Conference Schedule 2013

Track 1 Track 2
9h30‐10h25 Angelo Brancato — How to increase the chance to detect and stop a Targeted Attack AKA Advanced Persistent Threat (APT) Richard
Lane — ISC2 : Safe & Secure Online Initiative — Educating Children and Preparing Your Future Workforce
10h30‐11h25 Mario Heiderich — XSS from 1999 to 2013: The “Doctrine Classique” of Websecurity Ian Pratt — The Soul of the New Machine: The Role of Hypervisors in Next Gen Information Security
11h45‐12h40 Ruchna Nigam — Guns and Smoke to fight Mobile Malware Eloi San Felix – Modern embedded systems analysis
13h30‐14h25 Stephen Ridley & Stephen Lawler – Advanced ARM exploitation Patrick Trinkler & Matthieu Legré — Boîte à outils de l’espion à l’heure des communications par fibre optique
14h30‐15h25 Bruno Kerouanton & F6ITU — Software Defined Radio “hacks” Mario Heiderich — The innerHTML Apocalypse — How mXSS attacks change everything we believed to know so far
15h45‐16h40 Charlie Miller — Hacking phones with Near Field Communication Paul Rascagneres – Le projet Malware.lu
16h45‐17h40 Pascal Junod — Chasse à l’Hash-DoS François Deppierraz & Nicolas Desir – Comment j’ai créé un ISP dans mon garage

Charlie Miller

Charlie Miller is currently on the Product Security Team at Twitter. Previously he had been a consultant at Accuvant Labs and Independent Security Evaluators. Before that, he spent 5 years at the NSA. He was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has hacked batteries, Second Life, and iOS codesigning. He has authored three information security books and holds a PhD from the University of Notre Dame

Hacking phones with Near Field Communication

Near Field Communication (NFC) has been used in mobile devices in some countries for a while and is now emerging on devices in use in the United States. This technology allows NFC enabled devices to communicate with each other within close range, typically a few centimeters. It is being rolled out as a way to make payments, by using the mobile device to communicate credit card information to an NFC enabled terminal. It is a new, cool, technology. But as with the introduction of any new technology, the question must be asked what kind of impact the inclusion of this new functionality has on the attack surface of mobile devices. In this talk, we explore this question by introducing NFC and its associated protocols.

Next we describe how to fuzz the NFC protocol stack for two devices as well as our results. Then we see for these devices what software is built on top of the NFC stack. It turns out that through NFC, using technologies like Android Beam or NDEF content sharing, one can make some phones parse images, videos, contacts, office documents, even open up web pages in the browser, all without user interaction. In some cases, it is even possible to completely take over control of the phone via NFC, including stealing photos, contacts, even sending text messages and making phone calls. So next time you present your phone to pay for your cab, be aware you might have just gotten owned.

Ian Pratt

Ian Pratt is Chairman of Xen.org, the organization that leads development of the open source Xen hypervisor. He has led the architecture and development of Xen since 2001. He was a co‐founder of XenSource, which was acquired by Citrix, and where as VP of Advanced Products he led development of XenServer and XenClient/XT.

Ian held a tenured faculty position at the University of Cambridge Computer Laboratory for 10 years, where he led Systems Research. He holds a PhD in Computer Science, is a Fellow of the Institute of Engineering and Technology, and a Fellow of the Royal Academy of Engineering, which awarded him its Silver Medal in 2009.

The Soul of the New Machine: The Role of Hypervisors in Next Gen Information Security

The software on modern PCs and mobile devices has become too large and complex to secure via conventional means, making it an easy target for malware. In parallel, virtualization has become ubiquitous as a means of secure multi‐tenancy in cloud environments. This talk presents the evolution of virtualization techniques to bring multi‐tenancy concepts to PCs and mobile devices, as they remain the weakest link in the security chain.

Ian will present a powerful architecture called “micro‐virtualization” that uses hardware‐assisted virtualization on PCs and mobile devices to retrofit robust isolation and protection at a granular level within any client OS. The approach relies on the use of a lightweight hypervisor to enforce run‐time isolation between user tasks: every document, email attachment, web site etc is a different task and will open in its own isolated environment with access to just the resources necessary to complete the task.

