DAY 1 (17th June 2010)

TIME TOPIC SPEAKER
0800 - 0900
REGISTRATION AND COFFEE
0900 - 0915
OPENING AND WELCOME ADDRESS
THOMAS LIM
SyScan’10, COSEINC
0915 - 1015
SNIFFING AND INJECTING THE SUB-GHZ BAND

There are more than a dozen LPAN radio protocols in the Sub-GHz and 2.4GHz ISM bands, used for everything from home and industrial automation to toy communications. Some have halfway decent cryptography, but most are left unencrypted, relying upon the obscurity of encoding to protect packets from listeners. By use of an in-circuit debugger and some machine-readable chip documentation, it is possible to hijack the radios of development kits and children's toys. These can then be used as intelligent packet sniffers and injectors, already having the proper analog chain and being reprogrammed with any of several digital configurations. The required soldering is minimal, and the hardware can be purchased cheaply once the toys go out of style.

This lecture presents a new implementation of such a radio framework, targeting Python through the GoodFET as well as a self-contained packet sniffer in embedded C for the Girltech IM ME toy. Additionally, methods for locally extracting keys for use with the sniffer will be covered.

TRAVIS GOODSPEED
Independent Hacker
1015 - 1030 Coffee Break (Beer Available)
1030 - 1130
STANDING ON THE CLOUDS

Virtualization and its natural evolution, cloud computing, are young yet pervasive technologies. They form a fast-changing environment, where rules are rewritten every time a vendor releases a significant upgrade. Private Clouds are a relatively recent evolution, yet their management and deployment models have a significant impact on the security they can achieve at the moment and the level of security they will be able to offer in the future.

In this talk, we will explore the virtualization security domain through the custom tools we've developed in the vasto suite and by a detailed analysis of existing technological solutions and their features... and failures.

CLAUDIO CRISCIONE
Secure Network
1130 - 1145 Break (Beer Available)
1145 - 1245
UNDER THE KIMONO OF OFFICE SECURITY ENGINEERING

This is a multipart presentation by engineers working on Microsoft Office security. The first part will detail a distributed fuzzing framework. The second part will detail engineering defenses to fuzzing attacks in the upcoming release of Office (Office 2010).

Security researchers and zero-day exploits continue to leverage fuzzing bugs in Microsoft products. What are we doing to defend our products? As presented during BlueHat 2009 (Jason Shirk) and CanSecWest 2008 (Charlie Miller), the more fuzzing iterations performed, the more likely you are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to ship. This seems like a good idea and achievable, but what happens if your application parses more than 200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done - complete with fuzzing command and control servers to delegate work to the fuzzing bots.

This presentation covers a framework built by the Office team to efficiently fuzz any file format parser. This framework can be used by any internal product team that parses file input and significantly reduces the pain around file fuzzing. This framework is not a fuzzer itself, and you won't need to rewrite your fuzzers. Instead, it allows existing fuzzers to plug in and run in a distributed fashion. The Office team is using this system to perform millions of iterations per day without purchasing any additional hardware. The Office team turned desktop machines and lab machines into a botnet for fuzzing during downtime. Other challenges that are solved by the distributed fuzzing framework and covered in this presentation include central run management, recurring job scheduling, duplicate detection across machines and runs, automated regression passes, and automated bug filing.

Even with millions of fuzz iterations and following the best practices of the Security Development Lifecycle (SDL), some bugs will be missed. The Office security team has engineered a series of layered defenses in addition to strengthening the parsers themselves. This presentation also covers two of these layers. The first layer, Gatekeeper, helps validate whether the data should be loaded by the target application. The Gatekeeper architecture allows it to be used by other applications and to describe additional binary formats. The second layer discussed leverages Windows Integrity Levels and is known as Protected View. Even if malicious code runs inside of Protected View, it should not be able to alter the host machine. The presentation will demonstrate how recent MSRC cases are mitigated by Protected View and Gatekeeper.

