto/hashing full physical memory acquisition from Android devices, Montreal-based open source security startup. protections. and has presented this work on Android memory BIO: Ryan Barnett joined SpiderLabs after a acquisition and analysis at Shmoocon 2012 and decade in web security. He currently leads the web the SANS Digital Forensic and Incident Response BURP EXTENSIBILITY SUITE server security research team which specializes in Summit. He holds a M.S. In Computer Science, with BY JAMES LESTER web application defense. Barnett is renowned in a concentration in Information Assurance, from the IOActive the industry for his unique web operational security University of New Orleans and is also a GIAC Certifi ed Whether it be several Class B Subnets, a custom Web expertise. He has serves as the Open Web Application Forensic Analyst. Application utilizing tokenization, or the integration Security Project (OWASP) ModSecurity Core Rule of 3rd party detection/exploitation software, there Set Project Leader and Project Contributor on the comes a time when your go-to testing application is SEMI-AUTOMATED IOS RAPID not suffi cient as is. With Burp Suite Extensibility you OWASP Top Ten and AppSensor Projects. He is a ASSESSMENT Web Application Security Consortium (WASC) Board can push these requirements to the next level by BY JUSTIN ENGLER building functionality that allows you to perform your Member and Project Leader for the Web Hacking FishNet Security Incident Database (WHID) and the Distributed Web required task, maintaining effi ciency, value, and most Apple’s AppStore continues to grow in popularity, Honeypot Projects. He is also a Certifi ed Instructor of all, detection/exploitation of the specifi ed target. and iOS devices continue to have a high perception at the SANS Institute. Barnett is regularly consulted Several Extensions along with a common extensibility of security from both users and experts. However, by industry news outlets like Dark Reading, SC framework will be on display demonstrating its ability, applications on the AppStore often have security Magazine and Information Week. He is the author of adaptation, and ease of use while overall being able or privacy fl aws that are not apparent, even to Preventing Web Attacks with Apache (Addison-Wesley to reach your testing requirements. Along with the sophisticated users. Security experts can fi nd these Professional, 2006.) Key industry events he has demonstration, these extensions will be released to fl aws via manual tests, but the enormity of the addressed include Black Hat, SANS AppSec Summit the public during the week of Black Hat to encourage AppStore ensures that only a small minority of apps and the OWASP Global Summit. further development and extensibility participation. could ever be manually tested. BIO: As a Senior Security Consultant at IOActive, This presentation will demonstrate a new tool James Lester works with platinum-level clients on LIME FORENSICS 1.1 and methodology to perform automated or semi- network and application penetration tests, PCI BY JOE SYLVE DIGITAL automated assessment of iOS applications and assist compliance, and general consulting engagements. Forensics Solutions with manual testing. Before joining the IOActive team with the goal of taking LiME (formerly DMD) is a Loadable Kernel Module BIO: Justin Engler is a Senior Security Consultant his talents to the next level, he was a Senior Security (LKM), which allows the acquisition of volatile memory for FishNet Security’s Application Security practice. Analyst with the McAfee Corporation. Passionate from Linux and Linux-based devices, such as those His focus is on the security of web applications, about Internet security and privacy, James enjoys powered by Android. The tool supports acquiring mobile devices, web-backed thick clients, databases, designing new procedures and methods to Identify, memory either to the fi le system of the device or and industrial control systems. Justin has previously test, secure, and mitigate compromised and high-risk over the network. LiME is unique in that it is the fi rst spoken at Black Hat USA and DEF CON. websites. He has previously been a featured speaker tool that allows full memory captures from Android at many local security chapter roundups and Internal devices. It also minimizes its interaction between user VEGA Corporate Security events. and kernel space processes during acquisition, which BY DAVID MIRZA AHMA allows it to produce memory captures that are more Subgraph forensically sound than those of other tools designed MAP Vega is a GUI-based, multi-platform, free and open for Linux memory acquisition. BY JEROME RADCLIFFE source web security scanner that can be used to fi nd BIO: Joe Sylve is a senior security researcher Smart Device Threat Center for Mocana instances of SQL injection, cross-site scripting (XSS), at Digital Forensics Solutions, where he conducts With