Speakers

Additional speakers to be announced soon. Speaker lineup is subject to change. 

  • 24 October
  • 25 October
PAUL VIXIE

DNS as a Defense Vector

CHRIS GATES

Purple Teaming: One year after going from full time breaker to part time fixer

RICHARD JOHNSON

High Performance Fuzzing

TEAM PANGU

Design, Implementation and Bypass of the Chain-of-trust Model of iOS

VANESSA TEAGUE

The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

MARK DOWD

MalwAirDrop: Compromising iDevices via AirDrop

ANDY DAVIS

Broadcasting Your Attack: Security Testing DAB Radio In Cars

JAMES FORSHAW

Windows 10: 2 Steps Forward, 1 Step Back

VITALY NIKOLENKO

Practical Intel SMEP Bypass Techniques on Linux

LYON YANG

Advanced SOHO Router Exploitation

MATT MCCORMACK

Why Attacker's Toolsets Do What They Do

DAVID JORM

SDN Security

ILJA VAN SPRUNDEL

Window Driver Attack Surface: Some New Insights

JASIEL SPELMAN & MATT MOLINYAWE

Abusing Adobe Reader's JavaScript APIs

JOSHUA “KERNELSMITH” SMITH

High-Def Fuzzing: Exploring Vulnerabilities in HDMI-CEC

FATIH OZAVCI

VoIP Wars: Destroying Jar Jar Lync

JASON GEFFNER

VENOM

PETER FILLMORE

Fruit Salad, yummy yummy: An analysis of ApplePay

RAPHAËL RIGO

A Peek Under The Blue Coat

CHRIS ROCK

Hacked to Death

KARL DENTON

Automated Malware Analysis: A Behavioural Approach to Automated Unpacking

JASON JONES

Tasty Malware Analysis with T.A.C.O.: Bringing Cuckoo Reports into IDA Pro

YVES YOUNAN

A Practical Robust Mitigation and Testing Tool for Use-After-Free Vulnerabilities

HUBERT KARIO

Testing TLS - How To Check If Your TLS Implementation Is Correct

BABIL GOLAM SARWAR

Hack NFC Access Cards & Steal Credit Card Data with Android For Fun &Profit

BALINT SEEBER

Hacking the Wireless World - Software Defined Radio Exploits

SHANE MACAULAY

Microarchitecture Independent VM Introspection

COLBY MOORE ** BY VIDEO **

Spread Spectrum Satcom Hacking: Attacking the Globalstar SDS

PAUL VIXIE

DNS as a Defense Vector

DNS enables everything else on the Internet -- both good and bad. By watching what bad guys do with their DNS configurations and offering them differentiated (that is to say, poor) service, defenders can re-level the playing field in our favour. In this one-hour talk, Dr. Paul Vixie, CEO of Farsight Security, will explain what DNSSEC and TSIG (Secure DNS and Transaction Signatures) are and why you might want them, explain what RRL and RPZ (Response Rate Limiting and Response Policy Zones) do and why you absolutely do want them, then demonstrate SIE (the Security Information Exchange) which collects data from cooperating sensors all over the Internet and shares this telemetry with qualified non-profit and for-profit researchers. If there's enough time there will also be a demonstration of DNSDB, a passive DNS database. (Otherwise that demo will occur in the hotel bar area later on.)

PAUL VIXIE BIO

Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

CHRIS GATES

Purple Teaming: One year after going from full time breaker to part time fixer

A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets: Red, Blue, and Purple. The talk will hopefully bring value to anyone working in their respective bucket or assist in the creation or continuation of purple teaming at their company.

CHRIS GATES BIO

Chris joined Facebook in April 2014 as an Offensive Security Engineer. Chris has extensive experience in red teaming, network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his... redacted...no one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, DerbyCon, Hashdays, DevopsDays DC. Chris is also a cofounder of NoVAHackers. Blog: carnal0wnage.attackresearch.com  Twitter: @carnal0wnage

@mimeframe specializes in intrusion detection and incident response

RICHARD JOHNSON

High Performance Fuzzing

Security conference talks related to fuzzing tend to focus on distributed frameworks or new proof-of-concept engines. This talk will take a look at how to get the most performance out of your engine designs and fuzzing cluster for long term deployments. We will discuss topics like fork servers, static binary rewriting, patching the Windows kernel to bypass memory limits and more tricks that have yet to be included in fuzzing talks. We have successfully applied these techniques to create a high performance port of AFL that targets binaries as well as to speed up previous work on concolic execution and automated test generation. We will also compare the effectiveness of various black box fuzzing approaches, including model inference and directed fuzzing engines, against a new benchmark composed of real-world vulnerabilities.

