Ruxcon

DAVE JORM

Amateur Satellite Intelligence: Watching North Korea

North Korea is one of the most secretive, and fascinating, places on Earth. Details about the country emerge fleetingly: through the testimony of refugees, from unconfirmed South Korean sources, and from the largely dubious reports of the regime's official mouthpiece, the KCNA. To fill the information vacuum, a vibrant online community of North Korea watchers has emerged. This community makes innovative use of publicly available remote sensing data and other sources of information to fill in the many blanks left by the official accounts.

This talk will outline various investigations undertaken by the North Korea watcher community, and the technologies and techniques it employs. Commercially-available satellite imagery has been used to pre-empt rocket launches well ahead of corporate media, track development and new construction, as well as to map out prison camps such as Yodok in conjunction with the accounts of refugees. More recently, the community has produced an atlas that defines the various sub-national jurisdictions of the country in the absence of officially defined GIS data. Interceptions of North Korean television are analyzed for political and economic developments, as are the first-hand accounts and photo galleries of western tourists. The North's satellite launch in December 2012 has been closely watched by the community, with many members tracking the satellite's trajectory and attempting to receive and decode its transmissions. Even the North's computing systems have been analyzed, for example via leaked copies of the Red Star OS Linux distribution. Screenshots from official government presentations confirm that this OS is indeed used across the country (that's right, pariah states use KDE!). Finally, this talk will cover my own research into using remote sensing to track North Korean food production, and thereby verify (or refute) the official figures that are periodically released by the regime.

DAVE JORM BIO

David studies geography and mathematics at the University of Queensland. He recently completed a study on long-term remote-sensing analysis of North Korea, a subject with which he is thoroughly obsessed. He has also worked in the software industry for 13 years, and currently works as a security response engineer for a major vendor.

MARK SWIFT & ALBERTO REVELLI

Payment Applications Handle Lots of Money. No, Really: Lots Of It.

A medium-sized bank will funnel hundreds of billions through one such app, every year. A larger one will easily be deep in 'trillions' territory. You work for a company with more than a handful of employees? Chances are that your company shoves lots of money through one of these applications.

Surprisingly, however, the security of these apps is often flaky: people who understand the business process rarely understand the technical risks. Vendors and consultants often recommend business-level defenses but then make horrible technical mistakes, and very often the overall defense strategy boils down to "DBAs do not understand the business" comedy. When it comes to crypto, hilarity ensues: shared private keys and broken algorithms become the norm, with self-proclaimed "experts" proving to have problems with exotic concepts like "hash function" and "birthday paradox", leading CISOs to a false sense of security that only makes things worse.

Our presentation is a mix of attack and defense, combining descriptions of business-level and tech-level threats with crypto-based countermeasures. It is the result of a project we have been working on for the past year, with the goal of using crypto to secure our payment applications.

The target is anyone dealing with such applications, from CIOs and CISOs down to security techies, as long as they have a good grasp of the technical implications of the problem and of public key cryptography.

The presentation will start describing how payment applications work, what is their workflow, what a payment file "really looks like", how it is created, handled and processed. We will then describe the attack surface of the whole process, how an employee in the right role can easily steal large amounts of money, and what checks and countermeasures he/she would need to bypass.

We will then include some examples of badly flawed (but fantastically entertaining) "solutions" proposed by vendors and "top" consultants.

In the second part of the presentation, we will then describe a real-world example of how to properly employ crypto (via an HSM-based infrastructure) to greatly reduce the risks, and how to integrate such a solution with existing applications. We will also include some examples of things that are easy to get wrong while designing the solution.

MARK SWIFT & ALBERTO REVELLI BIO

Mark Swift

Mark has worked in IT for 20 years, and in security since the late 1990s when he joined the IBM Internet Incident Response Team. After that he spent ten years in the Investment Banking sector with ABN Amro BV and UBS AG setting up and running their global security organisations. For the last two years he has held the Group CISO role at Trafigura AG, a private commodities company, as well as having CIO responsibilities in some of its asset divisions.

Alberto Revelli

Alberto has been tinkering with infosec for more than a decade.

He is the author of sqlninja (http://sqlninja.sf.net), an open source toolkit that has become a weapon of choice for penetration testers (and other less respectable folks) when exploiting SQL Injection on web applications based on SQL Server.

He is a contributing author of both editions of the book SQL Injection Attacks and Defense, published by Syngress, and a co-author of the OWASP Testing Guide. He has been invited as a speaker to several conferences, including SOURCE, EuSecWest, RSA, ShakaCon, AthCon and CONFidence, where he presented material on web exploitation and data exfiltration techniques.

He is currently based in London, enjoying its awful weather and crazy nightlife.

PETER SZABO

50 Shades of Oddness - Inverting the Anti-Malware Paradigm

Traditional anti-malware technologies attempt to characterize malware by matching patterns of `Odd` features, such as an unexpected API or instruction sequence, derived or extracted from an existing corpus of malicious samples. This technique works as long as the malware authors do not rapidly alter or introduce features, as has become common by increasingly industrialized attackers.

