Ole André Vadla Ravnås

Talk : Frida IRE – a tool for scriptable dynamic instrumentation in userland

Frida IRE (Interactive Reverse-engineering Environment) is an open source reversing tool focusing on scriptable dynamic instrumentation in userland. It runs on Windows, Mac, Linux and iOS.
In this talk, I will focus on live demos showing you how to use Frida’s scripting capabilities to explore live processes both locally and remote. I will also show how Frida potentially can be used to do stealthy instrumentation of paranoid processes protected by anti-debugging.

Bio :

Ole André V. Ravnås is the VP of Engineering and hacker-in-residence at Soundrop, where he helps build the music industry’s premier social music platform.

He’s also very passionate about reverse engineering and loves to build tools that help open source projects achieve interoperability with file formats and protocols from large software companies. Previously he authored oSpy and reverse-engineered Microsoft’s MSN webcam codec to allow their webcam chat to be used across different platforms. He also made it possible for the XBMC team to bring their media center to Apple TV.

Paul “RootBSD” Rascagneres

Talk : The reality about Red October

I propose to make a technical analysis of Red October. The talk will be deeply technical: how to get the payload stored in the .doc file, how to unpack the malware, the analysis of the final malware and to finish how to rewrite a C&C. The presentation will be base on these articles:

Bio :

Paul has been a security consultant and security researcher for 10 years. He is the creator of the project malware.lu, a repository of free samples for security researchers which also publishes technical analysis. Paul created the first private CERT in Luxembourg and also makes reverse engineering, malware analysis and incident response.

Philippe Teuwen

Talk : RFID/NFC security & privacy

Topics covered:

  • RFID/NFC readers for PC supported by open-source software
  • PC/SC: limits of manipulating RFID with contact-oriented standards (ATR/ATS & APDUs)
  • NFC, anticollision, card emulation, relay attacks, RFID authentication
  • protocol example
  • libnfc tools, RFIDIOt tools, ePassports, privacy
  • Open hardwares, Proxmark

Bio :

Principal researcher in security at NXP Semiconductors and contributor of a number of NFC-related open-source softwares.

Edmond “bigezy” Rogers

Talk : Defending Critical Infrastructure or Beating the Kobayashi Maru

The presentation will provide an overview of the issues that administrators face when dealing with the challenges of providing for security of critical infrastructure. Solutions must flexible and meet both operational and business needs. Also, it is very desirable to deploy solutions that actually work to secure your critical network. This talk will begin with an overview of the critical components of the Electric System, provide a breakdown of critical data flows, and finish with a review of tools currently being developed to better define, harden, or narrow network attack surface.

Bio :

Before joining ITI, Edmond Rogers was actively involved as an industry participant in many research activities in ITI’s TCIPG Center, including work on NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Prior to joining ITI, Rogers was a security analyst for Ameren Services, a Fortune 500 investor-owned utility, where his responsibilities included cyber security and compliance aspects of Ameren’s SCADA network. Before joining Ameren, he was a security manager and network architect for Boston Financial Data Systems (BFDS), a transfer agent for 43% of all mutual funds. He began his career by founding Bluegrass.Net, one of the first Internet service providers in Kentucky. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations.

Benjamin Vernoux

Talk : HackRF A Low Cost Software Defined Radio Platform

The HackRF project is developing an open source design for a low cost Software Defined Radio (SDR) transceiver platform. SDR technology allows a single piece of equipment to implement virtually any wireless technology (Bluetooth, GSM, ZigBee, etc.), and we hope the availability of a low cost SDR platform will revolutionize wireless communication security research and development
throughout the information security community.
Official web site: http://greatscottgadgets.com/hackrf/
Official github: https://github.com/mossmann/hackrf

Bio :

Benjamin Vernoux is an host/embedded software researcher who make software and hardware for hackers, working on HackRF project and Daisho project and also on personal project like NFC TI TRF7970A Breakout Board, STM32F4 Debug …

Glenn Wilkinson

Talk : The Machines that Betrayed their Masters: Mobile Device Tracking & Security Concerns

The devices we carry betray us to those who want to invade our privacy and security by emitting uniquely identifiable signals. The most common example is that of the wireless signals emitted by your mobile phone (even whilst tucked safely into your pocket), but as new technologies develop so do new signatures. Such signals may be used to track you, or be used toward more malicious intent.

