Archives of POC 2013
Inkook Kim (pr0neer) - Anti-Anti Digital Forensics / Nov 5-6
[Trainer]
- 2008.03-2011.02 Korea University, Graduate School of Information Security, M.S.
- 2001.03-2009.02 Kangwon National University, Computer Information and Communications Engineering, B.S.
- 2013.08-present CEO, PLAINBIT Co., Ltd.
- 2013.02-2013.07 Freelancer
- 2011.08-2013.01 AhnLab A-FIRST, incident response forensic analysis
- 2011.03-2011.07 Freelancer
- 2008.03-2011.02 Researcher, Center for Information Security Technologies (CIST), digital forensics research
- 2013.08-present KITRI BOB digital forensics mentor
- 2013.07-present Member, Forensic Standardization Forum
- 2012.12-present Expert, 5th Public-Private Joint Investigation Team
- 2012.08-present Editor, Acorn Publishing digital forensics series
- 2011.11-present Operator of Forensic Insight (F-INSIGHT)
- 2010.10-2012.04 Codegate 2011 and 2012 organizing staff
- 2010.01-2010.04 Codegate 2010 challenge author
- Numerous lectures for private, government and military organizations, including Samsung Group, the Police Investigation Training Institute, the Institute of Justice and the Ministry of National Defense

[Course]
This course is built around a variety of real-world digital forensics cases and is structured for practical work. Attendees are assumed to already be familiar with basic forensic artifacts. Every sub-topic is taught hands-on.

------- [Day 1] -------
1. Data destruction techniques
- Introduction to data destruction techniques: an overview of the various data destruction techniques.
- Normal file deletion and countermeasures: examine the changes that occur when a file is deleted normally and practice recovering deleted files.
- Secure file deletion and countermeasures: examine the changes that occur when a file is wiped and practice file carving techniques.
- Usage trace deletion and countermeasures: examine the changes that occur when usage traces are deleted and consider countermeasures.
- Real-world case analysis: apply what was learned through analysis of a real case.
2. Data transformation techniques
- Introduction to data transformation techniques: an overview of the various data transformation techniques.
- Data encryption and countermeasures: practice disk and file encryption techniques and tools and consider countermeasures.
- Data encoding and countermeasures: practice various encoding techniques and tools and consider countermeasures.
- Real-world case analysis: apply what was learned through analysis of a real case.

------- [Day 2] -------
3. Data hiding techniques
- Introduction to data hiding techniques: an overview of the various data hiding techniques.
- Slack space hiding and countermeasures: practice hiding techniques that use file system slack space and consider countermeasures.
- File structure hiding and countermeasures: practice hiding techniques that use file structures and consider countermeasures.
- Steganography and countermeasures: practice steganography techniques and tools and consider countermeasures.
- Real-world case analysis: apply what was learned through analysis of a real case.
4. Data manipulation techniques
- Introduction to data manipulation and trace minimization techniques: an overview of the various data manipulation and trace minimization techniques.
- Timestamp manipulation and countermeasures: practice timestamp manipulation techniques and tools and consider countermeasures.
- Log manipulation and countermeasures: practice log manipulation techniques and tools and consider countermeasures.
- Real-world case analysis: apply what was learned through analysis of a real case.
5. Trace minimization techniques
- Portable apps / live CDs / virtual machines and countermeasures: examine the traces left by using portable apps, live CDs and virtual machines and consider countermeasures.
- Real-world case analysis: apply what was learned through analysis of a real case.
# Junbo Shim (Passket) - Writing Toolkits for Finding Zero-day Flaws With PinTool / Nov 5-6