In this technical presentation, we demonstrate an alternative way to identify and encode these `Odd` features based on statistical analysis of `clean` files, explore their structure-free aggregation, discuss both the short and long-term false-positive risks and show how this methodology is utilized as part of a heterogeneous anti-malware strategy.

Sub-topics discussed include:

• Contrast with a typical file-based white-listing approach
• Data derivation and field testing
• Maintenance
• Additional benefits of clean-corpus based feature extraction

We'll also present actual data gathered over the past 18 months to fortify or dispel various assumptions about the odd-by-exclusion concept, made at the onset of this research.

In closing we consider the use of exclusion-based Odd properties as a viable complement to the existing anti-malware arsenal.

PETER SZABO BIO

Peter Szabo has been working as a Senior Threat Researcher at SophosLabs since 2003 (both Sydney and Vancouver Labs). Peter's specialties include deep reversing, developing new generic detection strategies, unpacking, training other analysts, and considers himself somewhat of an IDA and x86 expert. Peter has presented at RuxCon security conference on a number of occasions and enjoys a few beers with the Australian computer security scene. Prior to joining SophosLabs Peter was a software engineer working on reversing and writing protocol drivers for photocopiers. Peter has a BDigSys (Hons) from Monash University.

Numaan Huq has been working at SophosLabs Canada since 2007, and is currently a Senior Threat Researcher. Numaan became interested in tech security after spending a lot of time researching VoIP phone vulnerabilities in one of his internship jobs. Numaan's current interests include APTs, web threats and vulnerabilities. Beyond the realm of malware, Numaan likes to drive around aimless in the countryside, experiment with cooking, and read fantasy novels. Numaan holds a BSc and an MSc in Computer Science from the University of Victoria, BC.

DANNY QUIST

Visualization For Reverse Engineering and Forensics

Visualization is a field that has broad applicability to many areas of security. It is very well received among customers and management, but is very easy to get wrong. This talk will discuss some of the inherent problems visualizing large security data sets. There will be examples of improving the reverse engineering and forensics processes, as well as some examples of negative sides of visualization.

DANNY QUIST BIO

Danny Quist is a staff member at MIT Lincoln Laboratory. He holds a Ph.D. from the New Mexico Institute of Mining and Technology. Previously, Danny founded Offensive computing, an open malware research site. His interests include reverse engineering, software and hardware exploitation, virtual machines, and automatic executable classification systems. He has presented at Blackhat, the RSA Conference, Defcon, and Shmoocon.

VANESSA TEAGUE

Electronic Voting Security, Privacy and Verifiability

After a rather surprising 2013 Senate outcome, there's been much discussion of changing our voting system. Computers could potentially help disabled voters to vote independently, give everyone the chance to check all 97 preferences, and count votes fast. There's just the little detail of ensuring that they cast the vote the voter asks for and send it accurately into the count.

Surely Clive Palmer and Malcolm Turnbull couldn't both be wrong. So will our future leaders be chosen by a free and open contest among electoral commission sysadmins, or worse, or can cryptography and common sense help us to do a little better?

This talk will survey some of the promise of end-to-end verifiable cryptographic voting schemes, which give each voter evidence that their vote has been cast as they intended and properly included in the count, then provide a public cryptographic proof of correct decryption and tallying. We'll explain what can be achieved and why verifiable Internet voting is still too hard, using examples from academia, a partially verifiable Norwegian Internet voting system and a not-at-all verifiable NSW one.

We'll discuss the practical implementation of attendance end-to-end verifiable voting in Victoria, then conclude with some low-tech options involving polling-place computers and a human-readable paper trail.

VANESSA TEAGUE BIO

Vanessa Teague is a research fellow in the computing and information systems department at the University of Melbourne. She's worked on cryptographic protocols for electronic voting ever since finishing a CS PhD at Stanford on cryptographic protocols for economic games. Australia's unusual voting system constitutes a special challenge.

She also spends a lot of time explaining to parliamentarians and electoral officials that requirements for transparency, privacy and verifiability apply to computerised voting too.

VLADIMIR KATALOV

Cracking and Analyzing Apple iCloud Protocols: iCloud Backups, Find My iPhone, Document Storage

Apple iCloud was meant to improve flexibility and comfort when using your iDevices, however it also provides opportunities to extract as much as everything about the user.

Backups: iCloud suggests backing up iMessage, SMS, photos and videos,device settings, documents, music and other things on-the-fly which is useful for syncing or restoring in case your iDevice is lost or damaged,  however there is only one way to access iCloud backup data by organic means - you can only restore the backup onto any of your devices (linked to the same account) and, thus, only via Wi-Fi connection. This technical limitation is presupposed by design. But now we can show you a method to simply download everything onto any desired computer at hand, provided we have Apple ID and password.

Find My iPhone: this application was also meant to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account, however there is a way to get geo-location data having neither Apple device tethered to that account readily available nor access to iCloud website. If location services are switched on, geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the right upper corner of the target device screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other), which I'm also ready to demonstrate.

Storage: apart from backup iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from iCloud webpage, for example, some application files (e.g. data generated by SoundHound) you may have on your iPad or whatever won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files on-the-fly and even without launching a work session in iCloud.