The risk of an attack on these implementation flaws was first demonstrated in 2004 with the Karma exploit, however, the flaws still exist and have become more numerous as the number of WiFi enabled devices has grown. What’s more the privacy risks have not been fully explored until now.

This talk will discuss the process the author has gone through to build a resilient, modular, reliable, distributed, tracking framework. Data captured from several security conferences will be explored and discussed.

While Snoopy has been presented before, it was still in the earlier stages of development. Since then, a significant amount of work has been put into the framework (e.g XBee, SnooPi, and Quadcopters), and much experience gained in its use. A live demonstration will be given during the talk.

Bio :

Glenn currently works at SensePost with his role divided between penetration testing, training, and research. He holds two masters degrees from the University of Oxford.

Tal zeltzer

Talk : Virtually Secure, Analysis to Remote Root 0day on an Industry Leading SSL-VPN Appliance

Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.

Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses
we’ve experienced – EVER!

Bio :

Tal Zeltzer is an Israeli security researcher, reversing by day and hacking by night. Tal has a history of 0days behind him, ranging from his latest PCAnywhere findings to embedded systems and web applications. He spends most of his free time conducting research and developing research tools. He tweets under @talzeltzer and blogs at http://exploit-code.com

Daniel Mende

Talk : Paparazzi over IP

Almost every recent higher class DSLR camera features multiple and complex access technologies. For example, CANON’s new flagship features IP connectivity both wired via 802.3 and wireless via 802.11. All big vendors are pushing these features to the market and advertise them as realtime image transfer to the cloud. We have taken a look at the layer 2 and 3 implementations in the CamOS and the services running upon those. Not only did we discover weak plaintext protocols used in the communication, we’ve also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the “upload to the clouds” feature resulted in an image stealing Man-in-the-Imageflow. We will present the results of our research on cutting edge cameras, exploit the weaknesses in a live demo and release a tool after the presentation.

Bio :

Daniel Mende is a German security researcher specialized on network protocols and technologies. He’s well known for his Layer2/3 attack tool LOKI, the fuzzing framework DIZZY and has presented on protocol security at many occasions including Troopers, Blackhat, CCC, HIBT and ShmooCon. Usually he releases a new tool when giving a talk.

Raoul “Nobody” Chiesa

Talk : Information Warfare: mistakes from the MoDs.

This talk will analyze those mistakes commonly done by MoD when trying to deal with the so-called “Cyberwar”. The speaker will empass through cultural, practical, logistics and narrow-minds issues he’s been able to observe while training various military staff in different countries.

Bio :

Raoul “Nobody” Chiesa was born in Torino, Italy, in 1973. After being among the first italian hackers back in the 90’s (1986-1995), Raoul decided to move to professional InfoSec, founding in 1997 @ Mediaservice.net Srl, a vendor-neutral and well known security consulting company.
The company operates worldwide, being as well the oldest ISECOM Training Partner for the OPST, OPSA, OPSE and OWSE international security certifications. The company’s Red Team held also the following industry certifications: PCI-DSS QSA, PCI-DSS ASV, ISO/IEC 27001 Lead Auditor, CISA, CISSP, ITIL, SANS GCFA, ECCE.

Raoul is among the founder members of CLUSIT – the Italian Information Security Association – and he is a Board of Directors member at ISECOM, CLUSIT, OWASP Italian Chapter, Italian Privacy Observatory (AIP/OPSI).

Both Raoul and its security team work on research areas such as X.25 and PSDN networks, VoIp Security, Malware Analysis, Social Engineering, SCADA & Industrial Automation, Home Automation, Satellite communication, Mobile Security, SS7 threats and much more.