Highlights include:

  • Highest performance program tracing options for coverage and dataflow

  • Using bootkits to bypass software memory limits in Windows

  • RAM disk options on Windows

  • Harnessing copy-on-write on Windows

  • High speed automatic test generation

  • Benchmark set of real vulnerabilities for testing fuzzers

  • Performance of best-in-class fuzzers against benchmarks

  • Demo of port of AFL for targeting binaries

  • Demo of fast concolic testing

RICHARD JOHNSON BIO

Richard Johnson is a computer security specialist in the area of software vulnerability analysis. Currently the Manager of Vulnerability Development for Cisco Talos, Richard offers 12 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade and was co-founder of the Uninformed Journal.

TEAM PANGU

Design, Implementation and Bypass of the Chain-of-trust Model of iOS

The closed software ecosystem of iOS relies heavily on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot, kernel initialization, to creation and execution of a userland process, review the key steps in previous jailbreak tools for breaking the chain-of-trust model of iOS, share the critical techniques exploited by Pangu 7 and Pangu 8, and analyze and forecast potential attack surfaces for future jailbreaks. We will also analyze a code signing bypass vulnerability that enables untethered jailbreak against iOS 8.2, and explain how it was stealthily fixed by Apple in iOS 8.3.

TEAM PANGU BIO

The Pangu Team is a team of senior security researchers focusing on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014, becoming the first team in China to independently develop untethered jailbreaks and the first team in the world to jailbreak iOS 8.

VANESSA TEAGUE

The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found fundamental protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community. 

VANESSA TEAGUE BIO

Vanessa Teague is a research fellow in the computing and information systems department at the University of Melbourne, Australia. She has worked on cryptographic protocols for electronic voting ever since finishing a CS PhD at Stanford on cryptographic protocols for economic games. Australia's unusual voting system constitutes a special challenge. She also spends a lot of time explaining to parliamentarians and electoral officials that requirements for transparency, privacy and verifiability apply to computerised voting too.

MARK DOWD

MalwAirDrop: Compromising iDevices via AirDrop

iOS versions prior to iOS 9 contained a nasty bug that was exploitable via AirDrop. The flaw allows users to write arbitrary files to the filesystem as the 'mobile' user. Due to various protections in place on un-jailbroken iOS installations, turning this flaw into some form of code execution is not entirely straightforward. This talk will discuss the uncovered flaw, and explain the system mechanisms that may be abused to leverage this flaw into gaining code execution.

MARK DOWD BIO

Mark Dowd is an expert in application security, specializing primarily in host and server based Operating Systems. His professional experience includes several years as a senior researcher at a fortune 500 company, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment," and has spoken at several industry-recognized conferences.

ANDY DAVIS

Broadcasting Your Attack: Security Testing DAB Radio In Cars

Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are in most cases integrated into an IVI (In-Vehicle Infotainment) system, which is connected to other vehicle modules via the CAN bus. Therefore, any vulnerabilities discovered in the DAB radio stack code could potentially result in an attacker exploiting the IVI system and pivoting their attacks toward more cyber-physical modules such as those concerned with steering or braking. This talk will discuss the complex protocol capabilities of DAB and DAB+ and describe the potential areas where security vulnerabilities in different implementations may exist. I will discuss the use of Software Defined Radio in conjunction with open source DAB transmission software to develop our security testing tool (DABble). Finally I will talk about some of our findings, the implications of exploiting DAB-based vulnerabilities via a broadcast radio medium and what this could mean for the automotive world.

ANDY DAVIS BIO

Andy has worked in the Information Security industry for over 20 years, performing a range of security functions throughout his career. Prior to joining NCC Group, Andy held the positions of Head of Security Research at KPMG, UK and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded systems and hardware interface technologies and developing new techniques for software vulnerability discovery.