[Trainer]
- 2012, 2013 Best of the Best mentor
- 2011 PADOCON CTF online: challenge author, administration
- 2010 PADOCON CTF online & offline: challenge author, administration
- 2010 PADOCON maintainer
- 2006 PADOCON CTF online & offline: challenge author, administration
- 2005 UDCSC Hacking Contest: challenge author, administration
- 2005 AHF: challenge author, administration
- 2005 ARGOS chief
- 2012 Codegate 2012 presentation (Flow Based Vulnerability Discovery)
- 2012 Codegate 2012 training course (Effective Vulnerability Discovery)
- 2012 KISA workshop presentation (about APT)
- 2011 POC 2011 presentation (Special Tricks for Exploiting)
- 2011 POC 2011 training course (Finding 0-day)
- 2011 KAIST Cybersecurity Workshop (Advanced 0-day Detection)
- 2011 PADOCON 2011 presentation (Hunting Trip - Automated Vulnerability Finding)
- 2010 CodeEngn 2010 presentation (Taint Analysis for Vulnerability Discovery)
- 2010 PADOCON 2010 presentation (Exploiting Windows Vista Kernel: SMB Case Study)
- 2009 SecurityProof.org 2009 1st Offline Seminar (CPU Bugs Return!)
- 2009 PADOCON 2009 presentation (A Practice of Remote Code Execution using CPU bugs)
- 2006 PADOCON 2006 presentation (White-Bot Project)
- 2005 CONCERT tech workshop demonstration (about newal BOT)
- 2005 KISA workshop on homepage demonstration (hacking from China)
- 2005 2nd AHF presentation (I don't remember the topic)
- 2005 PADOCON 2005 presentation (Honeynet based University)
- 2004 1st AHF presentation (Zero-effort attack)
- 2012 KISA 8th HDCON silver prize
- 2011 Codegate YUT Challenge 3rd
- 2010 ISEC CTF 3rd
- 2010 KISA 7th HDCON silver prize
- 2009 Codegate 2009 Hacking Contest 5th
- 2009 JFF Hacking Contest 4th
- 2008 HITB Malaysia CTF 4th
- 2008 WISC National Hacking Defence Contest 1st

[Course]
I think it is no exaggeration to say that 0-day vulnerabilities are the pinnacle of offensive security. In this training course, we will use Intel Pintool to build the various tools used when hunting 0-day vulnerabilities in Intel x86 binaries, and through them explore how to find 0-day vulnerabilities efficiently. The toolkit we build includes use-after-free detection, dangling pointer detection, tools for resolving reachability, and bug detection through reciprocity problems.

[Schedule] 2-day course (10:00-17:00)

# Adam Laurie - RFID: Soup to Nuts / Nov 5-6

[Trainer]
Adam "Major Malfunction" Laurie is the author of the open source RFID python library 'RFIDIOt' (http://rfidiot.org), which is widely used by the hacking and research community and comes pre-installed on distributions such as Backtrack/Kali. He is also responsible for many of the breakthrough 'hacks' on RFID devices, such as credit cards, access control systems and passports, and has a working knowledge of implementation as well as theory. His company, Aperture Labs Ltd., has recently launched a Kickstarter project to create a software defined RFID reader, 'RFIDler' (http://www.kickstarter.com/projects/1708444109/rfidler-a-software-defined-rfid-reader-writer-emul).

[Course]
This course will cover everything from the basic theory of how RFID works 'under the hood' to actual use cases and current exploits and tools.
Topics covered:
- LF (125/134 kHz) theory & practice: modulation schemes, tag types, reading, writing, emulating, cracking.
- HF (13.56 MHz) theory & practice: modulation schemes, tag types, reading, writing, emulating, cracking.
- RFID crypto: some worked examples of implementations and where they went wrong, e.g. passports, DESFire access control, Mifare payments, Hitag2 vehicle keys.
Who should attend: Anyone interested in RFID, whether they have basic knowledge or none at all, will come away with a better understanding of how this stuff really works and useful 'hands-on' experience of RFID hacking.
What should they bring: Students should bring a laptop with USB and a DVD drive. Most tools work best under Linux, but many are multi-platform and can be run under Windows or Mac. Students should be prepared to install drivers and/or software, or to run a pre-packaged distribution such as Kali. RFID readers, example cards and other devices will be provided.
[Schedule] 2 Days (09:00-18:00)

# ExodusIntel - Peter Vreugdenhil (@WTFuzz) / Nov 5-6

[Trainer]
Co-Founder and VP of Operations at Exodus Intelligence

[Course]
This two-day class, taught by a former Pwn2Own winner and pioneer in the art of client-side vulnerability development, is a highly interactive, hands-on training delving into the intricacies of browser exploitation. This course starts by introducing the methods used to uncover some of the most impactful recent browser vulnerabilities, and then quickly moves into the processes of in-depth analysis and vulnerability comprehension, revealing the tools and techniques used by the Exodus team to transform crashes into reliable exploits, bypassing modern protections such as DEP and ASLR along the way. Students will develop a working familiarity with the concepts presented through hands-on exercises, applying the course material to exploit modern vulnerabilities such as MS012-063. This course focuses on Internet Explorer, but students will leave equipped with a foundation of knowledge and insight applicable to exploiting any modern browser.
Requirements for the training:
1) A laptop capable of running a Windows 7 VM; the VM will be provided in VMware Workstation 6 format.
2) IDA 6+
3) Basic assembly knowledge
4) Knowledge of HTML and JavaScript would make things a lot easier.