The hypervisor has been collaboratively developed by the open source community as an extension of the Xen hypervisor – already proven in the world’s largest public clouds. The hypervisor is the most privileged software in the system and ensures its own integrity and that of all virtualized tasks, even in the presence of a malicious host OS, making it well suited to protecting privileged data in “Bring Your Own Device” scenarios.

A task that is compromised by malware, including kernel exploits and root kits, is confined to its own isolated environment, with least‐privilege access to files, networks, and devices. Tasks execute Copy‐on‐Write and are discarded, together with any malware, when the task completes. The use of virtualization hardware for isolation ensures that isolated tasks run with native performance, a critical requirement for a device offering a graphically rich user experience.

The application of micro‐virtualization is set to have a profound impact on the way that client systems defend themselves – shifting away from a failing “detection‐based” approach towards a more proactive “isolation‐based” approach.

Mario Heiderich

Mario Heiderich is a Microsoft security contractor and founder of the German/UK pen‐test outfit Cure53. He focuses on HTML5, SVG security and believes XSS can be eradicated by using JavaScript. Maybe. Some day.

Mario invoked the HTML5 security cheat‐sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and security consultancy for larger German and international companies for sweet sweet money and the simple minded fun in breaking things.

Mario has spoken on a large variety of international conferences, co‐authored two books, several academic papers and doesn’t see a problem in his one year old son having a tablet already.

XSS from 1999 to 2013: The “Doctrine Classique” of Websecurity

XSS attacks were first documented about 15 years ago. Since then, the attack technique has undergone an evolution, that resembles the classic dramatic theory — including catastasis, heroism, villainy and peripeteia.

Now, HTML and JavaScript enter the world of operating systems and the XSS tragedy is on the verge of becoming a nightmare beyond human control. The once harmless “alert” is now a black swan of code execution, the phantom of the browser, Gretchen and Mephistopheles at the same time.

This talk attempts to go back into the early past and unveil the causes for XSS, point fingers at the true evil that made the Internet what it is today, outline our mistakes and the general failure of the fat‐bellied websecurity community and try to leave the hope, that not all will be lost in the realms of the WWW.

The innerHTML Apocalypse — How mXSS attacks change everything we believed to know so far

This talk introduces and discusses a novel, mostly unpublished technique to attack websites that are applied with state‐of‐the‐art XSS protection. This attack labeled Mutation‐XSS (mXSS) is capable of bypassing high‐end filter systems by utilizing the browser and its often unknown capabilities — every single one of them.

We analyzed the type and number of websites that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to be understood and researched even further.

The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step‐by‐step guide on how to protect against this kind of mayhem — with a strong focus on feasibility and scalability.

Stephen Ridley & Stephen Lawler

Stephen Lawler is the Founder and President of a small computer software and security consulting firm. Mr. Lawler has been actively working in information security for over 7 years, primarily in reverse engineering, malware analysis, and exploit development. While working at Mandiant he was a principal malware analyst for high‐profile computer intrusions affecting several Fortune 100 companies. Prior to this, as a founding member of the Security and Mission Assurance (SMA) division of a major U.S. Defense contractor where he discovered numerous 0‐day vulnerabilities in “Commercial‐Off‐The‐Shelf” (or COTS) software and pioneered several exploitation techniques that have only been recently discovered and published publicly. Prior to his work at a the major defense contractor, Stephen Lawler was the lead developer for the AWESIM sonar simulator as part of the US Navy SMMTT program.

Stephen A. Ridley is a security researcher with more than 10 years of experience in software development, software security, and reverse engineering. Before becoming an independent researcher, Mr. Ridley served as the Chief Information Security Officer of a financial services firm and prior to that was a Senior Researcher at Matasano. He also was Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S defense contractor where he did vulnerability research and reverse engineering in support of the U.S. intelligence community. He has spoken about reverse engineering and software security at BlackHat, ReCon, CanSecWest, EuSecWest, Syscan and other prominent information security conferences. Mr. Ridley currently lives in Manhattan and frequently guest lectures at New York‐area universities such as NYU and Rensselaer Polytechnic Institute.

