Speakers

Additional speakers will be added over the next two months.

  • 11 October
  • 12 October

SHUBHAM SHAH

International Voicemail Security And Bypassing 2FA For Fun And Profit

Voicemail systems have been broken into for years. Whether it be through spoofing attacks or social engineering, the general security of voicemail systems around the world has been regarded as some of the weakest. Whilst only fully exposed to the public during the famous News International phone hacking scandal, it seems that a large number of providers are still vulnerable today not only to the techniques already revealed, but also through newer methodologies such as those involving the visual voicemail protocol.

In addition to this, our reliance on telephony as an additional verification factor is also questioned, as through the vulnerabilities discussed, its integrity is lost.

In this talk, we reveal how we:

  • Broke Optus’s voicemail security via spoofing to vulnerable old endpoints
  • Obtained any Vodafone customer's voicemail PIN by bruteforcing Vodafone's visual voicemail system
  • Identified overall vulnerabilities in voicemail systems, including vulnerabilities to test for to see if your telco is vulnerable
  • Bypassed 2FA through the leveraging of voicemail vulnerabilities

We’ll be presenting PoCs, live demonstrations and new techniques to break into modern voicemail systems around the world.

SHUBHAM SHAH BIO

Shubham Shah

Shubham Shah is a Sydney based web application penetration tester currently studying Computer Science at the UNSW part time. Growing up as a teenager watching videos from Defcon and Blackhat, Shubham has participated and reported vulnerabilities to companies such as Google, Facebook, Paypal, Adobe, Microsoft, LinkedIn and more. Whilst deeply invested in penetration testing, Shubham is also an active developer contributing to the security of many open source projects.

Huey Peard

Huey Peard is a student and part-time security researcher who is currently completing his final year of high school. As one of the founding members of the security group Gibson Security, which was made famous last year for exploits found in Snapchat, he enjoys reverse engineering applications and protocols as well as writing his own tools to automate this process.

SILVIO CESARE

Recapping: Breaking the Security of Physical Devices

This is a recap and extension of the presentation Breaking the Security of Physical Devices. From owning, cloning, and homing in on Australia's public transport cards, home alarms from Bunnings, baby monitors from eBay, and automotive keyless entry, find out what's secure, what's not, and what you need to do to protect yourself when you're buying or using such systems.

Specifically, I'll look into:

1) The state of RFID-based security in public transport cards within Australia, and how many states are considered vulnerable to card cloning. A $300 proxmark3 is capable of performing such cloning attacks.

2) Eavesdropping on analog baby monitors using a $15 software defined radio.

3) Defeating wireless controlled home alarms using software defined radio and replay attacks. For under $50, an Arduino combined with wireless rx/tx modules can implement the attack.

4) Defeating the keyless entry of a popular 2000-2005 vehicle, allowing an attacker to unlock the car using a bruteforce attack in an average time between 1 minute and 1 hour. A $1000 USRP can implement this attack.

Don't miss out on this entertaining, yet somewhat scary talk.

SILVIO CESARE BIO

Silvio Cesare is a researcher, writer, and presenter in industry and academia. He is the author of the academic book "Software Similarity and Classification" published by Springer. He has spoken at multiple industry conferences including Black Hat, Ruxcon, Auscert, and Cansecwest. He holds a Doctorate from Deakin University in Australia. He has also worked in industry within Australia, France, and the United States. This work includes time as the scanner architect of Qualys - now the world's largest vulnerability assessment company. At present, he is again at Qualys in developing next-generation malware protection based on his University research.

PETER SZABO

Ransomware - A Study of Evolution

Ransomware is not new: it has evolved from the very early FAT scramblers through poorly implemented crypto schemes to public-private key systems.

Pete will examine various ransomware samples, showing how the malware authors have slowly learnt to utilise public-private key cryptography, and the mistakes they made along the way.

Part of the examination will involve CryptoLocker's call-home feature, the difficulties of detection due to repackaging, and the use of PowerShell to carry out the file encryption.

Some key aspects of mitigation and data recovery are discussed, including use of the DGA to prevent call-home.