Since 2003 he started its cooperation with the UN agency “UNICRI” (United Nations Interregional Crime and Justice Research Institute), working on “HPP”, the Hackers Profiling Project run by ISECOM and UNICRI; in 2005 he has been official recognized by UNICRI’s Director, Mr. Sandro Calvani, as a cybercrime advisor. Nowadays his role at UNICRI is “Senior Advisor, Strategic Alliances and Cybercrime Issues Technical Contact Officer”. More info on UNICRI’s Cybercrime Trainings maybe found at: http://www.unicri.it/wwd/cybertraining/index.php

On February 2010, Raoul has been selected among the 30 European top security expert to assist the ENISA Director until 2012 at the PSG, Permanent Stakeholders Group, for the European Network & Information Security Agency.

Fabian ‘fabs’ Yamaguchi

Talk : Information Retrieval and Machine Learning Tools for Interactive Bug Hunting

When hunting bugs in large code bases you have never seen before, tools allowing quick navigation and recognition of patterns can be of great help. Surprisingly, most navigational features of popular IDEs and dedicated code understanding tools offer only very basic search capabilities and seldom exploit language information.

In this talk, we present a new language-aware open-source code indexing tool, which allows you to mine code for bugs by quickly executing complex queries on large C/C++ code. The tool offers a fuzzy parser, allowing code with missing headers to be processed in most cases. If you have ever wanted to search code fragments, which “fell off some truck” for all local variables passed as third arguments to memcpy, which hold l-values of assignments involving multiplications as r-values where all variables involved do not occur in conditions, this tool is for you.

We then show that the fine-grained representation of code stored in the generated index is a valuable source of information for code analysis tools. In particular, we present a second tool, which uses this information alone to automatically derive simple programming rules such as “the return value of malloc should be checked when processing packets from the network” using machine learning techniques. By employing anomaly detection, this allows us to
highlight violations of these rules and present them to auditors as they browse code. We close by providing a number of examples demonstrating that these tools are “nice to have” in practice.

Bio :

Fabs is currently doing research on machine learning for offensive security at the Computer Security Group of the University of Goettingen (Germany). Prior to joining the group, he worked as a security researcher/consultant for Recurity Labs GmbH in Berlin.

Adam “Major Malfunction” Laurie & Zac Franken – Aperture Labs

Keynote: Rfcat and beyond (Adam “Major Malfunction” Laurie)

With more and more products incorporating RF into their profiles,
sub-GHz radio is fast becoming central to the security landscape and this is something that should be on every hacker’s radar…

As a contributor to the rfcat project, I can provide first hand experience of the practicalities of intercepting, analysing and spoofing RF communications, and will present some useful methodologies and python extensions that will help you get the most out of your rfcat dongle, as well as my new rfcat-inspired wearable RF hacking tool prjoect: “Chronic”.

Talk : Decapping chips the easy hard way (Adam “Major Malfunction” Laurie & Zac Franken)

For some time it has been possible to discover the inner workings of microprocessors with the help of a microscope and some nasty chemicals such as fuming nitric acid. However, unless you have access to a university or work science lab, this is beyond the reach of most hackers, and, even it were to be attempted, difficult and potentially extremely dangerous…

In this talk we will go through our own adventures in tackling the issue from the point of view of the back-room hacker/researcher, and how we have solved many of the problems using only tools and devices that were freely and cheaply available from online sources such as ebay.

There is also the secondary problem of what to do with the chip once you’ve decapped it. For example: if you’ve taken microscopic images of a masked ROM, in theory you can extract the code, but in practice you’re looking at thousands of tiny dots, each of which represent a 0 or a 1, which, once correctly read and compiled into HEX, will represent the original byte code. Many projects (e.g. MAME) have used crowd-sourcing as a means of converting the images by eye, but we will present a software tool that semi-automates this process and we’ll demonstrate how what was once the works of tens if not hundreds of hours can be reduced to a few minutes.