MAP, enterprise apps can be wrapped post- and other vulnerabilities in your web applications. forensic investigations and penetration tests, performs development, so there is no code to write: just point Vega also includes an intercepting proxy for interactive training on incident response handling and digital and click to add new security features to any app. web application debugging. Vega attack modules are forensics, and researches cutting edge technologies All that is needed is the binary fi le of the app (.apk written in Javascript, users can easily modify them or for Android and .ipa for Apple iOS) to be loaded into 49 ARSENAL TALKS the Mocana MAP server on-premise in the enterprise for offensive security and post exploitation. The Filters that have been implemented in this version datacenter, or to a secure cloud-based environment scripts are written on the basis of requirement by for Google Talk are: in the near future. There is no need to have access to the author during real Penetration Tests. It contains U Read all the the user’s account mails the original source code, no need for an SDK, and no many interesting scripts like download and execute, U Read and modify all the user’s account contacts need for a separate agent on the device. keylogger, password hash dumper, time based (being or not in the roster). The resulting Self Defending App™ can then be payload and much more. A preliminary version was described in my talk made available through any app catalog or private BIO: Nikhil Mittal is a hacker, info sec researcher ‘XMPP, more than chat’ (http://slidesha.re/GWBwMF) app store the enterprise chooses. And MAP is totally and enthusiast. His area of interest includes presented in RootedCON 2012 (Spain). transparent to end users, with no need for separate penetration testing, attack research, defence BIO: Luis Delgado is a security researcher focused client-side software or agents. Newly-secured strategies and post exploitation research. He has on Web&IM security, wireless protocols and android apps work like users expect them to. MAP protects many years of experience in Penetration Testing of security&development. He is a regular writer on corporate data without compromising the user many Government Organizations of India and other Security by Default (http://www.securitybydefault. experience, while alternative technologies restrict global corporate giants. com), one of the most important spanish security end users to a tiny selection of unfamiliar apps, or He specializes in assessing security risks at secure blogs and has published many vulnerabilities and confi ne their apps in “walled” environments or virtual environments which require novel attack vectors and research papers that have ranged from messaging machines. “out of the box” approach. He has worked extensively protocols security to the Android market security BIO: Jay Radcliffe has been working in the on using HID in Penetration Tests and powershell for measures. Author of WIFI Auditor (http://www. computer security fi eld for over twelve years and is post exploitation. He is creator of Kautilya, a toolkit ldelgado.es/?wifi auditor), a wireless security analyzer currently the Director for the Smart Device Threat which makes it easy to use Teensy in penetration with more than 800K downloads. He works as a Center for Mocana. He has an extensive public tests. In his free time, Nikhil likes to scan full IP ranges freelance auditor for customers in the defense sector speaking background, going back to middle school, of countries for specifi c vulnerabilities, does some and important ISPs. and has spoken on a variety of security and legal vulnerability research and works on his projects. He topics at major conferences, universities, and other has spoken/trained at Clubhack’10, Hackfest’11, community events. He holds a Masters degree Clubhack’11, Black Hat Abu Dhabi’11, Troopers’12, BYPASSING EVERY CAPTCHA in Information Security Engineering form SANS PHDays’12, GrrCon’12 and Black Hat Europe’12. PROVIDER WITH CLIPCAPTCHA Technology Institute as well as a bachelor’s degree in BY GURSEV SINGH KALRA Criminal Justice/Pre-Law from Wayne State University. XMPPLOIT Foundstone reCAPTCHA and other CAPTCHA service providers His experience with radios and hardware goes back to BY LUIS DELGADO when he was 12 and earned his Ham Radio license, XMPPloit is a command-line tool to attack XMPP validate millions of CAPTCHAs each day and protect now with the callsign N8OS. connections, allowing the attacker to place a gateway thousands of websites against the intertube bots. between the client and the server and perform different A secure CAPTCHA generation and validation KAUTILYA AND NISHANG attacks on the client stream. ecosystem forms the basis of the mutual trust model and large scale damage can happen if any component BY NIKHIL MITTAL The tool exploit, implementation vulnerabilities at Kautilya is a toolkit