Conclusion: iCloud stores large amounts of information and before now access to this info was restricted either by the necessity to have iDevice available or by using Internet and web-browser (knowing Apple ID and password is required). Now, that we have reverse-engineered Apple iCloud communication protocols we can suggest an alternative technology to reach and download iCloud data and its changes in standalone mode.

This is the first report on Apple iCloud communication protocols. No details on these protocols or their encryption are publicly available, that is why they had to be reverse-engineered. Up to this day, nothing similar has been made (that we know of) which makes it innovative. Results of the research of protocols bring more light to iCloud specifics and allow us getting and processing its contents in alternative ways.

VLADIMIR KATALOV BIO

Vladimir Katalov is CEO, co-founder and co-owner of ElcomSoft Co.Ltd. Born in 1969 and grew up in Moscow, Russia. He studied Applied Mathematics in Moscow Engineering-Physics Institute (State University). Vladimir works in ElcomSoft from the very beginning (1990); in 1997, he created the first program the password recovery software line has started from: Advanced ZIP Password Recovery. Now he coordinates the software development process inside the company and constantly calls in question new appearing security tools and services.

Vladimir manages all technical researches and product developments in the company. He regularly presents on various events and also regularly runs it security and computer forensics trainings both for foreign and inner (Russian) computer investigative committees and other law enforcement organisations.

MICHELE ORRU

Buried by time, dust and BeEF

For those who do not listen Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.

You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer on 0 or 1 bits depending if the response was delayed or not.

This means it's possible to exploit every kind of SQL injection, blind or not blind, through an hooked browser, if you can inject a time-delay and monitor the response timing.

You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.

The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload communicating partial results to a central server.

A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such approach would work for both internet facing targets as well as applications available in the intranet of the hooked browser.

The talk will finish discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.

MICHELE ORRU BIO

Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on web applications security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec, Hacktivity, SecurityByte, AthCon, HackPra, OWASP and more we just can't disclose. Besides having a passion for hacking and being a Senior Spider (for Trustwave SpiderLabs), he enjoys leaving his Mac alone, whilst fishing on salted water and praying for Kubrick's resurrection.

MICHAEL SAMUEL

Under the Hood Of Your Password Generator

Password generators are one of the best ways we have for improving account security. If done properly, the passwords will resist offline dictionary attacks far better than passwords you can remember, and when combined with a good storage mechanism they allow us to create a unique password for each account we have.

Unfortunately, not all password generators are implemented properly. In this presentation I will examine the failings of a few password generators, and how an efficient attack has been constructed against them.

Also presented will be a practical attack on RFC2289 (aka S/Key) one-time passwords, demonstrating how the whole system as described in the RFC can be compromised with a pre-computed attack.

MICHAEL SAMUEL BIO

Michael has been a Systems and Network Administrator in the Melbourne ISP and Telecommunications industry for over 15 years. He makes small contributions to open source projects whenever he can, and has a keen interest in cryptography and infosec.

JONATHAN BROSSARD

Malware, Sandboxing and You: How Enterprise Malware and 0day Detection is About To Fail (Again)

The most notable trend in the AV industry over the past couple years is the increasing use of sandboxing to help move from a signature based detection paradigm - now essentially understood to fail due to the exploding number of malware variants - to a behavioral based detection mechanism based on sandboxing. If such technologies do help researchers detect and analyse 0day vulnerabilities in the wild, the push for full automation of malware analysis at network perimeter - being it MTAs, corporate proxies or other sources of file downloads - also have a great potential to backfire. This talk will attempt to demonstrate why, in the author's view, such technologies can actually do more harm than good in an enterprise context, not simply by looking at some easy to fix bugs, but really by questioning the very fundamental architecture and design of sandboxing in the context of 0day detection and malware analysis.

JONATHAN BROSSARD BIO

Jonathan Brossard is an established security researcher based in Sydney. His previous work included finding and reporting vulnerabilities in complex low level software such as Microsoft Bitlocker, McAfee Endpoint, Truecrypt as well as most BIOSes available in the market (Defcon 2008). He also contributed a disruptive debugger aiming at proving exploitation of invalid memory writes (Blackhat USA 2011), and more recently a proof of concept firmware backdoor to exemplify the risk of state backdooring at supply chain level (Blackhat 2012). Jonathan is also a recurrent speaker at Ruxcon, and the co-founder/co-organizer of the Hackito Ergo Sum as well as NoSuchCon conferences in Paris.

KAYNE NAUGHTON

Espionage: Everything Old Is New Again

Running a big organization and keep getting attacked by Muslim kids who wear masks and allegedly smoke too much pot? So did the Crusaders in the 11th century. Nearly everything we strike in modern cyber crime and intelligence has a historical antecedent. This presentation will explore some of the ‘new’ trends in cyber security and show their origins, from ancient times up until World War 2

KAYNE NAUGHTON BIO

Kayne is a technologist and security researcher with 15 years’ experience across education, government, finance industry and now running a start-up, Asymmetric Security. He’s currently focused cyber crime, malware and open source intelligence but draws on experience in system administration, coding, teaching and finding bad 0day.

