Sessions at t2'12 on Friday 26th October

  • Morning Coffee

    At 9:30am to 10:00am, Friday 26th October

  • Draw Me A Trojan

    by Yuval Polevoy

    In this talk I will be presenting recent research on Malware which really goes out of its way to disguise its true malevolent intentions, utilizing techniques of masquerading and steganography not commonly seen in the Malware world. In a sense - a true Trojan Horse.

    I will walk you step by step through the research performed, peeling off a layer of disguise at a time, to reveal the core of the modular and extensible Malware which lies beneath it all.

    For the grand finale, I will show a demo of how a seemingly innocent picture placed on a web server can contain malicious instructions for this Malware.

    Yuval is a Senior Security Researcher with RSA Security, where he leads a team of three Reverse Engineers. Together with them, Yuval works on unlocking the secrets of Malware which threatens Financial Institutions worldwide, as well as doing independent Security Research. Prior to joining RSA Security, Yuval worked as a Software Engineer at Radware, focusing on solving tricky bugs in a Real Time Embedded Device.

    At 10:00am to 11:00am, Friday 26th October

  • Coffee

    At 11:00am to 11:15am, Friday 26th October

  • Finding Flame

    by Costin Raiu

    When Stuxnet was discovered in 2010, everyone wondered if it was one of a kind, or, if there are others like it out there. We suspected there were others, but we had no proof. Every single anti-malware company in the world scoured their collections for samples similar to Stuxnet - without success. The theory was confirmed in September 2011, when the Duqu malware was discovered and announced by the Hungarian CrySyS lab and Symantec.

    For sure, Duqu and Stuxnet raised the stakes for cyberwar -- but with the discovery of Flame in May 2012, new bars have been raised. The Flame cyber-espionage worm came to the attention of the experts at Kaspersky Lab after the United Nations' International Telecommunication Union asked for help finding an unknown piece of malware nicknamed Wiper. While searching for Wiper, Kaspersky Lab discovered Worm.Win32.Flame.

    Flame is a sophisticated attack toolkit that is a lot more complex than Duqu. It is a backdoor, a Trojan, and has worm-like features, allowing it to replicate in a local network and on removable media if so commanded by its controller.

    For instance, to replicate in local networks, Flame uses a unique “God mode” technique, which has long been feared and talked about -- hijacking Windows Update connections and presenting itself as a legitimate, Microsoft-signed update to the victim. To pull off this trick, the Flame operators performed an extraordinary collision attack on MD5, which currently remains unknown.

    Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations and intercepting keyboard strokes. All this data is available to the operators through the link to Flame’s command-and-control servers. Later, the operators can choose to upload further modules, which extend Flame’s functionality. We have so far seen about 20 modules and the purpose of some of these is still being investigated.

    Once again, the security industry wondered - Stuxnet, Duqu, Flame - are these all, or are there more military-grade malware out there? With the recent discovery of Gauss, we can confirm yet another spy trojan created in the same ‘factory’ as Flame, Duqu and Stuxnet. We are only seeing a small picture of all the nation-state sponsored malware attacks that are crawling in the wild.

    In this presentation, we will look closely at Flame, how it infects and steals data from systems, how the data is sent to its C2 servers and how it is processed on the C2 side. We will show its links with Stuxnet, Duqu and Gauss - which allowed us to discover it in the first place.

    Finally, we will talk about the future of cyber-weapons and the challenges and dangers they pose to civilians, researchers, anti-malware companies and nation-states.

    Costin G. Raiu has extensive experience in antivirus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board, a member of the Computer AntiVirus Researchers’ Organization (CARO), and a reporter for Wildlist Organization International. Prior to joining Kaspersky Lab, Costin worked for GeCAD as one of their chief researchers and as a data security expert with the RAV antivirus developers group.

    His hobbies include playing chess, high precision arithmetic, cryptography, chemistry, photography and science fiction literature.