and framework which allows the client&server side and XMPP protocol. of this ecosystem is compromised. usage of USB Human Interface Devices in Penetration The main goal is that all the process is transparently The presentation explains third party CAPTCHA Tests. The toolkit contains useful payloads and for the user and never replace any certifi cate (like provider integration and explains vulnerabilities that modules which could be used at different stages of HTTPS attacks). affect almost every CAPTCHA provider including a Penetration Test. Kautilya is tested with Teensy++ Some features are: reCAPTCHA. These vulnerabilities can be exploited to completely bypass the protection offered by device but could be used with most of the HIDs. It has U Downgrade the authentication mechanism (can been successfully tested for breaking into Windows 7, CAPTCHA providers. A new signature based obtain the user credentials) tool clipcaptcha will be introduced and released Ubuntu11 and Mac OS X Lion. U Force the client not to use an encrypted Nishang is a framework and collection of scripts that can be used to exploit these vulnerablities to communication bypass CAPTHCA provider protection. clipcaptcha’s and payloads which enables usage of PowerShell U Set fi lters for traffi c manipulation operational modes will be demonstrated. The operational modes include the following three mondes among others: 1. Avalanche Mode: All CAPTCHA validation requests are approved. 2. Stealth Mode: Only attacker provided CAPTCHAs are approved. 3. DoS Mode: All CAPTCHA validation requests are denied. Demonstrations will explain these modes along with live CAPTCHA provider bypass on the test server. BIO: Gursev Singh Kalra serves as a Principal Consultant with Foundstone Professional Services, a division of McAfee. Gursev has done extensive security research on CAPTCHA schemes and implementations. He has written a Visual CAPTCHA Assessment tool TesserCap that was voted among the top ten web hacks of 2011. He has identifi ed CAPTCHA implementation vulnerabilities like CAPTCHA Re-Riding Attack, CAPTCHA Fixation and CAPTCHA Rainbow 50 ARSENAL TALKS tables among others. He is actively pursuing OData for deployment, are not stealthy and do not have the indicator when choosing which indicators to include security research as well. He has also developed open ability to be safely extended. in a search. source SSL Cipher enumeration tool SSLSmart and MIRV’s main design feature are the embedded Lua BIO: Lucas Zaichkowsky is an engineer at has spoken at conferences like ToorCon, OWASP, micro-agents to monitor various system activity events MANDIANT with over fi fteen years of diverse NullCon, Infosec Southwest and Clubhack. and the ability to act on those events using the full information technology and information security fl exibility and most importantly—safety of Lua. experience. He conducts threat briefs and customizes ..CANTOR.DUST.. It also revives the discussion of active defence— solutions for Fortune 1000 companies to detect and BY CHRISTOPHER DOMAS not just alarms, but traps: can the defender use the respond to advanced targeted threats. Prior to joining ..cantor.dust.. is an interactive binary visualization attacker’s connection to obtain some information MANDIANT, Lucas worked for a payment processor, tool, a radical evolution of the traditional hex editor. By about the attacker’s system, or even attack the specializing in electronic payment processing, Point translating binary information to a visual abstraction, attacker’s system? An example based on terminal of Sale (POS) systems, PCI standards, and merchant reverse engineers and forensic analysts can sift services shared drive feature is presented. MIRV’s breach response coordination. through mountains of arbitrary data in seconds. features can also be used for offence as a fl exible Even previously unseen instruction sets and data rootkit and some examples are given. Paper: https://docs.google.com/document/d/1cC INCIDENT RESPONSE ANALYSIS formats can be easily located and understood through VISUALIZATION AND THREAT their visual fi ngerprint. ..cantor.dust.. dramatically D6fAnMpfl tchPbfreWgIZxzI87F4lt2E5RjWV0OqU/edit; accelerates the analysis process, and, for the Video: http://youtu.be/teMgpW3hAuk CLUSTERING THROUGH GENOMIC experienced user, forms an indispensable tool in the BIO: My name is Konrads Smelkovs and I am ANALYSIS reverser’s arsenal. a security consultant within KPMG’s Information BY ANUP GHOSH BIO: Chris is an embedded systems engineer Protection practice in London, UK where I practice Invincea and cyber security researcher, focused on low level the arts of attacking web application and network By capturing real-time forensic information on hardware and software RE and exploitation. security as well as defence—incident response thwarted zero-day attacks using virtual environments and malware reverse engineering. At the moment