FATIH OZAVCI

VoIP Wars: Return of the SIP

NGN (Next Generation Network) is modern TDM/PSTN system for communication infrastructure. SIP (Session Initiation Protocol) Servers are center of NGN services, they provide signaling services. SIP based communication is insecure, because of protocol implementation. Based on this fact, NGN is not actually Next Generation. It can be hacked with old stuff, but a few new attack types will be demonstrated in this presentation.

This presentation includes that basic attack types for NGN infrastructure, old school techniques for SIP analysis, a new hacking tool to analysis of SIP services and SIP Trust Hacking technique. Also a few fuzzing techniques will be explained in this presentation.

SIP networks provide its services based on Trust Infrastructure. SIP Soft Switches trust each other and accept calls from trusted SIP servers. A new technique will be demonstrated in this presentation, Hacking Trust Relationships Between SIP Gateways. SIP trust will be detected and hacked with a sip trust analyzer tool. For explaining basic attack types, a few tools will be demonstrated such as footprinting, register, enumerator, bruteforcer, call analyzer and SIP proxy.

Another dangerous thing is outdated software in NGN infrastructure. VoIP devices have responsibilities to serve signaling such as MSAN, MGW and Soft Switches. They support SIP protocol with vulnerable software which should be analyzed. New fuzzing techniques such as Response based fuzzing, MITM fuzzing and proxy tool usage will be explained.

FATIH OZAVCI BIO

Fatih Ozavci is a Security Researcher and Consultant with Sense of Security. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit, and has also published a paper about Hacking SIP Trust Relationships. Fatih has discovered many unknown security vulnerabilities and design and protocol flaws in VoIP environments for his customers, and analyses VoIP design and implementation flaws which helps to improve VoIP infrastructures. While Fatih is passionate about VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed at network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. Fatih presented his VoIP research and tool this year at Defcon 21 (USA), Blackhat Arsenal USA 2013, Cluecon 2013 (USA), and Athcon 2013 (Greece).

JOHN BUTTERWORTH

BIOS Chronomancy: Fixing the Static Root of Trust for Measurement

We will start by giving the necessary background in Trusted Computing Group (TCG) terminology. We will in particular focus on how of the 3 primary roots of trust(RTs) enabled by a TPM (RT for Reporting, RT for Storage, RT for Measurement(RTM)), it is only the RTM which exists outside the TPM itself. This means that attacks on the TPM itself (such as Tarnovsky's) do not compromise the RTM, and vice versa. We will then focus on the *Core* RTM, which is most often implemented in the BIOS as code that measures itself and other portions of the BIOS. The CRTM is the foundation on which the Static Root of Trust for Measurement (SRTM) is build. The SRTM is what enables boot-time measurements (in contrast to the Dynamic RTM which allows limited on-demand measurements through technologies such as Intel TXT or AMD SVM, things attacked in the past by ITL.) We will discuss how the BIOS and therefore the CRTM can be vulnerable to manipulation either by a) a BIOS that does not support/require signed updates, b) a BIOS that supports signed updates but where that option is disabled, or c) a BIOS that is enabled to require signed updates, but that can be modified nonetheless by a signed-update-bypassing reflash such as ITL's BH09 talk, or a new exploit which we have found.

We will then go into great detail about the bug which we found in the Dell legacy BIOS (i.e. non-UEFI) codebase. We will not be releasing details before the conference. We have disclosed the bug to Dell and we expect a patch will be available before the conference. We will also not be releasing our PoC.

We will then describe some post-BIOS-manipulation actions an attacker could take. The obvious ones such as bricking the computer (per CIH) or just using a normal bootkit (per Mebromi). But we will also show how a more sophisticated attacker could install a "tick", which modifies the CRTM to replay clean self-measurements to the TPM. This is a fundamental breakage of the root of trust right at the core. This ends up being a violation of the assumptions by subsequent security software that the CRTM can provide change detection in the presence of an early boot adversary. We will then expand the notion of a tick to a "flea", which can also hide its presence while "hopping" from the current BIOS into a new BIOS update which is pending write to the SPI flash chip. In this way we show that the likely mitigation of "reflash the BIOS with a clean copy" is not viable; and why turning on signed updates and reflashing BIOSes after the fact in an environment may not remove an existing adversary.

We will conclude the talk by describing how we've applied our previous work (IEEE S&P/Defcon 2012) at the BIOS level to attempt to combat this type of attacker. Our work (built on a decade of academic work) operates under the assumption that an attacker exists at the same privilege level as the defender and the attacker can take arbitrary action before self-measurement begins. But once measurement begins, a special software construction seeks to measure system elements that are relevant for the attacker manipulating our self-measurement software. The goal of the construction is to make it so that if the attacker wants to make our software lie, he must add extra instructions of logic (e.g. an "if" check) to our code. These extra instructions will then be multiplied by millions of iterations of self-measurement, leading to millions of instructions worth of timing overhead. And specifically, in order to gain trust at boot time, when we don't expect our implementation to communicate with a 3rd party for timing measurement, we use a little-known capability of the TPM to provide a trustworthy timing of our runtime.

JOHN BUTTERWORTH BIO

John Butterworth

John Butterworth is a security researcher at The MITRE Corporation who specializes in low level system security. Currently he is using his electrical engineering background and firmware engineering background to investigate UEFI/BIOS security.