PETER SZABO BIO

Peter has been in the anti-malware industry for over a decade applying his reverse engineering to analysis and detection of malware. During this time Peter has found many interesting samples and techniques employed by the malware authors, and has also devised ways of turning some of those into defensive technology, some of which he's happy to share :)

PETER FILLMORE

Crash & Pay: Reading, Cloning and Fuzzing RFID Payment Cards

So, we all know you can clone your building pass, and you can clone your old Mifare cards - so why hasn't your PayPass/payWave card been cloned yet? This talk will endeavour to answer this question by showing you how to clone a card. I’ll also be discussing what tools I use to do RFID testing. We'll also show you how to use cheap hardware to create malicious cards to "fuzz" RFID readers (thanks Google!), and the results of fuzzing different RFID hardware out there. Areas this talk will cover are NFC, RFID, EMV, ISO 14443 and the ever so exciting world of credit-card fraud.

PETER FILLMORE BIO

Peter is a payment security consultant who assists clients in the design and certification of payment systems. A former #1 "musician" who composed such hits as "I Have to Remind you Sully, this is my weak arm" and "O Little Town of Pyongyang", he has decided to go to where the money is - by actually looking at money. Other interests include taking things apart, losing the screws and collecting broken things (that he broke).

DAVID LITCHFIELD

Exploiting SQL Race Conditions and Other Oddities

This talk will examine SQL race conditions and numeric lateral injection and how to exploit them to gain full control over the database server using real world examples in Oracle 12c.

DAVID LITCHFIELD BIO

David Litchfield is a veteran computer security researcher and a recent immigrant to Australia, working for Datacom TSS out of their Perth office. He's co-authored several books such as the Shellcoder's Handbook, the Database Hacker's Handbook and the Oracle Hacker's Handbook. He has found hundreds of critical security flaws in enterprise products from Microsoft, IBM, and Oracle, breaking the "Unbreakable" - cough - finding the flaw that Slammer exploited and devised the techniques to bypass MS' stack protection and SafeSEH back in the day. These days, you're more likely to find him spending time with his family or diving with great white sharks.

DAVID JORM

Write Once, Run Anywhere: A Tour Of Java Remote Code Execution Vectors

Java applets run in a browser within a sandbox provided by the Java Security Manager (JSM). Flaws that allow malicious code to bypass the restrictions of the JSM are well known and numerous. Less well known are the myriad vectors that can be used to achieve remote code execution on server-side Java applications, including web applications. This presentation will provide a tour of these vectors, with practical examples of each one, along with advice on how to avoid exposing similar flaws in your applications. The examples will include a mix of flaws I have found myself and those found by others. The vectors include:

  • XSL Java extensions
  • Expression language interpolation
  • Binary Deserialization
  • XML Deserialization
  • XXE + Gopher

DAVID JORM BIO

David has been involved in the security industry for the last 15 years. He currently works as a manager for Red Hat's product security team, focusing on cloud and middleware products. He has been quoted in a major national newspaper as saying North Korea's nuclear program is "ready to rock".

ADAM DANIEL

The Devil in the Detail - Advanced Forensic Artefact Analysis & More Tales From the Coalface

In this talk I will provide a brief history and overview of computer forensic tools and techniques, including some of the latest advances in the field of forensic artefact analysis, as well as an interesting case study into a sophisticated online theft of a rather large amount of money that used some very  techniques.

ADAM DANIEL BIO

Adam is a Computer Forensics and eDiscovery specialist with over 18 years of experience in the fields of data recovery, data conversion, computer forensics and electronic discovery. He is currently employed at one of Australia's largest and longest running insolvency firms. He also specialises in computer-based expert witness work and testimony as well as electronic discovery and litigation readiness consulting. He dresses like a teenager, loves smoking fine cigars and listens to rap music.

LION GU

Mobile Underground Activities in China

The mobile Web is significantly changing the world. More and more people are replacing their PCs with various mobile devices for both work and entertainment. This change in consumer behaviour is affecting the cybercriminal underground economy, causing a so-called “mobile underground” to emerge. This presentation provides a brief overview of some basic underground activities in the mobile space in China. It describes some of the available mobile underground products and services with their respective prices.

