| 0800 - 0900 |
Registration and Breakfast

| 0900 - 0930 |
Opening and Welcome Address
Thomas Lim (@thomas_coseinc)
Organiser, SyScan'14, CEO, COSEINC

| 0930 - 1030 |
Car hacking is fun. Instead of popping calc.exe, you try to take control of vehicles and crash them. One of the biggest problems with getting into car hacking is that, while Chrome and Adobe Reader are free downloads, cars are not. This talk goes into detail on how to get into car hacking even without a car. It discusses getting functional automotive ECUs working on the bench as well as simulating CAN network traffic so that the ECU believes it is in the vehicle. Whether you want to look at a single ECU, a network of all the ECUs from a vehicle, or construct an entire automotive testing platform, we'll show you how to do it for less than a tenth of the cost of purchasing a vehicle.
Charlie Miller ("biggest media whore") and Chris Valasek ("lucky drunk")

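Simulating CAN traffic on the bench means reproducing, bit for bit, what a real controller puts on the bus. The following is an added example (not the speakers' tooling) that encodes one CAN 2.0A data frame the way a controller does, including the CRC-15 and bit stuffing, and decodes it again so the stuffing and CRC rules are visible. The sample frame (ID 0x7DF with a UDS-style payload) is constructed for illustration; everything else follows the published CAN framing rules.

```python
"""CAN 2.0A (11-bit identifier) data-frame bit encoder and decoder.

Added example, not code from the talk: shows the bit stream a bench
simulator has to reproduce for an ECU to accept a frame as genuine.
"""

CRC15_POLY = 0x4599  # x^15 + x^14 + x^10 + x^8 + x^7 + x^4 + x^3 + 1


def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def crc15(bits):
    """CAN CRC-15 over the unstuffed bits from SOF through the data field."""
    crc = 0
    for bit in bits:
        nxt = bit ^ ((crc >> 14) & 1)
        crc = (crc << 1) & 0x7FFF
        if nxt:
            crc ^= CRC15_POLY
    return crc


def stuff(bits):
    """Insert a complementary bit after every five equal consecutive bits."""
    out, run, last = [], 0, None
    for b in bits:
        out.append(b)
        run, last = (run + 1, last) if b == last else (1, b)
        if run == 5:
            out.append(b ^ 1)
            run, last = 1, b ^ 1
    return out


def destuff(bits):
    """Inverse of stuff(): drop the bit that follows five equal bits."""
    out, run, last, i = [], 0, None, 0
    while i < len(bits):
        b = bits[i]
        out.append(b)
        run, last = (run + 1, last) if b == last else (1, b)
        if run == 5:
            i += 1  # skip the stuff bit; it starts a new run of its own
            if i < len(bits):
                run, last = 1, bits[i]
        i += 1
    return out


def encode_frame(can_id, data):
    """Return (bits on the wire, crc) for a standard data frame."""
    assert 0 <= can_id < 0x800 and len(data) <= 8
    body = [0]                            # SOF (dominant)
    body += int_to_bits(can_id, 11)       # identifier
    body += [0, 0, 0]                     # RTR=0 data, IDE=0 standard, r0
    body += int_to_bits(len(data), 4)     # DLC
    for byte in data:
        body += int_to_bits(byte, 8)
    crc = crc15(body)
    stuffed = stuff(body + int_to_bits(crc, 15))   # stuffing covers SOF..CRC
    tail = [1, 1, 1] + [1] * 7            # CRC delim, ACK slot, ACK delim, EOF
    return stuffed + tail, crc


def decode_frame(bits):
    """Return (can_id, data, crc_ok) from a wire bit sequence."""
    fields_and_crc = destuff(bits[:-10])  # strip the unstuffed 10-bit tail
    fields, crc_bits = fields_and_crc[:-15], fields_and_crc[-15:]
    assert fields[0] == 0, "missing SOF"
    can_id = bits_to_int(fields[1:12])
    dlc = bits_to_int(fields[15:19])
    data = bytes(bits_to_int(fields[19 + 8 * i:27 + 8 * i]) for i in range(dlc))
    return can_id, data, crc15(fields) == bits_to_int(crc_bits)


def max_run(bits):
    """Longest run of equal bits; must be <= 5 inside the stuffed region."""
    best = run = 0
    last = None
    for b in bits:
        run = run + 1 if b == last else 1
        last = b
        best = max(best, run)
    return best


# Constructed sample: functional diagnostic request ID with an OBD-style payload.
SAMPLE_ID = 0x7DF
SAMPLE_DATA = bytes([0x02, 0x01, 0x0C, 0x55, 0x55, 0x55, 0x55, 0x55])

if __name__ == "__main__":
    bits, crc = encode_frame(SAMPLE_ID, SAMPLE_DATA)
    print("wire bits:", "".join(map(str, bits)))
    print("crc15: 0x%04x  decoded: %r" % (crc, decode_frame(bits)))
```

The identifier 0x7DF begins with five recessive bits, so the very first stuff bit lands inside the ID field; a bench simulator that hand-builds frames without stuffing and CRC will simply be ignored by the ECU's controller, which is why real tooling works at the frame level through a CAN interface rather than raw bits.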
| 1030 - 1100 |
Coffee Break Sponsored by NSA
"We are keeping you safe"

| 1100 - 1130 |
Secure Boot is a new UEFI feature that enforces a signature check on the boot loader before the firmware transfers control to it. This feature prevents the traditional "bootkit" style of attack that infects the MBR in an effort to subvert the operating system kernel while it is being loaded. However, UEFI implementations have added flexibility to how and when this policy is enforced. In order to be secure, this "flexibility" is typically configured by the OEM. We will show how the standard UEFI interface provided to the operating system can be abused to re-configure the Secure Boot policy such that a malicious bootloader will be called by the firmware, all while the Secure Boot feature is still reported as enabled.
Corey Kallenberg, Xeno Kovah, John Butterworth, Sam Cornwell

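The "reported as enabled" state in the abstract is what the operating system reads back through the UEFI runtime GetVariable interface, which Linux exposes as files under efivarfs. The following is an added example (not the speakers' code) that parses that interface's format and performs the check a practitioner normally starts with; the two variable images are constructed in memory so it runs anywhere, and the variable names use the EFI_GLOBAL_VARIABLE GUID from the UEFI specification.

```python
"""Read the Secure Boot state an OS sees via UEFI runtime variables.

Added example for the Secure Boot talk above, not the speakers' code.
An efivarfs file is a 4-byte little-endian attribute word followed by
the variable data; SecureBoot and SetupMode are one-byte booleans.
"""
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"   # Linux efivarfs mount point

EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def parse_efivar(raw):
    """Split an efivarfs file image into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def secure_boot_state(files):
    """files maps 'Name-GUID' to raw file bytes.

    Returns {'SecureBoot': bool|None, 'SetupMode': bool|None,
             'anomalies': [str]}; a missing variable is reported as None.
    """
    state = {"anomalies": []}
    for name in ("SecureBoot", "SetupMode"):
        raw = files.get("%s-%s" % (name, EFI_GLOBAL_VARIABLE))
        if raw is None:
            state[name] = None
            continue
        attrs, data = parse_efivar(raw)
        # Both variables are specified as volatile (BS+RT only); NV set on
        # them is unexpected and worth a closer look at the firmware.
        if attrs & EFI_VARIABLE_NON_VOLATILE:
            state["anomalies"].append("%s is marked non-volatile" % name)
        if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
            state["anomalies"].append("%s lacks runtime access" % name)
        state[name] = (data[0] == 1) if data else None
    return state


def secure_boot_looks_enforced(state):
    """True only when SecureBoot=1 and the platform is not in setup mode."""
    return state.get("SecureBoot") is True and state.get("SetupMode") is False


def read_live(dirpath=EFIVARS_DIR):
    """Read the real variables from efivarfs (Linux; readable without root)."""
    files = {}
    for name in ("SecureBoot", "SetupMode"):
        fname = "%s-%s" % (name, EFI_GLOBAL_VARIABLE)
        path = os.path.join(dirpath, fname)
        if os.path.exists(path):
            with open(path, "rb") as fh:
                files[fname] = fh.read()
    return files


# Constructed samples: attributes BS|RT (0x06) and a one-byte value.
SAMPLE_ENFORCED = {
    "SecureBoot-" + EFI_GLOBAL_VARIABLE: struct.pack("<I", 0x06) + b"\x01",
    "SetupMode-" + EFI_GLOBAL_VARIABLE: struct.pack("<I", 0x06) + b"\x00",
}
SAMPLE_SETUP_MODE = {
    "SecureBoot-" + EFI_GLOBAL_VARIABLE: struct.pack("<I", 0x06) + b"\x00",
    "SetupMode-" + EFI_GLOBAL_VARIABLE: struct.pack("<I", 0x06) + b"\x01",
}

if __name__ == "__main__":
    live = read_live()
    print(secure_boot_state(live if live else SAMPLE_ENFORCED))
```

This is the check the OS and most inventory tools perform, and the abstract's point is exactly that it is necessary but not sufficient: the talk shows the policy being reconfigured through the same variable interface while SecureBoot continues to read as 1, so a clean result here says nothing about what the firmware will actually accept at the next boot.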
| 1130 - 1230 |
Mobile Point-of-Sale (mPOS) systems allow small businesses and drug dealers to accept credit card payments using their favourite iDevice (Disclaimer: other mobile devices are available). During our research we had a look at the security of the leading solutions for mobile Chip & PIN payments. If you saw our previous PinPadPwn research, you won't be surprised to hear we discovered a series of vulnerabilities which allow us to gain code execution on these devices through each of the available input vectors. We will discuss the weaknesses of current solutions and have live demonstrations for multiple attack vectors, our favourite being a malicious credit card which drops a remote root shell on an embedded mPOS device.
Nils and Jon Butler ("British gweilos")

| 1230 - 1300 |
This talk will give best-practice approaches for specific, recurrent problems in computer security R&D. Such methods include, but are not limited to, the setup of scientific experimental regimes, statistical frameworks, machine learning algorithms and data/results visualisation (for an illustrative work see Yamaguchi's 2011 MSc thesis "Automated Extraction of API Usage Patterns from Source Code for Vulnerability Identification", subsequently presented at BH 2011 and WOOT '11). We will discuss the suitability and limitations of these methods and offer something of a blueprint.
Concrete current examples will be taken from side channel analysis (see SyScan 2013, Wicherski, "Taming the ROPe on Sandy Bridge") and concurrency attacks (see SyScan 2013, Jurczyk & Coldwind, "Bochspwn").
Lastly, in the context of my own research, I may discuss "Natural Laws for/of/in Virtual Reality", in which I show the challenges of distilling predictive laws for cyber-operational planning using the methods above.
Daniel Bilar

| 1300 - 1430 |
Lunch Sponsored by GCHQ
"Welcome to our new cafes - StarBugs"

| 1430 - 1515 |
Malicious hardware is a mature topic, but previous research has focused almost exclusively on theoretical applications. In this presentation, practical implementations of gate-level backdoors will be demonstrated using FPGA models for real-time simulation and finally with the creation of a malicious ASIC design using freely available sub-micron (180-250 nm) standard cells to implement a backdoored latest-generation ARM CPU, suitable for fabrication and massive deployment. Additionally, possible side-channel exfiltration techniques for low-level backdoors will be discussed and demonstrated.
Alfredo Ortega ("enemy of birds")

| 1515 - 1545 |
Bar Break Sponsored by ASD
"Ibu we can hear you.."

| 1545 - 1645 |
Software Defined Radio has been quietly revolutionising the world of RF. However, the same revolution has not yet taken place in RFID. The proliferation of RFID/NFC devices means that it is unlikely that you will not interact with one such device or another on a daily basis. Whether it's your car key, door entry card, transport card, contactless credit card, passport, etc., you almost certainly have one in your pocket right now!
RFIDler is a new project, created by Aperture Labs, designed to bring the world of Software Defined Radio into the RFID spectrum. We have created a small, open source, cheap to build platform that allows any suitably powerful microprocessor access to the raw data created by the over-the-air conversation between tag and reader coil. The device can also act as a standalone 'hacking' platform for RFID manipulation/examination. The rest is up to you!
In this talk I'll cover the fundamentals of Software Defined Radio, and then show how low-level RFID communications could be considered in the same light. I will then go on to demonstrate the RFIDler prototype in action, reading, writing and emulating some common tags.
Adam Laurie

| 1645 - 1700 |
Adjourn to Brewerkz

| 1700 - 1730 |
Now that Apple has kicked gdb 6.3 to the curb, we all have to start using LLDB. LLDB expressions allow you to write C programs that run inside your target. Expressions allow you to recreate all the missing functionality, such as listing memory regions and their permissions, that the Python API is not powerful enough to handle.
@Miaubiz ("happy birthday")

| 1730 - 1800 |
Everybody is familiar with such great tools as mimikatz and wce. Everybody knows that password hashes are stored inside the SAM. Fgdump and pwdump are also cool tools. But the sad part of this story is that you need SYSTEM or equivalent privileges on the pwned machine to run all of the mentioned arsenal.
Unfortunately, if you only have user-level access to a machine inside a corporate internal network, you have quite a limited number of ways to get the password of the user whose machine was infected by your tool. Already known techniques require additional access to the network or a great amount of luck.
This talk covers a brand new technique to grab credentials from a pwned machine even without admin privileges. Having no access to the internal network and no admin privileges is a common case during spear phishing attacks and social engineering activities. The technique is possible due to a design flaw in the Windows SSPI implementation. A proof of concept tool is also provided.
At the beginning of the talk I will discuss already known techniques and tools to get the current Windows user's password in the case of unprivileged access to the victim's machine. After that we will dive into the Security Support Provider Interface (SSPI) and its vulnerability. At the end, the demo tool will be shown and the advantages and disadvantages of the different exploitation approaches covered.
Anton Sapozhnikov

| 1800 - 1830 |
We have created a character called failymonster. He is a worldwide security consultant who contracts to corporations, government entities and small businesses. We string together InfoSec Fail events that make the news, tie in absurd storylines full of InfoSec in-jokes and silliness, then present it to hungover hackers (we have been the final Sunday talk at Kiwicon). We have created a social media presence for him across LinkedIn (nz.linkedin.com/pub/faily-monster/85/336/9b7), Twitter (https://twitter.com/failymonster) and Facebook (https://www.facebook.com/#!/faily.mon).
Dean Carter and Shahn Harris ("fail monster")

| 1830 onwards |
Nothing but alcohol and chatter for the Five Eyes to pick up