Corey Kallenberg

Corey Kallenberg is a MITRE researcher who specializes in low level system security. He is currently using his background in operating system development, firmware security and trusted computing to investigate BIOS/UEFI security issues.

Xeno Kovah

Xeno is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker.

JOSH YAVOR

The BYOD PEAP Show: Mobile Devices Bare Auth

The onslaught of Bring Your Own Device(s) in recent years places a new focus on the security of wireless networks. In "The BYOD PEAP Show", Josh Yavor explores fundamental flaws in one of the most common and widely supported 802.1x authentication protocols used by countless corporate WPA2-Enterprise networks today. A series of events in the recent past created a situation in which PEAP can no longer be used safely. In this updated talk, we will re-trace this path and investigate how the combination of BYOD, new technology and new tools led to this situation. New content includes a look at how industry and the media responded to initial reports of this problem, deeper comparison of alternate EAP types and "how-to" instructions. Attendees will leave with an understanding of the underlying flaws, methods of exploitation, a set of tools and most importantly, how to secure WPA2-Enterprise networks that currently support PEAP.

JOSH YAVOR BIO

Josh Yavor (@schwascore) is a Senior Security Engineer at iSEC Partners, an information security firm specializing in application, network, and mobile security. Josh holds a MS in Computer, Information and Network Security from DePaul University. At DePaul, he focused on network security while also developing an interest in incident response and SCADA/ICS. Prior to working at iSEC, Josh operated an independent IT consulting and managed services business with a special focus on security related projects.

ALEX "KUZA55" KOUZEMTCHENKO

Bypassing Content-Security-Policy

Content-Security-Policy is gaining more traction as a way to mitigate XSS with major websites with sites such as Twitter, GitHub and Yandex implementing blocking policies and other sites such as Facebook implementing report-only policies.

 This talk will examine how to write exploits for XSS bugs in the presence of a variety of CSP policies by taking advantage of loose CSP policies, application-specific weaknesses, javascript frameworks and browser oddities.

ALEX "KUZA55" KOUZEMTCHENKO BIO

Alex has been finding webapp vulnerabilities and giving talks much like this one about the results for the better part of a decade. His interest in XSS once earned him a nomination for "Most narrowly directed researcher" from the prestigious internet publication zf04.

He is currently a Security Researcher at Coverity where he helps make static analysis find vulnerabilities in real software.

MARK 'C01DB33F' BRAND

Deus Ex Concolica - Explorations in end-to-end automated binary exploitation

The field of automated vulnerability discovery has seen a lot of interest in recent years; Static analysis tools have been getting a lot better, even against compiled binary code, and vendors such as Microsoft are running huge fuzzing farms and internal tools in order to discover and fix vulnerabilities in their software before they are exposed. Dumb fuzzing has had its day in core codebases and we need to step up our game if we're going to find interesting bugs without manually auditing all the bytes.

Concolic execution is a powerful technique for automated vulnerability discovery and analysis - and while there are existing tools using this technique (CUTE, KLEE, BitBlaze) they are mostly limited to source-level analysis, or somewhat difficult to get hold of, rendering them of limited use to an offensive researcher.

This talk will cover my experiences developing a cross-platform framework for concolic analysis of x86 and ARM binaries, based on the REIL language. I'll be covering briefly the key concepts of concolic execution, and the REIL language, the potential and limitations of the technique, and of course the pitfalls I've fallen into along the way.

Having developed a tool that could automatically find several classes of vulnerability in binaries, I got distracted from the goal of closed source auditing by the fun of fully automated exploitation, so the tool is now also capable of rudimentary analysis on the vulnerabilities it discovers, and full exploit generation for simple vulnerabilities.

I'll be demoing the tool live on both x86 and ARM binaries, including fully automated vulnerability discovery and exploitation of some binaries, and if I'm feeling brave might even run a demo on binaries from the Ruxcon CTF if there's anything suitable...

MARK 'C01DB33F' BRAND BIO

Mark is a recovering Brit who moved out to Australia about a year ago. He's now a security consultant and researcher for the Canberra-based Datacom Technical Security Services, with interests ranging from Android and mobile device security to more-or-less anything binary.

MEDER KYDYRALIEV

Mining Mach Services within OS X Sandbox

With the recent rise of sandboxing technologies and their increasing adoption by major software vendors, the day when memory corruption vulnerabilities will be used primarily for cookie stealing are not that far away. In the meantime, there are still interesting avenues for reaching "hidden" attack surface from within sandboxed applications to achieve a sandbox escape. After a brief overview of OS X sandboxing I will cover one such avenue and will release fuzzing tools for it.

MEDER KYDYRALIEV BIO

Meder has been working in the area of application security for nearly a decade. He's poked at, broken, and helped fix a lot of code businesses and parts of the Internet depends on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few). Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier.

PETER FILLMORE

Top of the Pops: How to top the charts with zero melodic talent and a few friendly computers

Paying for music has become an interesting proposition in our modern times. This talk will educate the layman on how you can make money via the interwebs with no musical talent or instruments with just a few credit cards. An overview of the different services available, how you can get your awesome composition on them and start making mucho dinero. I'll show you how you can get yourself to #1, get banned and more importantly; confuse the living heck out of random people while ruining the system for hard working artists.