I'd like to introduce some underground products and services one by one, including:

  1. Premium Service Numbers
  2. SMS Forwarders
  3. SMS Spamming Services and Devices
  4. iMessage Spamming Services and Software
  5. Phone-Number-Scanning Services
  6. App-Rank-Boosting Services.

LION GU BIO

Lion is a threat researcher at Trend Micro, Inc. His research focuses on malware analysis, mobile security, and the underground cyber criminal economy. He holds a Bachelor of Electronic Information Engineering from Tianjin University of Technology.

MICHAEL SAMUEL

Bolt on some Crypto

Adding cryptography to your datacenter or application doesn't need to be hard, but people still consistently make simple mistakes that render their hard work worthless.

This talk aims to be an accessible introduction to using cryptography, including the simple concepts that cryptographic protocols provide, picking the right applications and libraries, and testing for the simple mistakes that commonly appear in real-world implementations.

MICHAEL SAMUEL BIO

Michael Samuel is a systems and network engineer by day, and an open source developer and security researcher whenever he has some spare time.

MARK BRAND

Finding Bugs The Rube-Goldberg Way

The most popular questions after my presentation last year were 'How practical is this?' and 'Does this work for real-world code?'. At the time, I didn't really have an answer - I had a set of shiny toys and a huge technical debt after rushing to get exciting demos working in time for the conference. I'll try to answer those questions a little better this year.

The short answer is - no, it isn't going to find you all the 0day for 0effort; and it definitely can't solve the 'perfect storm' of DOM-related browser vulnerabilities; but it is a neat tool. And like any tool for security research, you only get out what you put in; but along the way you learn a lot about the target application, helping you to focus your efforts.

Expect more of the same - I'll do a brief recap of how concolic execution works, and some more detailed worked examples of less-obvious code that hurts this kind of tool.

Then we'll take a look at some real-world reverse engineering using this technique, looking at some interesting pieces of widely used code using a more practical toolset for debugger-integrated concolic execution.

MARK BRAND BIO

Mark is a recovering Brit who moved out to Australia about two years ago. He's a security consultant and researcher for the Canberra-based Datacom Technical Security Services, and spends his office hours doing penetration testing or auditing clients' code, and his spare time writing tools to audit everyone else's code...

ALEC STUART-MUIRK

Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure

When Super Mario looks at your average network topology diagram he sees opportunity in those bricks and adventure in those pipes! Join Mario as we target the Cisco ASA firewall on our way to rescue Princess Peach from Bowser's Castle.

Chaining no less than three previously unknown exploits, we will remotely compromise the perimeter Cisco ASA firewall. Then, using the firewall's built-in NAT functionality, we will explore the possibility of moving laterally while evading anomaly- and flow-analytics-based network intrusion detection.

This talk will explore the inner workings of the Cisco ASA appliance and present opportunities for further exploit development and reboot persistent rootkits. Overall it will have you question the security of your network security devices and leave you asking if we should hold security vendors to a higher standard.

ALEC STUART-MUIRK BIO

Alec has been working in the network security industry for more than ten years. For the first five years, he worked on the front line acting as level three support for clients often troubleshooting obscure bugs and issues alongside the major firewall vendors. Since that time he has continued working with these vendors and their products as a network security architect, designing end to end solutions in the enterprise. All the while Alec has never stopped questioning the underlying technology, what makes these products tick and what secures the security product.

ROBERT WINKEL

Image and Video Forensics – An image is Worth 1000 Frauds

Magazines with photo shoots of super slim super models…
Dictators releasing images that show their military might…
YouTubers releasing unbelievable videos of UFOs…
Cyber terrorists hiding their plans to bomb the Playboy mansion within their Facebook profile picture...
Presidents providing copies of their birth certificates to prove they weren’t born overseas...
Newspapers capturing front-page worthy photos that defy belief...
“Amateur” videos capturing amazing stunts using construction site tools...
Hundreds of people claiming they won the $100 million lotto, with photos to prove it…
Professionals displaying a copy of their credentials, certifications, or qualifications on line…

With the prevalence of CGI, photo and video manipulation tools, and photo and video sharing sites, we are exposed to more and more images and videos where we are doubtful of their authenticity.