I for browsers and PDF readers and feeding that believe that defending is more intellectually stimulating information to the Invincea Threat Data Server, the BACKFUZZ than attacking, albeit the rush from getting root is paradigm can shift from one of post-facto breach BY MATÍAS CHOREN never getting old. My research is focused on how detection and analysis to pre-breach forensic backfuzz is a fuzzing tool for different protocols (FTP, to help defenders to fi ght back. Previous speaking examinations on the motives and methods of the HTTP, IMAP, etc) written in Python. engagements include CRESTCon and ISF Nordic adversary. Feeding this information into a high The general idea is that this script has several spring. dimention data analysis engine that categorizes predefi ned functions, so whoever wants to write their malware based on core genomic characteristics, own plugin’s (for another protocol) can do that in few REDLINE Invincea provides a visualization capability for malware lines. research. A demonstration of this capability can BY LUCAS ZAICHKOWSKY BIO: Independent Security Researcher & System be seen here: http://www.invincea.com/2012/06/ Engineer Student at Buenos Aires, Argentina. MANDIANT Redline is free utility from Mandiant that makes both applying-machine-learning-to-security-incident- experienced and entry-level incident responders response-with-invincea/ GSPLOIT faster and more effi cient. Using Redline, responders BIO: Anup Ghosh, Ph.D., is Founder and CEO at BY GIANNI GNESA can perform a guided investigation of possibly Invincea. Additionally, he is Research Professor and Ptrace Security compromised systems. Chief Scientist in the Center for Secure Information Gsploit is a scriptable penetration testing framework The updated version 1.5 of Redline includes new Systems (CSIS) at George Mason University. He was written in Python that not only provides a simple features and enhancements to existing capabilities, previously Senior Scientist and Program Manager platform to launch multi-stage / multi-vector attacks, including: in the Advanced Technology Offi ce of the Defense but also provides a rich set of functions to develop Advanced Research Projects Agency (DARPA) where U Improved Analysis Capabilities exploits for several different architectures. he managed an extensive portfolio in information U Include and search for Indicators of Compromise This tool is particularly useful for penetration testers assurance and information operations programs. He (IOC) and create a searchable report detailing any and vulnerability researchers who need to quickly turn previously held a role as Vice President of Research suspicious activity found matching those IOCs. a Proof-of-Concept (PoC) into a working exploit that at Cigital, Inc. In his career he has served as principal Simultaneously perform multiple tasks such as can be subsequently used in a real penetration test. investigator on contracts from DARPA, NSA, and conducting an investigation while searching BIO: Gianni Gnesa is a Malware Analyst at Ptrace NIST’s Advanced Technology Program and has written for IOCs. Security. He has been working in the information more than 40 peer-reviewed conference and journal U Check the progress of an investigation at any time security industry for over 6 years and has been articles. He was awarded the NSA’s Frank Rowlett via “Background Tasks” in the main menu and focused on exploit development and penetration Trophy for Individual Contributions in 2005 and the receive a notifi cation when a background task has testing. In his spare time, he likes to fi nd and exploit Secretary of Defense Medal for Execptional Public been scheduled. vulnerabilities in Web browser and interpreted Service for his contributions while at DARPA. Anup U Enhanced Data Collection and Confi guration languages, such as Java and PHP. was named to the Naval Studies Board for a National Confi gure and collect a much broader range of Academies Study in 2008 on Information Assurance data about the target host, such as event logs for Network-Centric Naval Forces and currently sits on MIRV and fi le listings. a number of advisory boards informing the future of BY KONRADS SMELKOVS KPMG U Convert this into searchable data using the new American cyber-defenses. MIRV (Metasploit’s Incident Response Vehicle) is a IOC search options. new tool (based on Metasploit’s meterpreter) which U Specify a set of IOCs before collection and Redline was created to address the perceived shortcomings in will now help tailor the confi guration to provide existing host-based incident response tools: they do meaningful search results and ensure that all the not operate on large amounts of nodes, are diffi cult to data required by the chosen IOCs is collected. get past change advisory boards that grant approval U See the detailed information associated with each 51 SPECIAL EVENTS BLACK HAT BOOKSTORE PWNIE AWARDS Emperors