Zero Zero Days discussed!
Absolutely no popped calcs!
APT (Advanced Persistant Trolling) attacks will be demonstrated using advanced Cloud Computing resources.

PETER FILLMORE BIO

Principle Consultant at Payment Systems Consulting. Presented at Ruxcon 2011 on Contactless Payments. During the day he assists clients in secure product development and preparing for certification their systems. During the night he produces albums that deserve to be burned in large bonfires to ecstatic crowds.

SILVIO CESARE

A Beginner's Journey into the World of Hardware Hacking

In this talk Silvio will introduce the novice to the world of hardware hacking. Did you ever want to - interface with an ADSL router via a serial console to drop into a rootshell and crack some passwords, or clone an infrared remote control that disarms a home security system, or even perhaps build your own computer controlled backyard irrigation system using an Arduino? If so, then this is the talk for you.

SILVIO CESARE BIO

Silvio Cesare is a security researcher at Volvent and a PhD student at Deakin University. His thesis is currently under examination. His research is supported by a full scholarship under a Deakin University Postgraduate Research Award and two publication scholarships. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at industry conferences including Blackhat, Cansecwest, Ruxcon, Breakpoint, AusCERT and has published in academic journals such as IEEE Transactions on Computers. He is also author of the book Software Similarity and Classification, published by Springer. He is one of the organisers of Ruxmon Canberra. He has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of Qualys – now the world's largest vulnerability assessment company. In 2008 he was awarded $5000 USD tied 3rd prize for the highest impact vulnerability reported to security intelligence company IDefense for an implementation specific IDS evasion bug in the widely deployed Snort software. He has a Bachelor of Information Technology and a Master of Informatics by research from CQ University where he was awarded with two academic prizes during his undergraduate degree, a University Postgraduate Research Award full scholarship during his Masters degree, and a school of IT award during his PhD candidature for the student of highest merit.

SUELETTE DREYFUS & KEN DAY

Underground: The Julian Assange story (with Q&A)

Screening of 'Underground: The Julian Assange Story'. Q&A session to follow with Suelette Dryfus and Ken Day. 

A look at the early career of Wikileaks founder, Julian Assange.

 Julian Assange is one of the most significant figures of the twenty first century. But before he was famous, before WikiLeaks, before the internet even existed, he was a teenage computer hacker in Melbourne. This is his story. In 1989, known as 'Mendax', Assange and two friends formed a group called the 'International Subversives'. Using early home computers and defining themselves as 'white hat hackers' - those who look but don't steal - they broke into some of the world's most powerful and secretive organisations. They were young, brilliant, and in the eyes of the US Government, a major threat to national security. At the urging of the FBI, the Australian Federal Police set up a special taskforce to catch them. But at a time when most Australian police had never seen a computer, let alone used one, they had to figure out just where to begin. Police ingenuity and old-fashioned detective work are pitted against nimble, highly skilled young men in this new crime frontier. What follows, is a tense and gripping game of cat and mouse through the electronic underground of Melbourne. (Taken from IMDB)

SUELETTE DREYFUS & KEN DAY BIO

Suelette Dreyfus

Author of "Underground", book about early hackers, translated into 7 languages. Research Fellow, University of Melbourne, Australia, Dept of Computing and Information Systems. Studying the impact of technology on whistleblowing. Principal Researcher on the World Online Whistleblowing Survey, the first online survey about public attitudes to whistleblowing to be run in 10 other languages. I also do work in the e-health and e-education areas.

Key Day

Ken Day spent 15 years with the Australian Federal Police (AFP) as a Federal Agent. During his time there he founded the first Computer Crime Team in Australia and obtained the first criminal convictions within the country for computer crime offences. During his 9 years leading this team Ken pioneered computer crime (technology) investigations and technology forensics for the AFP. After leaving the AFP spent time consulting, worked as a Risk Manager within the financial services industry and he now he runs his own business.

HUBERT SEIWERT

Wardriving in the cloud: A closer look at Apple and Google location services

Apple's and Google's WiFi and location data collection practices have been in the spotlight in recent years, with researchers highlighting privacy concerns and the public left wondering what information is really being collected and how it's being used. This talk gives an overview of the current state of play and presents findings about how Apple harvests WiFi and location data. During this talk, tools will be presented which can be used to query WiFi location databases in order to:

• Locate any WiFi-enabled computer you have remote access to
• Map out WiFi routers across a neighborhood or city and filter by manufacturer, without leaving the house
• Find out what brand of WiFi router is used at The White House and other interesting locations
• Perform Samy Kamkar's "How I met your girlfriend" WiFi positioning attack using Apple's location service, after Google prevented it

HUBERT SEIWERT BIO

Hubert is an experienced penetration tester and security consultant with over 8 years of industry experience in the UK and Australia. His main interests are web and mobile application security and mobile privacy issues. He has previously presented tools and given talks exploring iPhone security and privacy issues at CCC, Blackhat and SyScan.