JAMES FORSHAW

Windows 10: 2 Steps Forward, 1 Step Back

Windows 10 is shaping up to be one of the most secure consumer operating systems yet; it includes many new security features baked in, such as Control Flow Guard and the User Mode Font Driver. But new features have a habit of coming with additional bugs which only serve to reduce the security of the system at the same time. This presentation will describe a few of the new security features introduced into Windows 10 as well as some of the vulnerabilities I've discovered, which demonstrate that secure engineering is still very difficult in practice.

JAMES FORSHAW BIO

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.

VITALY NIKOLENKO

Practical Intel SMEP Bypass Techniques on Linux

The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities.

This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert existing exploit code into a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass, but the exploitation techniques presented are generic and can be applied to other Operating Systems that employ explicit sharing of the virtual address space among user processes and the kernel.

VITALY NIKOLENKO BIO

Vitaly is a security researcher specialising in malware analysis and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on Linux kernel exploitation techniques (SMEP/SMAP, ASLR bypasses) and the associated countermeasures. He currently works as a pentester and has performed countless penetration tests for large financial and governmental institutions.

LYON YANG

Advanced SOHO Router Exploitation

In this talk we will look into how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. We will elaborate on the techniques that were used in this research to locate exploitable routers, discover 0day vulnerabilities and successfully exploit them on both the MIPS and ARM platforms.

The talk will cover the following topics:

  • Dumping and analyzing router firmware from an ISP provided router

  • Tips and Tricks to discovering vulnerabilities on the router

  • Identification of vulnerabilities

  • Explanation of how to write ARM / MIPS exploits

  • ROP Gadgets used for writing ARM and MIPS Proof-Of-Concept

  • Post exploitation concepts – creative use of exploits

LYON YANG BIO

Lyon Yang is a senior security consultant at Vantage Point Security with a research focus on embedded systems hacking and exploitation. He is from sunny Singapore, the world's first smart city. His regular discoveries of zero days in a variety of router models have earned him a reputation as the go-to guy for router hacking in Singapore, where he has been hired to do firmware source code reviews on popular router models. He is currently working on a comprehensive testing framework for ARM and MIPS based routers as well as shell code generation and post-exploitation techniques.

MATT MCCORMACK

Why Attacker's Toolsets Do What They Do

The heartwarming story of a researcher turned part-time consultant learning that many companies have the same internal network security blindspots. Naughty gals and guys use a variety of tools and techniques to get into your corporate network and steal all the things, but many of them come up time and time again; because they just. keep. working.

The aim of my talk is to dive into some of the tools and malware commonly deployed, show how and why they're typically used, and how we can map that back to some common weak points we continue to see across far too many networks. If all goes well, hopefully together we can help make pentesters' lives a little bit more difficult.

MATT MCCORMACK BIO

Matt is a member of the Special Operations group within SecureWorks' Counter Threat Unit, primarily splitting his time between Research and Development projects, Targeted Attack Incident Response, Threat Research and Reverse Engineering. Prior to SecureWorks Matt spent a decade in the Antivirus industry, six of those at Microsoft in the Anti-Malware team primarily focusing on malware research (oddly enough), where they let him do fun stuff like push out the Malicious Software Removal Tool to around half a billion machines, bluescreen a few thousand of them, and detect and name "Stuxnet" (later discovering the name had caught on while on holidays in Greece). Matt presents at various conferences here and there, has given training on Reverse Engineering, and has a cat named Gary. Matt currently works out of Melbourne most of the time, doing a mediocre job of accommodating the US east-coast timezone.

DAVID JORM

SDN Security

SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.

DAVID JORM BIO

David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea's nuclear program is "ready to rock". He is currently focusing on SDN security, and leads the OpenDaylight and ONOS security teams.

ILJA VAN SPRUNDEL

Window Driver Attack Surface: Some New Insights

In this presentation I intend to cover a rapid fire set of issues that commonly occur in Windows drivers, from the trivial (ioctl handling, probing) to the obscure and subtle. The presentation will discuss these issues, illustrate them with examples, and offer developer guidance on how to avoid and mitigate them.

Whether you're a security researcher, a developer looking for some security guidance when writing these drivers, or just generally curious about driver internals, there's something here for all.

