CONFidence 2013 schedule

Tuesday 28th May 2013

  • The Keynote

    by thomas lim

    At 10:00am to 10:50am, Tuesday 28th May

    In Krakow, Księcia Józefa 299 street

  • Invisible attacks – visible in your network. How to see and follow the tracks?

    by Mariusz Sawczuk and Jochen Belke

    The nature of attacks have significantly changed recently. From broad and scattershot to very targeted attacks with persistent adversaries (often times nation-states). The attacks of today use advanced malware, zero-day and APT tactics to penetrate networks for the purpose of control, espionage and data theft. What is the most important, these attacks evade and obfuscate traditional security solutions (FW, IPS, Content Security, Antyvirus, etc.), trying to hide and to be invisible in a compromised network. During this session we will cover this problem. We will present modern technologies which discover and block stealth attacks, with an emphasis on the network layer solutions. We will also present case study of detecting data loss, network reconnaissance activity as well as detecting botnet command, control activity and tracking the spread of a malware infection throughout the network.

    At 11:00am to 11:50am, Tuesday 28th May

  • Networking Security Treasures

    by Gaweł Mikołajczyk

    With the threat lanscape evolving rapidly, one seems to marginalize the networking importance these days. This session hopes to bring to the table a spectrum of the somewhat overlooked mechanisms and approaches, starting from the obvious, to the sophisticated ones. It is never enough to talk networking.

    At 11:00am to 11:50am, Tuesday 28th May

  • Linux Desktop Insecurity

    by Ilja van Sprudel

    I used to use Linux and the bsd’s. Then mostly switched to windows 6-7 years ago. I recently found some spare time and got reacquainted with the unices. Over the past weeks, I’ve spend some time assessing the local security of modern desktop unices. as it turns out, things are a total mess.

    A short layout of the presentation:

    • local security of modern desktop unices
    • attack surfaces
    • bugs found
    • X client libs (attack surface, bugs, how to use them correctly and securely)
    • shadow library issue
    • a model for more secure suid binaries

    At 12:00pm to 12:50pm, Tuesday 28th May

  • Cisco in the Sky with Diamonds

    by Gregor Kopf and Felix “fx” Lindner

    The majority of VMware Cloud deployments rely on Cisco virtual and physical switching and routing gear for the network layer. We will provide an introduction into the differences virtual networking makes, how to go about researching its components, as well as cover a number of issues, their exploitation path and some creative workarounds.

    At 1:00pm to 1:50pm, Tuesday 28th May

  • Opticode: machine code deobfuscation for malware analysts

    by Nguyen Anh Quynh

    Modern malware use a lot of obfuscation techniques to make its code more difficult to understand for malware analysts, with the hope of preventing attempts to reverse engineer their codes. Unfortunately, malware analysts are still reversing such nasty codes manually since there are no reliable tools to help with this problem.

    OptiCode is the answer to this headache. Our tool combines theorem prover and compiler techniques to automatically find and remove the obfuscated sections, then presents the cleaned code to the users. Available as a Web-based tool and IDA plugin, OptiCode is user-friendly, and supports both 32-bit and 64-bit Intel platforms.

    In this talk, we will analyze some obfuscation techniques in use by malware, and introduce the design and implementation of OptiCode. Some cool demo will be presented, so the audience can see how OptiCode works in reality.

    At 1:50pm to 2:40pm, Tuesday 28th May

  • Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel

    by Nikita Tarakanov

    Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms.

    Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox (Google Chrome sandbox for example) is by using kernel vulnerability.

    That’s why Microsoft struggles to enhance security of Windows kernel. Kernel Pool allocator plays significant role in security of whole kernel. Since Windows 7 Microsoft started to enhance security of kernel pool allocator.

    Kernelpool aka Tarjei Mandt has done great job on analyzing internals of kernel pool allocator, which includes great attack techniques, mitigations bypasses etc. In windows 8 Microsoft has eliminated almost all reliable techniques of exploiting kernel pool corruptions. However, attack techniques by Tarjei need a lot of prerequisites to get success. There are a lot of types of pool corruptions where these techniques don’t work, unfortunately.

    What if there is no control over overflown data?
    What if there is constant(zero bytes) and you have no chance to apply one of Tarjei’s techniques?
    What if there is uncontrolled continuous overflow and #PF and BSOD is unavoidable?

