44CON 2012 Presentations

44Con 2012 has two tracks, with different themes depending on the day. Day 1 is Fast track day, consisting of an info sec track covering the softer and more business-focused side of security and a turbo track, containing full info sec talks and busy reader turbo talk editions of the next two day’s research, pitched at managers and advisors who might not have the time or technical focus for the full talks, but may need to take action based on the research being presented.

The second and third days consist of technical talks. Where possible, more hard-core or less accessible but technically interesting talks will be paired with more accessible talks.

As well as this, workshops will run across all three days pitched at their respective audiences.

The talks listed below are split into the first day and the remaining two, so that when it comes to buying tickets you’ll know what to expect. More talks will be added as they’re accepted. The Call For Papers closed at the end of May 2012.

Day 1 talks

Software Security Austerity – Software security debt in modern software development

Presented by: Ollie Whitehouse

What happens when you’ve implemented your SDLC or started your security mindfulness activities and got good at finding security issues? Typically you won’t be able to fix them all and as a result you start to accrue vast amounts of known security debt. This is compared to doing another and having large amounts of latent security debt.

The concept of technical debt within software was first introduced in 1992 by Ward Cunningham. This presentation outlines the general problem of software (or application) security debt while also outlining a number of considerations and strategies for managing the problem. The presentation will discuss the business realities when dealing with security debt, how these realities can be balanced and why there are parallels with the recent financial austerity measures we’ve seen and what we should learn from recent events.

Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention)

Presented by: Jayson E. Street

YAY I broke________<-Insert protocol, device, OS or Internet if you’re Dan.

My question though is great! Now how do we not go about fixing it but actually go about communicating these issues to upper management & end users? I will talk about three points

  1. Getting upper management involved and behind your security initiatives.
  2. Educating, empowering & enforcing your workforce to be a part of your INFOSEC team not the core weakness of it.
  3. How the INFOSEC echo chamber is not helping the situation and how we can take a moment from being awesomely right to being helpful and gracious.

Security Architecture & SMART

Presented by: Phil Huggins

Security Architecture & SMART

What is security architecture?

Security architecture principles and approaches

What are the SMART concerns?

How can you address those in your security architecture?

Terrorism, tracking, privacy and human interactions

Presented by: Daniel Cuthbert, Glenn Wilkinson

Numerous governments have initiated (or already deployed) plans to monitor citizens’ online activity. The monitoring ranges from mobile phone calls and SMS messages, to email, social network interaction, and general browsing habits. Such initiatives are touted under the guise of “anti-terrorism” – with governments advocating its necessity for state security. State security bodies propose access to massive databases detailing citizens habits – and from such raw data they anticipate the ability to profile suspected terrorist behavior.

Our project goal is to create a similar database (on a much smaller scale) in order to determine both the feasibility of profiling citizens.  In order to achieve such monitoring numerous wireless access points (APs) will be setup in several cities.

I’m the guy your CSO warned you about

Presented by:  Gavin Ewan

Although you may find the following questions simple to answer, ask yourself this –

Have you read an e-mail recently?

– Can you be sure everything is as it seems?

Had a conversation on the phone?

– Was that really your bank on the line?

Have you ever clicked a link?

– Did that go where you expected?  You sure?

Have you ever plugged in a USB stick?

– Who had it before you?

Too many speak of the importance of what hand you use to hold a pen or what direction your eyes look when accessing your brain being some metric in gauging how people fall victim to social engineering.

Very good, thanks for that, but so what?

Psychology won’t defend you against google hacking, whether you hold a pen with your right or left hand doesn’t make your public image any more secure.  This talk focuses on the ‘hypothetical bad guy’ and the ‘weapons’ of choice he has in front of him.

In this talk I will take you through the main arsenal of weapons the bad guy has at his disposal.  Gone are the maybes, probablys and percentages of the population given to us by pure psychology.  In are the real tools of pwnage the bad guy will use without ever having to wear a boiler suit and a fake moustache.

The talk will include demos of the tools being used and leave attendees with enough information to know how to implement these attacks themselves and better able to defend against them.