Richard Lane

Richard Lane is currently the Head of Information Security for one of the United Nations agencies in Geneva, and has been working in the Information Security management field for over 10 years in a variety of industries. He currently sits on the EMEA Advisory Board for (ISC)2, the Chapter Board for the Swiss Chapter of (ISC)2, and is also on the governance committee for the (ISC)2 Foundation – the charitable arm of (ISC)2 that oversees the Safe and Secure Online program (amongst others). He is responsible for introducing the Safe and Secure Online program to Switzerland as part of the global expansion of the program which has been in operation since 2006 and has reached over 85,000 children to date.

ISC2 : Safe & Secure Online Initiative — Educating Children and Preparing Your Future Workforce

With the proliferation of mobile devices and social networking, children are more susceptible to online dangers than ever, and lack the life skills and experience to truly appreciate the consequences of their actions online. This is reflected in the dramatic increase in suicides due to cyberbullying, as well as the increase in the number of children dropping out of, or performing badly at, school due to excessive time spent online outside of school hours. These behaviours quickly become ingrained, and have the potential to translate into future problems for companies with young employees who lack the basic understanding of “cyberethics”. It is of utmost importance to teach children early‐on, how to be safe and responsible digital citizens, and this is the goal of the (ISC)2 Safe and Secure Online program. During this presentation, we will examine some of these critical behaviours and identify how this may translate into organizational security risks, and see how the (ISC)2 Safe and Secure Online program seeks to address these issues in the classroom.

Bruno Kerouanton & F6ITU

Bruno Kerouanton is a former Demomaker and has also worked on electronics a looooong time ago (but still remembers enough, though). During the old’ days, he even used to play with PIC microcontrolers and designed some stuff for fun and for profit for different french companies. His appeal for radio reception was born when he was 8, living abroad in a country without telecommunications except radio. Since then, he spent numerous hours tuning and listening to different worldwide broadcasters, even now that Internet is making webradios available everywhere. And he continues studying radio‐amateur theory and electronics, just because understanding science is much more fun than just clicking on a webradio button.
http://éé.net

F6ITU is a french IT journalist, and incredibly knowledgeable person on all sorts of topics from ancient philosophy, fundamental science and obviously IT. Apart from writing articles for different magazines, his main hobby is into electronics and Amateur Radio, thus his legal handle “F6ITU”. His deep knowledge of analog ciruitry design and (insanely) high‐frequency theory and practice helped him build a very nice lab in his home, where he designs and solders its own RF cards, spectrum analysers and Vector Network Analyzers ! He is also an active member of the Electrolab Hackerspace in Paris/Nanterre.

http://f6itu.wordpress.com

Software Defined Radio “hacks”

Les Software Defined Radio sont une petite révolution. Autrefois nécessitant de coûteux et complexes équipements, l’informatique a permis de transposer sous forme logicielle les technologies de décodage du spectre radio. Du coup, un univers autrefois inaccessible le devient pour de nombreux hackers passionnés. Interception de communications, de protocoles réservés, et autres possibilités intéressantes. Sans oublier qu’il est également possible techniquement d’envoyer des données… Les possibilités sont infinies et on voit tout l’enjeu dans le domaine de la SSI que représente le hack radio, ou plus précisément la démocratisation des SDR.

Pascal Junod

Pascal Junod est cryptographe et professeur en sécurité de l’information à l’HEIG-VD d’Yverdon-les-Bains; il adore passer son temps à jouer avec du logiciel cryptographique, la sécurité logicielle, la protection logicielle et les techniques de (dés-)obfuscation.

Chasse à l’Hash-DoS

Après avoir rappelé ce qu’est un Hash‐DoS et leur historique, nous allons discuter la découverte récente de quelques cas intéressants dans du logiciel open‐source.