    At 11:15am to 12:15pm, Friday 26th October

  • Lunch

    At 12:15pm to 1:15pm, Friday 26th October

  • Fuzzing at scale and in style

    by Atte Kettunen and Michel Aubizziere

    Heating your house is important, but it helps to be smart about it. We will show you:

    1. who we are, what bugs we've found and where

    • why we are qualified to present on browser bug hunting in 2012

    2. where are the memory corruption bugs of modern browsers

    • bitflipping, in .gif, in 2012, really
    • how we evolve our fuzzers once a particular minefield has been cleared
    • stareability really helps

    3. tools - how we manage 10 concurrently open bugs, how we tell the bugs apart, minimize repros, report bugs, track fixes, and step on each other's toes

    • asan, asan, asan
    • rsync, for loops, grep, sed
    • git, redis, node.js, radamsa
    • vi, inotifywait

    Atte Kettunen is a security researcher at the Oulu University Secure Programming Group (OUSPG). In 2011 and 2012 he has successfully fuzzed Firefox and Chromium and found dozens of vulnerabilities in them. Atte has quickly become one of the top reporters in both browsers' bug bounty programs.

    Miaubiz is a software developer and independent security researcher who has found over 50 security vulnerabilities in WebKit in the past two years.

    At 1:15pm to 2:15pm, Friday 26th October

  • SAP Slapping - A pentester's guide

    by Dave Hartley

    SAP is one of the world's largest software companies. SAP offers approx. 40 products in the categories of "Business Solutions", "Industry Solutions" and "Solutions for Small and Midsize Enterprises" as well as approx. 8 interactive platforms and frameworks. The latest offering is "Business ByDesign" - a software as a service (SaaS) offering. SAP basically has an incomprehensibly massive attack surface, is a core component of many, many business operations and yet when talking with other 'pentesters', I have found many shy away from assessing these systems for fear of the unknown.

    There are also very few open source assessment tool kits and/or methodologies available to pentesters. In reality SAP is no different than any other interconnected business system. Traditional network and application testing tool sets/methodologies are just as applicable, and network and application security best practices/principles are just as relevant.

    This talk will not provide a deep understanding of SAP, nor will it provide you with the abilities to perform in depth, effective and comprehensive security assessments of SAP landscapes (did I mention massive attack surface?). The audience will however leave with just enough information to go from zer0 to her0 in as short a time as is possible when encountering SAP systems during engagements.

    Several Metasploit modules will be demoed during the presentation that can be used to form the base of an open source SAP assessment toolkit. The modules can be used to achieve complete compromise of insecure and misconfigured SAP environments. It's all just pushing buttons really ;)

    Dave is a Principal Security Consultant for MWR InfoSecurity operating as a CHECK and CREST Certified Consultant (Application and Infrastructure). Dave also sits on the CREST assessors’ and NBISE advisory panels, where he invigilates examinations and collaboratively develops new CREST examination modules. Dave is a published author and regular contributor to many information security periodicals and is also the author of the Bobcat SQL injection exploitation tool and several Metasploit modules.

    At 1:15pm to 2:15pm, Friday 26th October

  • Break

    At 2:15pm to 2:30pm, Friday 26th October

  • How to root your USB-device

    While a fair amount of public research on USB host stacks (i.e. in operating systems) has been done, very little has been shared about fuzzing USB device implementations. The published research so far has been mostly limited to the USB control transfer mechanism which is a pretty small part of the attack surface of most USB devices.

    This talk will present a step by step guide to building your own fuzzing tools both for USB control transfers and the common device class protocols that are used to provide the functionality of USB devices. A ready-to-run tool for fuzzing common USB device classes will be presented and released as open source in order to advance the industry standard in USB device security testing.

    Finally, some war stories will be shared, including exploiting a code execution bug in the USB device stack of a "secure" USB memory stick with complete compromise of the claimed security features as a result.

    Olle has had a long career in the IT security industry and has tried his hand at most of the challenges it has to offer. His latest challenge is in the employ of His Majesty's armed forces where he does Information Assurance work for the Swedish National COMSEC and Security Accreditation Authority. Having just acclimatized to working in the public sector, he is getting up to speed breaking all manner of security products before they sneak into production systems.

    At 2:30pm to 3:30pm, Friday 26th October