|
DAY 2 - 2nd September 05
START |
END |
TOPIC |
COMPANY |
| 08:00 |
09:00 |
Attacking Web Services
Web Services represent a new and unexplored set of security-sensitive
technologies that have been widely deployed by large companies, governments,
financial institutions, and in consumer applications. Unfortunately, the
attributes that make web services attractive, such as their ease of use,
platform independence, use of HTTP and powerful functionality, also make
them a great target for attack. In this talk, we will explain the basic
technologies (such as XML, SOAP, and UDDI) upon which web services are
built, and explore the innate security weaknesses in each. We will then
demonstrate new attacks that exist in web service infrastructures, and
show how classic web application attacks (SQL Injection, XSS, etc…)
can be retooled to work with the next-generation of enterprise applications.
Strategies for properly designing and protecting web service enabled applications
will also be discussed.
The speaker will also demonstrate some of the first-time
publicly available tools for finding and penetrating web service enabled
systems. |
|
Alex Stamos
iSecPartners |
| 09:00 |
10:00 |
|
Cedric Blancher
EADS Corporate Researcher Center |
| 10:00 |
10:15 |
Coffee Break |
|
| 10:15 |
11:15 |
Profiling Rootkits and Malware through Executive Objects
This talk will focus on a new method to profile user-mode and kernel-mode
activity by hooking executive objects in the Windows kernel. It is a nice
alternative to traditional API hooking and can be used to detect all current
rootkits. Virtually all important operations in Windows are associated
with an executive object--be it drivers, devices, files, sockets, registry
keys, etc. By hooking these objects, we can observe the behavior of the
kernel or user-mode application at a very low level, making it far more
difficult for malware/rootkits to hide. |
|
Matthew "Shok" Conover
Symantec |
| 11:15 |
12:15 |
Attacking Internet Banking Applications
The general public sentiment is that the banks, having always been the
guardians of our money, are expert at safeguarding it. Unfortunately,
internet corporate banking and personal banking applications are usually
ridden with bugs. Internet Banking Applications development is nowadays
out-sourced to third party software vendors
that have poor understanding of security, and incomplete quality management
processes. Most of the time the applications are extremely insecure before
they get audited by security professional third-parties.
This presentation will demonstrate the various attacks that almost always
work (and those that do not), on your “bank-next-door” internet
banking application, illustrated with real life statistics. We will outline
the regular technical attacks and will focus on a hit parade of business
logic attacks. We will steal money from other customers, buy shares for
free, and spy on other customers bank records among many other frauds.
This demonstration will highlight the solutions to some of the challenges
the banks will face online to ensure that their data handling practices
are compliant with their country’s privacy regulations and banking
regulations among others. |
|
Fabrice Marie
FMA-RMS |
| 12:15 |
13:15 |
Lunch Break |
|
| 13:15 |
14:15 |
Exploiting kmalloc overflows to own j00
This talk will focus on a mechanism to exploit the Linux kernel for local
privilege escalation. We will start off discussing the internals of the
Slab Allocator, followed by an overview of possible exploitation techniques
that we have researched. Lastly, we will end the presentation with a case
study of a 0day exploit for a Linux kernel integer-related vulnerability.
|
Clflush and Amnesia
Kernsh Security Research |
|
| 14:15 |
15:15 |
Bluetooth Hacking-Full Disclosure
In November 2003, Adam Laurie discovered serious flaws in the authentication
and data transfer mechanisms on some Bluetooth enabled devices, and, in
particular, mobile phones including commonly used Nokia, Sony Ericsson
and Motorola models. Shortly thereafter, Martin Herfurt of Salzburg Research
Forschungsgesellschaft mbH expanded on these problems, and teamed up with
Adam to investigate further. At EuroFoo in August 2004, Adam and Marcel
Holtmann met, and agreed to collaborate on looking into the underlying
causes of the problems, as well as sharing information and resources to
try and gain a better foothold for the Open Source community within the
official Bluetooth organizations.
This talk will cover the issues arising out of the flaws, as well as the
actual stack methodologies and tools used, and an update on the industry's
response and progress since the original discoveries.
This will be a fun talk and a real eye-opener for those with Bluetooth
enabled devices, and will start with an introduction into the Bluetooth
architecture and the security mechanisms offered by it so that it is possible
to understand how and why the different attacks are working. Further there
will be an introduction into the Linux Bluetooth stack BlueZ that will
be used for doing the attacks and showing exactly how these attacks are
working. |
Adam Laurie
The Bunker Secure Hosting |
|
| 15:15 |
15:45 |
Coffee Break
| |
| 15:45 |
16:45 |
.Net Web security-Attack and Defense
Web security is becoming very critical as .Net framework is evolving.
New set of vulnerabilities are coming up at web application level. Web
Services are also becoming integral part of web application and creating
next generation threat for emerging web application layer. There are new
set of methodology is required to attack .Net applications and to provide
defense new strategies are evolving. This presentation will brief about
both attacks and defense with new set of tools. |
|
Shreeraj Shah
NetSquare |
| 16:45 |
17:45 |
|
SAN
XFocus |
| 17:45 |
18:45 |
Old Skewl Hacking-Infrared – How to Break into the Hotel System
"The telecommunications landscape is undergoing multiple revolutions,
from analog to digital, from simple mobility to complex roaming, from
TDM to VoIP, from centralized to distributed, from proprietary systems
to open standards and more importantly, from a closed environment to an
increasingly interconnected world. Those changes are creating new security
challenges, and the battle between privacy advocates and law enforcement
is far from being over. As legal interception techniques become more ubiquitous,
solutions to counter them such as cryptography and distributed non-standard
protocols, are increasing in popularity. Similarly, hacking techniques
and countermeasures for the new communications protocols such as VoIP,
3G/4G, IMS, WiMAX and others, are gaining in complexity and are becoming
a growing concerns for authorities, operators and subscribers alike." |
|
Major MalFunction |
| 18:45 |
19:00 |
Closing Speech
and Lucky Draw |
Dr. Komain Pibulyarojana
Head of Thai Computer Emergency Response Team |
| |
|
End of Day 2 |
|
| |
|
|
|
DAY 1 - 1st September 05 |
| Powered by SyScan © 2009 SyScan'09 |
|