In this presentation, I will cover the more popular techniques to uncover fake images and videos. For my examples and demonstrations, I will use topical, humorous, and even Ruxcon-related images and videos. Techniques I will cover include:

  • Finding the original, unaltered image, e.g. through Google reverse image search.
  • Eyeballing “obvious” Photoshopped images, e.g. the phantom hand syndrome, missing limbs, anything from Photoshop Disasters website (http://www.psdisasters.com/).
  • Examining metadata, e.g. “Created by Photoshop v5.0”
  • Statistical methods, e.g. histogram analysis, error-level analysis, principle component analysis, noise level analysis, wavelet transformations.
  • Analysis of objects and their shadows to detect light source inconsistencies.
  • Hand-held camera jitter analysis in videos to detect unhuman-like motion.
  • Motion tracking of moving objects within videos to detect violations of Newton’s laws.

I will also cover other uses of image and video forensics, such as:

  • Detecting steganography.
  • Geolocation of a camera through reflections in windows, and through geometry using Google Earth and Streetview.
  • Deblurring images to extract intelligence, e.g. licence plates.
  • Metadata contained in photos, e.g. geolocation, orientation.

ROBERT WINKEL BIO

Jr'er ab fgenatref gb ybir. Lbh xabj gur ehyrf naq fb qb V. N shyy pbzzvgzrag'f jung V'z guvaxvat bs. Lbh jbhyqa'g trg guvf sebz nal bgure thl.
V whfg jnaan gryy lbh ubj V'z srryvat. Tbggn znxr lbh haqrefgnaq.
Arire tbaan tvir lbh hc. Arire tbaan yrg lbh qbja. Arire tbaan eha nebhaq naq qrfreg lbh. Arire tbaan znxr lbh pel. Arire tbaan fnl tbbqolr. Arire tbaan gryy n yvr naq uheg lbh.
Jr'ir xabja rnpu bgure sbe fb ybat. Lbhe urneg'f orra npuvat, ohg lbh'er gbb ful gb fnl vg. Vafvqr, jr obgu xabj jung'f orra tbvat ba. Jr xabj gur tnzr naq jr'er tbaan cynl vg.
Naq vs lbh nfx zr ubj V'z srryvat. Qba'g gryy zr lbh'er gbb oyvaq gb frr.
Arire tbaan tvir lbh hc. Arire tbaan yrg lbh qbja. Arire tbaan eha nebhaq naq qrfreg lbh. Arire tbaan znxr lbh pel. Arire tbaan fnl tbbqolr. Arire tbaan gryy n yvr naq uheg lbh.

JOHN LOUCAIDES

BIOS and Secure Boot Attacks Uncovered

A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and OS loaders. Windows 8 Secure Boot provides an important protection against bootkits by enforcing a signature check on each boot component.

This talk will detail and organize some of the attacks and how they work. We will demonstrate some of these attacks including user-mode bypasses of secure boot. We will describe underlying vulnerabilities and how to assess systems for these issues using chipsec (https://github.com/chipsec/chipsec), an open source framework for platform security assessment. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. In addition, we will explain why exploits against systems firmware, which were supposed to require kernel mode privilege, in many cases could be done from user mode.

 

JOHN LOUCAIDES BIO

Authors: John Loucaides, Andrew Furtak, Oleksandr Bazhaniuk, Alexander Matrosov, Yuriy Bulygin (Intel Security)

John Loucaides is a security researcher who is currently focusing on responding to platform security issues. He has performed security analysis for a wide variety of targets from embedded systems to enterprise networks, developing repeatable methods for improving assurance.

TTY0X80

Android Forensics: The Joys of JTAG

JTAG provides a standard interface with the ability to debug and determine faults in integrated circuitry, but when mobile devices leave the factory floor with it enabled, this opens up an entirely new way to acquire raw data from devices that incorporate NAND or NOR flash memory. With mobile devices, manufacturer components vary greatly between models, which creates a huge challenge for forensic examiners to soundly acquire their memory due to the differing components as well as the need for expensive, customised hardware and software. The biggest hurdle is locked and encrypted devices. This talk will focus on the forensically sound acquisition of NAND memory in Android devices via JTAG, the extent of what can be uncovered in the investigation of such a device, and industry developments in the area of mobile device forensics.

