DEFCON 14: [Video] Speeches from the hacker conventions show


Summary: The DEF CON series of hacking conferences was started in 1993 to focus on both the technical and social trends in hacking, and has grown to be a world-known event. Video, audio and supporting materials from past conferences are available on our website at: https://www.defcon.org/html/links/dc-archives.html This RSS includes video from the speeches at DEF CON 14. Additional versions, including audio and music videos from the DEF CON DJs, will be uploaded separately. We hope you enjoy.


Podcasts:

 SensePost: A Tale of Two Proxies | File Type: video/x-m4v | Duration: 52:53

Abstract: During this presentation SensePost will discuss and demonstrate two pieces of new technology: the Suru WebProxy and the SP_LR Generic network proxy. The Suru web proxy is an inline web proxy (the likes of Paros, @stake webproxy and Webscarab) and offers the analyst unparalleled functionality. Are the days of the web proxy counted? Is there really room for another web proxy? Come to their presentation and see what happened when the guys at SensePost decided to develop a proxy with punch. SP_LR is a generic proxy framework that can be used for malware analysis, fuzzing or just the terminally curious. It's a tiny, generic proxy built on open-source tools with extensibility in mind at a low low price (GPL - Free as in beer). Both proxies serve distinct masters and will be valuable tools in any analyst's arsenal. Bios: Roelof Temmingh is the Technical Director of SensePost where his primary function is that of external penetration specialist. Roelof is internationally recognized for his skills in the assessment of web servers. He has written various pieces of PERL code as proof of concept for known vulnerabilities, and coded the world-first anti-IDS web proxy "Pudding". He has spoken at many International Conferences and in the past year alone has been a keynote speaker at SummerCon (Holland) and a speaker at The Black Hat Briefings. Roelof drinks tea and smokes Camels. Haroon Meer is currently SensePost's Director of Development (and coffee drinking). He specializes in the research and development of new tools and techniques for network penetration and has released several tools, utilities and white-papers to the security community. He has been a guest speaker at many Security forums including the Black Hat Briefings. Haroon doesn't drink tea or smoke camels. Charl van der Walt is a founder member of SensePost. He studied Computer Science at UNISA, Mathematics at the University of Heidelberg in Germany and has a Diploma in Information Security from the Rand Afrikaans University. He is an accredited BS7799 Lead Auditor with the British Institute of Standards in London. Charl has a number of years' experience in Information Security and has been involved in a number of prestigious security projects in Africa, Asia and Europe. He is a regular speaker at seminars and conferences nationwide and is regularly published on internationally recognized forums like SecurityFocus. Charl has a dog called Fish.

 Peter Gutmann: Phishing Tips and Techniques: Tackle, Rigging, and How & When to Phish | File Type: video/x-m4v | Duration: 49:25

Abstract: This talk looks at the technical and psychological backgrounds behind why phishing works, and how this can be exploited to make phishing attacks more effective. To date, apart from the occasional use of psychology grads by 419 scammers, no-one has really looked at the wetware mechanisms that make phishing successful. Security technology doesn't help here, with poorly-designed user interfaces playing right into the phishers' hands. After covering the psychological nuts and bolts of how users think and make decisions, the talk goes into specific examples of user behaviour clashing with security user interface design, and how this could be exploited by attackers to bypass security speedbumps that might be triggered by phishing attacks. Depending on your point of view, this is either a somewhat hair-raising cookbook for more effective phishing techniques, or a warning about how these types of attacks work and what needs to be defended against. (Warning: Talk may contain traces of cognitive psychology. Keep away from small children). Bio: Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland, New Zealand, working on the design and analysis of cryptographic security architectures. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption including the X.509 Style Guide for certificates, and is the author of "Cryptographic Security Architecture: Design and Verification" (published by Springer-Verlag) and the open source cryptlib security toolkit. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about PKIs and the (un-)usability of security applications.

 Johan Hybinette: How to Create an Anonymous Identity | File Type: video/x-m4v | Duration: 35:46

Abstract: An anonymous identity is difficult but not impossible to obtain. With the help of international laws and loopholes a new identity can be created. This talk will demonstrate how this can be done with never-before-published methods. There are many reasons why a person might choose to obscure their identity and become anonymous. Several of these reasons are legal and legitimate - someone, for example, who feels threatened by someone else might attempt to hide from the threat behind various means of anonymity. There are also many illegal reasons to hide behind anonymity. Criminals typically try to keep themselves anonymous either to conceal the fact that a crime has been committed, or to avoid capture. Bio: Johan Hybinette is CSO and founder of Cebic Technologies, Inc., specializing in international security auditing, policy and monitoring. Johan has over 20 years of security experience and has spoken at numerous international events. His expertise includes compliance, pen testing, SIM integration (Security Incident Management), auditing, and identity management. Some of the certifications held are CISM, CISSP, ISSAP, IAM, ISSMP, IEM.

