HackCon #8 - 2013

HackCon #8 - 2013

Mandag og Tirsdag (8|4 - 9|4|2013)

09.00 - 17.00 PreHackCon#8

1) Kurs I Websikkerhet og remote exploits - del II (Blackbelt edt)
2) Kurs II Operativ sosial penetrasjonstesting

17.00 - 18.30 Registrering HackCon#8

Onsdag 10|4|2013 (beskyttelse av org. mot trusler)

08.15 Dørene åpnes

08.15 - 09.00 Registrering HackCon#8

09.00 - 09.15 Administrativ informasjon
Gjennomgang av agenda for HackCon#8 og praktisk informasjon.

09.15 - 10.00 Can you hear me now? Leveraging Mobile Devices on Penetration Tests - US

BYOD is not a new concept. From contractor laptops to an employee's game console in the break room, a compromised device in the corporate environment can lead to all sorts of bad things.

 

In this talk we will look at the unique threats that BYOD for mobile devices brings to the table. The most security conscious corporations are deploying the latest devices and policies to stop attackers from breaching the perimeter and if they do to stop data exfiltration. We will discuss how mobile devices on a corporate network and/or handling company data undermines these efforts.

 

We will look at multiple mobile platforms gathering sensitive information, attacking other devices such as other mobile devices, servers, and workstations, and using out of band communication to perform data exfiltration and communicate with internal devices. Multiple live demo scenarios will be shown and some useful code for pentesters will be released.

 

Presentation will be held by Georgia Weidman. Georgia is a penetration tester, security researcher, and trainer. She holds a Master of Science degree in computer science, secure software engineering, and information security as well as holding CISSP, CEH, NIST 4011, and OSCP certifications.

 

Her work in the field of smartphone exploitation has been featured in print and on television internationally. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the Smartphone Pentest Framework (SPF) which allows pentesters to assess the security of mobile devices in an environment.

 

You can find more information about Georgia on http://www.youtube.com/watch?v=m1WSEeTwXHU, http://georgiaweidman.com/wordpress and https://twitter.com/georgiaweidman.

10.15 - 11.00 All Your Faces Are Belong to Us - Breaking Facebook's Social Authentication - Italy

Two-factor authentication is widely used by high value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos.

 

In this presentation we will study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implemented a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluated it using real public data collected from Facebook.

 

Under the assumptions of Facebook's threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of the tagged friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing.

 

Additionally, we simulate the scenario of a determined attacker placing himself inside the victim's social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when as little as 100 faces per friend are accessible by the attacker.

 

Presentation will be held by Stefano Zanero. Stefano received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an assistant professor with the Dipartimento di Elettronica e Informazione. His research focuses on intrusion detection, malware analysis, and systems security.

 

Besides teaching Computer Security at Politecnico, he has an extensive speaking and training experience in Italy and abroad. He co-authored over 40 scientific papers and books. He is an associate editor for the "Journal in computer virology". He's a Senior Member of the IEEE (covering volunteer positions at national and regional level), the IEEE Computer Society (for which he is a member of the Board of Governors), and the ACM.

 

Stefano co-founded the Italian chapter of ISSA (Information System Security Association), of which he is a senior member. He sits in the International Board of Directors of the same association. A long time op-ed writer for magazines (among which "Computer World").

11.15 - 12.00 Mastering Master-Keyed Systems - US

You've all seen discussions about the nuance and finesse of lockpicking with specialized tools. Maybe you've even learned how these tactics work and you've hardened your mechanical locks against manipulation. Would it surprise you to learn that many popular and effective attacks against mechanical locks do not employ pick tools at all?

 

Something as innocuous as blank keys themselves can be used as implements of entry... and WITHOUT the benefit of a professional key-cutting machine and WITHOUT access to a working key. Some of you may have already heard of (or even tried) bumping as a means of opening locks. But how many of you have tried impressioning? How many of you have decoded a master key to escalate your privileges within a given system?

 

This talk will show what can be accomplished with a blank key, a file, along with simply some time and dedication. You might be surprised at how vulnerable you are, and how innocent an attacker and their tools might appear!