TTY0X80 BIO

tty0x80 is a deep space photon searching for the meaning of cats. When not distracted by what quantum superposition he is in, he spends his time diving into a variety of Information Security fields and conducting research, all the while aspiring to become a security researcher.

MATT HALCHYSHAK & JOE TARTARO

Cyber Necromancy: Reverse Engineering Dead Protocols

Reverse engineering is not all binaries and byte-code. The black art also extends to networks and unobtainable game servers. In this talk we go into the gruesome details of how we dug through the graveyards of console binaries and mausoleums of forgotten network protocols in order to stitch together the pieces necessary to bring our favorite game Metal Gear Online back to life. This talk will be examining the process of reverse engineering the games custom network protocols in all angles from packet logs to low level disassembly of client code.

MATT HALCHYSHAK & JOE TARTARO BIO

Matthew Halchyshak is a security technician for Security Innovation with experience performing penetration tests and code reviews on applications ranging from mobile to server-side applications. Though interested in computer security from his youth, he moved through a number of career paths before finally getting into the security field, including work as a magician and as a field artillery soldier with the Canadian Army Reserve. In his off-time he enjoys the challenge of breaking captchas and writing bots for various applications and services.

Joseph Tartaro is an experienced Senior Security Consultant at IOActive, where he proves his talents working with clients on network and application penetration tests. Tartaro is highly experienced with a wide range of security practices, passionate about hardware hacking, programming and all manners of exploitations. As a member of telephreak, he helps manage a VoIP PBX system for free public conferencing and communication. In his off time he enjoys working on emulations and ROM hacking of retro-video games.

DANIEL CHECHIK & RAMI KOGAN

Bitcoin Transaction Malleability Theory In Practice

A mysterious vulnerability from 2011 almost made the Bitcoin network collapse. Silk Road, MTGox, and potentially many more trading websites claim to be prone to "Transaction Malleability." We will shed some light and show in practice how to exploit this vulnerability.

Additional Info: http://youtu.be/fmlzXztvh2Q

 

DANIEL CHECHIK & RAMI KOGAN BIO

Daniel Chechik

Daniel Chechik is a senior security researcher at Trustwave's SpiderLabs. Among other things, he specializes in malware analysis, web exploits detection, Trojan and botnet detection and neutralizing and defining security requirements for the Secure Web Gateway product.

Prior to that, Daniel served in a technological unit as a security specialist in the IDF. During the service, Daniel specialized in CheckPoint Firewall equipment, AntiVirus products and other IT security products.

Daniel, among other things, has spoken at the BlackHat, RSA, DefCon, OWASP conferences, holds CEH and CCSE certificates and has a patent pending for 'Detecting Malware Communication on an Infected Computing Device'.

Rami Kogan

Rami Kogan is a security researcher at Trustwave’s Spiderlabs. Rami’s average day is full of obfuscated web pages, exploit kits and coffee. He believes that PDFs are evil!!

Last year, Rami gave a presentation on “Web Malware Outsmarting Security Products” at the First conference in Bangkok, which dealt with the various evasion techniques used by the web criminals. This is probably a big part of the reason for his strong beliefs regarding PDFs.

BRIAN GORENC & MATT MOLINYAWE

Blowing up the Celly - Building Your Own SMS/MMS Fuzzer

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (incorrectly) handle a large number of data types, including various picture, audio, and video formats. To make matters worse, you are relying on the carriers to be your front line of defense against these types of attacks. Honestly, the mobile device sounds like it was custom built for remote exploitation.

The question you should be asking yourself is: How do I find weaknesses in this attack surface? This talk will focus on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer. We will take an in-depth look at exercising this attack surface virtually, using emulators, and on the physical devices using OpenBTS and a USRP. To help ease your entry into researching mobile platforms, we will examine the messaging specifications along with the file formats that are available for testing. The value of vulnerabilities in mobile platforms has never been higher. Our goal is to ensure you have all the details you need to quickly find and profit from them.

