PACific SECurity - applied security conferences and training in Pacific Asia: CanSecWest | PacSec | EUSecWest |

PacSec 2014 Speakers and Slides

Speakers for PacSec 2014

Day 1

"Internet voting and signing legally binding documents over the Internet"
Harri Hursti, Margaret MacAlpine,
English Slides / Japanese Slides

Internet Voting initiatives are discussed around the world and the common claim made is that no successful attack against an Internet Voting system have ever been demonstrated. This is not the case anymore.

Also, there has been a drive from Estonia to Taiwan to deploy national ID cards enabling paperless legal document systems. Important lessons are now learned about how not to do that.

Two countries in the world have been deploying Internet Voting larger scale : Estonia and Norway. In Norway the deployment of Internet Voting was always labeled as a trial, leaving Estonia as the only prominent country to perform general elections deployment, in the last election, over 31% of all votes were cast over the Internet.

After the recommendation of Mr. Hursti in October 2013, the Centre Party of Estonia invited an independent team of security researchers as election observers, a team of 4 international experts : Margaret MacAlpine, Jason Kitcat, Alex Haldermand and Harri Hursti. As a result, a variety of deficienies and vulnerabilities were discovered. Partially as result of publishing these discoveries, Norway announced the termination of their Internet Voting experiments, stating that the risks are outweighting the benefits.

Estonia published a partial source code of their election system, namely they have published most of the server-side code, but without the client. This allowed the researchers to build a fully functional copy of the Estonian election system into a laboratory environment to develop and test fully-fuctional attacks.

The Estonian government has also announced a new initiative : E-Citizenship. Under Estonian law, any document cryptographically signed with a National ID card is legally as binding as if the document were signed and notarized. Under the Estonian E-Citizenship initiative, non-residents and non-citizens can apply for E-Citizenship and enjoy various benefits for handling their business and lives as virtual EU citizen. The heart of this initiative is legal document handling with an ID card issued.

Client-side attacks developed and demonstrated against the Estonian Internet Voting system have extemely far reaching implications towards the heart and core of the Estonian E-government, and global implications as almost anyone can become an Estonian E- Citizen.

"Message Queue (MQ) Vulnerabilities"
Georgi Geshev, MWR InfoSecurity, @munmap
English Slides /

Message Queueing concepts are well established in enterprise environments which are already known to be fairly insecure. Now that the Internet of Things is gaining momentum, MQ is also the lightweight mechanism of choice for communicating with your fridge and toaster. We discovered a series of vulnerabilities in several widely adopted MQ implementations that would allow an adversary to cause a mass disruption in your corporate network or maybe pull off the shadow file from your neighbours' microwave. General MQ concepts will be briefly introduced to the audience, followed by a short attack surface walk-through and quick review of the common vulnerabilities and typical misconfigurations and ways to identify and leverage them for fun or profit.

"Cloud Security at Scale"
Benjamin Hagen, Netflix, @benhagen
English Slides / Japanese Slides

Cloud computing is all the rage, but few organizations have really thought about what security means for their applications and networks in cloud-centric deployments. Netflix is amongst the largest users of public cloud resources in the world and consumes roughly 1/3 of all the US's downstream broadband at peak. This talk will cover the challenges and solutions used at Netflix to deploy and secure large-scale applications in the Cloud. Netflix has developed a suite of architectures, processes, and tools to make security in the Cloud as elegant as possible... most of these are, or will soon be, Open Sourced. Several of these tools will be previewed in the talk.

These systems include:
- Hundreds of applications; with hundreds of production deployments a day ... all using an immutable server model
- Crazy monkeys that roam the clouds to enforce availability models through random instance homicide
- OCD fish that swim cloudy waters to make sure firewalls are sane and consistent across the globe
- Inquisitive penguins automatically assess the risk of an application based upon its codebase and interconnections with other applications
... and many more ...

"BadUSB - On accessories that turn evil"
Karsten Nohl
English Slides / Japanese Slides

USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional virus scan, but we consider USB to be otherwise perfectly safe - until now.

This talk introduces a new form of malware that operates from controller chips inside USB devices. USB sticks, as an example, can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user.

We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses.

We then dive into the USB stack and assess where protection from USB malware can and should be anchored.

"Forging the USB armory"
Andrea Barisani, @AndreaBarisani
English Slides / Japanese Slides

Inverse Path recently introduced the USB armory project (, an open source hardware design, implementing a flash drive sized computer for security applications. The USB armory is a compact USB powered device that provides a platform for developing and running a variety of applications.

The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

The presentation will cover the journey that we have taken to develop the USB armory board from scratch, explaining the lessons learned and its prospected applications.

"Detecting BGP hijacks in 2014"
Guillaume Valadon and Nicolas Vivet,
English Slides / Japanese Slides

The main goal of this talk is to raise awareness of routing security issues by providing a tutorial on the BGP routing protocol and on the detection of specific routing events called IP prefixes hijacks. In a nutshell, such events happen when two network operators announce overlapping IP prefixes using BGP. As a consequence, IP packets could be delivered to these two operators. The final destination mainly depends on the home network of the sender. Overlapping announcements can disturb the whole Internet as observed in 2008 when YouTube traffic was partially redirected to Pakistan Telecom.