TOM GALLAGHER
&
DAVID CONGER

Microsoft
1245 - 1400 Lunch
1400 - 1500
LOW SCUTTLING CHILLI CRAB: NETWORK RECON 2010AD

Network reconnaissance is an art as old as hacking, but the days of dumpster diving and fingering your way around the 'net are long in our past. In the world of Google, Wolfram|Alpha and Shodan, target acquisition is king: there's a new exploit every day, so who's going down after you've finished your first cup of coffee tomorrow?

In this presentation, Metlstorm examines the practicality, implementation and effect of datamining country-scale network targeting databases. Building on the experience of spending the previous year mapping the New Zealand internet for his Kiwicon 2009 talk "Do Your Fruit Hang Low", Metlstorm deploys the Low Hanging Kiwifruit toolchain against its newest target: Singapore.

So, Singapore, are your networks open? How many open DSL routers are there in Singapore? Which ISP has its blade switches open for you to telnet to? Just how useful is it to full-text search every SSL certificate name, 302 redirect target and DNS entry?

METLSTORM
1500 - 1515 Break (Beer Available)
1515 - 1615
STRIKING BACK WEB ATTACKERS

When an attack is detected on a web server, some defenders try to handle the incident by getting rid of the intruders and by hardening their infrastructure so that they won't be owned again. Sometimes they get enough spare time to analyze exactly what happened, by doing some kind of forensics, or by contacting remote administrators and authorities, etc. But recently, attackers might not really be afraid of the consequences of their digital crimes.

This talk proposes to think further and to re-balance the Internet war between the light side and the dark side. We will add a new way to behave when evil hackers are caught on a host. Indeed, TEHTRI-Security will explain how to strike back against your web assailants, so that you would be able to get more information about them or identify them, steal their tools and methods, or sometimes penetrate their own computers too. Of course, those technical initiatives might lead to legal issues, depending on international and local laws (self-defense, etc.). But this talk will focus on tactical issues, showing real-life examples where it might be possible to hack the web hackers.

LAURENT OUDOT
TEHTRI-Security
1615 - 1630 Coffee Break (Beer Available)
1630 - 1730
AN RIA SECURITY SOLUTION - FLASH AND PDF THREAT HANDLER

Rich Internet Applications, known as RIAs, are a new concept in modern Web 2.0. Moving logic from the server to an untrusted client may open up security holes that were never present in the page-oriented "Web 1.0" architecture. Adobe Flash and PDF are two of the most important RIA formats and are the most widely used by internet users. During the past two years, hackers have paid more attention to RIA exploits, especially to Adobe vulnerabilities spread through the internet; Adobe software was believed to be the second Microsoft.

In this presentation, we will start with the threat trend of SWF and PDF applications and the various kinds of attacks that rely on vulnerabilities in web browsers and spread across the internet. We will then show how antivirus software handles them and how hackers manage to bypass it, and demonstrate the technical details of the format changes and advancement of malicious SWF and PDF files aimed at bypassing antivirus software. To fight against these Web 2.0 based attacks, we will present a research project on an analysis tool for parsing malicious content. In the end, we will present a framework for a real-time RIA scanner between the gateway and the user's browser.

This presentation has never been published to the public before.

HERMES LEI LI
&
ULYSSES WANG

Websense
1730 - 1830
INDUSTRIAL BUG MINING - EXTRACTING, GRADING AND ENRICHING THE ORE OF EXPLOITS

If bugs are the raw ore of exploits - Rootite, if you like - then we're mining in areas where the Rootite is rare and deeply buried. Industrial-scale bug mining starts with very, very fast fuzzing. In contrast to the MS Fuzzing Botnet, we use a dedicated, single-purpose cluster of virtual machines which is optimised for fuzzing. Last year we released some metrics, then MS released better ones. So, we rebuilt the whole system and made it faster and more scalable - can we outperform the Redmond Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full of impurities such as Nullpointium, which needs to be graded and enriched before it is valuable. After grading, we "enrich" our highest-grade Rootite by using differential runtracing of crashes to assist root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using magic, funky graphs and compression before comparing them side by side with the clean run. Our diff files are plaintext, small enough for us to eyeball them, and allow us to navigate to any point in the trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer.

BEN NAGY
COSEINC
End of Day 1
The organizer reserves the right to change the program.
DAY 2 - 18th June 2010