    So what to do?
    Commit suicide instantly?


    Come and see this talk!

    This talk presents technique of 100% reliable exploitation of kernel pool corruptions.
    This unique technique works since NT 4.0 to Windows 8 including.

    At 2:50pm to 3:40pm, Tuesday 28th May

  • Ph0k 0-days, We Will Pwn U with Hardware Mofos

    by Yaniv Miron and Marcel Carlsson

    We gives you the ultimate hardware hacking kit.
    Wanna pwn some banks? Wanna own big companies? You need some boost up. We will show you that your current set of tools is not enough. You need to have some help from hardware, like 007.
    We have bundled a set of hardware hacking tools that will assist you.
    For example we will show you how to bypass typical corporate Windows 7 machines with Bitlocker encryption enabled, dump and extract goodies from memory, long range RFID tricks to copy ur CEOs proxcard, using hardware screenloggers (not the old crappy keyloggers – cuz everybody knows them and it’s lame) and more. You have to be there – cuz we rock.

    At 2:50pm to 3:40pm, Tuesday 28th May

  • Beyond MOV ADD XOR – the unusual and unexpected in x86

    by Gynvael Coldwind and j00ru//vx

    Intel x86 and the derived AMD64 architecture families are by far the most widespread and commonly known ones, powering millions and millions of desktop PCs, server racks and even some mobile devices. Although understanding low-level X86 assembly code has been subject to extensive study by hobbyists, professional reverse engineers and exploit developers alike, the research typically covers only a small subset of both instruction set and features the architecture has to offer. In this presentation, we will address numerous interesting, often security-relevant tidbits, unpopular features and unusual behaviors that we have came across during our journey through the manuals, books and research papers, as well as our own experience. Basic knowledge of x86 assembly and its execution environment is highly recommended.

    At 3:50pm to 4:40pm, Tuesday 28th May

  • PHP Object Injection revisted

    by Arseny Reutov

    The topic will cover new attack vectors regarding unserialiazation of user-supplied data due to vulnerabilities in PHP’s builtin classes. Universal XSS, local file read, open_basedir bypass, examples of vulnerable web applications including demo attack on latest vBulletin, Smarty and others.

    At 3:50pm to 4:40pm, Tuesday 28th May

  • ELF Eccentricities

    by Julian Bangret and Sergey Bratus

    .Bx has demonstrated how to build a Turing machine out of well-formed relocations and symbols of the ELF binary format. Other aspects of the format can be just as twisted. From a language-theoretic standpoint, the ELF format is very context-sensitive: much metadata is stored redundantly and interesting things can happen when metadata is inconsistent. Furthermore, we believe these dependencies are one of the reasons ELF binary manipulation tools are so hard get right and will present a work-in-progress framework in the style of ERESI’s elfsh that takes care of metadata-consistency for modified binaries and parsing inconsistencies for untrusted binaries.

    At 4:50pm to 5:40pm, Tuesday 28th May

  • The “Facebook PokerAgent”

    by Robert Lipovsky

    In March 2012 we have been tracking a botnet, which was used by the perpetrator to harvest Facebook log-on credentials. In addition to expanding the database of stolen Facebook user names and passwords, the bots were being instructed to ascertain the number of credit cards linked to the Facebook accounts and Zynga Poker player stats of the victimized users. The threat was mostly active in Israel.

    With Facebook being such a hot topic, this would constitute an interesting phishing threat just due to the aforementioned characteristics, but the matter gained more seriousness when we discovered that the bot master had managed to acquire over 16000 Facebook credentials through his operation, as our botnet monitoring had revealed.

    The presentation begins with an overview of the threat and the technical details of the used trojan horse. Afterwards, we will describe the process of monitoring the botnet and present the highlights of the following investigation.