[Schedule] 2 Days (09:00-18:00)
Events of POC2013
# Choo Choo Pwn - Organized by PHDays
'Choo Choo Pwn' challenges the participants' skills in exploiting various vulnerabilities in industrial equipment that provides automation and control of technological processes. The contestants will be offered a choice between access to the communication systems of industrial equipment and access to HMI systems. The goal is to independently obtain access to a model of a system that controls a railroad and cargo loading by exploiting vulnerable industrial protocols or bypassing the authentication of SCADA systems or industrial equipment web interfaces. The Industrial Control System (ICS) of the railroad will include video surveillance and, as an additional task, the competitors will be offered to disable the surveillance system.
- Website: http://phdays.com/program/contests

# Power of XX - Organized by SISS & HackerSchool
Who can show the power of XX this year? 'Power of XX' is the only hacking contest for women. In particular, the winner(s) of this year's Power of XX get a chance to participate in the PHDays 2014 CTF final round in Moscow, Russia. Air tickets and hotel accommodations for 4-5 members will be offered by PHDays as well. We hope you can have the chance.
- Qualification Round: Oct 5, Sat 10:00 - 20:00 (KST) / Online
- Final Round: Nov 8, Fri 10:00 - 18:00 / The-K Seoul Hotel POC Event Hall, South Korea
- Twitter: @power_of_xx
- Facebook: https://www.facebook.com/sm.siss
- Website: http://www.powerofxx.com

# KIDS CTF - Organized by SISS & Hackerschool
'KIDS CTF' is a hacking contest for kids: elementary and middle school students in Korea. This event encourages young boys and girls to study information security and to develop an ethical attitude.
- When: Oct 5, Sat 10:00 - 20:00 (KST) / Space POC, South Korea
- Facebook: https://www.facebook.com/sm.siss
- Website: http://www.cdctf.com

# Hack The Packet - Organized by Hack the Packet
'Hack The Packet' is a game about digging through packets. It is more advantageous to get the keys (answers) as quickly as you can. There are various challenges in security, programming, IT knowledge and so on. Points are awarded according to the level of difficulty, with different bonus points for the first three solvers.
- Twitter: @hack_the_packet
- Facebook: https://www.facebook.com/HackThePacket
- Email: events@hackthepacket.com
- Website: http://www.hackthepacket.com

# Binary 369 - Organized by Layer7
'Binary 369' is a mini-game, but you may need to be a human PC! The rule is very simple: just play the 369 game, but with the binary digits 0 and 1. There are two game types: one is a battle against a real PC and the other is a multi-participant game. Some good stuff will be presented to the winner. The organizing team, Layer7, is a hacking team of Sunrin Internet High School.
- Facebook: http://www.facebook.com/Layer7

# SSLStrip for POC - Organized by gilgil
Be careful! 'SSLStrip for POC' captures inbound and outbound HTTP traffic, analyzes it in plain text, and shows that important private information can be disclosed.

# PUMP? PUMP! - Organized by SecurityFirst
Retro play! Do you remember 'PUMP'? Yes, the PUMP game was sensationally popular, but these days it is only available in some arcades. Just move your feet and show your dance talent to cool music. If you are a good dancer, a secret prize will be awarded.
- Website: http://securityfirst.co.kr

# Codename, POC - Organized by SecurityFirst
'Codename, POC' is a puzzle game. Pieces are hidden in the event hall. Put the puzzle together, and it turns into a 2D barcode, QR code, etc. Then guess what each code means.
- Website: http://securityfirst.co.kr

# Simple Coding Contest - Organized by SecurityFirst
If you are a good programmer, participate in this 'Simple Coding Contest'. A random subject and programming language(!) will be assigned. Write clear and simple code, as fast as you can!
- Website: http://securityfirst.co.kr

# Hack My Mind - Organized by YOU & M3
'Hack My Mind' is a quiz contest. From anywhere around the POC event hall, access the 'Hack My Mind' page with your web browser and answer the quizzes. All POC participants will be your competitors. The quizzes cover hacking & security, programming, common sense, and even some ridiculous problems.