 

The presentation will be held by Deviant. While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. He has written several best-selling books on the topic of Physical Security, and his favorite Amendments to the US Constitution are.

12.00 - 13.00 Lunsj

13.00 - 13.45 Death By Pixels - India

What do you get if you combine art with an exploit? "Death By Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects. This is not another talk about packers and crypters when it comes to exploit delivery. We are talking eye candy, visual appeal, style! A successful exploit is one that is delivered with style.

 

This talk explores several sneaky, funny, silly and creative techniques for delivering exploits right to your doorstep with zero interference from content-filtering or anti-virus.

 

This talk goes beyond the obvious obfuscation. We combine the power of web hacking, the power of sophisticated exploit development and goofball creativity to ensure that exploits get delivered and detonate on time, as planned. Did you know you can literally paint an exploit on canvas? Have you heard of chameleon Javascript? You won't look at RGB the same way as you did before.

 

Demos, demos everywhere. Seeing is believing, and this talk is all about pretty pictures anyway.

 

Thought provoking discussions on newer and more innovative ways of disguising and delivering exploits. The future of browsers. The future of web content. Futility of signature based blacklisting. For the attacker it is all about how to get really sneaky. For the defender it is all about turning what is theoretical into practical reality.

 

This presentation will be held by Samuil Shah. Saumil is an internationally recognized speaker and instructor. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

 

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.

14.00 - 14.45 Dirty Little Secrets Part 2 - US

This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year's Dirty Little Secrets they didn't teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.

 

Presentation will be held by Chris Gates and Rob Fuller. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD (Department of Denfence) Red Team and other Full Scope penetration testing teams.

 

Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his... redacted...no one cares anyway. In the past, he has spoken at sevreal cons and at the United States Military Academy. He is a Co-Founder of NoVA Hackers and he is a regular blogger at carnal0wnage.attackresearch.com.

 

Rob Fuller (Mubix) is a Senior Red Team member for a Fortune 500. He is a cast member of the video podcast Hak.5, Co-founded the NoVA Hackers group, talked at some cons, and holds 3 certifications Father, Husband and United States Marine. http://www.room362.com, http://twitter.com/mubix.

15.00 - 15.45 Social-Engineering: Not your average cup of Joe - US

Okay Social-Engineering? Really? This started off an epic long time ago but in today's world, could not be more damaging or easy to do. Coupling technology and social-engineering in order to create an avenue of attack that never previously existed can go completely un-noticed. In this presentation, learn from real-world examples on some of the most challenging, most researched, and targeted attacks that we have ever done. We had to overcome every hurdle you could think of in order to compromise some of the worlds most sophisticated security programs. Let's dive deep into human behavior, technology, hacking, and pen testing. It's time to bypass A/V, HIPS, WAFs, IPS, IDS, and go straight for the human element and own everything.

 

Presentation will be held by Dave Kennedy (ReL1K). Dave is responsible for ensuring the overall physical and logical security of a Fortune 1000; publicly traded company. Dave also runs the security consulting practice at Diebold which is focused on enhancing and building security for large and mid-sized organizations. Dave is the creator of the Social-Engineer Toolkit (SET), an open-source penetration testing tool for social-engineering.

 

Dave is the co-founder of DerbyCon, a large-scale security conference located in Louisville Kentucky. Dave is the co-author of Metasploit: The Penetration Testers Guide book which has been number one in security on Amazon for over 6 months. Prior to Diebold, Dave worked for the United States Marine Corps (USMC) and the intelligence field working on information warfare activities.

16.00 - 16.45 Penetration testing from a Hot Tub Time Machine - US

Put on your suit and venture back to 1999! Many penetration testers either forgot what we learned in the 90s or may be too young to even remember the game 12+ years ago. Either way, the Kung-Fu that worked so well back then is still prevalent in today's electronic world. Sure the tools got better; our systems got faster; and *hopefully*, your testers evolved along the way.

 

But the basics that served as such a solid foundation and development platform back then still provides reliable pathways to privileged access in nearly every business in today's world.

