applied security conferences and training: CanSecWest | PacSec | EUSecWest |

PacSec2011 Speakers

Speakers for PacSec2011, updated as confirmed.

Day 1

"Targeted Espionage Attacks" Mikko Hypponen, F-Secure, @mikkohypponen

State-sponsored online espionage is a growing threat to corporate and national security. Not only has the volume of targeted attacks surged, the techniques used are growing ever more sophisticated. Citing new data and recent real-world examples, this presentation will explore the rising threat of targeted attacks, how they operate, whom they're targeting, and how to defend against them. The presentation will include dozens of examples of real-life emails, documents, exploits and backdoors used in the attacks. A discussion about attacker attribution and source nation will be included.


"Black Box Auditing Adobe Shockwave" Aaron Portnoy, Logan Brown, Tipping Point / H.P. Zero Day Initiative

Tools, discoveries, and methodologies resulting from analyzing an external view of a large codebase. Some surprising results.


"Cracking the perimeter through the weakest link: the human" Marat Vyshegorodtsev, InformZaschita JSC, @touzoku

This material is a description of the methodology developed inside of our company based on 4 years of penetration testing experience of the largest enterprises in Russia and CIS countries. It describes not only the approach to the testing itself, but also the way to automate it by using Metasploit Framework.


"Rapid and Massive monitoring of DHT: crawling 10 millions of nodes in 24 hours" Ruo Ando, National Institute of Information and Communications Technology + Takayuki Sugiura, NetAgent

BitTorrent is one of the most and P2P network applications for content file distribution. However, the BitTorrent network is huge and no one can estimate its dynamics: how many nodes are communicating and how many files are flying across borders. Also, no one knows where (potential) security incidents and illegal adoption have occurred. We have tackled this problem of monitoring the largest scale network using our rapid and massive DHT crawler. Our DHT crawler can be designed to work with a KVS and scaled out using a hypervisor. We have succeeded in obtaining 100,000,000 nodes in 24 hours. The proposed system can provide file-grained statistics and detailed domain information to analyze illegal adoption of the largest scale contents distribution network. We also present a visualization of the dynamics and node distribution.


"Dynamic cryptographic trapdoors to take over the TOR network" Eric Filiol, Groupe ESIEA, @efiliol

The TOR network is one of the most famous ways to use the Internet in an anonymous and secure way. Tor client software routes Internet traffic through a worldwide volunteer network of servers in order to conceal a user's location or usage from someone conducting network surveillance or traffic analysis. Aside from protocol-oriented aspects, TOR security relies heavily on cryptography. The aim of this talk is to explain how it is possible to take over a significant part of the TOR network by using the concept of dynamic cryptographic backdoors (presented at CanSecWest 2011). We present different possible attack scenarios, which are malware-based or not (depending on the scenario considered), that have been experimented and validated on a TOR simulation network of 32 nodes. Those attacks rely on the fact that the cryptography used in TOR is weakly implemented. We show that it is indeed possible to gain a lot of sensitive information, thus bypassing and managing existing cryptographic mechanisms in a very efficient way. We propose some modifications in the TOR source in order to prevent those attacks.



Day 2

"Secure Development on iOS" David Thiel, iSEC Partners

Drawing on real-world experience with insecure iOS applications both pre-release and post-disclosure, this talk helps fill the void of information available on secure iOS development and penetration testing. Background is provided on Objective-C/Cocoa and their quirks, characteristics and proper use of Apple-provided security APIs, common pitfalls in iOS application design, and security risks specific to mobile iOS devices. Take-away for attendees: ability to audit, pentest and improve iOS application security.


"How Security Broken? : Android Internals and Malware Infection Possibility" Tsukasa Oi, Fourteenforty Research Institute, @a4lg

Over the years some vulnerabilities were found in smartphone operating systems such as Apple iOS and some were used for exploiting smartphones and infecting the system with malware. On the other hand, the Android OS is designed as an open platform and some considered it not safe. Now, Android's security is very important because some press reported that Android retained the top spot of the Japanese smartphone operating system market. I will show the Android internals (including Zygote, prelinking, intents and several protection mechanisms) and describe possibilities of exploitation. I will also report that current mobile security software cannot protect the whole system from infection and that malware can use several techniques to take over the system.


"Ramooflax, pre-boot virtualization" Stephane Duverger, EADS Innovation Works

Ramooflax is a bare metal hypervisor developed from scratch, based on hardware virtualization extensions as found in Intel and AMD CPUs. The purpose of this tool is to provide an analysis environment for already installed software pieces on a physical machine: operating systems, drivers for "real" hardware hardly emulated in classical virtualization solutions, "real life" BIOS, and so on. The physical machine is virtualized during the boot process and remotely controlled using a Python framework. The presentation covers the concepts and architecture of the tool but also gives a return on experience at using hardware virtualization extensions, and especially the painful limits encountered while trying to virtualize the BIOS.


"A New Approach to Automated JavaScript De-obfuscation" Ulysses Wang + Nick Guo, Websense

Virus evolution has seen the adoption of PE packers; malicious web attacks similarly took on obfuscation to evade detection. Nowadays, over 90% of malicious JavaScript code is obfuscated. Attacks such as malicious payloads used by Exploit Kits, website injections, and JavaScript embedded documents used in Advanced Persistent Threats (APT) are vastly using JavaScript obfuscation. Obfuscation algorithms are not limited to simple mathematical functions and they are growing in complexity. Additionally, tactics are used by cyber-criminals to counter de-obfuscation of content, tactics such as Ajax, browser checks, fragmented JavaScript, etc. De-obfuscating JavaScript in real time is far more complex than unpacking PE. Existing solutions are struggling to stay on top of threats, especially where performance matters. In this presentation, we will explore the trend in malicious obfuscation used in the wild, followed by a detailed review of evasive techniques used by JavaScript obfuscations, then the challenges of facilitating complete and accurate JavaScript de-obfuscation. The presenter will then reveal a new solution to de-obfuscate JavaScript in real time, developed by Websense Security Labs. We will share our knowledge on the research, the prototype, and the system. The presenter will conclude with a demonstration of the solution.


"ARM Exploitation ROPmap" Thanh Le Nguyen + Long Dinh Le, VNSECURITY

There is no doubt that ARM will be the next mainstream of exploitation, with hundreds of millions of smartphones and tablets delivered today. There are several talks and papers about ROP on ARM, but no public ROP toolkit for ARM has been released so far, as leet hackers keep their tools private. In this presentation we will show how ROP exploitation on ARM can be done easily via a systematic, generic approach to generate, search and chain gadgets together. A simple Intermediate Language will be presented that helps people write ROP shellcode and get it transformed automatically into a chain of gadgets. As a part of the presentation, we will release an updated version of ROPEME with additional ARM support, along with a demo of advanced ROP payloads on the latest Android OS.



*note: Due to some circumstances, there is a chance speakers may be changed without notice.