BRIAN GORENC & MATT MOLINYAWE BIO

Brian Gorenc

Brian Gorenc is the Manager of Vulnerability Research in HP's Security Research organization where his primary responsibility is running the world's largest vendor-agnostic bug bounty program, the Zero Day Initiative (ZDI). He's analyzed and performed root cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Brian's current research centers on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Oracle, Novell, HP, open-source software, SCADA systems, and embedded devices. He has also presented at numerous security conferences such as Black Hat, DEF CON, and RSA. Prior to joining HP, Brian worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment. He has in-depth knowledge of software vulnerabilities, exploitation techniques, reverse engineering, and secure coding practices. Brian has a MS in Software Engineering from Southern Methodist University and a BS in Computer Engineering from Texas A&M University. He also holds several certifications including ISC2's CISSP and CSSLP.

Matt Molinyawe 

Matt Molinyawe is a vulnerability analyst and exploit developer for HP’s Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability. He was also part of HP’s winning team at Pwn2Own/Pwn4Fun who exploited Internet Explorer 11 on Windows 8.1 x64. Prior to being part of ZDI, he worked at L-3 Communications, USAA, and General Dynamics – Advanced Information Systems.

In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. He also enjoys video games and has obtained National Hero status in QWOP and beat Contra using only the laser without dying a single time. Matt has a B.S. in Computer Science from the University of Texas at Austin.

DOUGALL JOHNSON

Linux Kernel Futex Fun: Exploiting CVE-2014-3153

It's not often that a vulnerability is discovered that can root most Android phones, compromise shared hosting servers, and break the Chrome sandbox. Disclosed by Pinkie Pie and widely exploited on Android devices by geohot's towelroot, CVE-2014-3153 was definitely one of this year's more intriguing vulnerabilities. This talk will look at the details of the bug, the relevant Linux kernel internals, and the techniques that can be used to build a reliable exploit.

DOUGALL JOHNSON BIO

Dougall Johnson works at Azimuth Security in Sydney. Since presenting research on public transport tickets at Ruxcon 2012, he has devoted himself to doing cruel and unusual things to computers. He enjoys reading code, and has a slightly masochistic sense of "fun".

 

JAY DAVIS AND LUKE JAHNKE

Safecracking on a Budget

This talk will cover the creation of an autodialer capable of opening a group 2 combination lock. It was created using a combination of 3D printing and an Arduino. These were chosen to keep costs low as well as allow for an iterative design process. The project was our first experience with 3D printing and the talk will cover all the lessons learnt along the way.

All source code and design files will be released allowing anyone to replicate the design.

JAY DAVIS AND LUKE JAHNKE BIO

Jay was previously a security consultant that decided it was more fun to go live in the bush. He now runs an IT company helping people with their capslock keys and opening their safes.

Luke is the creator of BitcoinCTF, a set of difficult web security problems released every year. In his spare time he studies April Fools' RFCs and yearns to beat Silvio in a game of pool.

MIMEFRAME & MCGREW

Homebrew Incident Response

In the past three years, Facebook's Incident Response team has grown from a single person to a full-fledged team. We're going to discuss lessons we've learned and open source some of our tooling and techniques. This talk will cover topics like containment, sinkholing, scaling network intrusion detection, and lifecycle improvements we've made as a result of real situations we've managed. Attendees can expect to walk away with tangible, real-world solutions they can deploy in their enterprise. 

MIMEFRAME & MCGREW BIO

@mimeframe is the manager of Facebook's Incident Response team.

@mtmcgrew is a security engineer on Facebook's Incident Response team.

Please see https://speakerdeck.com/mimeframe/homebrew-incident-response for the most up-to-date version of the slides. 

RICKY LAWSHAE

Let's Talk About SOAP Baby, Let's Talk About UPnP

Whether we want it to be or not, the Internet of Things is upon us. Network interfaces are the racing stripes of today's consumer device market. And if you put a network interface on a device, you have to make it do something right? That's where a Simple Object Access Protocol (SOAP) service comes in. SOAP services are designed with ease-of-access in mind, many times at the expense of security. Ludicrous amounts of control over device functionality, just about every category of vulnerability you can think of, and an all-around lack of good security practice about sums it up. 

