Эпизоды
-
Jeff Moss introduces the Keynote and welcomes everyone tthe Amsterdam 2007 conference!
Roger will provide an overview of the work of CPNI in reducing vulnerability in information systems that form part of the UK. He will then challenge the community on a number of issues, including the development of the malicious market place, and the role security researchers in addressing vulnerabilities as used by a range of threat actors.
Until 31 January 2007 Roger Cumming was Director of the National Infrastructure Security Co-ordination Centre (NISCC), the UK centre responsible for minimising the impact of electronic attack on the UK critical national infrastructure. Since 1 February Roger has been Head of Advice Delivery and Knowledge Development at the UK Centre for the Protection of National Infrastructure (CPNI). CPNI provides protective security advice on information security as well as physical and personnel security treduce the vulnerability of the UK's national infrastructure tterrorism and other threats. -
RFID is being embedded in everything... From Passports tPants. Door Keys tCredit Cards. Mobile Phones tTrash Cans. Pets tPeople even! For some reason these devices have become the solution tevery new problem, and we can't seem tget enough of them....
"Adam Laurie is Chief Security Officer and a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micrcomputers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention tthose areas and away from programming, starting a data conversion company which rapidly grew tbecome Europe's largest specialist in that field (A.L. downloading Services).
During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own-'Apache-SSL'-which went on tbecome the de-factstandard secure web server.
Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers - http://www.thebunker.net) as secure hosting facilities.
Adam has been a senior member of staff at DEFCON since 1997, and alsacted as a member of staff during the early years of the Black Hat Briefings. More recently he has become interested in mobile device security, and was responsible for discovering many major Bluetooth security issues, and has alsspoken on other wireless topics such as InfraRed and Magnetic Stripes. His current interest, RFID, has spawned another Open Source project, RFIDIOt, which is alsbringing several security issues tthe fore. More detail can be found here: http://rfidiot.org" -
Пропущенные эпизоды?
-
"Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application.
This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker tset up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision.
This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for twcomplex heap corruption vulnerabilities.
The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable tother browsers as well. "
Alexander Sotirov has been involved in computer security since 1998, when he started contributing tPhreedom Magazine, a Bulgarian underground technical publication. For the past nine years he has been working on reverse engineering, exploit code development and research of automated source code auditing. His most well-known work is the development of highly reliable exploits for Apache modssl, ProFTPd and Windows ASN.1. He graduated with a Masters degree in computer science in 2005. His current job is as a vulnerability researcher at Determina Inc. -
"The last years have seen the growth of botnets and its transformation inta highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends tshow what are the major challenges faced by botnet authors and what they might try in the future tsolve them. The presentation will pass through some interesting solutions for botnet design challenges. A layered and extensible approach for Bots will be presented, showing that solutions from exploit construction (like metasploit), P2P networks (Gnutella and Skype), authentication (digital signatures) and covert channels research fields can be used tmake botnets more reliable, extensible and hard tput down."
"Augustworks with Information Security since 2000. He worked for security consulting companies, Moduland Proteus, as security analyst and project manager. Augustalsworked in BankBoston, a Bank of America branch, as security manager, and now works as CSin a Credit Card processing company.
In 2003, coined the term honeytoken during a discussion with other researchers on the focus-ids mailing list. In his last research, Augustbuilt a Proof of Concept Trojan horse that works against the most recent security measures from Brazilian online banks, presented at the CNASI Conference in 2005. He is an active blogger (http://www.paesdebarros.com.br/indexpb.html).
Current president of the Brazilian ISSA Chapter, he alsgives Criptography and Ethical Hacking classes tthe post-graduation courses from IBTA University. He is finishing his Master in Computer Engineering at the Technology Research Institute (Institutde Pesquisas Tecnologicas de SoPaulo), working on a methodology for internal threats detection." -
"Data theft is becoming a major threat, criminals have identified where the money is, In the lafrom fortune 500 companies were compromised causing lots of money losses. This talk will discuss the Data Theft problem st years many databasesfocusing on database attacks, we will show actual information about how serious the data theft problem is, we will explain why you should care about database security and common attacks will be described, the main part of the talk will be the demostration of unknown and not well known attacks that can be used or are being used by criminals teasily steal data from your databases, we will focus on most used database servers: MS SQL Server and Oracle Database, it will be showed how to steal a complete database from Internet, how tsteal data using a database rootkit and backdoor and some advanced database 0day exploits. We will demostrate that compromising databases is not big deal if they haven't been properly secured. Alsit will be discussed how tprotect against attacks syou can improve database security at your site."