Paul Rascagneres

Paul Rascagneres est consultant et chercheur en sécurité. Il travaille pour des institutions financières et européennes au Luxembourg. Il est le créateur du projet malware.lu, spécialisé dans le partage et l’analyse de malware, ainsi que le responsable du premier CSIRT privé luxembourgeois: Malware.lu CERT. Il est également développeur d’exploit et contributeur du projet metasploit.

Projet Malware.lu

La conférence portera sur le projet malware.lu. Elle présentera le projet, ce qui a déjà été fait, son avenir ainsi que l’intérêt du partage d’échantillons de malwares. Le logiciel libre malwasm, un debugger hors ligne, sera également présenté et une démo sera réalisée pendant la conférence.

Patrick Trinkler & Matthieu Legré

Patrick Trinkler est en charge de la Recherché et du Développement chez ID Quantique SA à Carouge. Matthieu Legré est le Principal Scientist d’ID Quantique. Ils ont participé à la réalisation de plusieurs produits pour le chiffrement des réseaux informatiques à haut débit et la distribution quantique de clés de chiffrement.

Boîte à outils de l’espion à l’heure des communications par fibre optique

Petit aperçu de la boîte à outils de l’espion à l’heure des communications par fibres optiques.

François Deppierraz & Nicolas Desir

Nicolas Désir est co‐fondateur du réseau communautaire lausannois Saitis (AS6893).

François Deppierraz est ingénieur télécom. HES. Il est impliqué dans plusieurs associations (GULL, FIXME) ainsi que des projets de logiciels libres.

Ils sont actuellement associés au sein de Nimag Networks Sàrl, société basée à Lausanne, spécialisée en services Internet et infrastructure basé sur des logiciels libres.

Comment j’ai créé un ISP dans mon garage?

Eloi Sanfelix Gonzalez

Eloi works as a Senior Security Analyst at Riscure, a security test lab in The Netherlands. He has an MSc in Telecommunications Engineering obtained at the Polytechnic University of Valencia in Spain. Additionally, he received formal education on Information Security while studying as an exchange student at the Technische Univeristeit Eindhoven. This included background in cryptography, software and operating system and hardware security.

He has over 4 years of professional experience on assessing the security level of a wide variety of software and hardware systems, including smart cards, Pay‐TV chipsets and STBs and smart metering systems.

Outside his daily job, he is also a member of int3pids team. int3pids participates in several online wargames and CTFs, as well as several on‐site CTFs around the globe.

Modern embedded systems analysis

This talk will provide a walk through modern secure embedded systems and present different common security mechanisms implemented to address problems such as code integrity and data confidentiality. This includes implementations of secure boot mechanisms and hardware‐protected secure key storage. We will look at common ways to implement these mechanisms and at different ways to attack them from a ardware perspective. This will cover both side channel analysis (e.g. power analysis) as well as fault injection attacks (e.g. voltage glitching).

Angelo Brancato

Angelo Brancato works as a Senior Solution Architect at HP – Enterprise Security Products – and is responsible for the EMEA region. With an academic degree of science in computer science and 10 years of experience in the it security circus his current area of focus is Intrusion Detection and Prevention Systems (IDS/IPS), Security and Information Management Systems (SIEM) and Source Code Analysis (SCA).

How to increase the chance to detect and stop a Targeted Attack AKA Advanced Persistent Threat (APT)

In this talk and Live‐Demonstration we’ll be plain talking about the marketing term Advanced Persistent Threat (APT) and show a real‐world attack that falls into that definition breaching a live system and look at the countermeasures.

Ruchna Nigam

Ruchna Nigam is a security researcher at FortiGuard Labs and works with PC and mobile malware. She is also interested in aspects of security like biometrics and encryption schemes and is getting used to referring to herself in third person.

Guns and Smoke to fight Mobile Malware

You’ve already reversed Android applications with baksmali and apktool? That’s great! But how about learning a few new tricks with those tools and others? This talk will discuss some advanced features we used to defeat mobile malware received during the last 6 months. Or hacking challenges 🙂