Adam Laurie Bio :

Adam Laurie is a freelance security consultant working the in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe’s largest specialist in that field (A.L. downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world’s first CD ripper, ‘CDGRAB’. At this point, he and Ben became interested in the newly emerging concept of ‘The Internet’, and were involved in various early open source projects, the most well known of which is probably their own—’Apache-SSL’—which went on to become the de-facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings, and is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source python RFID exploration library ‘RFIDIOt’, which can be found at http://rfidiot.org. Adam is a Director and full time researcher working for Aperture Labs Ltd., specialising in reverse engineering of secure systems. http://aperturelabs.com

Zac Franken Bio :

Zac Franken has been working in the computer and technology industry for over 20 years for major industry players such as ICL, Informix, British Airways and Motorola. Founding his first company, Point 4 Consulting at the age of 25, he built it into a multi-million pound technology design consultancy. Point 4 was the leading provider for critical back end technology in the UK and was used by many major web sites such as The Electronic Telegraph, MTV, United Airlines, Interflora, Credit Suisse, BT, Littlewoods and Sony. Following Point 4 he went on to found Ablaise, a company that manages the considerable intellectual property generated by Point 4, and Aperture Labs Ltd. In his spare time he manages the worlds largest and longest running security conference, Defcon.

Zac’s research focuses on embedded hardware with a perchant for access control systems and biometric devices, he has spoken and trained at public information security conferences in Europe and the US and for private and governmental audiences. He is responsible for identifying major vulnerabilities in access control and biometric systems, and has a passion for creating devices that emulate access control tokens either electronic physical or biometric. Zac has been responsible both directly and indirectly for changing access control guidelines for several western governments.

Mathieu ‘GoToHack’ RENARD

Talk : Hacking apple accessories to pown iDevices – Wake up Neo! Your phone got pwnd !

Unlike the previous jailbreakme.com exploits targeting MobileSafari that could be used against an unwitting victim, publicly available jailbreaks require USB tethering. Since iDevices refuse to communicate over USB if they are locked unless they have previously paired with the connecting device these jailbreaks have a lower security impact, and are usually only useful to the phone’s owner. Then it is legitimate to think we are safe. Nevertheless, malicious codes already running on hosting personal computers silently steal confidential information using iTunes services or leverage USB jailbreaks.

This talk will discuss about the most interesting Apple services (from the attacker point of view) and describe how they can be exploited in order to retrieve confidential information or to deploy the evasi0n jailbreak. Finally, the author will present the analysis of a Made For Apple (MFI) dock station and its weapownizing in order to allow an automated jailbreak.

Bio :

Mathieu Renard “GoToHack” is a Senior Penetration tester/team leader during the day and Security ressearcher at nigth. His research areas focus in embedded systems, hardware hacking and mobile device security. Since two years, he has focused is work (security assessments) and his research on the iOS platform.

Xavier ‘xEU’ Martin

Talk : Nifty stuff that you can still do with Android

Fact: It is generally assumed that reverse engineering of Android applications is much easier than on other architectures. Static program analysis is the way to go.You can go back and forth between application and bytecode assembly without much hassle.

Reality: Few techniques are willing to make their comeback on this platform, namely dynamically code loading and self modifying code : bringing the fun back ! Source code examples will be shown, with step by step explanation.

Bio :

I’ve been practising reversing engineering as an amateur, since years. As a child of the 80s, computer devices at home evolved from cassette to floppy disk then hard drive. Looking at different assembly languages enlightened my winter evenings. I’ve reverse engineered video game consoles ; namely Dreamcast & Playstation 2. I was involved in the making of CodeBreaker cheat device on those platforms (writing debuggers, assembly stub with size constraint).

Emmanuel Gadaix

Talk : Keynote : Carrier-Grade Insecurity

Bio :

CTO at Globe Relay Inc.
Extensive experience of mobile telecommunications technologies (value-added services, intelligent networks, payment systems, fraud management, security)
Specializations: Mobile Payments, Intelligent Network and Value-Added Services, Penetration testing, Architecture Audits, Cryptography