ILJA VAN SPRUNDEL BIO

Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing, he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities, and designing custom security solutions for clients in technology development, telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customers' expectations. van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.

JASIEL SPELMAN & MATT MOLINYAWE

Abusing Adobe Reader's JavaScript APIs

Adobe Reader's JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader's JavaScript APIs.

In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We'll detail how to chain several unique issues to obtain execution in a privileged context. Finally, we'll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.

JASIEL SPELMAN & MATT MOLINYAWE BIO

Jasiel Spelman

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

Twitter: @wanderingglitch

Matt Molinyawe

Matt Molinyawe is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec.

Prior to joining HP, Matt worked as a reverse engineer for General Dynamics and a software engineer for both USAA and L3 Communications. In 2014, Matt played a key role on the HP team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity.

Twitter: @djmanilaice

HP's Zero Day Initiative, Twitter: @thezdi

JOSHUA “KERNELSMITH” SMITH

High-Def Fuzzing: Exploring Vulnerabilities in HDMI-CEC

The HDMI (High Definition Multimedia Interface) standard has gained extensive market penetration. Nearly every piece of modern home theater equipment has HDMI support and most modern mobile devices actually have HDMI-capable outputs, though it may not be obvious. Lurking inside most modern HDMI-compatible devices is something called HDMI-CEC, or Consumer Electronics Control. This is the functionality that allows a media device to, for example, turn on your TV and change the TV’s input. That doesn’t sound interesting, but as we'll see in this presentation, there are some very surprising things an attacker can do by exploiting CEC software implementations. Then there's something called HEC or HDMI Ethernet Connection, which allows devices to establish an Ethernet connection of up to 100Mbit/s over their HDMI connections (newer HDMI standards raise the speed to 1Gbit/s).

Don't think your mobile phone implements CEC? You might be wrong. Most modern Android-based phones and tablets have a Slimport(r) connection that supports HDMI-CEC. Ever heard of MHL (Mobile High-Definition Link)? Think Samsung and HTC (among others) mobile devices, and many JVC, Kenwood, Panasonic, and Sony car stereos – as many as 750 million devices in the world so far. Guess what? MHL supports HDMI-CEC as well. Let's explore, and own, this attack space.

JOSHUA “KERNELSMITH” SMITH BIO

Kernelsmith is a senior vulnerability researcher with Hewlett-Packard Security Research (HPSR). In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Joshua is also a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications.

Prior to joining HP, Smith served in the U.S. Air Force in various roles including as an Intercontinental Ballistic Missile (ICBM) Crew Commander and Instructor, but more relevantly as a penetration tester for the 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Lab, where he began contributing to the Metasploit Framework. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Smith received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls.

Smith was drawn to ZDI for the chance to work with a world-wide network of security researchers while continuing his own vulnerability research. When not researching software vulnerabilities, Josh enjoys raising his two young hackers-to-be and watching sci-fi since he can't play sports anymore (there's no tread left on his knees).

Twitter: @kernelsmith

HP’s Zero Day Initiative Twitter: @thezdi

FATIH OZAVCI

VoIP Wars: Destroying Jar Jar Lync

Enterprise companies use Microsoft Lync 2010/2013 (a.k.a. Skype for Business 2015) services for call centre, internal communication, cloud communication and video conference services. It is based on VoIP and instant messaging protocols, and supports multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Official clients are also available for mobile devices (e.g. Windows Phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with the .NET framework.

Although the Microsoft Lync platform was developed with new technologies, it still suffers from the old VoIP, teleconference and platform issues. Modern VoIP attacks can be used against Microsoft Lync environments to obtain unauthorised access to the infrastructure. Exposed MS Lync front-end and edge servers, insecure federation security design, lack of encryption, insufficient defence against VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communication. Enterprise users and employees are also the next generation of targets for these attackers, who can attack client soft phones and handsets using broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.

Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented, with newly published vulnerabilities and the Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment. The talk will cover:

  • A brief introduction to Microsoft Lync ecosystem

  • Security requirements, design vulnerabilities and priorities

  • Modern threats against commercial Microsoft Lync services

  • Demonstration of new attack vectors against target test platform 

FATIH OZAVCI BIO

Fatih Ozavci is a Security Researcher and a Principal Security Consultant with Sense of Security, and the author of the Viproy VoIP Penetration Testing Kit. Fatih has discovered several previously unknown security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments for his customers. He has completed several unique penetration testing services during his career of more than 15 years. His current research is based on securing IMS/UC services, IPTV systems, attacking mobile VoIP clients, VoIP service level vulnerabilities, SaaS, mobility security testing, hardware hacking and MDM analysis. Fatih has presented his VoIP and mobile research at BlackHat USA'14, DefCon 23, 22 and 21, Troopers'15, Cluecon 2013 and Ruxcon 2013. He has also provided VoIP and Mobility Security Testing training at the AustCert'14, Kiwicon'15 and Troopers'15 events.


JASON GEFFNER

VENOM

Sit back and listen to the fascinating journey of this year’s VENOM vulnerability discovery. Learn how hypervisors work and where researchers should look for critical vulnerabilities. Find out how the VENOM vulnerability was found and why it went unnoticed for so many years. Hear all about the challenges of a coordinated vendor disclosure process. And take in the lessons we learned from the media exposure VENOM received.

JASON GEFFNER BIO

Jason Geffner is a world-renowned industry thought-leader in the fields of computer security and reverse engineering. He has been interviewed by Forbes, Fortune, CBS, AP, CSO Magazine, c|net, PCWorld, Dark Reading, and Threatpost, and has been featured on Slashdot, The Register, SC Magazine, ZDNet and Computerworld. Geffner holds several patents, is the discoverer of VENOM, and the inventor of Tortilla. He has been invited to present numerous times at Black Hat, RSA Conference, CanSecWest, OWASP, REcon, ISOI, Lockdown, and other industry conferences, in addition to delivering training to the United States Air Force, Japan’s National Police Agency, and private industry.


PETER FILLMORE

Fruit Salad, yummy yummy: An analysis of ApplePay

Interested in what the heck ApplePay is and how it works?
This talk is about demystifying ApplePay and providing information about its internals.
Since there is very little public domain knowledge available around this, the speaker decided to blow a grand on an iPhone 6, commit an incy wincy bit of fraud in America and find this stuff out for you.

You'll get to know:

  • how the iPhone loads the card.

  • hardware used.

  • what crypto is used.

  • different authentication codes generated.

  • is it vulnerable to existing card attacks?

  • testing methodology and tools used

Most likely this talk will tick off someone in Apple - hopefully that person is employed in the marketing department so stuff gets fixed.

PETER FILLMORE BIO

Peter Fillmore is (according to his US bank) a security consultant working in Santa Monica, Los Angeles, California*.
He likes to blow all his money on security tools.
Also he's talked on payment stuff, music stuff and stuff stuff.
Occasionally he will design a silly flashing thing that looks suspicious - it's a crocodile head people!

*May not be true.


RAPHAËL RIGO

A Peek Under The Blue Coat

Blue Coat ProxySG systems are widely deployed in big corporations to handle web traffic proxying and filtering. While they are very common, no work has ever been published regarding the internals of the system. With this talk, I will present the results of a detailed analysis of the entirely proprietary SG OS, which runs on commodity Intel hardware.

The talk will include a detailed description of:

  • OS mechanisms
  • File system internals
  • Security mechanisms (or lack thereof)

RAPHAËL RIGO BIO

Raphaël Rigo is now a security researcher at Airbus Group Innovations, after working in the past for Orange labs and the French Network and Information Security Agency (ANSSI).

He has been doing reverse engineering for 15 years and is mostly interested in system security.


CHRIS ROCK

Hacked to Death

Want to kill someone? Get rid of your boss? Want to enjoy your life insurance payout while you’re still alive and have a “Do Over” new identity?

Then this presentation is for you! I’ll provide you with the insight and techniques on how to “kill” someone, obtain a real death certificate and shut down their life. You could be dead right now and not even know it.

The presentation will explain the death process and will highlight the vulnerabilities and its implications world-wide.

You will learn:

  • How to fill in a doctor’s medical cause of death certificate anonymously.
  • How to become a funeral director and dispose of the body.
  • How to obtain a Death Certificate.