 Lin0xx: Advanced Windows Based Firewall Subversion | File Type: video/x-m4v | Duration: 45:44

Abstract: This presentation will focus on disabling many of the Windows-based network security solutions that are most widely used. New payloads will be presented that demonstrate how host-based firewalls at this time are not an adequate defense to safeguard one's network resources. The speech is highly technical and requires knowledge of reverse engineering and process injection. Bio: Lin0xx has been a code and security enthusiast for a number of years along with speaking at interz0ne 5. He also helps run the local DC group in Atlanta, DC404.

 Chris Eagle: Ripples in the Gene Pool - Creating Genetic Mutations to Survive the Vulnerability Window | File Type: video/x-m4v | Duration: 45:03

Abstract: Reverse engineers often like to argue that a prime motivator for their activities is the desire to discover and patch vulnerabilities in closed-source binary software. Given the veritable plethora.. nay, Katrina-like flood of vulnerabilities being discovered on a near daily basis, one has to wonder where all these binary patches are hiding. Clearly this argument is a sham to make reverse engineers feel better about their DMCA-violating activities. Now, just to be clear, there have been one or two third-party binary patches released in the past year, but why haven't there been more? Is it truly a difficult task to develop such a patch or are our sights simply set too high? Is a true fix to the problem a requirement or is it sufficient to modify the vulnerable program just enough to make it immune to scripted attacks, the goal being to provide sufficient protection to survive until a vendor-supplied patch can truly fix the problem? Dan Geer argued that a software monoculture is a dangerous thing leading to the rapid spread of malicious code in the event of a public vulnerability disclosure. The goal of this talk is to discuss simple yet effective measures to introduce sufficient genetic diversity into an inbred piece of software to allow it to survive in the wild until a vendor-supplied update becomes available. Bio: Chris Eagle is a Defcon Black Badge holder, and the Dean of Hacking for the Sk3wl0fr00t. When not at a CTF table, he is the Associate Chairman of the Computer Science Department at the Naval Postgraduate School (NPS) in Monterey, CA. A computer engineer/scientist for 20+ years, his research interests include computer network operations, computer forensics and reverse/anti-reverse engineering. He has been a speaker at conferences such as Black Hat, CodeCon, and Shmoocon and is a co-author of the book "Gray Hat Hacking".

 Steve Dunker: FEAR!(?) The Census Bureau | File Type: video/x-m4v | Duration: 1:02:57

Abstract: The Census Bureau is the Only Federal Agency that is acquiring detailed personal data on Every person in the United States. While the Census provides valuable information that is vital to our form of government, major privacy concerns exist. The potential for abuse of the data has historical roots, the most notorious being the rounding up and relocation of Japanese-Americans during World War II. Learn how the Social, Economic, Housing, and Financial characteristics being gathered can be legally used against you. We will examine how dangerous the data could be if it was used illegally. (If you are paranoid, you do not want to miss this!) Finally, we will examine the laws that mandate that every American must cooperate with the Census Bureau or face possible Civil and/or Criminal Punishment. What are your options when that Census worker shows up at your door and threatens you with prosecution by the U.S. Attorney's office? Bio: Steve Dunker is a Professor of Criminal Justice at Northeastern State University. He is a former Major Case Squad Detective who worked as a planner and supervisor of an anti-crime and decoy unit. He is a licensed attorney in the State of Missouri.

 Seth Hardy: Your Name, Your Shoe Size, Your Identity? What do we Trust in this Web? | File Type: video/x-m4v | Duration: 46:32

Abstract: The web of trust, as used in PGP, is a well-known system for establishing trust between people, even if the people have not previously met. Why does it work so well in crypto? The answer is simple: it's the same system that we all use on a daily basis when dealing with friends, family, relationships, and just about everyone else we have to interact with. On the crypto side, however, there are a number of restrictions that limit the effectiveness of this trust network. While many "security professionals" say that they are mandatory, the system seems to work just as well without them - are they completely arbitrary? Here we'll look at a couple of these restrictions, focusing on the technical aspects of identity verification, and evaluate their effectiveness through a couple of real-world experiments. Bio: Seth Hardy stopped writing these self-promoting blurbs a long while ago. While he acknowledges there's far too much information about him on the internet already, he's been told that just saying this doesn't look too good standing by itself in a bio. So, here's some supporting facts: he's been involved in cryptography research, academically and professionally, for the last eight years. Some of these areas of research include elliptic curves, combinatorial cryptography, random number generation, and trust networks. He's presented his work at a number of conferences, including Black Hat, DEFCON and the CCC Congress.