The aim of this talk is to raise awareness of how much damage a bad guy can do with only a handful of tools and an internet connection, social engineering for the modern age.

SexyDefense – Maximizing the Home-Field Advantage

Presented by: Ian Amit

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that’s hard. Usually after the pentesters (or worst – red team) leaves, there’s a whole lot of mess of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time – can you fix this so your security posture will actually be better the next time these guys come around?

This talk focuses mainly on what should be done (note – no what should be BOUGHT – you probably have most of what you need already in place and you just don’t know it yet).

The talk will show how to expand the spectrum of defenders from a reactive one to a proactive one, will discuss ways of performing intelligence gathering on your opponents, and modeling that would assist in focusing on an effective defense rather than a “best practice” one. Methodically, defensively, decisively. Just like the red-team can play ball cross-court, so should you!

Why Integrity is left alone and not given TLC (Tender, Love and Care) it deserves?

Presented by:  Jitender Arora

Information Security has 3 pillars CIA (Confidentiality, Integrity and Availability). Most organisations spend quite a lot of money in putting Confidentiality (Encryption to secure data in transit or data at rest) and Availability (Disaster Recovery) controls within their environment. For some reason, Integrity controls have been neglected and not many organisations implement Integrity controls to guarantee data accuracy.

Most business processes rely on accuracy of data to take critical and key business decisions but still mostly it is considered adequate to protect confidentiality of data in transit between 2 nodes or systems. How can we ensure Integrity of data that is used in BI tools to make decisions on critical business propositions? Is it acceptable to rely on Encryption controls to guarantee Integrity of data?

  • Explaining importance of Integrity with some real life use cases from Industry
  • Providing pragmatic options on Integrity Controls

The idea is to have a thought provoking discussion involving audience.

House of cards – How not to collapse when bad things happen

Presented by: Rafal Los

An unfortunate number of enterprises build their foundations on a false sense of security.  They’ve implemented technical defensive measures, written policies, and have procedures for response – and they feel ‘secure’.  The problem is – until they’ve actively tested these out in real-world scenarios much like disaster recovery drills, they have no idea how well-prepared they really are for when the worst strikes. Perhaps more importantly, they have no idea where things will strain and break and as a result cannot compensate.

As Information Security leaders often find themselves playing whack-a-mole with compliance, business requirements and resource challenges it can be easy to fall into a sense that everything is under control because on paper the security posture looks good – but how certain are you?  Validating human and technical controls, policy elements and response procedures is vital to the prepared enterprise.  It is true that the only way to design a safe vehicle is to repeatedly crash and re-design it until it meets minimum safety requirements, but all of this must be done before the car is allowed to crash in a real wreck.  Unfortunately, most enterprises simply go by what they’ve planned on paper and it’s not until they wreck in the real world do they find out how poorly prepared they are.

This talk will expose the audience to the issues of having unproven security and untested defenses in today’s threat landscape… and encourage CISOs to “break more” to provide their leadership with a better level of assurance of preparedness than they have today.  We will provide a framework and step-by-step plan to design, test, and learn from ‘crash data’ to build a truly resilient, responsive and ultimately more risk-averse enterprise.

Day 2 and 3 talks

Hacking and Forensics on the Go

Presented by: Phil Polstra

This talk with discuss “The Deck” which a BeagleBoard configured for hacking and forensics on the go.  The Deck will run an Ubuntu-based linux OS with many of the nice tools from Backtrack also present.  Some of the planned BT tools include: wireshark, Metasploit (complete with backend database), Jack the Ripper, remote access tools, nmap, and wifi tools.

I will also discuss a couple of ways to power the Deck using some simple circuits.  Powering options will include USB plugin (which would also allow use of popular USB wall chargers), 9V battery with appropriate circuitry, and Power-Over-Ethernet.

For those only interested in a forensic device, I will present the 4Card.  The 4Card is a forensics device based on the BeagleBone.  The BeagleBone isn’t powerful enough to use a an attack computer, but it is smaller, cheaper, and consumes less power for those that don’t need an attack platform.

