2009 Presentations

Keynote: Matt Blaze

Since 2004, Matt Blaze has been a computer science professor at the University of Pennsylvania; prior to that, he spent a dozen years on the research staff of AT&T (Bell) Labs.   Matt's work focuses on cryptography and its applications, trust management, physical and human scale security, designing secure systems, and networking and distributed computing.  He's particularly interested in security related to public policy, such as cryptography policy (key escrow), wiretapping and surveillance, electronic voting, and secrecy in science.

Are bad times good for security professionals?

G. Mark Hardy, Mark McGovern, Peter Guerra, Bruce Potter

Slides Video

Okay. The economy is in the toilet. Energy markets are volatile. Real estate is a mess, and your 401(k) looks like a 201(k) or 101(k). Is your job next?

Maybe not. Government and businesses keep spending money on security. New products are rolling out, and many security jobs remain hard to fill. IT security spending seems to be holding steady for now. Will we remain recession-proof? This panel discussion will offer government, military, law enforcement, and business insights into the current state of the security marketplace, and where it's headed. They'll discuss their views on what's keeping the market afloat: regulatory pressures, increased threats, poor security technologies, or plain old fear. Bring your questions, your resumes, and your open reqs to what's sure to be an interesting conversation.

G. Mark Hardy, CISSP, CISM, CISA has been providing information security expertise to government, military, and business since 1976, and founded National Security Corporation in 1988. His background includes information security planning and policy development, managing security assessment and penetration teams, breaking commercial encryption codes, and writing risk assessment software. The author of over 100 security presentations and articles, he is a graduate of Northwestern University, and also serves as a Captain in the Navy Reserve.

Mark McGovern leads In-Q-Tel's Digital Identity and Security practice. In-Q-Tel is the strategic investment firm that supports the U.S. Intelligence Community. Mark has extensive experience developing, securing and deploying data systems. Prior to joining In-Q-Tel, Mark was Director of Technology for Cigital Inc. He led Cigital's software security group and supported a Fortune 100 clientele that included Microsoft, MasterCard International, CitiBank, Symantec, Pfizer, the UK National Lottery and the Federal Reserve Banks of Richmond, New York and Boston. Earlier in his career, Mark worked for the Central Intelligence Agency. He holds a B.S. in Electrical Engineering from Worcester Polytechnic Institute and an M.S. in Systems Engineering from Virginia Polytechnic Institute.

Peter Guerra is currently working as a security consultant to government and commercial organizations. His diverse IT career has focused on cyber crime, malicious code analysis, incident response, web applications, and airplane messaging. He is currently getting his MBA and studying the relationship between economics and information security as related to cyber crime. He can be reached at peterguerra.wordpress.com.

Bruce Potter (gdead@shmoo.com) is the founder of The Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, and advanced IT defense techniques. Mr. Potter has co-authored several books and is a regular speaker at security conferences. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks and is currently the CTO of Ponte Technologies.

802.11 ObgYn or "Spread Your Spectrum"

Rick Farina

Slides Video

Tired of cracking your neighbour's WEP key? Yearning for a new challenge? What if someone could show you how to tune your Wi-Fi card to operate on licensed frequencies? Welcome to the seedy underworld of licensed Wi-Fi usage. Here you can learn how to tune your Wi-Fi cards to pick up on Big Brother and see what they are really doing with those security cameras. After we enjoy a quick trip to 4.8 GHz, we can move right along to learn about US Government Type 1 encryption for Wi-Fi. If you don't know what Type 1 crypto is, come to the talk and learn. If you already know what it is, please don't send me to Gitmo. Last but not least, you can learn how the watchers are watching you. You will learn about Wi-Fi Intrusion Detection and Prevention Systems, what they are, how they work, and how to cause utter chaos with them. Remember, it is all fun and games till the microwaves fry your brain.

Fresh from microwaving his laptop's real time clock to death and losing his slides at DEFCON, Rick Farina aka Zero_Chaos is back in action (with three backup copies of his slides). Currently Zero is working on Aircrack-ng and the Pentoo Penetration Testing LiveCD. In his spare time he rewrites wifi drivers (poorly) to add in new features, and generally enjoys sending out any kind of 802.11 packet which causes something amusing to happen. Previously Zero has worked on multiple layer 2 projects such as ettercap and enjoys throwing lemon parties for friends as well as leading the remote-exploit crew in peer justice.

All your packets are belong to us - Attacking backbone technologies

Enno Rey and Daniel Mende

Slides Video

The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, PBT). A new tool suite automating some attacks against BGP and MPLS will be released.

Daniel and Enno are long time network geeks who love to explore protocols and to break flawed ones.

Automated Mapping of Large Binary Objects

Ben Sangster, Roy Ragsdale and Greg Conti

Slides Video

File sizes are increasing on a daily basis and today's best tools are ill suited to cope with the growing analytic load. Most tools are designed to identify just file formats or crudely extract strings and match patterns, but our approach looks inside large binary objects, such as complex files and memory dumps, to find interesting but similar regions, such as text, code, variable and fixed length data structures, as well as the use of compression and encryption. As a result, an analyst needn't examine the entire file, but instead can hop from identified region to identified region, greatly speeding their work. This talk will also include the release of an extensible binary mapping tool that you can try out on your own.

Ben Sangster is a Computer Science Instructor at the United States Military Academy, West Point, NY. His research includes binary object identification in support of information assurance, behavior-based information security, and virtualization of computer science curriculum.

Roy Ragsdale is a computer science major at the United States Military Academy. His research interests include binary analysis, assembly language, and robotics. Roy is also a member of West Point's Parachute Team.

Greg Conti is an Assistant Professor of Computer Science at the United States Military Academy, West Point, NY. His research includes security data visualization and web-based information disclosure. He is the author of Security Data Visualization (No Starch Press) and Googling Security (Addison-Wesley). His work can be found at www.gregconti.com and www.rumint.org.

Blinded By Flash: Widespread Security Risks Flash Developers Don't See

Prajakta Jagdale

Slides Video

In a rush to adopt the dazzling Flash technology, website developers tend to use quick and dirty hacks to get their applications to work and in the process sidestep any security features provided by the technology. The presentation will look at Flash applications encountered in the wild that are a result of insecure development practices and demonstrate the ease with which they can be compromised.

Prajakta Jagdale is a Research Engineer with the HP Web Security Research Group. Prajakta focuses on automated discovery of Web application vulnerabilities and crawling technologies. Her current research efforts are concentrated on identifying security risks associated with RIA technologies. This research involves developing innovative techniques to enable automated web assessment tools to crawl and analyze RIA applications through the use of both static source code analysis and dynamic runtime analysis.

Building an All-Channel Bluetooth Monitor

Michael Ossmann and Dominic Spill

Slides Video

Monitoring Bluetooth is hard. Hackers accustomed to 802.11 have been spoiled by ubiquitous, inexpensive hardware capable of monitor mode, but similar tools are not available for Bluetooth. Off-the-shelf Bluetooth adapters are capable of monitoring only by actively joining a network, and they are unable to passively collect the information required in order to join. Efforts to build custom monitoring systems to date have been limited by Bluetooth's frequency hopping through 79 channels.

We will review the options available today for passive Bluetooth monitoring with an emphasis on software radio techniques. Although single channel monitoring with software radio has been demonstrated before, we will show how to extend the technique to all 79 channels and how to predict the target network's pseudo-random hopping sequence using passively collected information. The presentation will feature a live demonstration and the release of open source tools.

Michael Ossmann: Michael is a wireless security researcher for the Institute for Telecommunication Sciences at the U.S. Department of Commerce Boulder Laboratories in Colorado. He currently develops software radio tools for security research both as a hobby and for his day job. Michael will travel to Fairbanks, Alaska at the end of February for another episode of his adventures in mechanical ice sculpture.

Dominic Spill: Dominic is a grad student at Imperial College London. Having worked with GNU Radio and Bluetooth security for his undergraduate degree, he released his work to the community in 2007 and continues to actively participate in the gr-bluetooth project. His current research focus is secure communication and efficient key exchange in MANETs.

Building the 2008 and 2009 ShmooBall Launchers

Larry Pesce and David Lauer

Slides Video

It's a series of tubes! Pneumatic tubes!

This talk will describe the infamous 2008 and new 2009 ShmooBall Launchers built by Larry, and introduce Dave's 2009 design. This talk will include all of the steps behind the planning and building process for our launchers, as well as the history and background of the designs. We'll talk about the methods of building, safety considerations for the operator, target and environment, selection of building materials, design considerations and testing. We'll also discuss some of the construction issues, failures and reasons for what may be considered design flaws, the improvements we made, and how we can improve for next year.

Larry Pesce (Chief Research Officer, PaulDotCom Enterprises) - In the last 13 years in the computer industry, Larry has become a jack of all trades, most recently focused on the computer security field. In addition to his industry experience, Larry is also a Security Evangelist and co-host for the PaulDotCom Security Weekly podcast at www.pauldotcom.com. Larry is also Co-Author of "Linksys WRT54G Ultimate Hacking" and Contributing author of "Using Wireshark and Ethereal" and "How to cheat at configuring Open Source Security Tools", all from Syngress publishing.

David Lauer has been involved in the computer industry since 1990. His broad background covers a large part of the IT industry. He began his career in programming and database development before he found his calling in networking and security (where his professional strengths and personal preferences mesh seamlessly). He has found that this knowledge of software development and database design often gives him a unique perspective on day-to-day issues. David is also a Co-Host of the SecurityJustice Podcast.

Building Wireless Sensor Hardware and Software

Travis Goodspeed and Joshua Gourneau

Wireless sensors are constructed from little more than a microcontroller and a radio chip. This lecture will give you as thorough an introduction to building and programming such devices as can be had in an hour. You might also learn a thing or two about reverse engineering them.

In 2007, Travis Goodspeed presented the first public example of a stack pointer overflow attack against a wireless sensor. In 2008, he authored a reverse engineering toolkit for MSP430 firmware and a side-channel timing attack against the MSP430 bootloader.

Joshua Gourneau dreams of a belt buckle, but not just any belt buckle. Ask him to tell you about it.

The Day Spam Stopped (The Srizbi Botnet Takedown)

Julia Wolf

The Srizbi botnet was responsible for about 75% of all of the spam on Earth. All of its command and control servers were hosted at McColo in downtown San Jose, CA. Once this was pointed out to McColo's upstream peers, they stopped routing that AS. As a backup, the botnet was designed to connect to deterministically generated DNS names, which at the time were not registered... So we registered them, blocking the spammers from regaining control of the botnet and getting a list of every bot-infected source IP.
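
The backup channel and the counter-move, as an added sketch that is neither Srizbi's code nor the speaker's: a date-seeded name generator (hypothetical, standing in for the real algorithm, which this summary does not give) and the two things a defender can do once such a generator has been reverse engineered: enumerate and register the names ahead of the operator, and flag DNS lookups for them. Seed, TLDs, names-per-day and the window start are all constructed.

```python
import datetime
import hashlib

# Constructed parameters for a hypothetical generator. This is NOT Srizbi's
# real algorithm; it only has the property that matters: the same date yields
# the same names for every bot and for anyone who has the generator.
SEED = b"constructed-dga-seed"
TLDS = ["com", "net"]
NAMES_PER_DAY = 4
EXAMPLE_START = datetime.date(2008, 11, 11)   # constructed window start


def dga_domains(day, count=NAMES_PER_DAY):
    """Backup C2 names a bot would try on `day`, derived only from the date."""
    names = []
    for i in range(count):
        material = SEED + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def sinkhole_list(start, days):
    """Every name the bots will try in the window. Register these before the
    operator does and the rendezvous point becomes your sinkhole."""
    return [
        name
        for d in range(days)
        for name in dga_domains(start + datetime.timedelta(days=d))
    ]


def dga_lookups(dns_queries, start, days):
    """Detection side: which queried names (any case, trailing dot or not)
    match the generator's output for the window."""
    expected = set(sinkhole_list(start, days))
    seen = {q.lower().rstrip(".") for q in dns_queries}
    return sorted(seen & expected)


if __name__ == "__main__":
    for name in sinkhole_list(EXAMPLE_START, 2):
        print(name)
```

Registering the whole window in advance is what turns the bots' fallback into the defender's asset; the same list, fed to a resolver log, tells you which hosts inside your own network are trying to phone home.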

Julia Wolf tracks botnets, reverse engineers malware, writes IDS signatures, and performs low-level bit-twiddling. She likes mathematics and photography, and she has purple hair.

Decoding the SmartKey

Shane Lawson

This is a brief introduction to the Kwikset SmartKey and how it has been designed to combat certain bypass methods while leaving itself open to others that are just as effective at opening a lock. The decoder itself was created in a garage with nothing more difficult to use than a dremel. The total cost of materials is under $5 and is able to yield a decoded lock in under five minutes with a proficient operator.

valanx is a member of the Fraternal Order Of LockSport (FOOLS) and is responsible for creating several FOOLS projects and displays. A firm believer that hacking requires more imagination than budget, most projects he takes on involve readily available material for little to no money. He has given demonstrations on lockpicking and pick design at DEFCON and NOTACON.

Enough with the Insanity: Dictionary Based Rainbow Tables

Matt Weir

Slides Video

Here at Florida State University we modified a popular program, rcrack, so that it can create Rainbow Tables by mangling dictionary words. This allows us to attack strong passwords such as 'P@ssword!2' which would not be vulnerable to normal Rainbow Tables. In this talk, not only will we discuss our attack but also methods to protect against it. People have known for at least twenty years how to protect against hash lookup attacks, but the password hashes used by Microsoft Windows and many websites are still vulnerable to it. We will also release our tools along with some custom Rainbow Tables we have generated to attack Windows NTLM (aka not LANMAN) password hashes.
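
The structure behind both the attack and the defence the abstract alludes to, as an added toy example that is not the speakers' rcrack modification or their tables: a rainbow table whose reduction function lands in a word-times-rule keyspace instead of a character set, so a chain can pass through mangled words like P@ssword!2, and a per-user salt that puts the stored hash outside that keyspace. SHA-256 stands in for NTLM (MD4 over UTF-16LE) so the block runs on the standard library alone; the dictionary, the mangling rules, the chain length and the number of chains are constructed.

```python
import hashlib

# Constructed dictionary and mangling rules; a real run uses a large wordlist
# and a much richer rule set.
DICTIONARY = ["password", "shmoocon", "letmein", "dragon", "monkey", "secret"]

RULES = [
    lambda w: w,                                          # password
    lambda w: w.capitalize(),                             # Password
    lambda w: w + "1",                                    # password1
    lambda w: w.replace("a", "@").replace("o", "0"),      # p@ssw0rd
    lambda w: w.capitalize() + "!",                       # Password!
    lambda w: w.capitalize().replace("a", "@") + "!2",    # P@ssword!2
]
CHAIN_LEN = 40                      # assumption: short chains keep the toy fast
KEYSPACE = len(DICTIONARY) * len(RULES)


def candidate(index):
    """Map an integer in [0, KEYSPACE) to one mangled dictionary word. This is
    what makes the table dictionary based: the keyspace is word x rule, not
    every string over a character set."""
    word = DICTIONARY[index % len(DICTIONARY)]
    rule = RULES[(index // len(DICTIONARY)) % len(RULES)]
    return rule(word)


def H(password):
    # Stand-in for NTLM; the chain logic does not depend on the hash used.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reduce_(digest, position):
    """Rainbow reduction function: different per chain position, and it lands
    back in the mangled-dictionary keyspace rather than on a random string."""
    return candidate((int(digest[:16], 16) + position) % KEYSPACE)


def build_table(num_chains):
    """Return {endpoint: [starts]}. Only endpoints and starts are stored; the
    chain interior is recomputed on demand (the time/memory trade-off)."""
    table = {}
    for c in range(num_chains):
        start = candidate((c * 5) % KEYSPACE)
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_(H(p), pos)
        table.setdefault(p, []).append(start)
    return table


def lookup(table, target):
    """Guess the target's chain position i, walk from there to the endpoint,
    and if that endpoint is stored, replay the chain from its start until the
    preimage appears. Returns None when no chain contains the target."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_(target, i)
        for pos in range(i + 1, CHAIN_LEN):
            p = reduce_(H(p), pos)
        for start in table.get(p, ()):
            q = start
            for pos in range(CHAIN_LEN):
                if H(q) == target:
                    return q
                q = reduce_(H(q), pos)
    return None


if __name__ == "__main__":
    table = build_table(12)
    print(lookup(table, H("P@ssword!2")))             # recovered from an unsalted hash
    salt = "7f3a"                                     # constructed per-user salt
    print(lookup(table, H(salt + "P@ssword!2")))      # None: salted value is outside the keyspace
```

The salted lookup fails for a structural reason, not a lucky one: every chain link is a candidate from the word-times-rule keyspace, so a hash of salt plus password can only be found by a table built for that exact salt, which is the twenty-year-old defence the abstract refers to.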

Matt Weir is a PhD student at Florida State University. Before his journey back into academia, he worked as a network security engineer for Northrop Grumman. The projects he's been a part of have ranged from providing first responders with wireless access, to assisting the Defense Department with computer forensics. Why he decided to go back to school no one knows (including him sometimes). It wasn't the pay that's for sure!

EDL Cloning for $250

Chris Paget

$250 on eBay buys the necessary kit to clone the Electronic Drivers License and US Passport Card. This talk covers everything you'll need for a homebrew EDL and PASS cloner, as well as a fair bit of info on the EPC Gen2 RFID tags used.

Chris Paget decided a while ago that being sued for doing security research is no fun, so it's safer to target government systems instead. His previous hacks include HID cloners, WPAD-based LAN hijacking, GDI messaging attacks, and out-drinking Dan Kaminsky. Chris spends most of his days trying to break into eBay faster than the bad guys, and in his spare time likes to hack into just about anything he can legally get his hands on.

Exploring Novel Ways in Building Botnets

Enno Rey and Daniel Mende

Slides Video

Botnets are widely regarded as the most imminent threat to the internet's infrastructure security. While a bot's lifecycle has mostly stayed the same (initial infection, C+C contact, download of payloads/instructions, performance of malicious actions) for some time now, the communication structures are currently undergoing a shift in direction of P2P methods. In this talk we will cover some novel ways in mobilizing well-known and not-so-well-known protocols within botnets. Amongst others we will show how to perform quite efficient DoS attacks without prior OS exploitation and how to abuse some servers run by Microsoft itself for downright untraceable C2 communication and payload distribution.

Daniel and Enno are long time network geeks who love to explore protocols and to break flawed ones.

The Fast-Track Suite: Advanced Penetration techniques made easy.

David Kennedy

Slides Video

Fast-Track is a widely popular open source arsenal of custom coded tools included in the Back|Track 3 distribution. Fast-Track combines multiple old, new, and complex attacks in a framework that penetration testers can easily use to test the overall security of their network. Fast-Track incorporates new methods never before seen in delivering payloads, including bypassing the 64kb payload restriction in Windows debug. The presenter will discuss these attacks in detail and how a penetration tester can use them in their own environment. What would a con be without popping multiple boxes and getting shells, shells, and more shells? In addition, the author will release a new version, never before released, at the presentation.

David Kennedy, CISSP, GSEC, MCSE 2003, is a principal and practice lead for the profiling group at SecureState. Prior to SecureState, David worked for the National Security Agency (N.S.A.) and has worked with some of the nation's most elite security groups. David is the author of Fast-Track, an open-source penetration testing suite available on Linux. David has previously presented at DEFCON and is a contributor to the Back|Track distributions.

Fail 2.0: Further Musings on Attacking Social Networks

Nathan Hamiel and Shawn Moyer

Slides Video

We've spent a lot of time ranting about and / or embarrassing various Social Networks last year already. Still, we wanted to share with the Shmoo audience some further silliness, social experiments, and good old-fashioned Fail 2.0 that's popped up since we last looked at this topic. We'll also cover some of the new countermeasures and counter-countermeasures that have showed up on various SocNets in the past few months.

In light of some recent mass pwnage occurring over Social Networks this past year, we explicitly promise NOT to say "we told you so", and definitely won't be performing our patented synchronized stage-left Electric Slide followed by some pop-locking and Nathan's famous Gloating Robot.

A few things we'll be covering this time around: SocNets as Attack Platform, SocNets-As-Botnets, new developments in SocNet Applications, Alex Sotirov's cell phone number on Twitter, some new impersonation exercises, bypassing CSRF protections, and thoughts (and potentially some tools) for practicing "safe" Social Networking.

Nathan Hamiel and Shawn Moyer are WebAppSec security monkeys who spend far too much time on social networks, and far too much time worrying about whether that's a bad idea, a really bad idea, or a really, really bad idea.

The Gentlemen's Agreement - Pwning Friends Legally for Fun, ????, and Profit!

Zachary Fasel, Matthew Jakubowski, and Josh Krueger

What's better than shaming and bragging to other hackers that you rooted their box and pulled their info? Alas, we must do so in agreement to terms and protect ourselves legally in case we kill our friends' egos and they decide to turn vengeful. The Gentlemen's Agreement provides rules, scenarios, and legal mumbo-jumbo to keep on pwning friends safely throughout the night, day, and months to come.

MobileDisco, a group of security enthusiasts (adj. see hackers) from Chicago, focuses on the research and practical use of vulnerabilities and on educating others about security vulnerabilities and remedies, while staying active in the local Chicago and national security scene through conferences and local meet-ups. Formerly known as Team Chicago Minus Steve, this group of approximately 15 members meets weekly for burgers, beer, and a dose of hax. Visit them at hax.by/mobiledisco/.

Hack the Genome! The Age of Biomolecular Cryptology

R. Mark Adams

Slides Video

As we enter an age in which the genome for any organism or individual can be obtained automatically and at rapidly-decreasing cost, a unique opportunity has developed for those interested in decoding the layers of hidden meaning within this data. The ready availability of tools, data and hardware provide a means for those interested in exploring this resource, and discovering its hidden meaning.

In particular, practitioners of conventional (and applied) cryptology may have unique insights about how to go about this task, and represent an underutilized community that could potentially make substantial contributions. This talk will present an outline of the problem, the current state of the art, and a discussion of the tools and resources available to researchers, with a focus on data and software that is open and readily available to the conference participants.

The human genome project, and other similar programs are the key "big science" project of our generation, and unlike other large-scale scientific activities, there is a real opportunity for the interested lay-person to contribute to our understanding of the data, as well as experience the rush of breaking new scientific ground. This talk will hopefully infuse the group with a sense of the excitement and fun to be had hacking the genome.

R. Mark Adams is a computational biologist in the Washington, DC area where he leads the biomedical informatics group for a multinational consulting company. He has a longstanding interest in the exploration of biomolecular data, especially the prediction of three-dimensional protein structure. Mark holds a Ph.D. in cell biology from Baylor College of Medicine, and studied biology and computer science at Oberlin. He is currently composing a symphony generated from DNA data.

Jsunpack: A Solution to Decode JavaScript Exploits as they Rapidly Evolve

Blake Hartstein

Slides Video

JavaScript is an advanced programming language with many capabilities and libraries. Many attackers use JavaScript to exploit browsers because it lets them dynamically control content, make additional HTTP requests, and otherwise hide their activity. Attackers who exploit browser vulnerabilities quickly find new and clever ways to alter their code to subvert the latest defenses and make it more difficult or time consuming to decode. JavaScript exploits usually reach users through infected or malicious sites. These sites are most often infected through SQL-injection vulnerabilities that insert malicious scripts into stored content; less commonly, cross-site scripting (XSS) vulnerabilities, a less serious class of vulnerability, deliver exploits to infect website visitors. The current state of JavaScript obfuscation and exploitation is difficult for analysts to keep up with. As a solution to this ongoing problem, jsunpack is a new tool that analysts can use to automatically unpack JavaScript.

Blake Hartstein works on the Rapid Response team at iDefense, a Verisign company. At iDefense, he is responsible for analyzing and reporting on samples of unknown malicious code and other suspicious activity. Prior to iDefense, Blake was an author of intrusion detection signatures and contributed to Emerging Threats, an open source community project that promotes a diverse Snort Signature set.

Man in the Middling Everything with the Middler

Jay Beale

Middler is an open source, plugin-extensible attack tool for man-in-the-middling (AKA middling) TCP applications, particularly those using HTTP. We'll demonstrate attacks on a series of web applications, including Gmail, LinkedIn, and LiveJournal. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject JavaScript, including the Browser Exploitation Framework (BeEF), into browser sessions and demonstrate CSRF attacks.

Jay Beale has created several defensive security tools, including Bastille UNIX and the CIS Unix Scoring Tool, both of which are used throughout industry and government. He has served as an invited speaker at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the "Stealing the Network" series. Jay works as a security analyst at InGuardians.

Next Generation Wireless Recon, Visualizing the Airwaves

Joshua D. Abraham and Ben Smith

Harnessing the power of both current solutions and some fancy work in Perl VS. Python, we have created two new methods that allow you to visualize the information from wireless networks and their relationships. This enables us to map wireless APs and represent the data in flexible and unique ways, full of informational goodness. The next generation of wireless recon looks pretty sweet!

Mr. Joshua D. Abraham joined Rapid7 in 2006 as a Security Consultant. Josh has extensive IT Security and Auditing experience and worked as an enterprise risk assessment analyst for Hasbro Corporation. Josh specializes in penetration testing, web application security assessments, wireless security assessments, and custom code development. In the past, he has spoken at LinuxWorld, Comdex and the Boston Linux User Group. In his spare time, he contributes code to open source security projects such as the BackTrack LiveCD, Nikto, Fierce, and PBNJ.

Ben Smith, aka "TheX1le", computer nerd extraordinaire. Officially, a self-taught network engineer and computer consultant. In his free time, he works on wireless research and client exploits.

Off the Shelf Security - Meeting Crime with an Open Source Mind

Nick Waite, Burke Cates, and Stephen Janansky

Slides Video

In the process of designing sensors to assist in the automated response to violent crimes, a robust multipurpose sensor platform using off-the-shelf hardware was developed. Although not at a final production state (as with most open source projects) the group hopes to open source it to the community at Shmoocon. This talk will detail the system (known fondly as "The System"), the design (hardware and software), the use of other open source projects (OpenWRT etc), and the properties that will make it beneficial to all.

"The System" can be described as a sensor platform that integrates off the shelf hardware to provide 802.11, USB, and Zigbee capabilities among other things while also allowing for modular sensors to be added. Most importantly it has been designed to be low cost by using mostly off-the-shelf products. While the application we will be investigating is that of security, the system can be used in a variety of ways. Of course keeping with the spirit of the community, the more mischievous uses will be demoed also. The goal of this talk is to encourage the community to take a fresh look into hardware while releasing a very useful tool to help them springboard into it.

Nick Waite has been flitting about the edges of academia for years while managing to avoid graduation. During his tenure he has done analog IC design, microcontroller system design, and pcb design projects in support of military, solar, agricultural, and other Important Projects. His interests and hobbies include DIY and low-tech engineering, organic chemistry, genetic algorithms, linguistics, finance, biofeedback, outdoor survival, peace, love, and freedom. He hopes to someday find harmony between machines and nature. Make sure to ask him about Korea!

Burke Cates is a Junior CISC major at UD. He is prone to sudden obsession with obscure computing topics, such as FPGAs, Ruby, and the Cell Processor. Although a knowledgeable programmer, Burke has been caught numerous times dabbling and experimenting with hardware. Burke is also known to be a closet audiophile and in his spare time enjoys Stumbling way too much (No seriously, you should see his stats...).

Stephen 'afterburn' Janansky is a Junior CPEG major at UD. He can usually be found getting fellow students involved in various engineering activities/clubs/groups, killing routers and other electronics by the dozens (then asking Nick to resurrect them), and making fun of people who use distros besides Gentoo. He is a member of CVORG, dreams of hardware security, and is one of the most ADD aspiring engineers you will ever meet.

Alex 'honcho' Lindley, Robert 'rob3ar' Rehrig, Josh 'Grungy' Marks, Mike 'surfingcat' Natrin, Rob 'jazzman' Haislip, and Lawrence 'Cuddles' Aiello make up the rest of The Circuit Breakers. The Circuit Breakers is a hacker-space run by Dr. Kiamilev at the University of Delaware. The group figured they would let the other three make fools of themselves and let everyone else just read about them and their work on their site: http://tcb.udarknet.com

Open Vulture - Scavenging the Friendly Skies Open Source UAV Platform

Matt Davis and Ethan O'Toole

OpenVulture is a software application and library designed to control numerous platforms (land, sea, air) using a simple software framework. During the presentation our vision for having cheap and autonomous craft for the public to play with and hack upon shall be explained. Unfortunately other factors have prevented us from providing a live demo, however our project plans will be unveiled, including a basic set of hardware that a user can obtain in hopes of creating their own autonomous drone. The concepts illustrated will demonstrate cheap UAV building, however the information and software provided can be tweaked to adhere to other platforms (/me thinks Wal-Mart Buggy).

Matt Davis / Enferex is currently a software engineer from the Hampton Roads region of Virginia (757). He is part of the 757Labs crew, prefers obnoxious music, and imbibing in quantities of coffee that make mere mortals shiver.

Ethan O'Toole / Tele Monster is currently a network and system admin in the Hampton Roads region of Virginia (757). He is part of the 757Labs crew and likes dreaming up wild projects. Every once in a while a few get completed.

OWASP AntiSamy - Picking a fight with XSS

Arshan Dabirsiaghi and Jason Li

Slides Video

"Failure to Avoid Web 2.0" is one of CWE/SANS new highly respected, well-put together, professional, only half plagiarized Top 25 Coding Errors.  Everyone tries to avoid XSS (aka Web 2.0) in their own terrible way - being overly restrictive with input validation, performing total output encoding, building a blacklist, or utilizing hope and prayer. These approaches all either suck for business or suck for security.

AntiSamy uses a positive model to translate horribly broken, unsafe, malicious rich content from users into safe content, without fear of exposing its users to malicious code. Think of it as a NoScript API for web developers. We invite you to take a look at our approach, our rules, the history, and some interesting attacks we learned along the way.
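
What a positive model looks like in practice, as an added example that is not AntiSamy's code (AntiSamy is a Java library with a policy file; this is a deliberately small Python rendering of the same idea): everything is dropped unless the element, the attribute on that element, and the URL scheme in that attribute are each explicitly allowed. The allow-list and the inputs are constructed. Note what a blacklist approach would have to chase and this one never sees: on* handlers, javascript: and data: URLs, encoded scheme names, and unknown elements all fall out for the same reason, that they were never listed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy: element -> attributes permitted on it. Anything absent
# (script, img, style, iframe, every on* handler, ...) is not mentioned
# because it does not need to be; the model is "only what is here".
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(), "p": set(),
    "br": set(), "a": {"href", "title"},
}
URL_SCHEMES = {"http", "https", "mailto"}   # relative URLs are rejected too
VOID = {"br"}


class PositiveModelSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # decodes &#106;avascript: before we look
        self.out = []
        self.stack = []                           # open allowed elements, for well-formed output

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                                # element dropped; its text is still emitted
        safe = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and urlparse(value.strip()).scheme.lower() not in URL_SCHEMES:
                continue                          # javascript:, data:, vbscript:, "", ...
            safe.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                     # close anything left open inside it
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is always re-encoded

    def close(self):
        super().close()
        while self.stack:                         # unterminated input cannot leak an open tag
            self.out.append(f"</{self.stack.pop()}>")


def sanitize(html):
    s = PositiveModelSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    print(sanitize('<a href="javascript:alert(1)" onclick="x()">click</a>'))
    print(sanitize('<img src=x onerror=alert(1)><b>bold</b>'))
```

The price of the positive model is the one the abstract admits: anything the policy does not name is gone, so the policy has to be written for the business's real content, not for the attacker's.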

Arshan Dabirsiaghi is the Director of Research of Aspect Security, a company that specializes in application security services. He contributes to many OWASP groups and, not surprisingly, voted for Nader.

Arshan just left PR hack on AOL yesterday and is trying to figure out why alert(document.cookie) is so interesting. He spends most of his work time abusing web applications, teaching classes all over the world and doing research into next-generation web application attacks and defenses. He also feels weird about doing the only defensive talk at ShmooCon 2009 and promises to be more offensive than George Carlin next time he comes back.

Jason Li is a Senior Application Security Engineer at Aspect Security. He serves on the OWASP Global Projects and Tools Committee and also contributes to a number of OWASP projects. He spends most of his time either ballroom dancing or keeping Arshan from destroying the world.

0wn the Con

The Shmoo Group

Slides Video

Once again The Shmoo Group offers up an inside look at the reality of con planning. Be prepared for a frank discussion about this year's ticket sales, finances and many other behind-the-scenes logistics. Every year brings new challenges and we certainly had our fair share this go round. Turning 5 has been an adventure we won't soon forget. Live feedback is welcome. So is chocolate.

We came. We presented. There were some moose, some swizzle sticks and some super glue. The rest is left up to the reader.

Phishing Statistics and Intuitive Enumeration of Hosts and Roles

Sean Palka

Slides Video

Organizations often shy away from including phishing in their security testing, primarily because it's difficult to get reliable statistics. However, by employing a tagging process, testers can map sent e-mails to received responses and build useful reports. Additionally, this information can be used to develop knowledge of social roles in the organization, as well as for identifying useful targets.

Sean Palka, an Associate at Booz Allen Hamilton, has contributed as a reviewer to the IEEE Transactions on Pattern Analysis and Machine Intelligence and has published a paper on biometrics vulnerabilities for the IEEE Conference on Biometrics: Theory, Applications and Systems. Mr. Palka has professional experience in a variety of fields, including software development, cryptography, and airspace information management. Mr. Palka currently works as a penetration tester and wargame scenario developer.

Pulling a John Connor: Defeating Android

Charlie Miller

Android is the open source operating system developed by Google, currently in use by at least one cell phone provider. It is based on Linux and allows users to easily install software written for it. This talk will describe the security architecture used by Android, including application sandboxing. Android-specific exploitation techniques will be discussed, including using the emulator provided by the Android SDK. A remote exploit will be demonstrated against the G1 phone for a recently patched vulnerability.

Charlie Miller is Principal Analyst at Independent Security Evaluators. He was the first with public exploits against Apple's iPhone and the first phone running Google's Android operating system. He won the CanSecWest Pwn2Own competition in 2008. He was one of the top 10 computer hackers of 2008 according to Popular Mechanics.

Radio Reconnaissance in Penetration Testing - All Your RF Are Belong to Us

Matt Neely

Tired of boring old pentests where the only wireless traffic you see is 802.11 and maybe a little Bluetooth? With this amazing new invention, the radio, your eavesdropping options can be multiplied! Come to this talk to learn techniques for discovering, monitoring and exploiting a wide array of radio traffic, with real-world examples illustrating how these techniques have been used to gather information on a target's physical security, personnel and standard operating procedures.

Matt Neely is the Profiling Team Manager at SecureState, a Cleveland, Ohio-based security consulting company. At SecureState, Matt and his team perform traditional penetration tests, physical penetration tests, web application security reviews and wireless security assessments. His research interests include the convergence of physical and logical security, cryptography and all things wireless. Matt is also a host on the Security Justice podcast.

Re-Playing with (Blind) SQL Injection

Chema Alonso and Palako

Slides Video

SQL Injection is getting old. On the 25th of December 2008 it was ten years since the first word about it, but... ten years later it still works. This session is about how to use SQL Injection techniques in some special scenarios: SQL Injection in mathematical functions, SQL Injection to quickly download the whole database, time-based blind SQL Injection without delay functions, and how to use blind SQL Injection to download files from the server. This session has a lot of demos and several tools. It's cool, isn't it?

Chema Alonso is a Computer Engineer from the Rey Juan Carlos University and a System Engineer from the Politécnica University of Madrid. He has been working as a security consultant for the last eight years and has been awarded Microsoft Most Valuable Professional from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines such as "Windows TI Magazine", "PC Actual" and "Hakin9". He is currently working on his PhD thesis under the direction of Dr. Antonio Guzmán and Dr. Marta Beltrán.

Jose Palazon (palako) is responsible for mobile security worldwide at Yahoo!. He has 8+ years of experience in security advisory and training, covering private companies, government and academia in both areas. His areas of expertise include mobile, web and Unix systems security as well as digital forensics.

Reinterpreting the Disclosure Debate for Web Infections

Oliver Day and Rachel Greenstadt

Internet end-users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This paper seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.

Oliver Day is a researcher at the Berkman Center for Internet and Society, where he is focused on the StopBadware project. He was formerly a principal security consultant for @stake, where he focused on web applications and storage area networks. At @stake Oliver also lectured before dozens of Fortune 500 companies and educational institutions about network security. Before @stake, Oliver was an engineer with eEye Digital Security and created automated security checks for newly discovered vulnerabilities. He has also been a staunch advocate of the disclosure process and of providing shielding for security researchers.

Rachel Greenstadt is an assistant professor of computer science at Drexel University, where she studies issues at the intersection of artificial intelligence, security, and privacy. She recently completed a postdoctoral fellowship at Harvard's Center for Research on Computation and Society. She tries to combine her academic work with participation in hacker conferences.

RFID Unplugged

3ric Johanson

RFID system usage is increasing in the transit, access control, and payment sectors, with little to no foresight into effective security. This presentation will cover potential threat and attack models from the business, integrator, and consumer perspectives. Beginning with an overview of the systems in place today, we will review specific vulnerabilities (many with demos) and offer potential mitigations. Security implemented in current RFID systems is very reminiscent of early WaveLAN or SIM technology. This talk will review classes of attacks in detail, including OTA sniffing, MITM, replay attacks, backend wire interception, duplication, data tampering, denial of service, escalation of privilege, etc. In addition, the real-world impacts of the cracked NXP MIFARE Crypto-1 system will be reviewed. PayPass vulnerabilities will also be demonstrated.

3ric Johanson has been breaking things for many years. A Shmoo Group member, he's been involved with several successful projects, including ShmooCon, Hackerbot Labs (a Seattle-based hacker space), vend-o-rand and rainbowtables. By day, he is a security consultant specializing in penetration testing and application assessments; by night, he has been spotted wearing his "so sue me already" t-shirt while drinking over-caffeinated coffees. Some of his recent public work has included "International Domain Name" vulnerabilities. His hobbies include building and breaking things in a secret underground lair in Seattle.

Security vs Usability - False Paradigms of Laziness

Dead Addict

"It's a trade-off between security and usability."

Have you ever heard these words, or worse, uttered them? While we may understand security, we don't necessarily understand how people interact with technology. For example, merely adding too many words to a dialog box can cause users to not read or understand the warning or the choice before them. Try this: Without usability there can be no security. Without users comprehending security-related user interfaces and dialogs, there is little chance they will make appropriate decisions.

I will discuss the impact of usability on end-users (without good questions, there can be no good answers); administrators (ease of administration can mask incompetence); and adversaries (malware usability lowers the bar for attackers).  Practical advice on improving development practices will be given.

Too often either apathy or ignorance creates unusable and insecure software. If we continue to think that usability and security are opposing forces, we will continue to neglect the hard work of creating usable systems, and our unusable systems will inevitably remain insecure.

Dead Addict still uses a silly handle, having missed the memo to come out into the open. He has had the opportunity to help start and speak at Defcon, as well as speak at Black Hat, RubiCon, Notacon and private security conferences. He has worked at a major operating system manufacturer, a global financial institution, a leading hardware manufacturer, as well as numerous smaller firms. He currently spends his winters in Canada, each summer making a pilgrimage to the American desert. He holds no degrees and has as much respect for 'credentials' as the next hacker.

Solve This Cipher and Win!

Michael "theprez98" Schearer

Despite the application of high power computing, there remains a body of unsolved ciphers that resist exploitation. Some are (in)famous and others obscure, some may be hoaxes and others yet to be discovered, but they share the same fate: they have yet to be solved. This presentation will review a number of unsolved ciphers as well as detail some recent success stories as a means of spurring amateur cryptographers to action.

230 266 239 333 73 20 327 39 173 105 184 185 16 347 131 214 138 48 218 328 101 349 (9) (8) 33 346 28 260 142 167

Recently separated from 8+ years of active duty in the U.S. Navy, theprez98 is fascinated by the application of mathematics to real-world situations. While he will never likely win the Fields Medal or solve P vs. NP, his interests include the history of mathematics, cryptography, probability theory, and graph theory. Michael is an active member of the NetStumbler, DEFCON, and Remote Exploit forums, a football coach, and a father of four.

Storming the Ivy Tower - How to hack your way into Academia

Sandy Clark

Does a Hacker need a college degree? A Ph.D? What's the difference between hacking and research? What can those letters after your name actually do for you? How do you get credit for the skills you already have? How do you get accepted? How do you pay for it? How do you get your research recognized, or published in an academic journal or conference? Let's talk about how to manipulate the 1st Tier University system and the steps you need to take to get yourself a B.S./MSE/Ph.D. to hack.

Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the Hacker community, her professional work includes an Air Force Flight Control Computer, a simulator for NASA and singing at Carnegie Hall. She is currently fulfilling a childhood dream, pursuing a Ph.D. in C.S. at the University of Pennsylvania. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles. Her research explores human scale security and the unexpected ways that systems interact.

Stranger in a Strange Land: Reflections on a Linux Guy's First Year at Microsoft

Crispin Cowan

Slides Video

Dr. Crispin Cowan, famous Linux security guy and vocal Microsoft critic, now works at Microsoft. What? Has Hell opened a ski resort? This talk will reflect on my first year at Microsoft as a Linux guy. Hell has not frozen over, and I'm having a great time. I will talk about how the Linux and Windows communities are more similar to each other than either community cares to admit, for good and bad, as well as highlighting the differences that I have found. I will also highlight the similarities and differences in the security problems faced by Windows and Linux.

Crispin Cowan has been in the computer business for 25 years, and in security for 10 years. He was the CTO and founder of Immunix, Inc., acquired by Novell in 2005. Dr. Cowan is now a security program manager in the Microsoft Core Operating System Division, working on security features for Windows. Dr. Cowan developed several host security technologies under DARPA funding, including prominent technologies like the StackGuard compiler defense against buffer overflows and the LSM (Linux Security Modules) interface in Linux 2.6. Dr. Cowan also co-invented the "time-to-patch" method of assessing when it is safe to apply a security patch. Prior to founding Immunix, he was a professor with the Oregon Graduate Institute. He is the program co-chair for the 2007 and 2008 Network and Distributed System Security conferences. He holds a Ph.D. from the University of Western Ontario and a Master of Mathematics from the University of Waterloo.

Ten Cool Things You Didn't Know About Your Hard Drive!

Scott Moulton

This speech comprises at least 10 things that are 2+2=5 type situations people do not realize about hard drives. For example, data is written in cylinders on hard drives, and all partitions are created on cylinder boundaries; that leaves an offset from the end of one partition to the next, a gap between partitions that is unusable, or free space at the end of the disk. Since the outer edge of a disk starting at Track 0 is the FASTEST location on the drive, and the first partition is created on a cylinder boundary at the outside edge, each and every partition you create after it is further into the disk on a cylinder boundary. This means the second partition is slower than the first partition due to its location on the disk. So for YOU MAC OSX USERS that created a WINDOWS partition on your drive, YOU just installed Windows on the SLOWEST part of your hard drive. If you want to know more, well, this is the talk to see!

Scott Moulton is a forensic specialist and runs a data recovery company out of Atlanta called My Hard Drive Died, where he uses his forensics experience to recover hard drives and teaches an advanced class in data recovery. He has been running a data recovery company for six years, doing recoveries for some very high-profile forensic cases. His specialty is working with damaged hard drives in forensic cases. And yes, he does have a clean room onsite! Company name: Forensic Strategy Services, LLC.

They took my laptop! - U.S. Search and Seizure Explained

Tyler Pitchford

Slides Video

An overview of recent developments impacting the Fourth Amendment and privacy-conscious computer professionals, including discussions of the United States Constitution, federal statutes, administrative decisions, and, most importantly, the case law that interprets and defines the Fourth Amendment. Special attention is given to topics affecting computer professionals, including border crossings, foreign nationals, forced disclosures, and the October 2008 Crist decision.

Tyler holds degrees in Software Architecture from New College of Florida and a Juris Doctor from the Stetson University College of Law. He co-founded the Azureus BitTorrent client in 2003 and currently works as CTO for Digome, LLC in Nashville, TN. His work experience includes the Florida State Attorney's Office, Federal Magistrate Richardson, and Justice Anstead of the Florida Supreme Court. Tyler presented at PhreakNic 12 and has taught several courses on computer programming and security.

Watching the Watcher: The Prevalence of Third-party Web Tracking

Brent Chapman, Tera Corbari and Matt Devers

Slides Video

Gone are the days when web surfers only left footprints behind on isolated single-server web sites across the WWW. Today, a significant number of websites now contain tracking code that allows a select few organizations to track individual users, even entire corporate populations, across tens of thousands, sometimes hundreds of thousands of sites. This talk explores the technical methods used to embed tracking code and presents results from our analysis of the top sites in Alexa's website rankings. You'll leave the talk with a better understanding of the problem while learning which popular websites contain tracking code and with whom they are sharing information.

John Brentmore Chapman, Jr. was born in Guyana, South America and raised in New York City. In 2002, he enlisted in the United States Army as a Signals Intelligence Analyst and later entered the U.S. Military Academy in 2005. His professional interests include information assurance, cryptanalysis, and foreign languages. His personal interests include Apple computers and anything related, exploring the Linux environment, penetration testing, graphic design, and electronic and mechanical system modification.

Tera Corbari is a senior at West Point. She is majoring in Information Technology and upon graduation will be commissioned as a 2LT in the Signal Corps. Tera is CCENT certified and hopes to complete her CCNA certification before graduation. She is also the head manager of the Army Football Team.

Matt Devers is a student of information technology at the United States Military Academy, West Point, NY. He enjoys long bike rides and a good exercise smoke session before sun rise.