As a bonus, I will also show you how to “birth” virtual identities that obtain real birth certificates. You will learn the birth registration process and its security vulnerabilities.

The third and final step of the presentation is “The baby harvest”, which involves creating and raising virtual identities. This technique is similar to a shelf company. Virtuals will be “born” and registered with the government. They can open up bank accounts, get a virtual job to launder money, pay taxes, obtain home loans and obtain life insurance policies.

CHRIS ROCK BIO

Chris Rock is the CEO of Kustodian (this impresses his mum a lot; he had to repeat Kinder). Kustodian is a security company that focuses on Security Operations Centres and Penetration Testing and is operational across the world. Chris recently presented at DEFCON, where he ate too much at the buffet.


KARL DENTON

Automated Malware Analysis: A Behavioural Approach to Automated Unpacking

With malware being developed at an alarming rate, the quicker we can analyse and classify it, the better. Quicker analysis and classification enables us to develop defences sooner, and because of this malware authors often try to slow us down by hindering analysis.

One of the techniques often used by malware authors to hinder analysis of their handiwork is 'packing'. Packing an executable file involves compressing, and optionally encrypting, the file on disk, and unpacking it at runtime.

Packing makes it difficult to simply disassemble a malicious sample. It also makes it difficult to find useful strings which might reveal clues about its behaviour.

A packed executable must be unpacked before the processor can run it, and in this presentation I will introduce WinAppDbg -- a Python module originally written for coding instrumentation scripts and fuzzing -- and demonstrate how it can be used to not only detect an executable unpacking itself, but also dump a copy of the unpacked memory, locate the original entry point, and attempt to locate the unpacking loop -- with varying degrees of success.

I'll conclude the presentation by mentioning some of the other automated analysis ideas that I've been playing with -- some of which proved successful, and some so slow that it may have been quicker to do the work manually.

KARL DENTON BIO

Karl is a malware analysis hobbyist who analyses malicious code to make use of a misspent youth which involved more assembly language than it probably should have.

Karl needs challenges, so when not working he'll often try not hurting himself while mountain unicycling. He much prefers writing scripts to writing this.


JASON JONES

Tasty Malware Analysis with T.A.C.O.: Bringing Cuckoo Reports into IDA Pro

Bringing run-time information into IDA is not a new concept, but it has been a need for some time. Taking run-time behaviour and coupling it with other IDA-based tools can give new insight into how malware behaves and give a malware analyst a better idea of where the "interesting" pieces of the malware may lie. This presentation will cover TACO, a new IDA plugin that incorporates various elements logged during analysis in Cuckoo Sandbox in order to speed up the malware analyst's job of discovering key behaviours used by the malware.

JASON JONES BIO

Jason Jones is a Senior Security Researcher for Arbor Networks' ASERT team. His primary role involves reverse engineering malware, development of internal malware processing infrastructure, and other development tasks. Jason has spoken at various industry conferences including BlackHat USA, BotConf, REcon, and AusCERT.


YVES YOUNAN

A Practical Robust Mitigation and Testing Tool for Use-After-Free Vulnerabilities

Use-after-free vulnerabilities occur when a program marks memory as free, but then subsequently tries to use that memory.

Such a vulnerability can lead to remote code execution when exploited. These vulnerabilities are difficult to spot during code reviews because of the complexity of dynamic memory operations, where the free can occur thousands of lines away from the actual re-use. Many of these vulnerabilities will also not cause runtime errors during regular operation, making them hard to detect through automated testing. Due to the various mitigations that have been deployed on modern operating systems, these are currently the most exploited vulnerabilities on Windows 7 and higher platforms. The mitigation presented here, FreeSentry, provides protection against these types of vulnerabilities. It does so by dynamically tracking memory: when a memory location is freed, all pointers to that location are invalidated. If a use-after-free occurs within a program, the program will attempt to use one of the invalidated pointers and will crash, preventing an attacker from exploiting the vulnerability.

A major advantage of our approach is that it is fully compatible with unprotected code, allowing non-protected libraries to work in conjunction with protected programs or modules; this also allows programmers to decide, coarsely or granularly, which parts of the application they want to protect. Since any attempted misuse of the protected memory will result in a crash, it can also be used as a testing tool to detect the existence of such vulnerabilities more easily when fuzzing applications.

