PacSec 2015 Speakers
"Attacking IoT with SDR (Software Defined Radio)"
Jonathan Andersson, HP
Software defined radio (SDR) is an emerging technology focused on flexible radio implementation and design reusability. Complex radio protocols can be implemented quickly via software and deployed across a variety of diverse radio hardware. This presentation will focus on the application of SDR to the ever growing Internet of Things (IoT) with a specific focus on Home Automation. An overview of wireless attack vectors will be presented along with the results of their exploration. Attack techniques, defensive strategies, best practices and future market recommendations will also be discussed.
"Attacking HTTP2 Implementations"
Stuart Larsen + John Villamil, Yahoo!, @xc0nradx & @day6reak
HTTP2 is a new technology that will soon see widespread use across the internet. There has been little research into this new protocol from a security perspective yet multiple adoptions and code bases already exist. HTTP2 lives in browsers, caching proxies, and libraries. It is the undisputed future of internet connections and so vulnerabilities in this protocol have the potential to cripple infrastructure across the globe. We will present our research on the current state of the HTTP2 protocol from a security perspective. We will focus on threats, attack vectors, and vulnerabilities found during the course of our research. Two Firefox and two Apache Traffic Server (ATS) vulnerabilities will be discussed alongside the release of the first public HTTP2 fuzzer. We will show how the bugs were found, what they are, why they occur and how to trigger them.
"Criminal Hideouts for Lease: Bulletproof Hosting Services"
Maxim Goncharov, Trend Micro
This type of activity is one of the most important parts of almost every single online criminal activity we see today. Without servers where people can put their malicious files or hosting facilities to execute malicious code, entire cybercriminal ecosystems would not work. An entire Bullet Proof Hosting Services industry is designed to host something that is not really welcome from white hat business models, but definitely expected by the black hat community.
Bullet Proof Hosting Services refers to hardware-based, virtual-based or application hosting facilities that can allow collocating any type of content or executable code on their platforms. The main difference between a Bullet Proof Hosting Service provider and a normal hosting service provider is the possibility to use facilities for hosting non-legitimate or semi-legitimate content or applications on their servers. Bullet Proof Hosting Services allow hosting everything from phishing websites to carding forums, from Command & Control (C2) environments to pornographic websites, from SEO tools to eCommerce sites with fake watches...
"BlueToot / BlueProx - when Bluetooth met NFC"
Adam Laurie, Aperture Labs, @rfidiot
This talk will cover one of the winning entries in last year's Mobile Pwn2Own, and show exactly how the exploit worked, why it was successful, and how it could have been avoided.
"Windows 10, Elevator Action"
James Forshaw, Google UK
Windows is a fertile ground for elevation of privilege vulnerabilities, especially in new versions which introduce interesting features. Complexity, however, risks introducing bugs, some of which can be exploited to get system or kernel privileges. This presentation will describe some of the new features in Windows 10, some of the changes which have been made to old features and how this has an impact on local privilege escalation. I'll also show some interesting, rarely documented techniques to exploit certain types of vulnerabilities to get local system or kernel privileges from a sandbox or a normal user account.
"Panel discussion - Cybersecurity: Where do I start/what do I need to do?"
Panelists: Josh Ryder (AppNexus), Chris Kuethe (Box), Masakazu Takahashi (Microsoft Japan)
Tapping into years of enterprise and cloud security experience, our panelists will talk about what technology and practices are working for them now, including two-factor authentication, what constitutes good quality logging (and how to use those logs well), and some hard earned best-practices. This session is designed for interaction with the attendees.
"Warranty Void If Label Removed - Attacking MPLS Networks"
Georgi Geshev, MWR InfoSecurity
Multiprotocol Label Switching (MPLS) is certainly the most prevalent service provider technology used by major players to build and offer highly scalable value-added services allowing reliable transport of data and latency-sensitive traffic like voice and video. It turns out MPLS has remained largely unexplored by the security community and very little security research has ever been done in this area.
This talk will be a walk-through of research findings from assessing multiple MPLS implementations and the various key weaknesses that were found to affect a number of leading vendors. General MPLS and MPLS related terms and concepts will be briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies.