"Cesar Cerrudis a security researcher & consultant specialized in application security. Cesar is running his own company, Argeniss (www.argeniss.com). Regarded as a leading application security researcher, Cesar is credited with discovering and helping fix dozens of vulnerabilities in applications including Microsoft SQL Server, Oracle database server, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. Cesar has authored several white papers on database and application security and has been invited tpresent at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest and WebSec." -
"The Achilles' heel of network IDSes lies in the large number of false positives (i.e., false attacks) that occur: practitioners as well as researchers observe that it is common for a NIDS traise thousands of mostly false alerts per day. False positives are a universal problem as they affect both signature-based and anomaly-based IDSs. Finally, attackers can overload IT personnel by forging ad-hoc packets tproduce false alerts, thereby lowering the defences of the IT infrastructure. Our thesis is that one of the main reasons why NIDSs show a high false positive rate is that they dnot correlate input with output traffic: by observing the output determined by the alert-raising input traffic, one is capable of reducing the number of false positives in an effective manner. Tdemonstrate this, we have developed APHRODITE (Architecture for false Positives Reduction): an innovative architecture for reducing the false positive rate of any NIDS (be it signature-based or anomaly-based). APHRODITE consists of an Output Anomaly Detector (OAD) and a correlation engine; in addition, APHRODITE assumes the presence of a NIDS on the input of the system. For the OAD we developed POSEIDON (Payl Over Som for Intrusion DetectiON): a two-tier network intrusion detection architecture.
Benchmarks performed on POSEIDON and APHRODITE with DARPA 1999 dataset and with traffic dumped from a real-world public network show the effectiveness of the twsystems. APHRODITE is able treduce the rate of false alarms from 50% t100% (improving accuracy) without reducing the NIDS ability tdetect attacks (completeness)."
DamianBolzoni received a MSc degree from the University of Venice, Italy, in Computer Science with a thesis about anomaly-based Network Intrusion Detection Systems. He has been working for a year at the Information Risk Management division in KPMG Italy. He is author of the POSEIDON and APHRODITE papers and gave talks at IWIA workshop, WebbIT and many security conferences in Netherlands. At the moment, he is a PhD student at the University of Twente, The Netherlands. His research topics are IDS and risk management. -
"Long gone are the days of widespread internet attacks. What's more popular now are more directed or targeted attacks using a variety of different methods. Since most of these attacks will be a single shot styled attack attackers will often look for anyway tincrease the likelihood of success.
This is where data seepage comes in. Unbeknownst ta lot of mobile professional's laptops, pdas, even cell phones can be literally bleeding information about a company's internal network. This can be due tapplications like email clients that are set tstart up and automatically search for its mail server, windows may be attempting tremap network drives, an application could be checking for updates.
All this information can be used by an attacker tmake attacks more accurate with a higher likelihood of success. Don't laugh and dismiss this as a trivial problem with nimpact. Through demonstrations and packet caps we will show how this problem can be the weak link in your security chain. " -
"Kernel vulnerabilities are often deemed unexploitable or at least unlikely tbe exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down t""creative debugging"" and knowledge about the target in question.
This talk intends tdemystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defenders point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.
The entire process will be discussed, including how the vulnerabilities were found, how they were analyzed tdetermine if and how they can be reliably exploited and of course the exploits will be demonstrated in practice. -
"ScarabMon is a new tool and framework for simplifying web application pentests. It makes the process of finding many common webapp flaws much easier. The user simply navigates the target site while using the WebScarab proxy and ScarabMon constantly updates the user with information on discovered flaws.
ScarabMon is written in Python and all code and modules will be released at the conference.
ScarabMon is alseasily extensible, with useful checks often only requiring 5-10 lines of Python code.
I wrote ScarabMon because I couldn't find anything like it.
Historically the standard web proxies have been @Stake's WebProxy (which is totally unavailable anymore as Symantec killed it after the acquisition), SpikeProxy and WebScarab. Those have have recently been joined by twother apps, WebScarab-NG and Pantera.
The latter are not ready for serious usage yet. Pantera development seems thave stalled and WebScarab-NG is missing major features, though it shows the most promise. The latest date on any of the SPIKEProxy files is from 2003.
Sbasically everyone uses WebScarab for web application pen tests.
WebScarab is obnoxious tprogram for, as you have twrite dozens of lines of Java code (BeanShell) for the simplest tasks. BeanShell is alsoften unstable.