The presentation will demonstrate the effectiveness of the protection by showing that the mitigation protects against a number of real-world vulnerabilities. It has also found new ones, particularly in a popular performance benchmark, that were missed by similar mitigations. This means that it is effective to use as a tool when fuzzing.

YVES YOUNAN BIO

Yves Younan is a Senior Research Engineer with the Talos Security Intelligence and Research Group at Cisco. Cisco purchased Sourcefire a couple of years ago.

Prior to joining Sourcefire’s Vulnerability Research Team, he worked as a Security Researcher with BlackBerry Security. Before joining BlackBerry, he was an academic, founding the Native Code Security group within the DistriNet research group at the Katholieke Universiteit Leuven in Belgium. He received a Master in Computer Science from the Vrije Universiteit Brussel and a PhD in Engineering: Computer Science from the Katholieke Universiteit Leuven. His PhD focussed on efficient countermeasures against code injection attacks on programs written in C and C++.


HUBERT KARIO

Testing TLS - How To Check If Your TLS Implementation Is Correct

While we all use TLS and depend on its security, a recent stream of severe issues in major TLS implementations has undermined trust in it. How many of those implementations are tested, and how thoroughly? In the talk Hubert Kario will discuss problems related to testing TLS implementations and propose a solution in the form of an open source test suite and framework for verifying the correctness and resiliency of TLS implementations against attacks. The tools described are aimed at anybody from system administrators to developers working on new TLS implementations. The presentation will include examples showing how easy it is to test the correctness of an arbitrary TLS server as well as how to test a new feature added to a given TLS stack.

HUBERT KARIO BIO

Hubert Kario started work in IT as a network administrator, later moving to security related programming. At his previous employer he worked on electronic signature systems and archival systems for electronically signed documents (XAdES). After earning his master's degree in Computer Science from WIT in Warsaw he moved to Brno where he's currently employed by Red Hat as a Quality Engineer for security sensitive software. Lately he's focusing on code review, creating test coverage as well as performing regression testing of the Mozilla NSS, OpenSSL and GnuTLS cryptographic libraries. Some other projects he is involved in are Crypto Policy and Shared System Certificates in Fedora as well as the IETF TLS 1.3 working group. In free time he's an avid cyclist and skier.


BABIL GOLAM SARWAR

Hack NFC Access Cards & Steal Credit Card Data with Android For Fun & Profit

Proximity-dependent wireless technologies based on short range radio, such as Near Field Communication (NFC), continue to be popular for physical access control (opening doors, crossing security check-points etc.) with wearable access cards, and also in global payment systems such as Mastercard's Paypass and Visa Paywave, where the user makes a payment just by tapping the card on the merchant's reader.

Although several previous research works have demonstrated vulnerabilities in the NFC protocols and standards used in these systems, users (and policy-makers) generally continue to be unaware of the risks.

Therefore this talk focuses on some current, widely deployed NFC standards used for access control systems in large institutions (hotels, universities etc.) and financial systems (Paypass, Paywave etc.), and provides easy to follow guidelines and source code to attack, bypass, sniff and steal personal information from these systems using rather inexpensive Android devices.

BABIL GOLAM SARWAR BIO

Babil Golam Sarwar is currently working as the Chief Information Security Officer (CISO) at Vysk Communications in the Silicon Valley, USA. His current major projects include the design and implementation of a highly secure real-time and asynchronous communications platform at Vysk. Before moving to the valley, he spent about 7 years working in various research and development projects at National ICT Australia (NICTA), one of Australia's largest Research Centres of Excellence, and earned two PhD degrees, from the University of New South Wales, Australia and the University of Toulouse, France, in Electrical Engineering and Telecommunications. His research interests include reverse engineering, cryptography, network and operating system security, kernel development and exploitation techniques, and radio communications technologies such as GSM, LTE and short-range NFC, RFID etc.


BALINT SEEBER

Hacking the Wireless World - Software Defined Radio Exploits

Ever wanted to communicate with a NASA space probe launched in 1978, or spoof a restaurant’s pager system? There are surprising similarities! How about using an airport’s Primary Surveillance RADAR to build your own bistatic RADAR system?