V-SAT hacking

Presented by: Paul Marsh

Following on from 44con 2011’s presentation on ‘Satellite Hacking’ this one will concentrate purely on V-Sat hacking, interception and decoding of data. Packet injection will be covered at a high level. The presentation will cover V-Sat topology and real-word implementations, data transmission formats and parsing of off-air data using well known network sniffing tools. Numerous examples will be given of actual off-air signals as well as practical advice on decoding.

Big game hunting

Presented by: Tim Brown

Simple techniques for bug hunting on big iron UNIX.  The talk will build on the work previously done in my “Breaking The Links” paper but will focus on AIX and associated IBM products.  The talk will include some new bugs as well as going through a simple methodology for finding them.

Inside .NET smart card operating system

Presented by: Behrang Fouladi

Reverse engineering methods in hardware and software domains have been demonstrated to dump or model smart cards operating system or on-card applications source code. The hardware reverse engineering methods require specialized equipment and silicon level skills and are generally used by attackers to extract encryption keys or key derivation algorithms which are not the topic of this talk. Instead, I will mainly use code reverse engineering of the vendor’s software development kit (SDK) and card-host communication analysis to document card application file format and relevant runtime bytecode instructions which can then be used to produce effective test cases targeting the interesting instructions of the on-card .NET virtual machine.

Cryptanalysis of the Enigma Machine

Presented by: Bob Weiss and Ben Gatti

The Enigma machine was broken during WWII using an Electro Mechanical device and cribs (or known plaintext.)  A ciphertext only cryptanalysis method for breaking the Enigma was proposed by James Gillogly in 1995, but until now software to implement this type of attack has not been available.  We expect to release software that implements a modified version of what Gillogly proposed.

DGA Detection & Optimization

Presented by: Gunter Ollman

The concept behind domain generation algorithm (DGAs) use for locating crimeware C&C isn’t particularly new, however the current generation as considerably better tuned than those of old and are increasingly incorporated as a backup strategy to the more sophisticated commercial crimeware tools. For the good guys, there are new machine learning and advanced spectral clustering approaches that can automatically detect (passively at the network level) their operation and classify malware families. For the bad guys, there are improved operational methods that guarantee evasion – at both technological and law enforcement levels. This talk covers the state of the art in applying advanced machine learning to network detection, and the optimizations being made by the masterminds behind some of the best crimeware out there.

Passive IPS Reconnaissance and Enumeration – false positive (ab)use

Presented by: Arron Finnon

Network Intrusion Prevention Systems or NIPS have been plagued by “False Positive” issues almost since their first deployment.  A “False Positive” could simply be described as incorrectly or mistakenly detecting a threat that is not real.  A large amount of research has gone into using “False Positive” as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks.  However the very reaction to a “False Positive” in the first place may very well reveal more detailed information about defences than you might well think.

This talk takes a looks at how its is possible to enumerating network defences such as an IPS by very simple and effective means.  A detection system such as an IPS reacting to a set of conditions under the control of an attacker can very well allow them to know what defences they need to overcome to be successful.  With a simple crafted email it is possible to tell that clamAV is running on a mail server, or a  simple fake URL parameter could well inform you that SNORT is defending a web application.  Armed with this type of information an attacker can plan their attack that utilise IPS evasion techniques.  All though this talk uses some very famous “Open Source” security application in its examples the  methodology can easily be used to detect a whole host of commercial security products as well.

There is no hard and fast simple fix to the issues discussed in this talk, the aim is simple; to give the attendees the ability to spot and assess potential “reaction leakages” from a detection system.  You can only really defend against what you can understand and with this information a more fitting solution can be sought.

Hardware security resilience to low-cost attacks

Presented by: Sergei Skorobogatov

With the growing concern about low-cost attacks on secure hardware there is a need for better understanding how those attacks work. Even when the information is encrypted, the determined attacker can learn the key through side-channel leakages or via fault injection attacks. I will present low-cost attack technologies which should be considered by hardware developers.