    At 4:50pm to 5:40pm, Tuesday 28th May

  • Can You Hear Me Now: Leveraging Mobile Devices on Pentests

    by Georgia Weidman

    BYOD is not a new concept. From contractor laptops to an employee’s game console in the break room, a compromised device in the corporate environment can lead to all sorts of bad things. In this talk we will look at the unique threats that BYOD for mobile devices brings to the table. The most security conscious corporations are deploying the latest devices and policies to stop attackers from breaching the perimeter and if they do to stop data exfiltration. We will discuss how mobile devices on a corporate network and/or handling company data undermines these efforts. We will look at multiple mobile platforms gathering sensitive information, attacking other devices such as other mobile devices, servers, and workstations, and using out of band communication to perform data exfiltration and communicate with internal devices. Multiple live demo scenarios will be shown and some useful code for pentesters will be released.

    At 5:50pm to 6:35pm, Tuesday 28th May

  • Desktop applications vulnerabilities

    by Grzegorz Niemirowski

    The complexity of modern software in connection with low awareness of security issues among developers, often turns out to be a deadly combination. This applies to both desktop and web applications. The desktop programs, despite they often have web counterparts, are still popular and are an attractive target for cybercriminals. History of finding and exploiting their vulnerabilities is long, just like the list of security mechanisms used to protect them. The topic of desktop applications security is constantly evolving, and in the case of web browsers also touches the issue of security of Web solutions. For example when websites are attacked and infected in order to place malicious code inside visitors’ browsers and execute it. A look at the most common attacks on desktop applications and used countermeasures gives an outlook on the most important issues of current situation of software security.

    At 5:50pm to 6:35pm, Tuesday 28th May

Wednesday 29th May 2013

  • Embedded Devices Hacking

    by Michał Sajdak

    The presentation will cover a few simple but unusual methods of obtaining root shell on embedded devices. I will also present my latest research – backdoor in TP-Link devices which allows for unauthenticated remote root execution. The whole discovery features such problems as – path traversal, ftp chroot escape, http communication, tftp communication and configuration files overwriting.

    At 10:00am to 10:50am, Wednesday 29th May

  • My Experiments with truth: a different route to bug hunting

    by Devesh Bhatt

    The Best way to improve the security of your systems is to hire hackers. Unfortunately, companies can’t hire all best hackers, so the companies has chosen another best way to improve their system security, “Bug Bounty Program”

    Google, Facebook, Mozilla, PayPal, Etsy and many other companies pay a good amount to hackers for responsible disclosure and recently it is being started as a service in the form of “bugcrowd” Security Researchers have submitted bugs ranging from configuration issues to SQL injections.

    This topic is not about what is a “Bug Bounty” program, who all is paying what amount and the scope of testing. This paper is basically focused on the approach to finding simple and yet devastating vulnerabilities, earn hefty amounts and share space with the top researchers from around the globe.

    This paper depicts easy but unique methods to look for bugs online.

    I started on this journey roughly five months back and kind of formulated a procedure to attack the strongest of applications in a short span of time.

    At 10:00am to 10:50am, Wednesday 29th May

  • Crashdumps: hunt 0days and rootkits

    by Adam Zabrocki

    Crashdumps are often underestimated source of very interesting information. It is a common belief that they are used only for application/system bugs/vulnerabilities analysis. In this presentation I would like to show a little bit different approach for this source of information. Microsoft Windows allows to change default configuration for WER/CER protocol in such a way, that all generated crashdumps will be stored in a custom storage. This is very useful in a large corporate networks, where we can find tens, hundreds or even thousands of machines, because more than a hundred crashdumps may be generated per day. In most of the cases administrators are afraid of a critical information leak (XBI, PII) via crashdumps, but could they gain some useful knowledge about the network status via this source? I will try to show what kind of benefits could be gained if we start analyzing crashdumps independently and in a little bit different perspective…

    At 11:00am to 11:50am, Wednesday 29th May

  • Any Input Is a Program: Weird Machines in ABI and architecture metadata

    by Julian Bangret, Sergey Bratus and Rebecca Shapiro

    Complex enough input to a complex enough system can have effects indistinguishable from a native program for that system. A sufficiently complex input format may become “byte code” for a kind of a virtual machine within the software that handles it; in many classic exploit programming techniques, data is the program that runs on the code. We will show two examples of this that aren’t exploits as such, but show Turing-complete programming by kinds of data that are hardly ever given a second glance: (1) ELF binary format headers with nothing but well-formed relocation and dynamic symbol entries (executed by the runtime linker-loader), and (2) x86 memory and interrupt descriptor tables (executed by the CPU page fault handling and context switching logic, without any instructions being successfully dispatched).