 

This talk will not only serve as a nostalgic flashback to those great times but also demonstrate real world attack techniques that work on practically every engagement that we conduct, show why the basics will still get a corporation owned at multiple levels, and illustrate methods of attack that many may think is a lost art or unnecessary. So, put away those 0-days, detach yourself from automated toolsets, step outside of those hypothetical testing chambers, roll up your sleeves and see what attacks from the trenches REALLY looks like.

 

The presentation will be held by Eric Smith. Eric specializes in penetration testing with over 14 years of experience in the IT/IS industry. Eric is well versed in a variety of Risk Assessment services and has extensive experience in network and application penetration testing, insider threat assessments, Social Engineering, physical security and Red Team engagements. When Eric isn?t compromising large scale, heavily protected fortresses, he enjoys long walks through the dark jungles in search of unicorns, horseshoes and hidden treasures that many claim to be "suicide missions". Twitter: @InfoSecMafia.

17.00 - 17.45 Cut the crap; let's create a Phishing and Trojan attack. - US

In this session, Dave Chronister will demonstrate one of his favorite attacks to perform during Social Engineering Audits.

 

In 45 minutes, Dave will show you how to create an attack that consists of a Trojan, Phishing Website, and Phishing Emails; from reconnaissance to successful exploitation. No Power Point slides or Recordings, this will be 100% live. Programming Experience not needed. At the end of this session every attendee will be able to successfully create this attack and modify it to their own needs.

 

With a success rate of over 90% you will see why Dave and the Hacker's at Parameter call this attack 'Old Faithful'.

 

Dave Chronister is a C|EH, CISSP, MCSE, C|HFI. Dave obtained a unique firsthand look at the mind, motives, and methodology of the Hacker. Dave has provided Auditing, Forensics, and Training to clients world-wide. Dave's expertise has been featured in many media outlets including; Computer World, Popular Science, Information Security Magazine, St. Louis Post Dispatch, and KTVI Fox News, to name a few.

18.00 - 23.00 Sosialt arrangement

Her har du muligheten til å knytte kontakter og bli kjent med andre. Lett middag og underholdning med mer. Nettverket sørger for middag med mer.

23.00 Dørene låses.

 

Torsdag 11|4|2013 (beskyttelse av org. mot trusler)

08.15 Dørene åpnes

09.00 - 09.45 Hvordan selge sikkerhet til ledelsen - og få aksept - Norge

Hvordan selge sikkerhet til ledelsen - få aksept for dine behov ved å forstå hva ledelsen ønsker og hvordan de tenker.

 

Lær deg å legge frem dine behov på en måte ledelsen forstår og lytter til. Få gjennomslag for dine ideer, og skap en bedre sikkerhetskultur.

 

Foredraget holdes av Kai Roer. Kai er en management konsulent innen strategisk informasjonssikkerhet, kurs- og foredragsholder med erfaring fra over tyve land. Han jobber med strategisk rådgivning innen ledelse, kommunikasjon og risikohåndtering. Kai er samfunnsengasjert og med global fokus. Han har også være med å gi ut flere bøker om emnet.

10.00 - 10.45 Search Engine Poisoning (SEP) Attacks - US

Search Engine Poisoning is still the #1 vector used by the Malware Delivery Networks (MDNs) that we track, in spite of efforts by the major search engines to keep these links out of their search results. This presentation will analyze MDN tactics, provide head-to-head stats on the effectiveness of major search engines at filtering the bad links and suggest strategies to minimize this risk.

 

Presentation will include:

• Intro: Why it works so well as an attack vector
• Short historical perspective
• How we calculate attack vectors (and SEP emerges as the clear #1)
• Effectiveness of various search engines at keeping SEP out of results
• Common SEP attack categories (i.e., what do they target?)
• Including image searches and non-English searches
• What about "celebrity" and "big event" SEP? (including the 2012 Olympics)
• A look at current data
• Suggestions for improving defenses

 

Session will be presented by Chris Larsen. He's also the main blogger at bluecoat.com/security, which you should bookmark, since reading about malware is lot more fun than cleaning it off your systems, he's also head of the Malware Research team. He stopped playing World of Warcraft with his sons a few years ago, when he decided it was more fun to spend his "gaming time" hunting for more Bad Guy activity in the traffic logs."