# Breaking LoL Nexus - Organized by Kroot
You can play the world's hottest online game, LoL, at POC. 'Breaking LoL Nexus' is literally about breaking as many Nexuses as you can (in limited time, of course). You have to battle 5 AI computers. Get more 'Gold' and a higher 'KDA'. If you are a good LoL player, why don't you come and try?

# Security Marble Games - Organized by APNG Korea Local
When a marble board game meets hacking & security...? 2-4 players form one team and play the marble board game. As your character moves ahead, there will be some interesting quizzes: guessing the return value of a piece of code, hacking team names, security topics, etc. When out of luck, you can be breached and shut down because of DoS attacks or memory corruption. Enjoy 'Security Marble Games' and test your hacking and security common sense!
- Facebook: https://www.facebook.com/APNGkorea
- Website: http://www.apngcamp.asia
Andrei Costin, "Poor Man's Panopticon - Mass CCTV Surveillance for the Masses"
Andrei Costin is a Computer Science graduate of the Politehnica University of Bucharest, where he did his thesis work in Biometrics and Image Processing. While starting out his IT career in the computer games industry, he has worked in the telecom field and was also a senior developer at a specialized firm programming various GSM/UMTS/GPS sub-systems. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family, and is known as the "printer guy" for his "Hacking MFPs" and "Hacking PostScript" series of hacks & talks at various international conferences. Lately he was spotted security-harassing airplanes with ADS-B hacks, though no planes were harmed during the experiments. He is passionate about security in a holistic fashion. Currently he is a PhD candidate with EURECOM in the field of "Security of embedded devices". [Abstract] Video surveillance, with CCTVs (Closed Circuit TV) and DVRs/NVRs (Digital/Network Video Recorders) at its heart, has over time become an important, omnipresent, ubiquitous and sometimes feared technology. Its initial purpose is to provide increased physical security and safety, while at the same time trying not to compromise on privacy. This kind of technology was massively deployed worldwide in the last 10 years or so, which led to the creation of nearly a "gazillion" products and vendors. In that respect it deserves, for good reasons, Schneier's term "wholesale surveillance". As has been proven many times before with similar devices such as Wi-Fi/ADSL routers and modems, these kinds of embedded systems are far from being secure, and it looks like the state of affairs did not improve much on security, quite the opposite. On top of that, the "gazillion" products and vendors and their market and price competition always tend to compromise on quality and, as a side effect, on security.
It is clear that many categories of embedded devices, among them the very important video surveillance systems (CCTVs, DVRs, NVRs), are still vulnerable to many primitive attacks, thus posing a security threat to the internal networks where they are used. However, an additional highly important implication of video surveillance exploitation is complete loss of privacy due to the leaking of directly person-identifiable information. Both implications lead to complete loss of trust (and potentially safety as well), thus defeating the primary goal of these systems. This research summarizes the security aspects of video surveillance systems/CCTVs/DVRs/NVRs and introduces and presents new insights and techniques applicable to this vast population of embedded devices. If you have ever been intrigued by video surveillance and its (in)security, and by whether someone is watching you, you don't want to miss this talk!
Gabor Pek, "Technical Trends in Recent Targeted Attacks"
Gabor Pek is a PhD student of CrySyS Lab (Laboratory of Cryptography and System Security). He obtained an MSc diploma in computer science at the Budapest University of Technology and Economics in 2011 and has been a PhD student there since then. He has been doing research in the CrySyS Lab under the guidance of Prof. Levente Buttyan since 2008 in the field of malware analysis and virtualization security. He also completed internships at iSecLab at Eurecom, France in 2012 and at the Technical University of Vienna in 2009. He participated in several industrial and academic projects including penetration testing, malware analysis (e.g., as a member of the Duqu, Flame, Miniduke and Teamspy investigation team), and securing/exploiting hardware virtualization (e.g., XSA-59). He was also a member of the 2009 UCSB iCTF We 0wn Y0u team (2nd position) and one of the main organizers of various Hungarian CTF teams (e.g., CrySyS.iCTF, !SpamAndHex). He co-founded a spin-off called Ukatemi Technologies with some of his colleagues from the CrySyS Lab in December 2012 to mitigate current targeted attacks. [Abstract] In recent years, the number of uncovered targeted attacks created and sponsored by different threat actors exceeded every expectation. While these targeted cyber-attacks mainly use known techniques to infect or stay silent, they are still, interestingly, successful against high-profile victims. In my presentation, I give technical background information on the trends we saw in the evolution of recent campaigns, focusing on the techniques and tricks used by adversaries. Interestingly, adversaries don't use exceptionally sophisticated methods in recent campaigns; rather, they come up with quite rough solutions.