ScarabMon is currently designed twork with WebScarab, but could be ported twork with any of the above should the need arise. Instead of acting as a proxy, it just monitors the output of the proxy and opportunistically performs tests. Some tests are things people have seen before in other tools (like finding directories that support PUT) and others aren't anything I've seen in any other tool such as finding values that were set as cookies over SSL that later wind up as a query string parameter.
The best thing is that you get all of this for free. You don't have tchange *anything* about your current testing methodology. You just run ScarabMon in the background and it sees the servers and files you're accessing and generates findings. -
"Classical debuggers make use of an interface provided by the operating system in order taccess the memory of programs while they execute. As this model is dominating in the industry and the community, we show that our novel embedded architecture is more adapted when debuggee systems are hostile and protected at the operating system level.
This alternative modelization is alsmore performant as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how tkeep memory unintrusiveness using a new technique called allocation proxying.
We reveal how we developed the organization of our multi- architecture framework and its multiple modules sthat they allow for graph-based binary code analysis, compositional Fingerprinting, program instrumentation, real-time tracing, multithread debugging and general hooking of systems. Finally we reveal the re?ective essence of our framework : our analyzers are made aware of their own internal structures using concepts of aspect oriented programming, embedded in a weakly typed language dedicated treverse engineering. "
Julien Vanegue is a predoctorate student in the Parisian Master of Research in Computer Science (MPRI). He is the founder of the ELF shell and the Embedded ELF debugger projects for which he realized the software architecture and development for now 6 years. His interrests are about program analysis, semantics, logic, reverse engineering, embedded systems and security. -
"When dealing with Windows exploits, an issue that often emerge is their cross-platform reliability, meaning they often work against either some given service packs of the OS, or some localization of the OS. It is quite rare tfind exploits that will work on a very wide range of Windows installs.
While multiplying the number of targets in an exploit is often the solution found in the wild, it seems that nobody has yet disclosed a solution tfingerprint a Windows language, or discuss about cross languages and service packs return addresses (though cross SP only is now fairly well mastered).
Immunity, Inc. had twork on this issue for CANVAS, in order tbuild more reliable exploits, and this paper intend texplain some of the solutions that were found tthese issues.
" Kostya is well known in the security industry for various vulnerability research projects. He is the discoverer of many software vulnerabilities which have resulted in several Microsoft patches, latest one being MS06-074, the SNMP service remote code execution. His most recent conference presentations were at Microsoft's BlueHat Fall 2006 Sessions, speaking on Skype security and at RECON'06. Kostya has joined Immunity, Inc. from the European Aeronautic Defence and Space Company (EADS), where he was a research engineer. He manages Immunity, Inc. Partners Program and does exploit development for CANVAS. Prior tthat, Kostya was manager of the French Academic CERT. -
"Fuzzing is a software testing technique that consists in finding implementation bugs. Fuzzing Wi-Fi drivers is becoming more and more attractive as any exploitable security bug will enable the attacker trun arbitrary code with ring0 privileges (within victim's radicoverage).
This presentation will describe all the processes involved in the design from scratch of a fully-featured Wi-Fi fuzzer. It will pinpoint all issues and constraints when fuzzing 802.11 stacks (scanning, bugs identification, replaying bugs, analyzing kernel crashes...).
Then some features will be focused on, in order tunderstand which kind of implementation bugs may be discovered and which vulnerabilities we discovered thanks tthis tool (CVE-2006-6059, CVE-2006-6125).
Finally, a real-world example will be fully explained: how we found the first (publicly known) madwifi stack-based overflow thanks tour Wi-Fi fuzzer (CVE-2006-6332)."
Laurent is a network security expert working for France Telecom RD labs, where he works on wireless security (IEEE 802.11, IEEE 802.16...), honeypots and malwares. He alsspoke at numerous security-focused conferences (EuroSec, SSTIC, FIRST, LSM, ToorCon, ShmooCon, BlackHat...). -
"The SMTP protocol, used in the transport and delivery of e-mail messages, includes control headers along with the body of messages which, as opposed tother protocols, are not stripped after the message is delivered, leaving a detailed record of e-mail transactions in the recipient mailbox.
Detailed analysis of SMTP headers can be used tmap the networks traversed by messages, including information on the messaging software of clients and gateways. Furthermore, analysis of messages over time can reveal organization patching policies and trends in user location and movements - making headers a very valuable resource during the target selection phase of targeted attacks."
"Lluis Mora is a researcher at Neutralbit, a research and development provider for information security vendors, where he specializes in vulnerability assessments and penetration testing of products, applications and products.
