Speakers

Dan Tentler – Carpe Datum: Drinking from the espresso firehose we know as Shodan
Jimmy Shah – Real Advances in Android Malware
Joseph McCray – Big Bang Theory: The Evolution of Pentesting High Security Environments
Robert R. – Juice Jacking 101: Learning from Shenanigans
Vyrus & Frank^2 – My Other Shellcode is the da Vinci Virus
Aditya K Sood & Richard J Enbody – Insidious Infections: Mangling with Botnets
David M N Bryan – I pwned your router. Oops.
John Norman – Physical Security: Bridging the Gap with Open Source Hardware
Karthik Raman – Selecting Features to Classify Malware
Jon McCoy – Hacking .NET(C#) Applications: The Black Arts (v2)
DC949 Research Team – Codename Stiltwalker
Datagram & Schuyler Towne – Disc-Detainer Lockpicking


My Other Shellcode is the da Vinci Virus

Vyrus & Frank^2

This talk will focus on making native code execution cool again. Bitcoin wallet grabbers, banking trojans, key loggers, logic bombs designed to infect SCADA or networked subsystems, highly infectious worms: all of these are dangerous and creative tools used by criminals to carry out all sorts of fancy crime schemes, and their post-exploitation code is really REALLY fucking BORING! Throughout the talk we will provide examples of shellcode designed to do FUN shit. Rabbits bouncing all over the screen, random instances of pong that start up on your machine, code snippets that play the Pac-Man theme in the background while displaying windows with messages that say things like “arf arf we gotcha!”: these are the types of shenanigans we hope to showcase, inspire and provide examples of.

The development of Vyrus started in the late 1950s by a team from PNIL-52, and a female chemist named Iya Danilovna Shilakova jointly. They completed their work in 1963 and were later awarded the Lenin Prize for their achievement. A binary version of the weapon, comprising two less toxic precursors which mixed during flight, was later developed, for which they were awarded the 1990 Lenin Prize. In 1972 the Soviets opened a manufacturing plant for Vyrus in Novocheboksarsk. All facilities in USSR produced 15,557 tons of Vyrus according to their declaration to the Organisation for the Prohibition of Chemical Weapons (OPCW), although most if not all of this has now been reported destroyed under disarmament treaties.

Fabrizio Tapioco started out selling gelato alongside an Italian coffeeshop when the cookie monster started consuming his cash register. That exciting day changed his life forever. Tapioco was soon tossed into a wicked spiral that is the binary rabbit hole, tossed down a tunnel of crypters and warez, keygens and cracks and shady affairs. Once escaped from the wickedness of dark buyers, he moved on to write controller code to help alcoholic robots with their ethanol addictions, earning an honorary Nobel prize for his noble service in curing one of the first known genetic diseases in the realm of robotics. Now he just writes PHP all day. It’s a thoughtless job that makes it easier to control the bots at all times!


Carpe Datum: Drinking from the espresso firehose we know as Shodan

Dan Tentler

Have you ever stayed up until 5am fiendishly digging around on Shodan? I have. More times than I care to admit. I’m starting to find patterns. Shodan is genius. It’s a glorious search engine that catalogs the banners from TCP connections on several ports – for the entire IPv4 internet. This makes for some bodacious late night reading. The findings, on the other hand, are in a lot of cases most heinous. SCADA, power company networks and controls, thousands of webcams, weed growrooms, .gov/.mil border routers and SharePoint systems. It’s a little overwhelming. I decided to sift it all through a strainer to make it easier to take in. So I wrote a scraper script and a viewer to better parse the results! Come with me on an excellent adventure – but without Bill or Ted – more like the haunted mansion ride, except all the ghosts and spooks are systems or cameras left wide open on the internet. Did you know you could telnet into hydrogen fuel cells? Neither did I!

Dan Tentler is currently employed at BT as a Security Consultant and parachuted into various clients in southern California. Previously Dan was a freelance Information Security Consultant and carried a wide breadth of clients and engagements, ranging from wireless site surveys and penetration testing, to full blown social engineering campaigns, to lockpicking and threat & vulnerability assessments. Dan has presented at various BarCamps, Toorcon San Diego, ToorCon Seattle, Refresh San Diego and SDSU computer security advanced lecture classes. Come find Dan and ask him about things, he’ll talk your ear off.