I will disclose the following observations of CrySyS Lab in more detail: there are a limited number of (high-profile) victims, there is no server-side polymorphism, the goal is data exfiltration (e.g., Duqu, Flame, Teamspy, etc.) or destruction (e.g., batchwiper), and there is a tradeoff between persistence and stealthiness. At the same time, attackers increase their speed of reconnaissance and lateral movement. When an incident happens, they first look at system administrator documents and network topologies to discover and identify valuable assets. Finally, the collected data is transferred via the relay nodes of the C&C infrastructure. My presentation includes concrete examples to confirm all the statements above.
Jonas Zaddach, "An Amazing Journey into the Depth of My Hard Drive"
After completing his bachelor's degree in robotics at the Technical University of Munich, Jonas Zaddach spent one year at the Université Laval in Quebec. He finished his Master's in a double-degree program between the Technical University of Munich and TelecomParisTech at Institut Eurecom, doing research on the security of prepared virtual machine images provided on Amazon EC2 (this work was presented at ACM SAC '12 and BlackHat '12). Now he is a PhD candidate at Institut Eurecom and TelecomParisTech and is looking at the security of embedded devices. The academic paper "Implementation and Implications of a Stealth Hard-Drive Backdoor" that this talk is related to will be presented at ACSAC '13. [Abstract] This talk presents several novel reverse engineering techniques and attacks applicable to a wide range of embedded (ARM) devices, practically demonstrated on a popular hard drive. The talk will take the audience step by step through the whole process, from physical-level to software-level reverse engineering, up to the development of a firmware backdoor.
# Marion Marschalek & Moti Joseph, "What Happen in Windows 7 Stays in Windows 7"
Marion Marschalek (@pinkflawd) works at IKARUS Security Software GmbH, based in Vienna, Austria. Her main fields of interest are malware research and malware incident response. Besides that, Marion teaches the basics of malware analysis at the University of Applied Sciences St. Pölten and writes articles for a magazine. In March this year Marion won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake. Moti Joseph has been involved in computer security. In the last few years he has been working on reverse engineering exploit code and developing security products. Moti is a former speaker at Black Hat 2007, USA; CONF2009, Warsaw, Poland; POC 2009 & 2010, South Korea; ShakaCon 2009, USA; CONF2010, Krakow, Poland; CHINA 2011 at Shanghai Jiao Tong University; Istanbul, Turkey, 2012; and SysCan2010, Taipei, Taiwan. [Abstract] Systems evolve over time: patches are applied, holes are fixed, new features are added. Windows 8 is the new flagship product of Microsoft, and as prepared as it can be for a world of white-, grey- and black-hat hackers. System components undergo a tough vulnerability assessment process and are updated frequently to sort out security problems even before they arise. But all too often these clever fixes are not applied globally to all components, but just to the newest version of a library. Now we want to make use of exactly that fact to uncover potential vulnerabilities. What we aim for are the forgotten treasures in Windows 7 libraries: holes that got fixed for the bigger brother at some point, but stay unfixed in Windows 7 until today. We will present a tool that makes it easy to spot these forgotten vulnerabilities. We can keep track of different versions of libraries of different operating systems and automate the analysis process of a big file set. The focus lies on safe functions, whose absence indicates a potential weakness.
The tool and its sources will be published for the community's use along with the conference talk.
Maxim Goncharov, "Shopping Global Cybercrime Underground"