Foyer, Floor 4 / July 22-26 AUGUSTUS III+IV Ballroom / July 25, 18:15 Come by the offi cial bookstore and browse and In 2012 the Black Hat USA Briefi ngs are once again providing the venue for purchase the latest titles in security. the Pwnie Awards, the security industry’s premier award show celebrating the achievements and failures of the security community over the past year. For more information about the awards, please visit the offi cial Pwnie Awards BLACK HAT EMBASSY HALL website at http://pwnies.com Octavius Ballroom / July 25-26 Come by the Embassy Hall and learn more about our media partners, venerable institutions such as Federal Reserve of SF, OWASP, ISSA, and more. BLACK HAT EXECUTIVE BRIEFING ROMAN I-IV / July 24 BLACK HAT One hundred executives from Global 2000 corporations and federal agencies are invited to attend a full day of high-level discussions about topics unique MERCHANDISE STORE to Black Hat. The Executive Briefi ng will begin with an introduction from one Venice, Floor 4 / July 24-26 of the highest-ranked US government offi cials, discussing the importance of Get your Black Hat branded merchandise—t-shirts, jackets, mugs, barware cyber security to homeland security. The morning sessions will preview the and more! Please note: No cash will be accepted. Purchases can be made most important technical discussions planned for the main Black Hat Briefi ngs. with any major credit. Lead by Jeff Moss, founder of Black Hat and DEF CON, these previews will enable executives to discuss the implications of the newest vulnerabilities and attacks with their peers and the actual researchers. Executives can then use this knowledge to prepare their teams ahead of time and direct their technical BLACK HAT SPONSOR HALL experts to the most important research being released. Octavius Ballroom / July 25-26 As an attendee, you’ll have opportunities for discussion with presenters and Here is your chance to meet with representatives from and explore the peers, plus the chance to ask “threat direction” questions. Those questions offerings that the top security companies have to offer. will be funneled to the appropriate Black Hat speakers to discussion in the afternoon. The afternoon sessions will further include strategic discussions around the latest threats to the public and private sectors and long-term countermeasures BLACK HAT WORKSHOPS to be taken into consideration. Round out the afternoon with cocktails followed Florentine & Pompeian / July 25-26 by a dinner in one of the great restaurants housed in the Caesar’s complex. In our experience, Security professionals are always looking for the latest After the Executive Briefi ng dinner, executives are invited to mingle with tools and resources to perform their jobs effectively and effi ciently. This year speakers at the Black Hat VIP Party until midnight. we will be hosting two tracks of security workshops to provide delegates a deeper understanding with regards to a specifi c subject. These tracks will run Premium & Dinner Co-Sponsor: concurrently with the Briefi ngs presentations and are available to all persons holding a Briefi ngs pass, space permitting. Foundation Sponsor: What we hope to achieve: Greater awareness and access to terrifi c work for the security world at large. Event Sponsors: These will be deep technical sessions that can give delegates a chance to delve deeply into tech and hopefully take away practical applications to the Dinner Co-Sponsor: information presented. DEF CON BADGE PICKUP Emperors Ballroom / July 26, 11:00-17:00 DEF CON badge pickup will take place on July 26 starting at 11:00 for Black Hat delegates from the Emperors Ballroom. You will need to present both the DEF CON voucher portion of your badge as well as show your main Black Hat badge. DEF CON Badges must be pre-purchased as a part of your Black Hat registration. Discount pricing will not be offered at the regular DEF CON registration desk at the Rio. 52 SPECIAL EVENTS An exciting night awaits you at Black Hat’s “No Limit Mobile Security Reception by invite only. Hold’em” Poker Tournament, sponsored by Arbor Networks, on Wednesday, July 25th, 7pm, at Caesars Palace. Back by popular demand, this game of strategy, skill and psychology is an invitation-only event not to be missed! Register today at arbornetworks.com/poker12 How deep can you dive in your data? How low can you go at the Solera Networks World-Famous Blue Martini Party? Find out on Wednesday, July 25, 7:30-9:30 pm, at the Shadow Bar. Text “Hacked” to (702) 749-4808 to pre-register and score exclusive prizes throughout Black Hat! Emulex, a leader in Fibre Channel and 10GbE networking solutions has leveraged their enterprise expertise in the new Network Xceleration solution, Sniffer10G™. We’re hosting a very exclusive customer event during the conference— please RSVP, stop by booth 141 where the team will demonstrate Sniffer10G, and enter for a chance to win a