However, duplicated and overlapping announcements may also be legitimate when an operator wishes to distribute its DNS servers using anycast to filter out DDoS attacks, or needs to assign IPv4 resources to its clients. As a consequence, detecting and classifying hijacks is a challenging task, not only because the dataset is large (around 500 Gb per year), but also because of engineering and commercial practices.

Day 2

"TENTACLE: Environment-Sensitive Malware Palpation"
Yosuke Chubachi and Kenji Aiko, FFRI, Inc., @ybachi @07c00
English Slides / Japanese Slides

Recently, a malware is constantly growing which forces malware analyst in hard work. An automated malware analysis can helps to security engineers, but some malware cannot be run in a sandbox environment. For example, sophisticated malware such as the Citadel and Zeus/GameOver are armed with anti-sandbox techniques to prevent running except on an infected host. These malware detects the execution environment and do not engage in malicious behavior when the current host differs from the infected host.

In this presentation, I present an automatically disarmament system for armed malware with anti-sandboxing. The system targets on 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxng for automated sandbox analyzer. An approach of disarmament focuses on exit reason and exit before activity in malware execution. I have developing CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware.

"Windows Kernel Graphics Driver Attack Surface"
Ilja Van Sprundel, IOActive, @IOActive
English Slides / Japanese Slides

Ever wondered about the attack surface of graphics drivers on Windows? Are they similar to other drivers? Do they expose ioctl's? In this talk, all those questions will be answered and more. Whether you're a security researcher, a developer looking for some security guidance when writing these drivers, or just generally curious about driver internals, there's something here for all. The research done focuses both on C/C++ code when available, as well as reverse engineering of these drivers.

"Hey, we catch you - dynamic analysis of Android applications"
Wenjun Hu, Ministry of Education Key Lab For Intelligent Networks and Network Security in Xi'an Jiaotong University,
English Slides / Japanese Slides

During dynamic analysis period of Android malware, one core problem is how to trigger as many behaviors as possible. There are mainly three points we need conquer fist.
1. How to invoke the components declared in the Android application? Even the unexposed components which can't be triggered by third applications?
2. How to implement an automatic user interaction mechanism?
3. How to cheat the Android applications that they are running on real Android devices when we use Android emulators as the analysis environment?
In this topic, we will propose some methods to solve these problems.

"An Infestation of Dragons: Exploring Vulnerabilities in the ARM TrustZone Architecture"
Josh "m0nk" Thomas, Charles Holmes, Nathan Keltner, Atredis Partners, @m0nk_dot, @afrochees, @natronkeltner
English Slides / Japanese Slides

ARM TrustZone is being heavily marketed as a be all solution for mobile security. Through extensive marketing promising BYOD, secure pin entry, and protection against APT ( processors/technologies/trustzone/index.php) and the prevalence of ARM devices on mobile platforms, millions of devices now contain an implementation of TrustZone. However, the current drivers for TrustZone adoption primarily relate to vendor lock and Digital Rights Management (DRM), rather than increasing the difficulty in compromising user data. Further, due to TZ architecture, the inclusion of DRM protections provide a net reduction in real world security provided to the device owner.

In this talk, we provide an overview of the ARM TrustZone architecture as utilized by modern Android, Blackberry, and Windows phones. We discuss its potential, its current use cases, its shortcomings, and its impact on the security of modern phones. At this point, we dive into the details of the Qualcomm implementation, which is utilized on the flagship mobile devices from each major vendor, excluding Apple. Specifically, we cover vulnerabilities in codebases from Qualcomm, OEM Vendors, and 3rd Parties, as well as attack surface, exploitation pathways, difficulties, and successes.

Vulnerabilities in TrustZone on Android have been presented before, but we will push current research further by exploring the codebases related to alternate attack surfaces and alternate use cases, such as Blackberry and Windows Phone.

"Root via SMS: 4G access level security assessment"
Sergey Gordeychik, Alexander Zaytsev, Positive Hack Days international forum on practical security, @scadasl
English Slides / Japanese Slides

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.

And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.

Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.

"Blowing up the Celly - Building Your Own SMS/MMS Fuzzer"
Brian Gorenc and Matt Molinyawe, HP,
English Slides / Japanese Slides

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, you are relying on the carriers to be your front line of defense against these types of attacks. Honestly, the mobile device sounds like it was custom built for remote exploitation.

The question you should be asking yourself is: How do I find weaknesses in this attack surface? This talk will focus on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer. We will take an in-depth look at exercising this attack surface virtually, using emulators, and on the physical devices using OpenBTS and a USRP. To help ease your entry into researching mobile platforms, we will examine the messaging specifications along with the file formats that are available for testing. The value of vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find and profit from them.