Hardware assurance is another big area of concern for developers and consumers as modern semiconductor chips are complex enough to become vulnerable to malevolent activities in the form of Trojan and backdoor insertion. An adversary can introduce Trojans into the design during a stage of fabrication by modifying the mask at a foundry. It could also be done by third parties in the design blocks or by malicious insiders at the design house. My recent research demonstrates how such backdoors can be found using side-channel analysis techniques.

I’m the butcher, would you like some BeEF?

Presented by: Thomas Mackenzie, Michele Orru

Recently a lot of focus in BeEF has been towards developing cool new features that help the day to day job of a social engineer, hereafter known as “The Butcher”.

We have been working very hard and secretively in the last months to widen our range of meaty goods within the Browser Exploitation Framework. During this talk we will release new modules and extensions specifically aimed toward automating the technical parts of a social engineer attack.

Employing techniques that are currently used is great, however “The Butcher” wishes to impart knowledge upon the attendees regarding new techniques that employ successful vectors targeting different browser within different security contexts.

After introducing people to the project who may have never heard of it before, we will be sharing information about real social engineering / penetration testing work that we have done recently and how we have advanced BeEF to achieve maximum coverage. This includes:

  • Website Cloning: but you haven’t seen it like this before!
  • Email Spoofing: mass email, easy
  • Browser Control / Pwnage Automation: control BeEF programmatically using the RESTful API
  • Maintaining Connectivity: you have met man in the middle, meet man in the browser

2012 in review: Tor and the censorship arms race

Presented by:  Runa A. Sandvik

Kazakhstan blocked Tor using Deep Packet Inspection in January 2012. China started probing Tor bridges using a system that is aimed directly at Tor, and using code that actually speaks the Tor protocol. Iran started blocking SSL connections on Valentine’s Day, in preparation for its “halal” Internet. Mobile operators in the US and the UK continue to filter and censor websites for customers. The government in the UK proposed plans for mass surveillance. Activists in Iran and Syria were targeted with malware, and the government in Kuwait proposed plans to regulate the use of social networking sites.

These are some of the Internet censorship events we have seen so far in 2012, and we have only scratched the surface. In this presentation,  I will talk about how the blocking is done (in terms of what signatures are filtered in Tor, and how we have gotten around the blocking in each case), and what technologies are being used to filter Internet traffic — including the use of Western technology to operate the surveillance and censorship infrastructure in the Middle East.

I will cover what we have learned so far about the mindset of the censor, as well as the users being censored, and how we can measure and track the wide-scale censorship in these countries using a framework we have developed. Lastly, I will explain Tor’s development plans to continue to evade censorship and enable thousands of users around the world to access a free and open Internet.

Post-Exploitation Tu-Dot-Oh!

Presented  by: Rich Smith

As the technology landscape evolves to embrace new paradigms & usage patterns, consideration must be given to the effects these changes have on the attack tooling and strategies used in the assessment of this dynamic environment. This presentation focuses on how approaches to post-exploitation can be altered to meet these changing technologies,

along with the considerations those undertaking such attack assessments should be aware of.

A novel proof of concept implant will be demonstrated and discussed to show how a number of currently used post-exploitation techniques can be improved upon to better provide the capabilities required for long term, complex attack engagements against todays changing infrastructure.

Security Testing 4G (LTE) Networks

Presented by: Martyn Ruks, nils

4G is here, or more accurately LTE implementations (another way of saying 4G) are being trialled and will be rolled out more widely in the UK in the near future. One of the changes in LTE networks is the use of IP for all communications between components, this improves scalability but does it also increase the risk of successful compromise? MWR have been working with a number of major players in this space and have gained significant experience in the technology, learning how it can be security tested and ultimately how it should be secured. This talk will provide an overview of the security of 4G networks and more importantly how they should be tested. From this talk the audience will take away a better understanding of LTE deployments, how they could be attacked and how we can gain assurances about their security.

What the HEC? Security implications of HDMI Ethernet Channel and other related protocols

Presented by: Andy Davis

VGA is dead (or at least dying), long live HDMI! The VGA socket on the back out your PC is 25 years old and with new PCs and laptops we’re starting to see a change – to HDMI, but under the hood this brings many other capabilities than just displaying video.