    If these data formats can hide a Turing-complete computation, what about all others more complex “feature-rich” ones? What makes a format lend itself to being an equivalent of an instruction set? Can looking for “weird machines” help design trustworthy systems? Join us for the talk and discussion of this weird research direction!

    At 12:00pm to 12:50pm, Wednesday 29th May

  • Breaking, Forensicating and Anti-Forensicating SAP Portal and J2EE Engine

    by Dmitriy Chastuchin and Eugene Neyolov

    One of the most critical SAP applications in terms of cyber attacks is SAP Portal, which is based on J2EE engine because it is usually available from the Internet and provides access and connections to other internal SAP and legacy systems. It is necessary to increase awareness in this area, especially after the Anonymous attack on Greece Government where an SAP 0-day vulnerability probably was used, but are you sure that your system has not been compromised? If we talk about SCADA attacks, they are mostly focused on sabotage, which is easy to recognize; attacks on financial systems like banking are focused on money stealing; but if we talk about SAP, the most critical attack is probably espionage, and it is hard to understand if there was espionage because there is no direct evidence of compromise except logs. In this talk, the security architecture of Portal itself and custom applications like iViews will be reviewed, and we will demonstrate how SAP Portal can be attacked. But the main area of the talk will be focused on forensics and finding attack patterns in logs traces and other places to understand if it is possible to completely reverse complex attack patterns. Finally, we will look at how an attacker can try to hide their attacks and how it is possible to deal with it.

    There have been a lot of talks covering attacks, but now we will move to the understanding of how to deal with them in the cybercrime era.

    At 12:00pm to 12:50pm, Wednesday 29th May

  • Insecurities in blackberry

    by Yury Chemerkin

    This paper proposes a new security research covers BlackBerry issues relating their own features relied on highest possible way of integration and aggregation with data, service and application that simplifies management. Such way integration shapes developer’s outlook as well as malware writer’s outlook led to the bypass security methods. Despite of that, BlackBerry is full of holes to the brim if consumer has a flexible IT Policy even because current security techniques implemented in BIS (BlackBerry Internet Service) or BES (BlackBerry Enterprise Server) are indecisive argument to be sure in security and privacy and do not provide enough control. As opposite to smartphone, the tablets (PlayBook) are quite new, QNX-based and have the most known technologies, such Adobe Air, HTML5, and Android Dalvik-Runtime, are implemented widely. However, they have a poor application environment and a little those feature known on non-QNX BlackBerry device. This makes security more difficult and unstable to reliably use it by end-users. Research shows that additional third party security solutions often ruin security while native environment allows intercepting, blocking, stealing, misleading, substitute data in real-time bypassing security controls that, finally, reveal sensitive information and turn security solutions to the malware agents. The non-malware applications may use rootkit techniques, e.g. firewall hooks API to watch any incoming or outgoing network traffic. The legitimizing effect of commercial “malware” software led away from user-mode towards the kernel-mode techniques at first glance. However, user-mode rootkits or spyware are still effective to bypass security applications because they have simple APIs calling kernel methods. This research examines and highlights a range of issues referred to the incorrect approach to the security techniques development. It draws security management level of inefficiency outside isolated environment as well as old-attack techniques possibility of application for new BlackBerry device known as Playbook. The research presents pressing issues for fundamental and application BlackBerry security cases, exploitation of native applications built in OS. In additional, third-party security applications are going to be examined for security holes and misunderstanding BlackBerry security concepts.

    At 3:00pm to 3:50pm, Wednesday 29th May

  • Network Reconnaissance in IPv6 Networks

    by Fernando Gont

    One of the traditional ways of doing network reconnaissance in the IPv4 world has been to perform IPv4 address scans of the target network prefixes. That is, given the IPv4 network prefix of a target network, every single IPv4 address in that prefix is probed in the hopes of finding “alive” nodes. This (somewhat) rudimentary approach to network reconnaissance has proved to be very effective in the IPv4 world, thanks to the reduced scale of the problem: since IPv4 networks are composed of a very reduced number of addresses, brute-forcing the entire search space is not only a feasible task, but is also generally a “good enough” approach.