This is going to be a talk about the dangers of insecure SOAP/UPnP interfaces on embedded and "smart" devices. The talk will be divided into two parts: First, "Let's talk about all the good things" - I will start by defining SOAP and its intended use with real world examples. And second, "And the bad things" - This is where I'll give descriptions and demonstrations of the various vulnerabilities to be found therein, including XML parsing and memory corruption, SQL/SOAP/OS command injection, ENTITY tricks and information disclosure, and straight-up unauthenticated device control. This will involve live demos against a small selection of devices. Full details of new vulnerabilities may be given dependent upon vendor disclosures/patches, but I'll at least have demos.

RICKY LAWSHAE BIO

Ricky “HeadlessZeke” Lawshae is a Security Researcher for DVLabs at HP TippingPoint with a medium-sized number of years’ experience in professionally voiding warranties. He has spoken at the Defcon, Recon, and Insomni’hack security conferences, and is an active participant in the extensive Austin, TX hacker community. When he’s not accidentally DoS’ing his company’s network, he enjoys picking locks, reading comic books, and drinking expensive beers.

RENÉ FREINGRUBER

EMET 5.0 – Armor or Curtain?

EMET (Enhanced Mitigation Experience Toolkit) is an application which can be used to further harden a Windows system by adding additional security protections to running processes. These protections include several ROP (Return-Oriented-Programming) checks, shellcode detection mechanisms, heap-spray mitigations and many more.

Microsoft, as well as other vendors, typically suggests installing EMET as a workaround for new memory corruption vulnerabilities in order to protect the affected application. The aim of the presentation is to show the audience that attackers can still exploit such protected applications by using one of the many existing techniques.

This talk covers new techniques to bypass EMET 5.0 (the current version of it) as well as EMET 4.1.

We at SEC Consult do not believe in putting additional security layers like EMET, DEP, ASLR, application firewalls and so on, on top of applications. Rather we demand from software developers and especially from the software industry itself to focus on secure software development instead of forcing their customers to create a chain of security layers to protect their software product.

Protections such as EMET, DEP and ASLR are useful to add an additional hurdle for attackers but are not unbreakable.

RENÉ FREINGRUBER BIO

René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. During his bachelor thesis he developed hundreds of exploits to study the different mitigation techniques implemented by modern operating systems and how they can be bypassed by attackers.

STEFAN ESSER

iOS 8 - Containers, Sandboxes and Entitlements

With the release of iOS 8, Apple introduces the concept of app extensions to iOS. This is the first time in the history of iOS that Apple allows 3rd party developers to extend Apple's own or other parties' applications. This new feature not only brings developers opportunities that were previously only possible on jailbroken iOS devices, but also opens up new attack surfaces and requires modifications to application containers.

In this session we will discuss the changes introduced by this new feature and analyse the new attack surface. We will also have a look into other changes introduced with iOS 8 and revisit the application sandbox implementation that was last publicly discussed around the time of iOS 4/5.

STEFAN ESSER BIO

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded.

In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.

COREY KALLENBERG

Extreme Privilege Escalation on Windows 8/UEFI Systems

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "runtime services" interface between the operating system and the firmware.

This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very-powerful System Management Mode (SMM).

This talk will disclose two of these vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.

COREY KALLENBERG BIO

Corey Kallenberg is a Security Researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012, he co-authored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013, he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Black Hat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture.

Y011 & LIAMOSAUR

Software Defined Radness: HackRF meets +613

Recently we got a few HackRF software defined radios. The HackRF is a new low-cost ($300USD) software defined radio platform that has been under development for a few years and was recently made available to the public. The HackRF has a wide frequency range - 10MHz to 6GHz with 20MHz of bandwidth. It is also completely open source for both hardware and software. Most interesting to us is that it can transmit as well as receive. Because of this, radio technologies previously impractical to "examine" are now accessible to the everyday hacker.

After a few minutes of screwing around with the HackRF some fun->evil ideas on how to use the HackRF began to present themselves. Looking around (so to speak) we realised there were a lot of unexplored RF-based technologies including some unique to Melbourne. 