SDR can be used to accomplish many varied things in the wireless world - a place where communications systems, and their radio signals, are everywhere: consumer, corporate, government, amateur – widely deployed and often vulnerable. I’ll review some interesting and unusual radio systems, and show how you can 'interact' with them using open source software and cheap hardware.

Additional topics include decoding SATCOM messages, RF spectrum monitoring, and using drones as an aerial radio 'survey & research' platform.

BALINT SEEBER BIO

A software engineer by training, Balint is a perpetual hacker, the Director of Vulnerability Research at Bastille Networks, and the guy behind spench.net. His passion is Software Defined Radio and discovering all that can be decoded from the ether, as well as extracting interesting information from lesser-known data sources and visualising them in novel ways. When not receiving electromagnetic radiation, he likes to develop interactive web apps for presenting spatial data. Originally from Australia, he moved to the United States in 2012 to pursue his love of SDR as the Applications Specialist and SDR Evangelist at Ettus Research.


SHANE MACAULAY

Microarchitecture Independent VM Introspection

Mapping a physical memory dump back into virtual space is the first step in volatile memory forensics. Serious barriers have been broken down over several years by tools like Volatility and recent forks. Cloud and virtualized environments have compounded these issues, which has brought about the need for virtual machine introspection capabilities to be developed.

Current techniques, like Actaeon and Google’s ReKall, have implemented methods for acquiring and analyzing physical memory which are hypervisor-agnostic (able to work with Hyper-V, Xen, VMWare, etc…). Unfortunately, both of these existing tools require specific profiles to be created/maintained (e.g. using ReKall’s vmcs_layout Linux kernel module) based on the platform architecture where the memory dump was acquired.

I will demonstrate an extension of our earlier physical methods for hidden process detection, which leverages the self-referencing PTE entry present in the page table on all Windows (and many other OS) platforms. This capability is rooted in hardware and intimate interaction with the page fault handler, and as such provides near perfect assurance that all virtual address space mappings are detected.

Google’s Rekall uses symbol enumeration, extraction and profile generation as the basis for its logical (OS level) capabilities to recover artifacts from memory dumps. Its ability to perform hypervisor introspection is, however, based on heuristics and signatures.

A revolutionary memory forensics analysis method based almost entirely on hardware defined (and required baselines, thus not able to be adjusted) hypervisor internals (VMCS/VMCB configuration) will be demonstrated. This capability not only ensures a high level of assurance in attesting that all physical pages are able to be addressed, including arbitrary nesting depth of hypervisors, it can also vastly reduce the amount of time spent managing profile collections and the overall headaches that come with trying to identify whether any given cloud service provider uses Haswell, Ivy Bridge or SkyLake.

This method is microarchitecture independent as well as hypervisor-agnostic.

I’ve also finished reviewing FreeBSD and will likely complete an update to include FreeBSD hidden process detection (physically detected) and VM introspection as well. I will sum up with a short list of possible attacks against systems which may not anticipate “Unrestricted guest” operation (Intel architecture manual Table 24-7, Secondary Processor-based VM-Execution Controls, 0x80).

SHANE MACAULAY BIO

Shane has presented at many industry conferences (CanSecWest, DefCon, BlackHat, BlueHat, BSides, IEEE, American Academy of Forensic Science and specialized industry/government conferences/DoD cyber crime) on topics ranging from attack & penetration techniques, polymorphic shellcode, forensic and APT analysis methods.

Shane is currently the primary architect and developer for BlockWatch (https://blockwatch.ioactive.com), the only integrity proving forensic Windows memory analysis tool known to exist.


COLBY MOORE ** BY VIDEO **

Spread Spectrum Satcom Hacking: Attacking the Globalstar SDS

This presentation is pre-recorded with a Q&A session via Skype to follow.

Recently, there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before - take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I'll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.

COLBY MOORE ** BY VIDEO ** BIO

Colby Moore is Synack's Manager of Special Activities. He works on the oddball and difficult problems that no one else knows how to tackle and strives to embrace the attacker mindset during all engagements. He is a former employee of VRL and has identified countless 0-day vulnerabilities in embedded systems and major applications. In his spare time you will find him focusing on that sweet spot where hardware and software meet, usually resulting in very interesting consequences.