Lluis has worked in the information security field for over a decade, consulting for various service providers and corporations throughout Spain and South America. He has published various papers on vulnerability research in IT and SCADA systems and won the openhack competition back in 1999 and 2000. " -
"Introduction:The following presentation is twparts, the first covers aspects of Microsoft's GS implementation and usage. The second is a complementary section dealing with ASLR in Windows Vista, its implementation and some surprising results...
Part I Synopsis: GS is a Visual Studicompiler option that was introduced in Visual Studi2002 tmitigate the local stack variable overflows that resulted in arbitrary code execution. The following paper details the methods Symantec used tassess which binaries within Windows Vista 32bit leveraged GS as a defensive mechanism. This paper presents the results of this analysis, the techniques that have been developed, and supporting material. The results in this paper are from the 32bit RTM release of Microsoft Windows Vista
Part II Synopsis: Address Space Layout Randomization (ASLR) is a mitigation technique designed thinder the ability of an attacker tachieve arbitrary code execution when exploiting software vulnerabilities. As the name implies, ASLR involves placing a computer program and its associated memory at random locations, either between reboots or executions, thinder the attacker's ability treliably locate either their shell code or other required data. This paper is the result of a brief analysis of the implementation of ASLR within Microsoft Windows Vista 32bit RTM, conducted by Symantec's Advanced Threat Research. "
"Mr Whitehouse has worked in information security both as a consultant and researcher. This has included being employed by companies in a variety of industries ranging from financial services ttelecommunications. Mr Whitehouse originally created Delphis Consulting's security practice in 1999. Mr Whitehouse joined @stake Inc in 2000 as a Managing Security Architect before becoming European Technical Director in 2004. After Symantec's acquisition of @stake Inc in 2004 Mr Whitehouse continued as Technical Manager for its professional services division in London until 2005. In mid 2005 he took a full time research role with Symantec Research Labs in Government research. Mr Whitehouse subsequently moved tSymantec's Response division joining its Advanced Threats Research team specializing in mobile platforms and related technologies.
Mr Whitehouse as previously published research on the security of mobile telecommunication networks, mobile devices and Bluetooth. In addition he has alsdiscovered numerous security vulnerabilities in a wide range of desktop and server applications. His previous research has led him tpresent at CanSecWest, RuxCON, UNCON and Chaos Communication Camp among others" -
"SS7 has been a walled garden for a long time: only big telcwould be interconnected tthe network. Due tderegulation and a push toward all-IP architecture, SS7 is opening up, notably with SIGTRAN (SS7 over IP) and NGN (Next Gen Networks) initiatives.
SCTP is the protocol used tcarry all telecom signalling information on IP according tthe SIGTRAN protocol suite. It's the foundation, as TCP is the foundation for the web and email. SCTP is alsused for high-performance clusters, resources pooling and very high-speed file transfer.
When you discover open SCTP ports, you discover a secret door tthis walled garden. As a walled garden, the internal security of the SS7 network is not as good as one might expect. SCTPscan is a tool tdexactly just that, and is released as open source.
This presentation will explain how SCTPscan manages tscan without being detected by remote application, how discrepancies between RFC and implementation enable us tscan more efficiently and how we manage tscan without even being detect by systems like SANS - Dshield.org. Here we will have a look at INIT packet construction, stealth scanning and a beginning of SCTP fingerprinting.
Then, we gon tdetail upper layer protocols that use SCTP and the potentials of the SIGTRAN protcol suite in term of security. We'll see the M2UA, M3UA, M2PA, IUA which are SIGTRAN-specific protocols, and alsthe more generic SS7 protocols such as ISUP, BICC, BSSAP, TCAP, SCCP and MTP. "
"Philippe Langlois is a founder and Senior Security Consultant for Telecom Security Task Force, a research and consultancy outfit.
He founded and led technical teams in several security companies (Qualys, WaveSecurity, INTRINsec) as well as security research teams (Solsoft, TSTF).
He founded Qualys in 1999 and led the R&D for this world-leading vulnerability assessment service.
He founded Intrinsec, a pioneering network security company in 1995, as well as Worldnet, France's first public Internet service provider, in 1993.
He has proven expertise in network security, from Internet tless well known networks - X25 and other legacy systems mostly used in banking, travel and finance.
Philippe was alslead designer for Payline, one of the first e-commerce payment gateways on Internet. He has written and translated security books, including some of the earliest references in the field of computer security, and has been giving speeches on network security since 1995 (RSA, COMDEX, Interop).