Being neighbourly types we're here to share some fun to be had with a HackRF in Melbourne.

Y011 & LIAMOSAUR BIO

Neal Wise ( @y011 [that's with a zero, yo]) runs @assurance and rocks the -vvv.

Liam O (@liamosaur) is a Senior Consultant with Assurance and duck enthusiast.

VINCENT LO

Windows ShellBags Forensics in Depth

The problem of identifying when and which folders a user accessed arises often in digital forensics. Forensicators attempt to search for them in the ShellBags information because it may contain registry keys that indicate which folders the user accessed in the past. Their timestamps may demonstrate when the user accessed them. Nevertheless, a lot of activities can update the timestamps. Moreover, the ShellBags structure differs slightly between different Windows operating systems. How to interpret ShellBags correctly has become a challenge. This presentation summarizes the details of ShellBags information and discusses various activities across Windows operating systems.

VINCENT LO BIO

Vincent is a digital forensic investigator who has undertaken hundreds of digital forensic and incident response engagements. His expertise covers a wide range of cases including corporate litigation, financial fraud, computer hacking, employee investigations, system intrusion and data recovery. He is also the author of the GIAC Gold paper “Windows ShellBags Forensics in Depth”.

Vincent holds a Masters in Information Technology from the Queensland University of Technology and the industry certifications, CISSP, CCE, GREM, GCIH and GCFA Gold.

JOE FITZPATRICK & MIKE RYAN

Tools of the NSA Playset

The leaked pages from the ANT catalog have given us unprecedented insight into the capabilities of the NSA. The gadgets in the catalog allow the NSA to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, mount Wi-Fi attacks from drones, and even monitor video displays, keystrokes, and ambient audio from a distance.

This inspired several of us to work on recreating lots of these capabilities with open source hardware and software so that anyone can reproduce these abilities. Some of us even introduced some new capabilities of our own, inspired by those found in the ANT catalog. There are currently over half a dozen different toys in the NSA Playset that were released at DEFCON. This talk will review and summarize each of the toys released at DEFCON, including demos of the SLOTSCREAMER for driverless hardware access to system memory over PCIe and TINYALAMO for BLE (Bluetooth Smart) keyboard surveillance and injection. We will also share some of the motivations and objectives of the NSA Playset and its contributors.

JOE FITZPATRICK & MIKE RYAN BIO

SecuringHardware.com. Joe specializes in low-cost attacks, hardware tools, and hardware design for security. Previously, he spent 8 years doing test/debug and hardware pen-testing of desktop and server microprocessors, as well as conducting security validation training for hardware validators worldwide. In addition to side projects on PCIe, RTL security validation, and simple side-channel attacks, Joe currently teaches "Secure Hardware Development for Integrated Circuits" and co-teaches "Software Exploitation via Hardware Exploits" alongside Stephen Ridley.

Mike is a Senior Security Consultant at iSEC Partners, an information security firm. At iSEC he performs research on low power wireless technologies and penetration testing of client software, hardware, and networks. Mike specializes in red team exercises and has a soft spot for embedded platforms. Mike has been doing security in one way or another since 2002 and has a wide array of skillz, tricks, and leet hax for maximum love in any scenario.

SEAN PARK

Writing Zero Days for Security - APT PenTesting Framework

The APT Penetration Testing Framework can help discover the vulnerable points of an enterprise through near zero day (but 'controlled') exploits and a custom RAT that bypasses signature-based detection. The framework development work essentially consists of zero day exploit engineering, shellcode modification, and signature-bypassing RAT development. The ultimate goal is to bypass corporate security defense mechanisms such as web/email gateways, IDS/IPS, firewalls/proxies, sandbox solutions, and endpoint security. The presentation demonstrates this new paradigm of APT pentesting through a modified CVE-2013-3918 exploit and a custom RAT with remote shell and file management capabilities.

SEAN PARK BIO

Sean has over 14 years of cyber threat research and security technology experience in kernel mode rootkits, banking malware, APT, zero day exploits, reverse engineering and penetration testing. Sean has been helping fight cybercrime in many places including Kaspersky, FireEye, Sophos, Symantec, and Westpac.