 

You can find he's two blog posts at: http://www.bluecoat.com/security/security-archive/2012-08-20/did-we-see-any-olympics-themed-sep-attacks and http://www.bluecoat.com/security-blog/2012-12-10/search-engine-poisoning-holiday-tradition.

11.00 - 11.45 Moloch - your friend in the Dark - US

Moloch is a highly scalable and open source full packet capture system that has just been published to the world in October of 2012 (moloch).

 

Moloch has the ability to parse and index billions of network sessions to provide an extremely fast and easy to use web application for navigating large collections of PCAP based on IP/GeoIP/ASN/hostname/URL/filetype and more. It can capture from the wire live for use as a network forensics tool to investigate compromises.

 

Moloch also serves as a great way for searching and interacting with large PCAP repositories for research (malware traffic, exploit/scanning traffic). Moloch's web API also makes it extremely easy to integrate with existing SEIM's or other alerting tools/consoles to help speed up analysis.

 

Presentation will be held by Eoin Miller. Eoin has been a member of AOL's Computer Emergency Response Team (CERT) for the last 2+ years. His focus is on using network intrusion detection and full packet capture systems to detect (and shut down where possible) malicious online advertising, drive by exploit kits, targeted threats, botnets, clickfraud, webshells and badness in general. He has contributed several signatures for Snort/Suricata to the Emerging Threats group over the past few years. Prior to working at AOL, Eoin worked as a penetration and web application security tester for members of the US DoD/Intel community.

11.45 - 12.30 Lunsj

12.30 - 12.50 Loddtrekning med mer

12.50 - 13.35 Want to control smart phones? - India

Long was the time when all cell phones could do was make a phone call. Smart phones have taken over the market in frenzy. Why shouldn?t they? Today email, social networking, banking everything is possible on the go with smart phones.

 

These smart phones are now equipped with features like data, Wi-Fi, voice and GPS functions. The sudden growth in number of applications available for these smart phones does raise a certain level of concern for the user's security. Due to its need the mobile security field has just begun.

 

According to recent market survey 52% of the devices run Android operating system, 32% use iOS and the rest are shared by Blackberry, Symbian and others. In March 2011, 58 malicious applications were found on Android Market, before Google would remove the application they were downloaded to around 260,000 devices. Lately, HTML5 has been becoming key player in the mobile with all major mobile platforms supporting HTML5 based applications.

 

Presentation will include several different demonstration of mobile attacks on different platforms and with HTML5 based mobile applications. The presentation will show how and attacker can take control of you and your smart phone. Presentation will conclude with checklist for penetratoin testers to perform mobile application security reviews.

 

Presentation will be held be Hemil Shah. Hemil Shah, CISSP, CSSLP, ACP, has published several advisories, tools, and whitepapers, and has presented at numerous conferences. Hemil is expert in Mobile Application Security, Application Security, researching new methodologies and training designs. He has performed more than 1000 security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews and Mobile application security review.

13.50 - 14.35 CSI:Web - These things we've done - US

An overview of AOL (America Online, is an American global brand company that develops, grows, and invests in brands and web sites) developed open source tools [and case studies] that provide advanced defender, incident response and investigative capabilities with a scope that spans general web application and API attack mitigation, the detection of malware via client header anomalies and network forensics. You sould be at this session to learn more about CSI on Internett.

 

Presentation will be held by William Salusky. William has been a member of AOL's Computer Emergency Response Team for the past decade where he has been responsible for skunk works engineering that protects his corporate and production networks. William knows how to share intel, plays well with others yet occassionally runs with scissors.

 

William is an alumni of both the Honeynet Project and Internet Storm Center and was recently taken on as a volunteer member of the Shadowserver Foundation. William is a generally awesome person, just ask him.

14.45 HackCon#8 slutt