Speakers
Speaker Selection
We promised to list our CFP selection committee. This team reviewed a ton of quality papers. A true thanks goes out to these folks: 3ric, Bob Fleck, cazz, cowboym, freshman, gdead, Johnny Long, Ken Caruso (ipl31), Shmoo Manchu, w0mbat
Keynote Speaker - Avi Rubin
Bio
Dr. Aviel D. Rubin is Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University. Professor Rubin directs the NSF-funded ACCURATE center for correct, usable, reliable, auditable and transparent elections. Prior to joining Johns Hopkins, Rubin was a research scientist at AT&T Labs. He is also a co-founder of Independent Security Evaluators (securityevaluators.com), a security consulting firm. Rubin has testified before Congress on several occasions, and he is the author of several books including Brave New Ballot (Random House, 2006), Firewalls and Internet Security, second edition (with Bill Cheswick and Steve Bellovin, Addison Wesley, 2003), White-Hat Security Arsenal (Addison Wesley, 2001), and Web Security Sourcebook (with Dan Geer and Marcus Ranum, John Wiley & Sons, 1997). He is Associate Editor of IEEE Transactions on Software Engineering, Associate Editor of ACM Transactions on Internet Technology, Associate Editor of IEEE Security & Privacy, and an Advisory Board member of Springer's Information Security and Cryptography Book Series. In January 2004 Baltimore Magazine named Rubin a Baltimorean of the Year for his work in safeguarding the integrity of our election process, and he is also the recipient of the 2004 Electronic Frontier Foundation Pioneer Award. Rubin has a B.S. ('89), M.S.E. ('91), and Ph.D. ('94) from the University of Michigan.
OLPC Panel - Sean Coyne, Ivan Krstic, Jason Scott, Scott Roberts
A Plenary Session on the Security and Social Impact of the One Laptop Per Child program
The Children's Machine, also known as the XO-1 and previously as the $100 Laptop, is a low-cost, power-efficient and durable machine developed by faculty members of the MIT Media Lab at the One Laptop per Child non-profit organization (OLPC). The laptop's purpose is to redefine learning for children in developing countries, particularly those living in the most remote areas and in the poorest of countries, by providing them with access to knowledge and modern forms of education. The laptops contain flash memory instead of hard drives and use a custom operating system based on Fedora Core Linux, which includes a new security architecture called Bitfrost. They are built to utilize wireless mesh networking, a form of mobile ad-hoc networking, to allow machines to communicate without requiring configuration by the user. The laptops will be sold to governments and issued to children by schools on the basis of one laptop per child.
What may be the consequences of such a massive distribution of computers to children in developing nations? A much larger Internet population in a few short years appears to be a certainty. Will tens or hundreds of millions of computers running Linux drastically alter the computer security landscape? What is the potential for the laptops to be abused by criminals or closed and oppressive governments? And how will the Internet affect millions of children who find themselves with access to a world decades ahead of their own culture?
Bio: Sean Coyne
Beginning his career as the only Business School member of Penn State's NSA Center for Information Assurance Excellence, Sean is now a sought-after consultant at Booz Allen Hamilton specializing in Information Security for government clients. Sean's technical know-how coupled with a big-picture view has led him to help found the Vulnerable Minds think tank, studying the impact of information security on society.
Bio: Ivan Krstic
LiveJournal doesn't have an angry mood anymore, as Ivan Krstić used it all up. Ivan has been angry on all seven continents.
Bio: Jason Scott
Jason Scott runs TEXTFILES.COM, an online collection of the last 30 years of Bulletin Board System-era history, files and artifacts. He is also the director of "BBS: The Documentary" (www.bbsdocumentary.com), a 3-DVD, 8-episode documentary about the BBS, a project 4 years in the making. He has begun production on GET LAMP (www.getlamp.com), a documentary on text adventures. He speaks on topics of computer history and social commentary at various conferences, including Shmoocon 2006, where he presented a history of hacker conferences. Jason currently lives in Massachusetts, and is secretly in love with Bruce Potter.
Bio: Scott Roberts
An up-and-coming member of the DC InfoSec community. Scott began his interest in Information Security trying to get access to the Internet in 9th grade computer classes, and it has led him to a position as a Global Security Analyst at Symantec Managed Security Services. Along with Vulnerable Minds, a think tank he helped found, Scott is also involved in various projects involving Snort, large scale architectures, and teaching information assurance.
Ofir Arkin
Bypassing NAC Systems (Part II)
The threat of viruses, worms, information theft and lack of control of the IT infrastructure leads companies to implement security solutions to control access to their internal IT networks. A new breed of software (Sygate, Vernier Networks, Microsoft, etc.) and hardware (Cisco) solutions from a variety of vendors has emerged recently. All are tasked with one goal: controlling access to a network, using different methods and solutions. This presentation will examine the different strategies used to provide network access control. Flaws associated with each and every NAC solution presented will be described. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.
Bio
Ofir Arkin is the CTO of Insightix, leading the development of the next generation of IT infrastructure discovery, monitoring and network access control systems for enterprise networks. Ofir has more than 10 years of experience in data security research and management. He has consulted and worked for multinational companies in the financial, pharmaceutical and telecommunication sectors. Ofir is the author of a number of influential papers on information warfare, VoIP security, network discovery and network access control, and lectures regularly at security conferences. Ofir is the founder of Sys-Security Group, a computer security research group.
Eoin Miller and Adair Collins
Auditing Cached Credentials With Cachedump
Our presentation will be on auditing cached Windows credentials using a combination of the cachedump tool and a custom Visual Basic script. The default behavior of Microsoft Windows domain members is to cache the last 10 different login credentials in the registry. One of the easiest ways to obtain Domain Administrator privilege on a Windows Domain is to compromise a desktop, laptop or member server and use the cachedump tool to reveal the cached domain credentials. The attacker will then launch a brute force or dictionary cracking attack against the cached credentials. This can lead to complete compromise of the entire domain if the cracked password corresponds to an account that is a member of the Domain Admins group.
The presentation will show how to utilize the cachedump utility in conjunction with a Visual Basic script to remove cached credentials from systems based upon the group membership of the user in Active Directory. This will be illustrated in a test domain environment using VMWare and all source code for the Visual Basic script will be provided. The circumstances under which credentials are cached will be listed (console login, runas, RDP, etc) along with the current configuration options available to stop them from being cached. Lastly, suggestions will be presented for Microsoft to update their login process and group policy settings to allow for more granular control of which credentials will be cached.
Bio: Adair Collins
Adair has over twelve years of experience in the information technology industry. He is a multiplatform tester with expertise performing network, host, wireless, and web application vulnerability assessments and penetration tests for commercial and government clients. He has led and performed tests within a broad range of environments, including Supervisory Control and Data Acquisition (SCADA) and government classified (SCI, Top Secret, and Secret) networks. Adair has developed several highly successful network and wireless penetration testing methodologies and toolkits. He has identified several previously undiscovered critical vulnerabilities in a wide variety of commercial products and applications. In addition, Adair has been a frequent speaker at several security conferences.
Bio: Eoin Miller
Eoin has 8 years of experience in the information technology industry. His security experience is rooted in his strong Windows and UNIX system administration background. In recent years, his career has been primarily focused upon performing product vulnerability assessments for the Intelligence Community. Through the course of his assessments, he has identified hundreds of previously undiscovered critical vulnerabilities in a wide variety of products and applications. Eoin has reviewed many complex systems including highly customized Windows and Linux based embedded operating systems. Eoin's findings have led to the removal of systems that were deployed in war zones and installed on sensitive government networks.
Presmike and Cygnus
Designing and Responding to Targeted Network Attacks Against the Enterprise
Corporate networks are under attack by increasingly sophisticated attackers. Gone are the days of simple port scans and misconfigured firewalls. The usual suspects associated with Internet attacks are at the forefront of every security practitioner's mind. Today's custom targeted attacks will become commonplace in the next 5 years. Current targeted attacks can only be handled by advanced Incident Response Teams who are aware of the threats and capable of detecting them. Understanding these attacks provides a forward-looking perspective on network defense. We will discuss targeted attack design principles and walk through a targeted attack from inception to the final IR process.
Bio: Presmike
Presmike has held various IT positions since he was old enough to fill out a W4. He currently runs the Incident Response team for a very large and active network here in DC. He is most happy with a little bit of network data and a hard drive full of secrets.
Bio: Cygnus
Cygnus has held positions in several fields performing security work and sees users as a root cause of most incidents and believes the best way to deal with them is with a wiffleball bat, duck tape, and a bag of Oreos. He is an IR analyst in the DC area and is most interested in creating and defending networks.
Presmike and Cygnus are both members of the Hacker Pimps
Joe Stewart
"My Company's Trade Secrets Went to China and All I Got Was This Lousy Pink Slip" - Defending Against Data-Exfiltrating Malware
For over three years, a concerted effort has existed to use malware to exfiltrate data from companies and governments in the USA and Europe. Although little is known about just who is bankrolling these efforts, it is clear that they are after trade and state secrets, and the end destination for most of these documents is somewhere in China. At the same time, Eastern European hackers use malware in a similar fashion to steal banking and other credentials from end-users to commit fraud.
Little defense against these schemes is provided by conventional anti-virus, as the bad guys evade the anti-virus signatures as quickly as they are written. Extrusion detection and prevention is proving itself to be more valuable by detecting the exfiltration of data by the unique fingerprints of traffic generated by the malware - something that changes less often than with each variant. But, if the bad guys have access to the same signature set, they can evade network detection as well.
This presentation is designed to give network administrators the tools to develop their own private extrusion detection ruleset by expanding on the concept of the sandnet as presented by this speaker at last year's ShmooCon. This year, speed is the focus of our automated malware analysis, and Snort-based extrusion detection rules are the product. With a relatively simple one-system sandnet, the time from obtaining a malware sample to packet capture can be measured in seconds, allowing custom Snort rules to be written with minimal effort.
Bio
Joe Stewart, GCIH - Senior Security Researcher with SecureWorks, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. He is a SANS Global Information Assurance Certified Incident Handler (GCIH) and has been in the information security field for six years. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit, Phatbot, SpamThru and other cyber-threats and attack techniques.
Renderman, Al Potter, and Russ Housley
Standard Bodies... What are these guys (drinking)?
This panel discussion is intended to recreate and expand on a conversation originally between RenderMan and Al Potter, which occurred during The Summit, the 2006 EFF fundraiser at DEFCON 14 (2006).
Render, a frequent critic of the fruit of standards body efforts (think IEEE 802.11 et al.) and Al, a former member of the IEEE 802.11i working group and an occasional IETF visitor, had a frank and honest discussion centering on what motivates folks (positively and otherwise) in standards bodies, what really goes on in their heads, why standards development takes so long, etc. We intend to expand this conversation by adding Russ Housley, also an IEEE 802.11i member, a long-time participant in numerous IEEE, IETF and other standards efforts, and currently one of the two Security Area Directors in the IETF, and by inviting the audience to assist Render in posing pointy questions.
Bio: Renderman
RenderMan has been a fixture in the wardriving community for many years. He never seems to be out of crazy projects and ideas, never very far from wardriving news, often causing it himself. He spends his time working on things like the 'stumbler ethic', Worldwide wardrive, 'the warpack' and the Church of Wifi. When not working to make wardriving an acceptable hobby, he can usually be found taking something apart, creating an army of cybernetic stuffed animals, running the Defcon wardriving contest, or more likely, at the hotel bar.
Bio: Al Potter
For the past 10 years, Al has worked in various technical and management roles at ICSA Labs, testing commercial information security products and participating in standards bodies, including IEEE 802.11i. Previously, Al provided information security services to the US DoD as a contractor for SAIC, and was an Artillery Officer in the US Army.
Bio: Russ Housley
Russ Housley has worked in the computer and network security field since 1982. Before starting Vigil Security, Russ worked at the Air Force Data Services Center (AFDSC), Xerox Special Information Systems (XSIS), SPYRUS, and RSA Laboratories. In March 2003, Russ accepted the position of Security Area Director in the Internet Engineering Task Force (IETF), which makes him a member of the Internet Engineering Steering Group (IESG). Previously, Russ chaired the IETF Secure MIME (S/MIME) Working Group, was editor for several cornerstone Internet PKI standards (including RFC 3280), and was recognized by the IEEE 802.11 working group for significant contributions to IEEE 802.11i.
Matt Fisher, Cygnus and PresMike
Web Application Incident Preparation
As a result of mandates, e-gov and e-com initiatives, web applications are being rolled out with increasing speed and frequency. Naturally a new set of security concerns accompany these (see F1sh's talk last year) but there's a real challenge in the area many don't see: Incident Response. Come learn how web application attacks can frustrate your IR efforts, and some simple best practices you can take to be more prepared for the inevitable attack and subsequent IR and forensics. This talk will identify the issues surrounding web app incident response and things to look for during an investigation. We will also examine some things that should be done up front to lower your attack surface and provide an investigator the best evidence.
Bio: PresMike
Presmike has held various IT positions since he was old enough to fill out a W4. He currently runs the Incident Response team for a very large and active network here in DC. He is most happy with a little bit of network data and a hard drive full of secrets.
Bio: Matt Fisher
Matt Fisher is a Senior Security Engineer for SPI Dynamics. As an actual local he frequently consults to the .mil and .gov, is registered as a subject matter expert to the Defense Information Services Agency, and has trained and consulted to staff at several scary agencies. He has spoken at ShmooCon, ToorCon, DallasCon, CSI, MISTI, and countless other conferences. He likes long walks along the beach and poorly written PHP applications, and knows why TLA is recursive.
Bio: Cygnus
Cygnus has held positions in several fields performing security work and sees users as a root cause of most incidents and believes the best way to deal with them is with a wiffleball bat, duck tape, and a bag of Oreos. He is an IR analyst in the DC area and is most interested in creating and defending networks.
Richard Bejtlich
The Pain of Network Intrusion Detection/Prevention
Four years ago Gartner declared intrusion detection systems a "market failure," saying they would be obsolete by 2005 and that "money slated for intrusion detection should be invested in firewalls." Gartner was wrong about the firewall aspect but right that traditional IDS should be dead.
This presentation will examine why popular alert-centric systems, whether IDS, IPS, or SIM/SEM/SIEM are doomed to be a source of frustration. I draw conclusions based on trying to use open source and commercial tools during recent incident response engagements. In brief, effective network defense requires understanding the network, not necessarily buying another tool.
I will present a method of looking at the intrusion resistance, detection, and response problem that combines intelligent inspection of live network traffic with layered collection of network forensics data. Attendees will be able to leave the talk and immediately implement these ideas using open source tools on commodity hardware.
Bio
Richard Bejtlich is founder of TaoSecurity. He was previously a principal consultant at Foundstone. Richard created network security monitoring operations for ManTech and Ball Corporations. From 1998 to 2001 then-Captain Bejtlich defended global American information assets in the AFCERT. Formally trained as an intelligence officer, Richard is a graduate of Harvard University and the United States Air Force Academy. He wrote "The Tao of Network Security Monitoring" and "Extrusion Detection," and co-authored "Real Digital Forensics."
Hank Leininger and Klayton Monroe
Home-grown Crypto (aka Taking a Shiv to a Gun Fight)
From the perspective of application and infrastructure security assurance testing, this technical presentation takes attendees through a range of case studies that illustrate the all too common problem of using home-grown crypto. Each of the case studies examines the logic that led the developers to use flawed crypto, how the flaw was detected, screenshots of the flaws, and the impact to the system it served. The case studies range from traditional financial services applications to the unique challenges posed by mobile applications, as follows:
- Obfuscation Gone Bad
- Keys? We Don't Need No Stinking Keys
- We Don't Need Logic, We've Got Crypto!
- No Worries, We are using 3DES
- We Have Both Kinds: AES and XOR
- The House Always Loses?
- Can't Crack SSL? Just Talk Plaintext!
- Take My Data. Please!
- Mobile Application Security-A Target Rich Environment
The presentation also introduces the concept of Session ID pre-hash analysis based on research done by Klayton Monroe.
Bio: Klayton Monroe
Klayton has over 12 years of experience in network security, computer forensics, incident response, reverse engineering, software development, and training. He is the developer of numerous security tools including FTimes, HashDig, and WebJob. In 2006, he helped win the Digital Forensic Research Workshop (DFRWS) 2006 File Carving Challenge. Prior to founding KoreLogic, he worked as a security engineer at META Security Group, Cable & Wireless, Exodus Communications, Arca Systems, and the National Security Agency.
Bio: Hank Leininger
Hank is a KoreLogic founder and has over 10 years of experience in network security, Linux security, incident response, security assessments, and penetration testing. He is an author of numerous Dragon IDS signatures and manages http://marc.theaimsgroup.com - a respected security mailing list archive. Prior to founding KoreLogic, he worked as a security engineer at META Security Group and the Securities and Exchange Commission (SEC).
Sergey Bratus
Simple entropy-based heuristics for log and traffic analysis
I argue that introducing entropy-based features to log and traffic analysis tools allows the admins to quickly notice otherwise hidden anomalies and organize the data in ways that best show off the overall structure and peculiarities of each input data set.
Entropy and related information measures provide a way to describe the overall shape of data distributions in logs. This makes it easier to notice anomalous values, to cluster and summarize records for convenient browsing, and to notice correlations that may be hard to find otherwise. For large logs, it is easy to get lost scrolling down many screens of records; with entropic measures one can get a general idea of the composition of a data set and the most likely places to look for an anomaly. Together, these simple heuristics can significantly speed up log analysis. I will show off a prototype log viewing tool that incorporates them.
To demonstrate this approach for packet data, several new panes and a number of new functions are introduced into Ethereal (to be demoed).
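The heuristics the abstract describes (per-field entropy to see the shape of a log, per-value surprisal to spot the odd record, conditional entropy to find fields that move together) can be shown on a few lines of data. The following is an added example written for this page; it is not the speaker's prototype tool or his Ethereal panes. It assumes a constructed key=value log and a tunable margin of one bit for flagging values; both are assumptions, not anything from the talk.

```python
"""Entropy-based log triage: added example, not the speaker's prototype.

Scores a small constructed key=value log with Shannon entropy per field,
surprisal per value and conditional entropy between fields.  Field names,
the sample log and the one-bit flagging margin are all assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample: 15 routine logins from three hosts plus one odd record.
# pid changes on every line, port never changes, src/user/status are skewed.
SAMPLE_LOG = "\n".join(
    [f"pid={1000 + i} src=10.0.0.5 user=alice status=ok port=22" for i in range(5)]
    + [f"pid={2000 + i} src=10.0.0.7 user=bob status=ok port=22" for i in range(5)]
    + [f"pid={3000 + i} src=10.0.0.9 user=carol status=ok port=22" for i in range(5)]
    + ["pid=4000 src=198.51.100.23 user=root status=fail port=22"]
)

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn key=value lines into a list of dicts; blank lines are skipped."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def shannon_entropy(counts):
    """H = -sum p*log2(p) over a Counter of value counts, in bits."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def field_entropy(records, field):
    return shannon_entropy(Counter(r[field] for r in records if field in r))


def rank_fields(records):
    """Fields from most to least diverse.  High entropy means identifiers or
    noise (pid), zero entropy means constants (port); anomalies that matter
    tend to hide in the skewed fields in between."""
    fields = sorted({f for r in records for f in r})
    scores = {f: field_entropy(records, f) for f in fields}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def anomalous_values(records, field, margin=1.0):
    """Values whose surprisal -log2(p) exceeds the field's entropy by `margin`
    bits.  In a uniform field every value has surprisal == H, so nothing is
    flagged; a rare value in a skewed field stands out clearly."""
    counts = Counter(r[field] for r in records if field in r)
    total = sum(counts.values())
    h = shannon_entropy(counts)
    return sorted(v for v, c in counts.items() if -math.log2(c / total) > h + margin)


def conditional_entropy(records, target, given):
    """H(target | given): how much of `target` remains unexplained once the
    value of `given` is known.  Near zero means the two fields move together,
    equal to H(target) means `given` tells you nothing about it."""
    groups = defaultdict(Counter)
    for r in records:
        if target in r and given in r:
            groups[r[given]][r[target]] += 1
    total = sum(sum(c.values()) for c in groups.values())
    return sum(sum(c.values()) / total * shannon_entropy(c) for c in groups.values())


def triage(records, margin=1.0):
    """The summary an analyst reads first: field ranking plus flagged values."""
    flags = {}
    for field, _ in rank_fields(records):
        hits = anomalous_values(records, field, margin)
        if hits:
            flags[field] = hits
    return {"ranking": rank_fields(records), "flags": flags}


RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for field, h in rank_fields(RECORDS):
        print(f"{field:8s} H={h:.3f} bits  flagged={anomalous_values(RECORDS, field)}")
    print("H(status|src)  =", round(conditional_entropy(RECORDS, "status", "src"), 3))
    print("H(status|port) =", round(conditional_entropy(RECORDS, "status", "port"), 3))
```

Run as a script it prints the ranking with pid on top (4 bits, one value per line), port at the bottom (0 bits) and the three skewed fields in between, each with exactly one flagged value; pid is never flagged even though every one of its values is rare, which is the point of comparing surprisal against the field's own entropy rather than against a fixed count. H(status|src) comes out at zero because the failure is tied to one source host, while H(status|port) equals H(status) because the constant port carries no information.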
Bio
For the past five years, Sergey Bratus's post-doctoral research at Dartmouth's Institute for Security Technology Studies has been related to the application of information theory and machine learning to log analysis and other security topics. Before that, he worked as a research scientist at BBN on applications of similar techniques to Natural Language Processing, English text and speech.
Simple Nomad
Hacker Potpourri
This is a talk about numerous little projects that have been worked on that are not long enough or perhaps even interesting enough for a full talk, but strung together should be interesting. Topics covered will include firewall detection, IPS fingerprinting, spam, Dish Network DVR hacking, an update from last year's ShmooCon talk "Hacking the Friendly Skies" and a few other tidbits. Imagine a Dan Kaminsky talk except a lot more ghetto given by an old guy. Get off my lawn!
Bio
Simple Nomad is one of the world's most intriguing hackers. Intriguing means old, right? Working for Vernier Networks by day and hacking for NMRC by night, he lives in his own world of wonder and intrigue, conspiracy and paranoia, death and taxes. He has done hackerish things for years, enjoys a good Vodka, and regularly speaks at security conferences and speaks to the press about security issues.
Seth Fogie
Abusing Windows Mobile Software or Windows Mobile Software: Raw and Exposed
For years, PC software has been poked, prodded, and scrutinized for security bugs. As a result, desktop based software is slowly becoming more secure. Unfortunately, Windows Mobile (AKA Pocket PC or Windows CE) software has avoided this same level of scrutiny...until now.
This talk will expose Windows Mobile software for what it is - a bunch of buggy and insecure code. In the time allotted, we will look at several different programs (or genres of programs) and demonstrate why Pocket PC security must be taken seriously. From poorly designed software, to traditional local and remote buffer overflows, and back around to program abuses, we cover it all. If there is an attack vector, we will probably be discussing it from the mobile perspective.
The point of the talk is simply to raise awareness. When it comes to mobile device security - size shouldn't matter.
Bio
Seth Fogie is the VP of Airscanner Inc., a security software company that focuses on protecting devices that run the Pocket PC/Windows Mobile platform. Seth has co-authored several security books (Aggressive Network Self Defense, Security Warrior, etc.), numerous articles, technical reviews, and has presented at national security conferences, such as BlackHat, Defcon and RSA. In addition, Seth is a security co-host for InformIT.com, where he maintains a Security Reference Guide and writes and reviews articles and books.
Katie Moussouris (Moderator/Instigator)
Vulnerability Disclosure Panel Palaver (or 0-day: OK, No Way, or For Pay!)
There have been many panels and discussions on Vulnerability Disclosure at the major security conferences recently. I think that there's room for one more, but this one will be a bit different. For one, it will have ShmooBalls. For another, and equally important, it will feature a panel moderator (myself) who is the only person in the security industry actually qualified to be objective in all this.
Bio
It was the fall of 2004. I was a Senior Security Architect at @stake when I found myself suddenly acquired by Big Yellow. I made Big Yellow Lemonade in the form of founding the first program in Symantec's history to allow researchers employed by Symantec to publish their vulnerabilities. I lead Symantec Vulnerability Research (www.symantec.com/research).
I bring a unique perspective of having fulfilled three different roles in the Responsible Disclosure process at one time or another. At TurboLinux, I acted in the role of "Vendor" when I founded their security response group, receiving vulnerability reports from researchers and the security community and rolling the patches, which I then released via an advisory to our customers and to the bugtraq mailing list. I have also been a Researcher (the role of "Finder") myself, releasing one of the last advisories from @stake before we were acquired by Symantec. Now I serve in the role of "Coordinator", where I take vulnerabilities that Symantec employees find and coordinate joint public disclosure with the vulnerable Vendors. I still find a few myself, to be released through the SVR program I created.
David Hulton
Hacking the Airwaves with FPGAs
This talk will cover some of the new advancements for OpenCiphers with newly added support for cracking WEP, WPA, and now Bluetooth and Mac OS-X! Since the WEP and WPA cracking has been talked about heavily at other conferences, this talk will focus on the aspects of Bluetooth PIN cracking and will release open source code for cracking Bluetooth PINs on your PC (at ~50k/sec) or using an FPGA (at ~10m/sec) and will demo a handful of FPGA cracking applications that OpenCiphers has to offer including support for cracking Mac OS-X FileVault images and Salted SHA-1 hashes.
Bio
David Hulton has been hacking with wireless and embedded devices for the past 5 years and actively involved in the security industry for 10. After helping start and run various security meetings and ToorCon back in the late 90's, he switched focus and became credited with designing open source tools such as bsd-airtools, doing extensive security research with Wireless, Smart Cards, GSM, and most recently with revolutionary high-speed crypto cracking applications for FPGAs.
Chris Paget
WPAD: Attacking the proxy
WPAD, the Web Proxy Automatic Discovery protocol, does exactly what the name says - finds web proxies on the LAN. Unfortunately, WPAD is based on a number of other protocols which are widely known to be insecure, ultimately leading to by-design pwnership of an entire corporate network with just two packets.
This presentation is in two parts. First, I'll explore the WPAD protocol, explaining and demonstrating its weaknesses as I go along. The focus will be on IE (which has WPAD enabled by default, and extends the protocol in a number of insecure ways) although other browsers will be considered, as well as a number of other non-browser products which use WPAD. The intent will be to prove how easy it is for someone to become your proxy server on any LAN (corporate network, cable modem segment, etc). The two-packet attack will be demonstrated and explained in detail.
The second part of the presentation goes on to explore what can be done once you have established yourself as someone's proxy server. Much more than just sniffing traffic, I'll explore SSL attacks, social engineering, credential harvesting (with a unique implementation of rainbow tables), page manipulation, browser-specific attacks, and more - all with working code.
Bio
Chris Paget is the Director of Research and Development for IOActive Inc, currently setting up offices in Pennsylvania. Best known for his research into Shatter Attacks, Chris's recent activities include code-reviewing Windows Vista, demonstrating RFID bombs on TV, and penetration testing Fortune-100 companies. Chris is an expert on Windows architecture and security, a privacy advocate, an electronics geek, and a C fanboy.
Scott Moulton
ReAnimating Hard Drives for Data Recovery
Every hard drive will die a quick and sudden death sooner rather than later. What happens after that death can be very important to your data and become the deciding factor in its survival. I will display the inner workings of a hard drive in a beautiful animation and discuss the successes and failures in rebuilding a hard drive and recovering the data. I will teach you what to look for and how to accomplish this task on your own so you might be able to recover your own data without sending it to an expensive recovery house. We will delve into the platters and heads to show you when there is a good probability of success. The animated presentations will make it clear how a hard drive works and how you can save your data and your money!
Bio
Scott Moulton is the president of Forensic Strategy Services and began his forensic computer career after being the first person arrested for port scanning. One of his specialties is rebuilding hard drives for investigation purposes, and he has rebuilt hard drives for several murder investigations. While testifying, Scott was questioned about forensic people having to maintain a PI license. He is currently fighting the requirement that computer forensics and security people hold a PI license.
Adam Laurie
RFIDiots
RFID is being embedded in everything... From Passports to Pants. Door Keys to Credit Cards. Mobile Phones to Trash Cans. Pets to People even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them....
This talk will look at the underlying technology, what it's being used for, how it works and why it's sometimes a BadIdea(tm) to rely on it for secure applications, and, more worryingly, how this off-the-shelf technology can be used against itself... Software and Hardware tools and techniques will be discussed and demonstrated, and a range of exploits examined in detail.
Bio
Adam Laurie is a Director of The Bunker Secure Hosting Ltd. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, and also acted as a member of staff during the early years of the Black Hat Briefings.
Billy Hoffman
JavaScript Malware for a Grey Goo Tomorrow
Aren't Cross Site Scripting vulnerabilities lame? All they can do is display annoying popups that say 'xss' in them. Oh, and hijack your HTTP sessions... and detect every website you have visited... and port scan and fingerprint your internal network... and reconfigure your routers... and brute force usernames and passwords... and capture all the words you search Google for. And I almost forgot, they can self propagate too. Wait, maybe XSS isn't so lame after all.
This presentation will examine all the nasty things JavaScript can do that most people don't know about. What's that? The masses desire the sweet taste of 0-day? No problem.
I'll give a live demo of Jikto, a complete web application vulnerability scanner written entirely in JavaScript. Jikto silently crawls and audits any public website and sends the results to a third party. Jikto can be embedded into any website or XSS payload, turning website visitors into accomplices that will scan and attack web servers on the Internet.
Bio
Billy Hoffman is lead researcher at SPI Dynamics. He first became interested in web security on November 5th, 1955 when he was standing on the edge of a toilet hanging a clock. The porcelain was wet, he slipped, and hit his head on the edge of the sink. When he came to he had a picture in his head of destroying the Internet with JavaScript. Billy is currently writing a book on Ajax security for Addison Wesley.
Joel Bruno and Eric Smith
VOIP, Vonage, and Why I Hate Asterisk
Asterisk, the Open Source PBX, is highly regarded and heralded by masses of eggheads as the next killer DIY app. You've been to their presentations and have overheard their conversations at the bar: "Imagine having all the power of a large commercial PBX in your home. Asterisk gives you this power -- multiple extensions, advanced call routing, separate voice mail boxes -- plus a lot more." This presentation will take a look at the potential business and home uses of Asterisk. We will then consider the many security issues inherent to most VoIP deployments and showcase the SIPinator, our appliance created to exploit one of our favorite vulnerabilities.
Bio: Joel Bruno
Joel Bruno is a software developer for a large information technology company you've probably heard of. He has some certifications you probably haven't heard of. He has said and done things he isn't proud of. He is easily amused by shiny objects and, hence, was quickly drawn to VOIP technology by the tales of wonderment. Joel's interests center around hacking consumer devices and voiding warranties.
Bio: Eric Smith
Eric Smith is the Network Administrator for Bucknell University, located in Lewisburg, Pennsylvania. He has over 10 years of field experience in network and systems administration, with a meandering focus in security. He has provided consultation services in places such as Research Triangle Park and New York City. Eric is a founding member of PreSet Kill Limit, the security research group which has won the Defcon Wardriving Contest for the past two years.
Ryan Clarke
Extend Your Code into the Real World
We are taught as children to 'fear' electronics: if it is electronic it must be expensive, fragile, and you shouldn't touch or play with it. Hardware is actually quite easy to get involved with. With a fundamental knowledge set and a curious mind, it is simple to begin building basic electronic devices. This presentation is structured to give a glimpse into how easy it can be to build cool projects, and to be the 'shove' many need to get going. Not so much a 'how-to' as a 'where to start' presentation, it assumes the audience can take the topics presented and, with Google, run with them.
Bio
Former applications engineer for Parallax, Inc., Ryan is currently the Professor of Robotics and Embedded Systems for the University of Advancing Technology. His robots and projects have been pictured in Servo and Nuts and Volts Magazines, and were on display at the first annual O'Reilly Maker Fair. As LosT, he holds a black badge from Defcon, and runs the LosT @ Con Mystery Challenge each year, a hardware based competition.
Joshua Wright and Mike Kershaw
Extensible 802.11 Packet Flinging
LORCON (Loss Of Radio CONnectivity) has been described as a pseudo underground toolkit for generating and transmitting arbitrary 802.11 frames onto the wireless medium. LORCON has contributed to tools such as Metasploit, Airpwn and several privately-developed testing tools, and has been instrumental in influencing the state of wireless security. In this presentation, we'll explore the multiple uses of LORCON, demonstrate its capabilities, and help you get started writing your own 802.11 analysis tools with practical examples for assessing wireless security and for wireless troubleshooting and analysis.
Bio: Joshua Wright
Joshua Wright is the senior security researcher for Aruba Networks, and the author of several papers on wireless security and intrusion analysis. Joshua has also written several open-source tools designed to highlight weaknesses in wireless networks. When not breaking wireless networks, he likes to work on his house, where he usually ends up breaking things of another sort.
Bio: Mike Kershaw
Mike Kershaw is the author of Kismet and several articles on wireless security. Mike also works for Aruba Networks, where his full-time job is to break things and pick up the pieces.
Michael Schearer
The Church of WiFI Presents: A Hacker in Iraq
What in the world is a U.S. Navy officer (a Naval Flight Officer, no less) doing in the middle of Iraq? Electronic warfare, of course! The Church of Wifi presents an unclassified presentation of theprez98's experiences during his 9-month tour in Iraq. Embedded with Army units on the ground, theprez98 brought his expertise in electronic warfare to bear against the biggest threat to coalition forces - the improvised explosive device (IED). Drawing on his background as an EA-6B Electronic Countermeasures Officer, he will explain the counter-IED fight in Iraq. Furthermore, he will show how the "hacker mentality" continues to confront the many challenges within Iraq.
Bio
"theprez98" is an active-duty EA-6B ECMO. He flew combat missions during Enduring Freedom, Southern Watch, and Iraqi Freedom. He took his EW specialty to Iraq, where he embedded with Army units. At Penn State, he is actively involved in IT issues. He is a licensed amateur radio operator, a member of the Church of Wifi and a regular on the DEFCON and NetStumbler forums. He lives in Pennsylvania with his wife and 3 kids.
John Maushammer
Hacking Disposable Digital Cameras
I'll describe the reverse-engineering process of an embedded system in detail, using the Pure Digital disposable cameras as specific examples. We'll start with finding out what you can learn from just looking at the hardware. After extracting the firmware from the memory chip, I'll show some simple tools I built to help understand the code. We'll get clues from the embedded operating system, and eventually find the security routines. I'll show some specific flaws found in the cameras, and then give an overview of Pure Digital's overall security framework: what worked, what didn't, and how to improve it.
Bio
By day, John (a.k.a. Morcheeba) designs embedded systems. By night, he enjoys taking them apart and breaking them. He has reverse-engineered three models of One-Time-Use digital cameras (including the CVS Camcorder), found flaws in their security systems, and then hacked them to make them reusable. His most recent project has been building a watch that plays pong.
Raven
Backbone Protocol Fuzzing
While bugs continue to be found in backbone gear on a fairly regular basis, there has been little attention given to protocol fuzzing research on routing and switching infrastructure gear. Given that so many backbone bugs are Denial-of-Service related, this seems a strange omission. Basic errors such as "router catches wrong protocol version number, chokes, dies" are still being found and reported -- these types of errors should be quickly found by an intelligent fuzzer.
This talk will present the author's operational framework implementation for backbone protocol fuzzing, discuss successes and failures in developing a workable fuzzing model, and address kinds of gear yet to be tested as well as further research in this direction. All code used and presented will be open source and available with the presentation.
Bio
Raven is a backbone nerd who's been irritating ISPs helping enhance backbone security for many years. When not either attacking or fixing network infrastructure, she enjoys tea, traveling to countries she's never been to before, and writing sestinas about string theory (or trying).
Michael Rash
Attack Detection and Response with Linux Firewalls
Most people think of iptables as a packet filtering and mangling firewall within the Linux kernel. Although this characterization is true, iptables also provides such a powerful set of features that it can assist in the detection and visualization of network-based attacks. Through the use of the Netfilter string match extension, packet application layer data can be examined and acted upon by iptables. The end result is that a significant percentage of Snort rules can be run directly within the Linux kernel via iptables, and a program called "fwsnort" automates the translation process from Snort rules to equivalent iptables rules. In addition, by combining the "psad" and "AfterGlow" projects, some stunning graphical representations of attacks can be generated thanks to the completeness of the Netfilter logging format. This talk will present advanced usages of fwsnort and psad, and new versions will be released at ShmooCon.
Bio
Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland. Mr. Rash is the founder of cipherdyne.org, a website dedicated to open source security software, and is a Security Architect for the Dragon Intrusion Detection System developed by Enterasys Networks. Michael is the author of the upcoming book "Linux Firewalls: Attack Detection and Response" published by No Starch Press.
G. Mark Hardy
A Hacker Looks at 50
Take a trip back in time and discover what hacking was like in the pioneer days -- before the Internet, the PC, or even the Commodore 64 or TRS-80. The speaker started "exploring" computer systems in 1973, when the only law about hacking was the hacker ethic itself. Join a humorous reminiscence about what it was like building an Altair 8800, "discovering" the 2600 Hz tone, storing programs on punched cards, cracking bad crypto, and more. You'll find the people and principles haven't changed, only the speed of the hardware.
Bio
G. Mark Hardy, CISSP, CISM, CISA, founded National Security Corporation in 1988. Since his first legitimate computer security job in 1976 for $2.10/hour, he has presented several hundred talks on information security. A perennial speaker at major security conferences, he's popular for his entertaining and informative style.
Rob King and Rohit Dhamankar
Encrypted Protocol Identification via Statistical Analysis
End-to-end encryption is often used to circumvent network policy controls and evade intrusion prevention and detection systems. This presentation shows a method for identifying the type of traffic that has been encrypted via a novel method of statistical analysis. This gives network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. A sample implementation of the method is provided.
Bio: Rob King
Rob King is a Senior Security Researcher at TippingPoint, where he researches security vulnerabilities and other topics with security implications. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He also contributes to the SANS Top20 updates.
Bio: Rohit Dhamankar
Rohit Dhamankar is the Senior Manager of Security Research at TippingPoint, where he manages vulnerability research and Digital Vaccine development for the company's Intrusion Prevention Systems. In addition, he co-authors the SANS Institute's @RISK newsletter, read by over 200,000 subscribers weekly. He is the Director for the SANS Top20 updates. He holds an MS in Electrical Engineering from the University of Texas and an MSc in Physics from the Indian Institute of Technology in Kanpur, India.
Dan Kaminsky
Weaponizing Noam Chomsky, or Hacking with Pattern Languages
There is no man page for the English language, but kids pick it up anyway (more or less). There is deep structure hidden inside every human generated language, especially those we intend to fuzz. I will discuss and demonstrate new, useful, and purty purty tools for rendering complex patterns automatically, potentially in realtime, and breaking things with it. New toys will be released, including a generic XML fuzzer (rawk!).
Bio
Dan Kaminsky is the Director of Penetration Testing at IOActive, a Seattle-based security consultancy. Dan has been speaking at conferences for over six years, and has a reputation for doing bad things to packets. He spent two years at Cisco, and another two at Avaya, before spending 2006 consulting at Microsoft analyzing Vista.
Luiz Eduardo
Wireless (and Wired) Networks @ Security Cons
It's not as hard as it sounds, but sometimes it ain't that easy either. The idea of the presentation is to discuss some of the usual challenges faced in these types of gigs and whether anything will change in the future.
Bio
Luiz Eduardo has over 15 years of experience working with networking technologies and security. Today, he is a Systems & Security Engineer and Incident Manager for Aruba Networks. Luiz is also one of DefCon's networking goons, having helped design and implement the WLAN infrastructure for several security events (Defcon, Blackhat, Layerone, CCC, etc). Before the WLAN stuff, Luiz worked with secure service provider networks, as well as possibly all kinds of enterprise network technologies.
Jesse Krembs and Nick Farr
The Hacker Foundation: The Ethic in Action
This is an "update" to talks THF has given at Defcon, Notacon, etc. The Hacker Foundation supports research projects run by hackers, engages in hacker advocacy, and aims to connect hacker skills with those in our communities who need them most.
Our talk will focus on:
- WHY THF was founded (THF aims to be a resource to enable independent hackers to follow their passions and connect with their communities.)
- WHAT THF does to help hacker projects raise money, seek grant funding and take advantage of THF's 501(c)(3) tax-exempt status. (i.e. Metasploit Fund)
- UPDATE from previous THF talks (THF's new fund-based initiative, allowing hackers to vote directly with their dollars on projects and ideas they want to support.)
Bios: Jesse Krembs and Nick Farr
Jesse Krembs and Nick Farr have spent nearly a decade as Speaker Goons at Defcon. They got together to form The Hacker Foundation in 2003. Jesse works as a wireless network monkey out of Burlington, VT and Nick is approaching professional graduate student status in Grand Rapids, MI.
Deviant Ollam, Noid, and Thorn
Boomstick Fu: The Fundamentals of Physical Security at its Most Basic Level
It seems that at every con nowadays there is at least one talk dedicated to physical security. Our servers and data can be encrypted and passworded with the latest algorithms, but that doesn't do the trick if someone marches them out the door when we're not looking. In the past, many physical security talks have focused on passive defense: locks that resist picking, safes which resist cracking, etc. However, sometimes an intrusion is detected while in progress... and such intrusions - even physical ones - may require immediate countermeasures.
Many of us in the security community own firearms, but few have ever had to use them in a defensive situation. Others have considered gun ownership but lack any experience or foundation in this area. This panel of experts will provide a comprehensive overview of this highly-charged and often-misunderstood topic. Bring any questions you have about hardware, ammunition, tactics, and the law.
Bio: Deviant Ollam
Deviant Ollam is a frequent speaker on the topic of physical security. A graduate of the New Jersey Institute of Technology's "Science, Technology, & Society" program, he is always fascinated by the interplay that connects human values and social trends to developments in the technical world. A gun-owning pacifist, Deviant disdains violence but believes in being prepared to confront it. He has given physical security presentations at ShmooCon, DefCon, HOPE, and West Point.
Bio: Noid
Noid is a recognized member of both the hacking world and the firearm community. A shooting enthusiast who has handled just about every manufactured style of firearm, his encyclopedic knowledge of guns results in a constant barrage of questions from individuals who are considering the purchase of a new piece of steel. During particularly stressful days at the office, Noid considers hanging up his INFOSEC spurs and becoming a range master or armorer for the Feds.
Bio: Thorn
Frank Thornton (a.k.a. Thorn) runs his own technology consulting firm, Blackthorn Systems. In addition to his computer interests, Frank was a law enforcement officer and forensic detective for many years. He has investigated thousands of crimes, been in numerous armed confrontations, and been directly involved in several shootings. Combining both professional interests, he was a member of the workgroup that established ANSI Standard "ANSI/NIST-CSL 1-1993 Data Format for the Interchange of Fingerprint Information."
Chuck Willis
Assess the Security of Your Online Bank (Without Going to Jail)
As security professionals and hobbyists, we like to test and break software. For most software, we can satisfy our curiosity by installing it on our own machine and attacking it in a variety of manners. Unfortunately, this is not possible for most Web applications which can only be accessed on someone else's system. Further, security of these Web applications is important because they are used to conduct a variety of critical functions. So how can we satisfy our curiosity without attacking someone else's system and running afoul of the authorities? How can we make an informed decision about whether our bank or other service provider is security conscious enough to justify our business? This presentation will answer these questions by describing how you can legally examine any online Web application and its security features (or the lack thereof) to make a better guess as to the application's security.
Bio
Chuck Willis is a Principal Consultant with MANDIANT (http://www.mandiant.com/), a full spectrum information security company in Alexandria, Virginia, where he concentrates in incident response, computer forensics, tool development, and application security. Chuck has previously spoken at the Black Hat Briefings USA, DefCon, OWASP AppSec Seattle, and IT Underground. Chuck has contributed to several open source security software projects and is a member of OWASP. Chuck's past presentations are available on his Web site at http://www.securityfoundry.com/.
Rodney Thayer, Jon Callas and Ben Laurie
Three Crypto Geeks on the Current State of Cryptography and the Internet
Three grumpy old Shmoo Crypto gurus discuss the state of cryptography on the Internet today. This will be an open discussion (come armed with questions!) on current cryptography issues. We'll discuss what the current threats are, what kinds of lame crypto implementations are being delivered by vendors, unsafe crypto practices in common use, what we think of emerging crypto technologies such as EV certs and EC cryptography, and any recent interesting crypto vulnerabilities.
Bio: Rodney Thayer
Rodney Thayer is an independent security analyst. He does exploit research, product/technology evaluation, and enterprise network infrastructure defense design. He also writes, lectures, and teaches on a variety of computer security topics. He's a member of the Shmoo Group, the Hacker Pimps, and the Sunnyvale Cryptological Expeditionary Society.
Bio: Jon Callas
Jon Callas is CTO and CSO of PGP, Inc. Mr. Callas served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Mr. Callas served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane's Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force's (IETF's) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Mr. Callas has a B.S. in Mathematics from the University of Maryland.
Bio: Ben Laurie
Ben Laurie is no longer an independent security consultant, having succumbed to the lure of the Big G. He is a founder of the Apache Software Foundation and of OpenSSL. He wrote Apache-SSL (derivatives of which, according to Netcraft, now power over 50% of secure websites) and co-authored "Apache: The Definitive Guide". He is fanatical about security, privacy, civil liberties and beer.
Adam Shostack
Security Breaches are Good for You
Since California's SB 1386 came into effect, we have recorded public notice of over 500 security breaches. There is a new legal and moral norm emerging: breaches should be disclosed. This is the most significant event in information security since Aleph1 published "Smashing the Stack for Fun and Profit," and brought stack-smashing to the masses.
The reason that breaches are so important is that they provide us with an objective and hard-to-manipulate data set which we can use to look at the world. It's a basis for evidence in computer security. Breaches offer a unique and new opportunity to study what really goes wrong. They allow us to move beyond purely qualitative arguments about how bad things are, or why they are bad, and add quantification. The public awareness of the data lost on laptops is one example of this. There's no doubt that the data we get from these laws is imperfect, but look at the alternative: the FBI/CSI survey.
The talk will cover why breaches are an important opportunity, cover some threats to the emergent data, and discuss what we can do to improve the quality and quantity of the data that can drive security science.
Bio
Before taking a role working on a major vendor's security development lifecycle, Adam was involved in four startups, on vulnerability scanning, privacy, patch management, and program analysis. He helped found the CVE, International Financial Cryptography association, the Privacy Enhancing Technologies workshop, and the Emergent Chaos blog.
Johnny Long
No-Tech Hacking
Hackers know all about torquing technology to incredible ends. This talk focuses on non-technical attacks that are a serious threat to digital security. These tried and true techniques have served me well over the years and it's amazing to me how effective they are after all this time.
Bio
Johnny Long is a professional hacker, security researcher, author, pirate, and (halfway there) ninja. He enjoys hacking stuff, researching stuff, writing stuff, pillaging stuff and sneaking up on stuff. He's been known to lurk around his website at http://johnny.ihackstuff.com.
The Shmoo Group
Dissecting ShmooCon Labs
ShmooCon Labs was a ShmooCon first and, as far as we know, a security conference first. We invited vendors, 30 attendees, and ShmooCon network geeks to come and spend a day and a half building the conference wired and wireless network with all sorts of security geek goodness, including NAC, VA, WIDS, IPS, and other bad words we can't spell out here. We attempted to do it all in 30 hours to provide you access to your precious wireless 1s and 0s.
Ken Caruso will start the BOF with a quick recap of what happened during ShmooCon Labs: what went well, what could have gone better, and how much sleep we didn't get. After that the floor will be open to ShmooCon Labs vendors and participants to provide input and share their experiences. Of course all ShmooCon attendees are encouraged to take part in the discussion and ask questions.
Bio
The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development and to running this conference. This session will be led by TSG member Ken Caruso.
The Shmoo Group
0wn the C0n
In keeping with tradition, we'll break down this year's conference. We'll talk basics, budget, bad decisions and bold moves. If there's time we'll move on to things that start with C (Can you believe we did this a third time) and D (Do we dare try to do it again in 2008). Your input is important and worth ducking a ShmooBall or two, so stop in and let us know what you think.
Bio
The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development and to running this conference. This session will be led by TSG member Heidi Potter.