    The Internet Protocol version 6 (IPv6), and the emerging IPv6 deployments, somehow change the rules of the “network reconnaissance” game: with the typical 264 addresses per subnetwork, the traditional brute-force approach to address scanning from the IPv4 world becomes unfeasible. This has led to the widespread (and incorrect) assumption that “IPv6 address scanning attacks are unfeasible”.

    During the last few years, we have been working on the development of IPv6 network reconnaissance techniques, with two different (but somewhat related) goals in mind: enabling “traditional” penetration testing in the IPv6 world, and dismantling the myth that address scans are not possible in the IPv6 world (hence encouraging the mitigation of these attacks). The aforementioned work has led to the publication of an IETF Internet-Draft entitled “Network Reconnaissance in IPv6 Networks”, that has already been adopted by the OPSEC (operations security) Working Group of the IETF (Internet Engineering Task Force).

    Alongside our publication efforts at the IETF, we produced and released the SI6 Networks’ IPv6 toolkit: a portable, free-software IPv6 toolkit for assessing and trouble-shooting IPv6 networks and implementations. The latest release (v1.3.1) of the toolkit ships with a full-fledged IPv6 address-scanning tool (scan6), that implements all the IPv6 address-scanning techniques discussed in our IETF Internet-Draft, and takes IPv6 address scanning to a new level.

    New releases of the IPv6 toolkit are planned for the next few months, with a focus on network reconnaissance: essentially, we aim at producing an implementation of every single IPv6 network reconnaissance technique discussed in our IETF Internet-Draft “Network Reconnaissance in IPv6 Networks”.

    Following the release of the SI6 Networks’ IPv6 toolkit v1.3.1, we embarked ourselves on related (and still ongoing) project: assessing public IPv6 Internet in the hopes of gaining further insights about IPv6 network reconnaissance. We believe that this project will not only serve as a basis to assess the effectiveness of the techniques that we have developed so far, but that the project will also result in a number of insights that will lead to new features in our IPv6 toolkit.

    Fernando Gont will provide an overview of IPv6 network reconnaissance techniques, and wil explain how each of those techniques can be implemented in real networks with the SI6 IPv6 toolkit. Fernando will then describe our (currently) ongoing project of assessing the public IPv6 Internet (from a “network reconnaissance” perspective), and will discuss the insights learned as a result of that project.

    At 3:00pm to 3:50pm, Wednesday 29th May

  • Penetration Testing – 7 Deadly Sins

    by Marek Zmysłowski

    Wiele dużych korporacji oraz mniejszych firm wykorzystuje testy penetracyjne jako narzędzie sprawdzania bezpieczeństwa różnych komponentów swojego systemu. Jednak jak każde narzędzie musi być poprawnie wykorzystane. Wiele błędów popełnianych na różnych etapach planowania testów powodują, że testy penetracyjne są nieskuteczne. Prezentacja ma na celu pokazanie 7 głównych powodów dla których testy przestają mieć znaczenie. Nie są to błędy testerów ale menadżerów projektów i programistów.

    At 4:00pm to 4:50pm, Wednesday 29th May

  • Securing Data in Mobile Application Suites

    by Jesse Burns

    Building sets of applications that work together, securely sharing data between them is a common challenge for developers at large companies. On mobile platforms like Android and IOS, this challenge has new dimensions. This talk will discuss how mobile security models need to be worked with in order to safely share data between members in families of applications without also allowing attackers access. Android and IOS have very different ways of achieving similar security goals, and this talk will cover how to leverage the tools these platforms provide, as well as provide some advice for checking that your protections worked. The talk will also discuss user security expectations.

    At 4:00pm to 4:50pm, Wednesday 29th May

  • LANGSEC 2011-2016

    by Meredith L Patterson

    As our “voyage of the Beagle” continues, the language-theoretic security framework, initially proposed by Len Sassaman, Meredith L. Patterson, and Sergey Bratus, has developed not only as a descriptive framework for the classification of vulnerabilities, but a constructive framework for conceptualizing and reducing to practice both “weird machines” in the most unusual places and engineering principles for more attack-resistant, more performant software. In this talk, we’ll highlight an important example of LANGSEC in practice before we even gave it that name, follow the growth in the field over the last two years, and give a look ahead at just some of the directions in which the field is expanding.

    At 5:00pm to 5:50pm, Wednesday 29th May