Maxim Goncharov is a senior security virus analyst at Trend Micro, responsible for security consulting to business partners (internal and external), creation of security frameworks, designing technical security architecture, overseeing the build-out of an enterprise incident response process, and creation of the enterprise risk management program. He has also spoken at various conferences and training seminars on the topic of cybercrime and related issues (e.g. cyberterrorism, cybersecurity, underground economy, etc.), including BlackHat, DeepSec, VB, APWG, etc. [Abstract] Online fraud has long since moved from being a mere hobby to a means for cybercriminals to earn a living. Daily we see lots of activity in social networks, blogs and forums, but this is the part of the internet visible to everyone. There is another side to the internet, however - its criminal underbelly - and here, just like on the blogs and forums, communication is key. In this talk we will cover the principles of underground information exchange, ways to secure money/goods in underground transactions, and the basic cyber hierarchy. We will also talk about underground products and services. Crypt services, DDoS attacks, traffic resale, bulletproof servers, SMS fraud, spam services and credit card hijacking - these will be covered with pricing comparisons shown over the last 2-3 years. We will go through the typical pricing steps of a criminal's attack, from buying software all the way to monetizing the volumes of infected victims.
MJ0011, "Defeating Windows Security Features via Underlying Hardware Way"
MJ0011 has been dedicated to the development of kernel security products as well as research on finding system security vulnerabilities and on kernel security attack and defense. He is currently working for 360safe, the most widely used security software in China. He has spotted a large number of kernel vulnerabilities in the Windows operating system and third-party software. [Abstract] Starting with Windows Vista, Microsoft introduced many security features in its operating systems, which were further improved upon in Windows 7 and Windows 8. Some security features, such as DEP and ASLR, are well known, while other security features that are used against specific attack methods are less known. In this talk, MJ0011 will discuss a security feature introduced in Windows Vista that defends against admin-to-ring0 attacks, and how to use an unpublished underlying hardware protocol implementation bug to bypass this security feature in Windows Vista/7/8 and 8.1.
Nikita Tarakanov, "Exploiting Windows Kernel Vulnerabilities in Hard Conditions"
Nikita Tarakanov is an independent information security researcher who has worked as an IS researcher at Positive Technologies, VUPEN Security and CISS. He likes writing exploits, especially for the Windows NT kernel, and won the PHDays Hack2Own contest in 2011 and 2012. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation. [Abstract] This topic covers exploitation tricks for vulnerabilities in the Windows kernel when attackers are in hard situations, for example when attackers have tiny or no control of the values that overwrite memory.
SCADA StrangeLove, "Techniques of Attacking Real SCADA & ICS Systems"
SCADA StrangeLove is a group of security researchers focused on ICS/SCADA security, to save Humanity from industrial disaster and to keep Purity Of Essence, in their spare time. During working hours we work on research and security assessment at Positive Technologies. [Abstract] This talk will share the SCADA StrangeLove team's experience in penetration testing in ICS environments, from the network level to applications and from 0-day hunting to project management. Toolkit, tips and tricks, and real-world examples. What you should do and what you should never do. SCADA StrangeLove hopes this talk will help you win the Choo Choo Pwn prize.
1. Tilting at windmills: ICS pentest project management
  a. ICS security assessment project goals: declarations and reality
  b. Threat modelling: traditional vs ICS
  c. Between Security, the ICS team and the Vendor
  d. Choosing the right approach: from hardcore hacking to paparazzi-style audit
2. Playing with networks
  a. ICS protocol overview
  b. Toolkit
  c. Cases
3. Rooting the PLC: don't even try
4. OS/DB/Application
  a. Why you don't need a Magic SCADA Exploit Pack
  b. How to find SCADA 0day
  c. Toolkit
5. I'm the Lord of the SCADA
  a. Ok, I god it. What can I do?
  b. Owning ICS stuff
6. Hunting the operator: ICS network "forensics"
7. Jumping to the business level
  a. Knockin' on the management team's door
  b. BUZZness case: fraud, shmaud and figaud
  c. Pentest to regulatory compliance mapping
  d. Ashes and Hopelessness
Sergey Gordeychik & Alexey Moskvin, "Automatic Exploit Generation for Application Source Code Analysis"