GOLAM 'BABIL' SARWAR

AntiTraintDroid - Escaping Taint Analysis on Android for Fun and Profit

We investigate the limitations of using dynamic taint analysis for tracking privacy-sensitive information on Android-based mobile devices. Taint tracking keeps track of data as it propagates through variables, inter-process messages and files, by tagging them with taint marks. A popular taint-tracking system, TaintDroid, uses this approach in Android mobile applications to mark private information, such as device identifiers or user's contacts details, and subsequently issue warnings when this information is misused (e.g., sent to an undesired third party). We present a collection of attacks on Android-based taint tracking. Specifically, we apply generic classes of anti-taint tracking methods to a mobile device environment to circumvent dynamic taint analysis. We have implemented the presented techniques in an Android application, ScrubDroid. We successfully tested our app with the TaintDroid implementations for Android OS versions 2.3 to 4.1.1, both using the emulator and with real devices. Finally, we have evaluated the success rate and time to complete of the presented attacks. We conclude that, although taint tracking may be a valuable tool for software developers, it will not effectively protect sensitive data from the black-box code of a motivated attacker applying any of the presented anti-taint tracking methods.

GOLAM 'BABIL' SARWAR BIO

Babil (Golam Sarwar) has recently submitted his PhD thesis from National ICT Australia (NICTA) as an enhanced cotutelle PhD candidate under Department of Electrical Engineering & Telecommunications in University of New South Wales (UNSW) and in Université de Toulouse. He is currently working with the Engineering and Technology Department (ETD) at NICTA. His research interests include - reverse engineering, cryptography, network and operating system security, kernel development and exploitation techniques, radio technologies such as GSM, LTE and short-range NFC, RFID etc.

ADAM DANIEL

The Art Of Facts - A look at Windows Host Based Forensic Investigation

With companies facing ever increasing problems with employee misconduct, Intellectual property theft, industrial espionage and all manner of fraud, host based forensics has become the focus of many investigators, companies and law firms in recent times. The old forensic adage of "Every touch leaves a trace" is taken to new levels on Windows based systems where all kinds of relevant data can be recorded in all manner of places.

This talk will take look at host based forensic analysis on Windows systems, including an overview of some of the common and not some common metadata and artifacts that can make or break a case and the emerging techniques and tools used to access, parse and review them.

ADAM DANIEL BIO

Adam is a Computer Forensics and eDisocvery specialist with over 18 years of experience in fields of data recovery, data conversion, computer forensics and electronic discovery. He's previously worked with Deloitte and EY and is currently employed at one of Australia's largest and longest running insolvency firms. He also specialises in computer based expert witness and testimony as well as Electronic Discovery and litigation readiness consulting. He dresses like a teenager, loves smoking fine cigars and listens rap music.

ALBAN DIQUET & MARC BLANCHOU

Introspy : Security Profiling for Blackbox iOS and Android

In 2013, assessing the security of iOS and Android applications still involves a lot of manual, time-consuming tasks - especially when performing a black-box assessment. Without access to source code, a comprehensive review of such applications currently requires in-depth knowledge of various APIs and the ability to use relatively complex, generic tools such as Cycript and Cydia Substrate - or just jump straight into the debugger.

To simplify this process, we are releasing Introspy - an open-source security profiler for iOS and Android. Introspy is designed to help penetration testers understand what an application does at runtime. The tool comprises three separate components: an iOS tracer, and Android tracer, and an analyzer. The iOS and Android tracers can be installed respectively on a jailbroken iOS device and a rooted Android device. Both tracers hook and record security-sensitive APIs called by a given application at run-time: function calls related to cryptography, IPCs, data storage or data protection, networking, and user privacy are all recorded and persisted in a SQLite database on the device. This database can then be fed to the Introspy analyzer - which generates an HTML report displaying all recorded calls, plus a list of potential vulnerabilities affecting the application.

This presentation will first briefly introduce general concepts and current methodologies for mobile black box testing, as well as a cursory review of classic vulnerabilities affecting iOS and Android applications. We will then demonstrate how Introspy can greatly simplify the process of vulnerability discovery and how to use it on every day mobile assessments.

ALBAN DIQUET & MARC BLANCHOU BIO

Marc Blanchou

Marc Blanchou is a Principal Security Consultant at iSEC Partners, an information security firm providing security assessments on multiple platforms and environments. At iSEC, Marc worked on a wide variety of products ranging from mobile, desktop and web clients as well server-side and kernel related components. Marc has recently presented at Black Hat, RSA Conference, Hack In The Box and OWASP on various topics including compiler/hardware induced bugs in OSes/VMs, building better browser-based botnets and how to audit enterprise class products on Android and iOS.

Prior to iSEC, Marc was a lead application developer on a wide variety of projects and worked on several products involving low-level legacy code for a financial and a game company. For his master's thesis at EPITECH, Marc developed a multiplatform flash file system in C which resulted in several commits to the Linux kernel.

Alban Diquet

SEAN PARK

Inside Story Of Internet Banking: Reversing The Secrets Of Banking Malware

People talk about malware stealing your money during online banking. Media talks about billions of dollars financial loss every year directly caused by banking malware. Many articles talk about Zeus, Spyeye, Carberp, and so on. The question is, 'Is it real?'