The Stonesoft Enrichment Center is now accepting more test spot at this event. http://connect.emulex.com/LP=423 subjects. Stop by the Pisa Room where food, drinks, games, prizes and an authentic Portal Gun replica will be given away. Stop by booth 213 for details, and to secure your spot. Visit us at booth 537 for your chance to win tickets to our private party on Cleopatra’s Barge with L.A. indie rockers, NO. http://nomusicfor.me/ Come by Symantec booth #101 with your notebook and penetration tools, try your hacking skills, and see if you can Do you rule the code? Find out by taking our crack-me break into one of our systems. A grand prize of $2000 will be challenge, eset.com/us/rulethecode. Winner gets admission given to the person who captures the main fl ag and several to Black Hat USA or Europe 2013 and $1000 cash. other GREAT prizes will be awarded for those that capture several fl ags. Join Mandiant for our annual M After Dark party at the Shadow Bar in Caesars Palace! Festivities begin on Tuesday, July 24 at 7:00 p.m. Register here: http://marketing.mandiant.com/Mafterdark-shadowbar 53 STAY CONNECTED + MORE THE OFFICIAL BLACK HAT BOOK SIGNGINGS WIRELESS NETWORK with these speakers in the Palace Ballroom Foyer: Aruba Networks is proud to be supplying, July 25 / 15:15 installing, and managing the WLAN infrastructure Dino Dai Zovi, Stefan Esser, Vincenzo Iozzo, Charlie Miller, at Black Hat USA 2012. Ralf-Philip Weinmann authors of the ios Hackers Handbook A / B / G / N WLAN Access July 26 / 10:00 SSID: BlackHat Neal Stephenson author of Snow Crash, Cryptonomicon, WPA2-PSK: ArubaNetworks Anathem, Quicksilver Be sure to visit the Aruba NOC in GENOA Meeting Room (3rd July 26 / 11:15 Floor/Promenade Level) to speak with wireless security engineers Bruce Schneier authors of Liars and Outliers, Beyond Fear, or see the actual BH USA 2012 network Secrets & Lies STAY CONNECTED VIDEO GUIDELINES Keynotes and Sessions: All video content must be Twitter: Twitter.com/Black HatEvents attributed to Black Hat USA 2012. Zooming in on laptops is Facebook: Facebook.com/Black Hat not permitted. Camera crews and videographers must receive permission from the subject being recorded. LINKED.IN: search for “Black Hat” on LinkedIN Groups Major media companies: contact Black Hat show management for special arrangements. We encourage sharing UPCOMING EVENTS: of video content with Black Hat show management for greater exposure and cross promotion opportunities. Sponsor Hall & Black Hat Training: HALO Summit 2012 General Areas: Handheld cameras and mobile devices are not San Diego, CA October 29-November 2 permitted on the Sponsor Hall or in main traffi c areas. Black Hat UAE 2012 Abu Dhabi, United Arab Emirates December 10-13 Booths & Sponsors: Sponsors may record videos within the confi nes of their booth, but may not record other Sponsors Black Hat EU 2013 booths or their staff without their permission. Before doing stand- Amsterdam, The Netherlands March 11-14 up or fi xed video recording, Sponsors should contact Show Black Hat USA 2013 Management for special arrangements. For more information, Las Vegas, Nevada July 27-August 1 contact Show Management in the Press Room, Messina and Livorno rooms, Floor 3. EVENT AUDIO + VIDEO THE SOURCE OF KNOWLEDGE LATEST INTEL PALACE BALLROOM FOYER / JULY 25-26 “scientia potentia est” = “Knowledge is Power” Afraid you’ll miss a session? The Source of Knowledge will be Thomas Hobbes was not speaking directly about the world of onsite to sell audio and video recordings of the Briefi ngs sessions. Information Security, but he should have been. Survival in InfoSec Media, including iPad ready presentations, may be purchased is determined by one’s ability to keep up. Black Hat’s Latest Intel onsite at a substantial discount. provides inside information on the latest discoveries, breaking content, speaker selections, schedules, contests, and in general, all things Black Hat. So be sure to check back regularly! Black Hat is exclusively focused on the security community. If you have any new and interesting Intel of your own that the rest of the world should know, email “intel (at) Black Hat (dot) com” 54 SPONSORS DIAMOND PLATINUM TM GOLD SILVER Detecting Tomorrow’s Threats Today Network Performance + Security Monitoring™ TRONG UTH® MEDIA S SecuringA the Core ASSOCIATED OFFICIAL WIRELESS PROVIDER NATIONAL COLLEGIATE CYBER OWASP The Open Web Application Security Project DEFENSE COMPETITION 55 PAN_BH12_AD_062612.pdf 1 6/26/12 3:06 PM C M Y CM MY CY CMY K Learn About Next-Generation Threat Prevention Palo Alto Networks™ next-generation firewalls identify known and unknown threats on all ports, all traffic, all the time. Our top malware and vulnerability researchers are available to share Palo Alto Networks latest advancements in network security, including WildFire™, which has uncovered thousands of new and targeted malware samples. www.paloaltonetworks.com