Philippe Langlois is a regular contributor of french-speaking security portal vulnerabilite.com. and a writer for ITaudit, the magazine of the International Association of Internal Auditors.
Samples of the missions he has been involved with are Penetration Testing contract on multi-million live users infrastructures such as Telecom operators GSM backbone, due diligence for M&A, security architecture audits, product security analysis and advisory." -
"n this talk, after briefly reviewing why we should build a good anomaly-based intrusion detection system, we will briefly present twIDS prototypes developed at the Politecnicdi Milanfor network and host based intrusion detection through unsupervised algorithms.
We will then use them as a case study for presenting the difficulties in integrating anomaly based IDS systems (as if integrating usual misuse based IDS system was not complex enough...).
We will then present our ideas, based on fuzzy aggregation and causality analysis, for extracting meaningful attack scenarios from alert streams, building the core of the first 360 anomaly based IDS.
Also, we will introduce some brand new ideas for correlation based on statistical fitting tests."
Andrew Walenstein is a Research Scientist at the Center for Advanced Computer Studies at the University of Louisiana at Lafayette. He is currently studying methods for malware analysis, and brings in experience from the area of reverse engineering and human-computer interaction. He received his Ph.D. from Simon Fraser University in 2002. -
"This paper will show a extremely simple technique tquickly audit a software product in order tinfer how trustable and secure it is. I will show you step by step how tidentify half dozen of local 0day vulnerabilities in few minutes just making a couple of clicks on very easy tuse free tools, then for the technical guys enjoyment the vulnerabilities will be easily pointed out on disassembled code and detailed, finally a 0day exploit for one of the vulnerabilities will be demonstrated and explained.
While this technique can be applied tany software in this case I will take a look at the latest version of Oracle Database Server: 10gR2 for Windows, which is a extremely secure product sit will be a very difficult challenge tfind vulnerabilities since Oracle is using advanced next generation tools tidentify and fix vulnerabilities."
Sun Bing is the Research Scientist at McAfee (China) currently, and has held security related positions at several famous companies heretofore, such as Rising and Siemens. SUN BING has more than 6 years of experience in Windows Kernel and Security Techniques (Anti-Virus, Firewall, IPS etc) research development, especially with deeply delving intBuffer Overflow Prevention, Rootkit Detection and x86 Virtualization. His main works previously involve participating in Rising Anti-Virus Softwares development, publishing the paper (The Design Of Anti-Virus Engine) at xfocus, taking charge of the design and development of a desktop security product-LinkTrust IntraSec, and speaking at security conferences such as XCON2006 and POC2006... -
"Today, other than doing a full static analysis of the code, the most common practice tfind vulnerabilities in your web application is tget off-the-shelf automated web scanner, point ta URL, and hope that it's doing the right thing.
But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at what's happening inside the application while these web scanners were hitting the application?
In this talk, we'll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta "whitebox" test using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.
"Toshinari Kureha is the technical lead and principal member of technical staff at Fortify Software. He oversees the development of the Red Team Workbench project. Prior tjoining Fortify, Toshinari was a technical lead at Oracle's Application Server Division, where he provided leadership in the architecture, implementation and delivery of several high-profile projects including Oracle Grid Control, Oracle Exchange, and BPEL Orchestration Designer. Prior tworking with Oracle, Toshinari worked as Lead Developer at Formal Systems a web-based computer testing and assessment system for use in the Internet/Intranet. Toshinari holds a B.S. in computer science from Princeton University. -
"Vboot kit is first of its kind technology tdemonstrate Windows vista kernel subversion using custom boot sector. Vboot Kit shows how custom boot sector code can be used tcircumvent the whole protection and security mechanisms of Windows Vista.
The booting process of windows Vista is substantially different from the earlier versions of Windows.The talk will give you details and know abouts for the Vista booting process.Then, we will be explaining the vboot kit functionality and how it works.We will alshave an insight intthe Windows Vista Kernel.We alsgthrough a sample Ring 0 Shell code(for Vista).The sample shellcode effectively raises the privileges of certain programs tSYSTEM.Also, a live demonstration of vboot kit POC will be done.
Prerequisites :- Knowledge about Windows Internals, and a bit assembly language."
Mr. Vipin Kumar is an independent security consultant and analyst. He has experience in system and network security as well as programming and project design. He likes tdevelop specialized software and/or stuffs related twindows kernel. He holds MCSE and Bachelor's of Technology in Computer Science. His latest work involves the development of boot kit (a technique tsubvert Windows 2000/XP/2003 System using custom boot sector). He is currently analyzing windows vista kernel architecture.