At Black Hat Europe 2012 I discussed the security of the EDID protocol which allows displays to communicate their capabilities to hosts over interfaces such as HDMI and VGA. I also touched on a number of other, very new HDMI-based protocols: CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel). In this talk I will focus on the security of these protocols, how they will affect consumer network security and also their implications in the corporate world. I will also demonstrate a CEC security testing tool called CECSTeR.

Malware analysis as a hobby

Presented by:  Michael Boman, Siavosh Zarrasvand

How can one with limited time and budget create an environment that analyses suspected sites and software for malicious behaviour at speed? For one thing you need to engineer yourself out of the equation, and this is how we did it.

An Idiot Abroad

Presented by: Don A. Bailey

Travel seems less tedious and scary than ever before in history. We can sit in a temple thousands of years old in east Java while using Java to browse the Internet on our mobile phone. We can MMS photos of ourselves covered in painted spices during Holi in Bombay. But, what about how we feel about our environment beyond the phone and the laptop? Our environment is becoming more entwined with our technological presence. With Zigbee, Low Power Bluetooth, RFID, and NFC, we can integrate our preferred environmental preferences more and more in the modern world, from casinos in Las Vegas to five star villas in Singapore. But, what controls these systems? And how are they affected by security? And how can the security of these seemingly simple devices affect us? “An Idiot Abroad” will demonstrate how the components at the core of traffic control systems, IP cameras, security access units, and electrical control systems, are all affected by security weaknesses. The presenter will demonstrate how patterns can be detected in firmware where symbols and other compilation options are not necessarily present, which allow attackers or reverse engineers to find vulnerabilities and critical sections of code quickly and efficiently. Examples will be given of how to take a little known microcontroller and reverse engineer the firmware, in some cases without even having access to the instruction set. Then, the presenter will demonstrate how vulnerabilities in these simple devices can lead to interesting, and sometimes dangerous, exploits.

Toppling Domino – Testing security in a Lotus Notes environment.

Presented by: Darren Fuller

Although there have been a number of technical papers published by different researchers covering Lotus Notes/Domino security it is rarely covered by the wider pen testing community.  In this presentation I’ll aim to give a general overview of Domino security and demonstrate ways of breaking in.  This will cover security issues from the point of view of the webserver, native Domino server and demonstrate some tricks you can use from the client side of things.


Presented by: nils, Rafael Dominguez Vega

Pin Pads or Payment Terminals are widely used to accept payments from customers. These devices run Payment Applications on top of the device specific firmware. It shouldn’t come as no surprise to anyone that these applications and operating systems are just as vulnerable as any other systems when it comes to handling user input.

As the use of Chip and Pin continues to replace the fairly basic magnetic stripe cards, these devices are handling more and more complex information from untrusted sources; namely the EMV protocol spoken by all major payment smart-cards. On top of this many of these terminals are connected through Ethernet, GPRS, WiFi or phone lines, which add to the overall attack surface.

We will demonstrate that memory corruption vulnerabilities in payment terminals and applications are a reality and that they can be used to gain code execution on the terminals. Furthermore we will demonstrate and discuss potential payloads and how these can profit an attacker.

Surveillance cameras. The real-world has them everywhere, why not your computer?

Presented by: Michael Viscuso

There are hundreds if not thousands of real-time detection and prevention products on the market, all claiming to defend your assets against the most sophisticated attackers.  But the headlines uncover the truth… “75,000 Facebook passwords stolen”, “RSA hacked!”, “Criminals steal $6.7M in cyber bank heist”, “Zappos resets 24 million users’ passwords”. Each one of these companies had firewalls in place, up to date anti-virus signatures, the most sophisticated email filtering, etc.  What’s wrong?  Why are digital assets so hard to protect?

This presentation will take a deeper look into “the hacker problem” – from a hacker’s perspective – and let you in on the secrets that will change your approach to security forever.

There will be further updates – in addition there are still  Fast Track talks and the Workshops that will be happening during 44Con 2012  to be announced.

Note: Talks are subject to change.