Selecting Features to Classify Malware

Karthik Raman

Polymorphic malware is a menace to modern computing and a strain on business productivity. The challenge faced by antivirus technology is that there is not enough time for new variants of this type of malware to be collected, sent to antivirus companies, and analyzed, and for signatures to be created and returned to customers. To attempt to address this problem, we explore the classification of malware using machine learning. We compare some classifiers for malware and present a carefully selected set of attributes that result in good classification between malware and clean programs. We discuss the application of this research to security technologies.

Karthik Raman, CISSP, is a security researcher on the Adobe Product Security Incident Response Team (PSIRT), where he focuses on vulnerability analysis and technical collaboration with industry partners. Before joining Adobe, Karthik was a research scientist at McAfee Labs, where he worked on threat analysis, building automation systems, malware analysis, and developing advanced antimalware technology. Karthik holds a Master of Science degree in Computer Science from UC Irvine and Bachelor of Science degrees in Computer Science and Computer Security from Norwich University. Both universities are National Security Agency Centers of Excellence in Information Assurance.


Real Advances in Android Malware

Jimmy Shah

Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn’t be sending SMS messages to expensive numbers. They’re leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software. It’s not all that bad. Attackers aren’t going out of their way to discover their own vulnerabilities or writing their own exploits. They’re happy to repurpose the work done by legitimate developers, security researchers and the rooting community. If the malware has gotten trickier, what are those tricks? We’ll look at portions of code (bytecode/decompiled Java source & disassemblies) from in-the-wild mobile malware and show how earlier research is adapted by attackers.

Jimmy Shah is a Mobile Security Researcher specializing in analysis of mobile/embedded threats on existing platforms (J2ME, Symbian, Windows Phone, iOS, Android) and potential mobile malware and spyware. If it’s lighter than a car, has a microprocessor, and is likely to be a target it’s probably his problem. He has presented on mobile threat research at a number of computer security conferences.


Juice Jacking 101: Learning from Shenanigans

Robert Rowley

The concept originated on July 4th, and within a month (with some help) a ‘malicious’ charging kiosk was designed and deployed in the most untrusted environment we could find, DefCon. The presentation will go over basics of the build, information learned during the deployment of the “juice jacker” and the goal of the project. It may be rumored that we’ve designed a better kiosk that is far more malicious. I will bring it on stage with me to give a demo.

Robert Rowley is a security researcher (news to me) credited with pioneering “Juice Jacking”, a cell phone attack using public charge kiosks for malicious intent. Founding member of Irvine Underground, a computer security group out of Irvine, California since 2002.


Big Bang Theory: The Evolution of Pentesting High Security Environments

Joe McCray

This presentation focuses on pentesting high security environments, new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and exfiltrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests. This presentation picks up where Joe left off in last year’s presentation “You Spent All That Money And You Still Got Owned” and takes it to the next level.

Joe McCray is an Air Force Veteran and has been in security for over 10 years. Joe has been involved in over 150 high level penetration testing engagements and has some major hacking accomplishments that he can share with his students and clients. His extensive experience and deep knowledge, mixed with his comedic style, has led Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe is the founder and CEO of http://strategicsec.com, an IT Security consulting firm that provides in-depth technical security assessments of your network, web application, and regulatory compliance gap analysis.


Insidious Infections: Mangling with Botnets

Aditya K Sood & Richard J Enbody

Malware is increasingly becoming aggressive with the advent of new exploitation techniques. Third Generation Botnets (TGBs) such as SpyEye, Zeus and ICE X exhibit rapid advancements in malware design and implementation techniques. Hybrid botnets such as NGR are exploiting the integrity of the online world. This talk sheds light on the robust exploitation techniques used by present-day botnets. We will be discussing FormGrabbing, Web Injects, DNS Changers, Web Fakes and Ruskill in detail. In relation to this, data exfiltration strategies will be discussed in detail, in which the design and execution of plugin architecture will be presented. Primarily, the nature of malware is better revealed by visualization. This talk has a good set of live demonstrations showing the exploitation tactics of present-day malware.

Aditya K Sood is a senior security researcher and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security Labs, an independent security research arena for cutting edge computer security research. At SecNiche, he also acts as an independent researcher and security practitioner for providing services including software security and malware analysis. He has been an active speaker at industry conferences and has already spoken at RSA, Virus Bulletin, HackInTheBox, ToorCon, HackerHalted, Source, TRISC, AAVAR, EuSecwest, XCON, Troopers, OWASP AppSec USA, FOSS, CERT-IN, etc. He has written content for HITB Ezine, VB Magazine, ISSA, ISACA, CrossTalk, Usenix Login, Hakin9 and Elsevier Journals such as NESE and CFS. He is also a co-author for debugged magazine.