 Paul Vixie: Malware Repository Requirement | File Type: video/x-m4v | Duration: 51:39

Abstract: We describe requirements for a malware collection repository. The repository serves as a clearing house for malware samples, as well as analysis provided by members of the clearing house. We discuss how malware authors are aware of, and actively exploit, inherent inefficiencies in the current generation of competitive, closed malware collections. We demonstrate how, by illuminating AV sensors, and by using frequent updates, malware authors can keep their victims within a perpetual zero-day window. There are numerous cooperative malware repositories created to address problems in private collections. After exploring the policy trade-offs, we describe our own solution. Features include automated unpacking of samples, data mining of packed samples, static and dynamic analysis, and selected network trace files. Bio: Paul Vixie holds the record for "most CERT advisories due to a single author" which came primarily from his years hacking on BIND4 and BIND8. Later on he cut off the oxygen supply to his brain by wearing a necktie for AboveNet, MFN, and PAIX. At the moment he is President at ISC where his primary duty is to sign paychecks for the people who bring you BIND9 and F.ROOT-SERVERS.NET. He is also an occasional critic of just about everything (the blog: FM.VIX.COM). David Dagon is a PhD student in the College of Computing at Georgia Institute of Technology. His area of research includes network security, BSD kernel hacking, honeynets, and malware analysis. He has written extensively about malware, including modelling botnet propagation using time zones and the KarstNet active sinkhole.

 Brad Smith: How the FBI uses NLP on YOU! | File Type: video/x-m4v | Duration: 45:37

Abstract: This session will reveal to you how the FBI uses Neuro-Linguistic Programming (NLP) during interview and interrogation sessions. Gaining cooperation with special speech and word changes, clues to help determine whether clients are lying or remembering and the traditional "Cop Stop technique" will all be revealed and practiced by attendees. Seldom taught outside the law or medical community, you'll be instructed in and actually practice techniques, just like the Feds do. While you may not be able to stop leaking information to the specially trained professional, you'll now see the extra information others are giving off. Come prepared to talk to others and learn invaluable skills that can C.Y.A. Bio: Brad Smith, RN, BS-Psych, CISSP has utilized social engineering in Emergency rooms to defuse medical crises for many years. He has taught Neuro-Linguistic Programming to healthcare, law enforcement and security professionals and now helps educate everyone on the reality of social engineering and its exploits. Session attendees get cutting edge information they can immediately start using to protect themselves. He is known for his high energy presentation style and group participation format that helps people truly understand the concepts presented, while also having a fun time. He has attended Defcon for many years and looks forward to Coffee Wars, Hacker Jeopardy and the Black and White Ball again this year.

 Wes Brown: Exploit Writing Using Injectable Virtual Machines | File Type: video/x-m4v | Duration: 56:07

Abstract: Mosquito is a secure remote execution framework available via LGPL that combines high-grade cryptography and a small efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation. The virtual machine was written from scratch for this purpose, with a built in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine's native programming environment is a Scheme-derived Lisp-family language, with an optimizing bytecode compiler. It is also cross-platform using ANSI C and GCC, currently running on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Java except it fits within 150K on some platforms. This talk will demonstrate the use of Mosquito to write exploits on the fly while the audience watches; the advantages and flexibility of using a virtual machine will be leveraged to implement a second stage puddle-hop exploit into another host. The cross-platform advantages of writing exploits in a portable virtual machine will also be demonstrated. There will be some discussion of Mosquito itself to give context and understanding. Bio: Wes Brown is a long-time network security practitioner who specializes in code reviews, web application assessments, penetration testing, and tools development. Prior to joining Accuvant as a senior security consultant, Wes worked for Internet Security System's X-Force Consulting team. He conducted hundreds of penetration tests and web application assessments for ISS clients ranging from the smallest to Fortune 500 companies. He was also responsible for many of the in-house tools that helped the external assessment consulting practice succeed. He also can be frequently seen at industry conferences, having spoken at Defcon in the past. In founding Ephemeral Security, Wes hopes to advance the state of the art in network security by doing innovative and original research work. When not conducting consulting work, he has spent the last year and a half on the Mosquito Environment along with other members of his company. Currently, he is hard at work as one of Accuvant's lead consultants which gives him an opportunity to test the tools and environments that are developed as part of Ephemeral Security's research efforts. He does the majority of the automation and tools that streamline the assessment practice's engagements, increasing quality while reducing turnaround time. Of course, Wes also does conventional consulting with a keen focus on code reviews and application assessments.