Sergey Gordeychik is a director and scriptwriter of the Positive Hack Days forum, and captain of the SCADAStrangeLove.org team. He is also a member of the Web Application Security Consortium (WASC). Alexey is a coauthor of the research and will join us via Skype to provide some mathematical hardcore. [Abstract] There is no silver bullet for the automation of application security testing. Attempts to combine SAST and DAST in one tool, or to correlate results by "hybrid analysis", may expand dynamic coverage but do not reduce false positive rates. To provide simple-to-understand results and a low false positive rate, a method of automatic exploit generation for source code analysis was developed. By using state-of-the-art mathematical methods, this approach can use the power of SAST to create ready-to-use exploits (e.g. input data that triggers an attack via the detected vulnerability) for the most common application flaws, such as SQL Injection, XML External Entity, Cross-Site Scripting, Remote and Local File Inclusion and so on. During practical testing of the method, the ability to highlight backdoors or application-specific flaws, such as hardcoded passwords or "hidden" execution paths, was observed. To prove the efficiency of the method, several vulnerabilities in widely deployed applications will be disclosed.
Xu Hao & pLL, "Advanced Android Malware Detection Framework"
Xu Hao is currently working on security research and development for OSX/iOS applications, and he also has years of experience in Windows security. His major research covers the security of OSX/iOS/Windows, rootkit attack and detection, virtualization technology, reverse engineering as well as PKI. He has presented his research at international security conferences including XCON, POC and SYSCAN. As a PhD student at Shanghai Jiao Tong University in the computer department, pLL is focused on program analysis theory and algorithms, including fuzz testing, security checking, reliability verification and automated vulnerability analysis of programs. [Abstract] Android malware has kept growing in recent years, and traditional signature-based detection can't protect users from malware effectively. Since it's easy to bypass existing antivirus software by simply modifying and repacking the malware, we developed a static data flow analysis engine, aDFAer, to solve this problem. Our engine can not only identify malicious operations but also try to establish a data flow path from accessing private data to leaking it; in this way, we can detect zero-day malware according to its behavior. Android malware is now adopting various tricks from the age-old desktops. The reflection technique is one of the tricks used by malware to obscure the control flow and thwart static code analysis tools. Malware also prefers to trigger hidden functions using reflection, manipulating the 3G interface for example. On the other side, more than 73 percent of Android apps now use the reflection mechanism to perform benign actions. So, a reasonable methodology is needed to distinguish malware from benign apps. In this topic, we show how to reveal the real purpose of a reflection invocation based on the aDFAer engine. Furthermore, we detect malware actions like sending SMS, turning GPRS on/off, etc. At the end, we show our detection results on over 11,000 malware samples and 6,000 benign apps.
Yongdae Kim, "Hacking Sensors with EMI"
Yongdae Kim is a KAIST Chair Professor in the Department of Electrical Engineering and an affiliate professor in the GSIS at KAIST. He received his PhD from the computer science department at the University of Southern California under the guidance of Gene Tsudik. Between 2002 and 2012, he was an associate/assistant professor in the Department of Computer Science and Engineering at the University of Minnesota - Twin Cities. Before joining the University of Minnesota, he worked as research staff for two years in the Sconce Group at UC Irvine. Before coming to the US, he worked 6 years at ETRI on securing Korean cyberinfrastructure. He received an NSF CAREER award on storage security and the McKnight Land-Grant Professorship Award from the University of Minnesota in 2005. Currently, he is serving as a steering committee member of NDSS and an associate editor for ACM Transactions on Information and System Security (TISSEC). His current research interests include security issues for various systems such as social networks, cellular networks, P2P systems, medical devices, storage systems, mobile/ad hoc/sensor/cellular networks, and anonymous communication systems. [Abstract] Many cyber-physical systems (such as the smart grid, medical devices, and even small Bluetooth headsets) take input from sensors and take action based on that input. For example, an insulin pump controls the insulin injection level based on the amount of sugar in a patient's body. Using the cable between the sensor and the actuator as an antenna, we show how one can inject arbitrary input events into the sensor, which results in malfunctioning of the actuator. Taking a pacemaker as an example, we were able to inhibit pacing of the pacemaker by injecting a healthy individual's heart rhythm. We apply the same principle to a Bluetooth headset to show that an attacker can inject arbitrary voice into the microphone in the headset.