Richard J. Enbody, Ph.D., is associate professor in the Department of Computer Science and Engineering at Michigan State University (USA) where he joined the faculty in 1987. Enbody has served as acting and associate chair of the department and as director of the computer engineering undergraduate program. His research interests include computer security; computer architecture; web-based distance education; and parallel processing, especially the application of parallel processing to computational science problems. Enbody has two patents pending on hardware buffer-overflow protection that will prevent most computer worms and viruses.



I pwned your router. Oops.

David M N Bryan

The embedded system market is great! They give us the power to make things happen, and give us shiny unicorns. I’m coming at this with the approach of a service provider, producing hardware for end users. The developers and system engineers seem to think that being a “custom” solution gives them amnesty from security. I will focus on issues that I have identified, and what is recommended for the future of embedded computing for commercial applications. Time permitting (and demo gods) I would love to do a demo of JTAG memory dumping, and show the fun things we can find using IDA Pro.

David has over 10 years of computer security experience, including pentesting, consulting, engineering, and administration. As an active participant in the information security community, he volunteers at DEFCON, where he designs and implements the firewall and network for what is said to be the most hostile network environment in the world. This network allows speakers, press, vendors, and others to gain access to the Internet, without being hacked. In his spare time he runs the local DEFCON group, DC612, is the president of the Minneapolis Hack Factory, and participates in the Minneapolis OWASP chapter.


Physical Security: Bridging the Gap with Open Source Hardware

John Norman

This talk will be a follow-up to last year’s overview of physical access control systems and the vulnerabilities and challenges associated with implementing them. Highlights include new research on DIY access control, fusion of off-the-shelf sensors and other cheap technology to maximize physical security and minimize false alarms, and a new project involving the Raspberry Pi physical computing platform.

Additionally, a series of new open-source security monitoring and interoperability protocols under development will be discussed. Sample code using the Arduino IDE will be provided, along with links to a wiki with reference designs and protocol standards.

John Norman is a founding member of the 23b Hacker Space in Fullerton, CA. He is also the principal of ACCX Products Inc, an open-source hardware company. Expertise includes enterprise security and DR, and physical computing.


Hacking .NET(C#) Applications: The Black Arts (v2)

Jon McCoy

This presentation will cover the Black Arts of making Cracks, KeyGens, Malware, and more. The information in this presentation will allow a .NET programmer to do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures to stop such attacks. New tools to assist in the attacks will be supplied. This presentation will focus on C# but applies to any application based on the .NET framework.

Jon McCoy is a .NET Software Engineer focused on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for paralyzed people. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself. He provides consulting to protect .NET applications.


Codename Stiltwalker

DC 949 Research Team (C-P, Adam, Jeffball)

Don’t let the unassuming codename fool you, this project is as sexy as it gets. As usual, we decided to dig into a popular system, which will be named at this exclusive disclosure. It is the most widely used and popular system of its kind; all of you have most assuredly used it at some point. We will be detailing Stiltwalker and the methods it uses, followed by a source code distribution and live demonstration.

Bios coming soon!


Disc-Detainer Lockpicking

datagram & Schuyler Towne

Most lockpicking talks focus on the common pin-tumbler locks and combination locks we use every day. This talk will go over “disc-detainer” locks, a type of key-operated lock that uses rotating discs instead of pins or wafers. These locks range from low to high security and are extremely popular in certain parts of the world. They’re slowly becoming more popular in the United States and Europe, especially in high-security settings. We’ll go over how these locks work, differences in designs between low and high security disc-detainer locks, and do live demonstrations to show how these locks can be picked, impressioned, and decoded.

datagram has taught about locks, safes, and methods to compromise them for many years, including training to private companies and government agencies. He has spoken many times on physical and digital security at various conferences and is a part-time forensic locksmith. datagram runs the popular lock and security websites LockWiki and Lockpicking Forensics.

Schuyler Towne is obsessed with locks. While he got his start picking locks competitively, his interest has since exploded into every aspect of their history, design and manipulation. He’s taught hackers, authors, cops and even toy designers. There is nothing Schuyler loves more than to talk locks with anyone who will listen. His interests in the history of physical security and design of locks provides a passionate background to his lectures and workshops on lockpicking. Currently he is writing an Almanac of Locksport for O’Reilly and studying media portrayals of lockpicking.

For a list of presentations from past years, check out the LayerOne Archives