Several network reconnaissance techniques will be presented that allow an adversary to partially or, in some cases, fully reveal the MPLS backbone Label Switching Router (LSR) interconnections by leaking internal LSR IP addresses. The attack scenarios against service provider infrastructure will then be followed by attacks on customers of the MPLS domain. It should be noted that none of the examples and demonstrations require access to the MPLS backbone, i.e. attacks are executed from the perspective of a client of the MPLS domain.
The talk will conclude with both general and, where applicable, vendor-specific best practices and recommendations on reducing the attack surface of an MPLS network.
"The plain simple reality of entropy (Or how I learned to stop worrying and love urandom)"
Filippo Valsorda, CloudFlare, @FiloSottile
Entropy, the randomness used in many critical cryptography processes including key generation, is as important as it is misunderstood. Many myths are fuelled by misleading documentation. This presentation aims to provide simple and actionable information while covering technical details and real-world implementations.
"High Performance Fuzzing"
Richard Johnson, Cisco Talos, @richinseattle
Security conference talks related to fuzzing tend to focus on distributed frameworks or new proof-of-concept engines. This talk will take a look at how to get the most performance out of your engine designs and fuzzing cluster for long term deployments. We will discuss topics like fork servers, static binary rewriting, patching Windows kernel to bypass memory limits and more tricks that have yet to be included in fuzzing talks. We have successfully applied these techniques to create a high performance port of AFL that targets binaries as well as speed up previous work on concolic execution and automated test generation. We will also compare effectiveness of various black box fuzzing approaches including model inference and directed fuzzing engines against a new benchmark composed of real-world vulnerabilities.
"Universal Pwn n Play"
Martin Zeiser + Aleksandar Nikolic, Cisco
Universal Plug and Play (UPnP) is a protocol which is in widespread use, supported by every major operating system and in use just about everywhere in the embedded world. In addition to home routers, it's providing functionality to devices such as DVD players, IP cameras, printers, televisions, media centers, HVAC and many more. Right now it is active on hundreds of millions of devices, many of them facing the Internet.
While previous research has focused on directly exploiting the functionality or implementation of UPnP, there's an attack vector which has been overlooked. UPnP has client-side functionality which opens up a whole new attack surface. In our talk we discuss the client side of the protocol, present ways to reach this attack surface and demonstrate a PoC exploit against a major implementation.
"Vulnerabilities mining technology of Cloud and Virtualization platform"
Qinghao Tang, Qihoo 360
As a key foundation of cloud computing, virtualization technology plays a more and more important role as cloud platforms develop widely and rapidly. However, in recent years, virtualization systems have continued to suffer high-risk vulnerabilities, which bring great challenges to cloud security. This talk draws on the experience of the 360 virtualized security research team, and will comprehensively reveal the structure of virtualization systems and the process of 0day vulnerability discovery.
"Exploiting Heap Corruption due to Integer Overflow in Android libcutils -- Escalate privilege by vulnerabilities in Android system services"
Guang Gong, Qihoo 360, @oldfresher
How to exploit CVE-2015-1528 to get system_server permission in Android.
"BadBarcode: Hacking with A PIECE of PAPER"
Hyperchem Ma, Tencent
As the most ancient technology of IoT, the barcode has been applied in vast areas, such as logistics, self-checkout machines, parking ticket machines, turnstiles, self-boarding and many kinds of kiosks.
Over the decades, many barcode protocols (both 1D and 2D) have been invented. Although most of them are applied only in certain scenarios, barcode scanner manufacturers still manage to support as many protocols as possible, which inspired us and gave rise to this topic. After a deep look into those protocols, we found that some special barcode commands would help us achieve our goal: executing arbitrary commands on the target system. To accomplish this, all you need is just A PIECE of PAPER.
"Hidden dangers inside your platform"
Mickey Shkatov + Jesse Michael, Intel
With today's advancements in connectivity and internet access using 3G and LTE modems, it seems we can all have a device that's always internet capable, including our laptops, tablets and 2-in-1 ultrabooks. It becomes easier to be online without using your WiFi at all. However, this introduces a new attack vector, one that is scary in the sense that, if abused, it can avoid detection and act as an independent computer. In our talk we will discuss and review the threat, vulnerabilities, and fixes we have discovered and responsibly disclosed in an internal 3G/LTE modem product that surprised even us.
*note: Due to various circumstances, speakers, topics, date and stage order may be changed without notice.