As a professional security expert and reverse engineer with many years of fighting against banking malware, Sean will take you closer to what is happening by introducing the real battle between the malware and the banks. You will access the core of the secrets with him showing various information stealth mechanisms deployed in the latest banking malware families. More importantly you will be able to get your hands dirty back at your home after learning how to crack modern commercial underground banking malware.

SEAN PARK BIO

Sean Park is a Senior Malware Scientist for FireEye Labs, responsible for researching on global dynamic threat intelligence and delivering incident response service to FireEye clients in the APAC region. Sean’s primary focus is on malware threat identification, attack campaign scoping, threat containment and remediation strategy development, and digital forensic analysis.

Sean has over 12 years of security research, consulting, and development experience on a wide range of security technologies especially in malware space including Anti-virus, firewall and IPS. Sean has deep understanding of modern cyber-attacks and security technologies, which allow him to analyse and decrypt some of the toughest malware. Sean is an expert at detecting operating system kernel level rootkits and analysing multiple layers of highly obfuscated malware.

Prior to joining FireEye, Sean was Senior Information Security Consultant at Westpac, one of the largest banks in Australia. At Westpac Sean played a key role in identifying financial threats such as phishing and banking malware attacks, consulting on secure banking systems, and developing and delivering critical applications and infrastructure for financial security systems. Previously, Sean has worked as a Lead Kernel Driver Software Developer at PCTools (Symantec).

PATRICK GRAY

Edward Snowden: It's Complicated

While the peoples of the Internet are busy arguing over the morality and legality of covert NSA programs unveiled by Edward Snowden, many of the bigger issues have been missed. Like, for example, how some NSA programs are clearly desperate attempts to stave off the inevitable advancement of technology set to make its life hell.

When Napster first popped up in 1999 the music industry had it covered. Dispatch the lawyers and problem solved, right? Riiiight?

Wrong! In this talk Patrick Gray argues that in the medium to long term the NSA, like the music recording industry, will fail in trying to cripple consumer technology. This leads us to the ultimate question of Life, The Universe and Snowden: How can a government fulfil its obligation to protect its citizens when it can no longer reliably intercept electronic communications?

PATRICK GRAY BIO

An Australian analyst, journalist, and commentator on information security, Patrick Gray has been covering the infosec space for over a decade. He produces and presents Risky Business, an information security podcast that has won four Lizzies (Australia’s premier IT journalism awards) -- including Best Audio Program and Best Technology Title. He has written about the Snowden leaks for Wired.com. Twitter: @riskybusiness.

BRENDAN HOP

Schoolin' In: How to Build Better Hackers

The demand for people who can hack is increasing, and universities are not teaching people the fundamentals a hacker needs to know to start out. In addition, computers are more accessible; people do not need to learn internals in order to have fun with computers, and computer science degrees (in Australia, at least) are missing the conceptual fundamentals required to build a good base for learning offensive security. This talk outlines some lessons learned from five years of teaching hacking (and how to be sneaky) to university students.

Brendan will explain the magic behind UNSW's unique COMP9447 computer security course, which has spawned the next generation of Australia's security talent and brought previously uninterested students into infosec. This course has allowed UNSW to differentiate itself from nearly every other university in the world and is demonstrated by the 9447 CTF team which has won the last two Australian CDUC/CySCA CTFs, 4th in the Korean SECUInside CTF and 10th in the DEFCON CTF.

BRENDAN HOP BIO

Brendan has been pentesting and hanging around the edges of exploit dev scene for a few years now, and also cowrote and coruns several computer security courses (with his associate Fionnbharr Davies) at the University of New south Wales, the most notable of which is the introductory hacking course CS9447, who have had some success in the larger world.

THIéBAUD WEKSTEEN

Roll the Dice and Take Your Chances

Commonly used as session identifiers, CSRF protections or unique hardware references, "random" tokens can easily be underestimated when evaluating the security of any system.

Currently available tools to assess the predictability of tokens are often either not specific enough or use a strip down approach, and as such may miss critical relations on the samples.

This talk will introduce the mathematical theory behind the measure of randomness and how this theory can be applied to tokens. Obscure token formats will be investigated and practical tips on how to carry out your own analysis and avoid common pitfalls will be presented. Finally, from a defender's perspective, best practices and possible improvements will be discussed.

THIéBAUD WEKSTEEN BIO

Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
NameError: name 'personal_biography' is not defined

JOHN BIRD

Cracking, CUDA and the Cloud – Cracking Passwords Has Never Been So Simple, Fast and Cheap

Until more recently graphics cards have been mainly responsible for the drawing of pixels on a screen. Today's cards however have significantly more potential and are in some respects even more powerful than the fastest CPUs with the gap widening quickly. There have also been extensions made to allow these devices to execute user defined code. There are new languages such as OpenCL and CUDA which can be used to solve more general purpose problems.

This talk will cover GPU programming, the GPU enabled tools for cracking passwords, rainbow table generation, cracking in the cloud and more.

JOHN BIRD BIO

John Bird spends his daytime hours as a principle software engineer working at CA Technologies. The evening and early morning hours are used to study anything and everything in computer security. John also enjoys opening up electronics gear to try and figure out how it ticks and if it can be repurposed. Some of the time he even manages to put it back together again afterwards.