Programs
SyScAN'04 Day 1 - 16th December 2004
0800 - 0845   Registration
0845 - 0900   Welcome and Opening
0900 - 0945   OPEN SOURCE VULNERABILITY DATABASE (Jake Kouns)
0945 - 1030   EXPLOITS MITIGATION TECHNIQUES (Theo de Raadt, Project Leader, OpenBSD)
1030 - 1100   Coffee Break
1100 - 1145   Network Forensic
1145 - 1230   THE ART OF DEFILING: DEFEATING FORENSIC ANALYSIS ON UNIX FILE SYSTEMS (The Grugq)
1230 - 1315   ABOUT SHELLCODE (Philippe Biondi)
1315 - 1400   Lunch
1400 - 1445   SYNSCAN - NEW TOOL FOR OS FINGERPRINTING (Greg Taleck)
1445 - 1530   NETFLOW BASED NETWORK SECURITY ANALYSIS (Yann Berthier)
1530 - 1545   Tea Break
1545 - 1630   STORAGE SECURITY: SECURITY THREATS AND BEST PRACTICES FOR FIBRE CHANNEL SANS (Himanshu Dwivedi, Regional Director, @stake)
1630 - 1715   WINDOWS KERNEL EXPLOITATION (SK Chong, SCAN Associates)

Day 2 - 17th December 2004
0900 - 0945   NETWORK FIRELINES (Paul Watson)
0945 - 1030   BUILDING AN EARLY WARNING SYSTEM IN A SERVICE PROVIDER NETWORK (Nico Fischbach)
1030 - 1100   Coffee Break
1100 - 1145   RELIABLE WINDOWS HEAP EXPLOITS (Matt Conover)
1145 - 1230   PHREAKING: PAST, PRESENT AND FUTURE (Emmanuel Gadaix)
1230 - 1330   Lunch
1330 - 1415   INFORMATION SECURITY IN BANKING: THE ILLUSION OF SAFETY (Anthony Zboralski)
1415 - 1500   NETWORK SITUATIONAL AWARENESS (Dug Song)
1500 - 1530   Tea Break
1530 - 1615   THE SURPRISINGLY COMMON NTLM AUTHENTICATION PROTOCOL AND ITS WEAKNESSES (Jesse Burns)
1615 - 1700   FORUM - "CERT AND SECURITY OPERATION CENTERS - ARE THEY USEFUL?"
              Discussion panel: Solahuddin bin Shamsuddin (Head of MyCERT), Martin Khoo (Head of SingCERT), Anthony Zboralski (Founder of HERT)
EXPLOITS MITIGATION TECHNIQUES
Theo de Raadt - Project Leader, OpenBSD
OpenBSD has been auditing software for nearly 10 years, and while we have had significant success, it is clearly not enough. In the last 3 years a new view on preventing attacks has surfaced in the mindset of our group.
A software exploit author starts by finding an interesting bug. Writing an exploit is easy because he can rely on a variety of system behaviours, which are very deterministic. Many of these behaviours are not required for proper operation. Recently we have developed many new techniques, which combine to thwart the attacker, without affecting regular software. We make the Unix process environment difficult to attack much like filling a house full of a variety of burglar traps.
STORAGE SECURITY: SECURITY THREATS AND BEST PRACTICES FOR FIBRE CHANNEL SANS
Himanshu Dwivedi - Regional Director, @Stake
The presentation will be a formal knowledge transfer session to discuss tactical methods and high-level strategies to adequately secure storage infrastructures.
The presentation will begin with a discussion on the several security issues associated with Fibre Channel Storage Area Networks (SANs). The session will highlight specific issues and flaws associated with storage and how attacks may expose critical vulnerabilities. The session will then progress to a discussion on the tactical methods and strategies to mitigate identified security problems.
The presentation will cover three to five security topics and discuss a specific tactical solution for each of them. The standards and best practices discussed in the session will focus on authentication/authorization, segmentation, device configuration (lockdown), auditing/logging, and encryption. Each topic will be discussed along with a tactical security solution to fully describe the defensive measures that can protect against storage attacks.
Lastly, the session will highlight the effects of default settings on network storage devices, such as SAN switches, which can negatively impact the security posture of storage infrastructures.
THE ART OF DEFILING: DEFEATING FORENSIC ANALYSIS ON UNIX FILE SYSTEMS
The Grugq
The rise in prominence of incident response and digital forensic analysis has prompted a reaction from the underground community. Increasingly, attacks against forensic tools and methodologies are being used in the wild to hamper investigations. This talk will: familiarize the audience with Unix file system structures; examine the forensic tools commonly used, and explore the theories behind file system anti-forensic attacks. In addition, several implementations of new anti-forensic techniques will be released during the talk.
Anti-forensics has cost the speaker one job. This material has never been presented on the North American continent because anti-forensics scares the feds. Find out why.
ABOUT SHELLCODE
Philippe Biondi
In this presentation we will see why and how to make Unix shellcodes, the different programs that exist, the different shapes we can give to them, from raw binary to ASCII only, and the different things we can have them do, from simply exec'ing /bin/sh to complex payloads that can jump from one process to another.
NETWORK FIRELINES
Paul Watson
The traditional network perimeter defense of firewalls and IDS is intended to restrict unwanted network activity from entering or exiting the corporate network, but it falls short as a reliable defense for larger business networks. Secondary defenses, or Firelines, can be utilized by network security firefighters to improve the overall defense of the corporate network. This talk will discuss several strategies and methods devised to identify and respond to internal threats, anomalies, and misconfigurations without the use of traditional IDS or Firewalling methods.
OPEN SOURCE VULNERABILITY DATABASE
Jake Kouns
The Open Source Vulnerability Database (OSVDB), a project to catalog and describe the Internet's security vulnerabilities, opened for public use on 31 March 2004. The OSVDB project was launched in 2002 following a realization in the security community that no independent, community-operated vulnerability database existed. There were, and still are, numerous vulnerability databases. Some of these databases are managed by private interests to meet their own requirements, while others contain a limited subset of vulnerabilities or have significant restrictions on their content.
None are simultaneously comprehensive, open for free use, and answerable to the community.
This talk will focus on the successes of the project to date as well as many new developments that are underway, including the ability to provide active integration to help improve and analyze open source security tools.
BUILDING AN EARLY WARNING SYSTEM IN A SERVICE PROVIDER NETWORK
Nico Fischbach
Service Provider networks and systems are, by definition, a forced point of transit for most of the attacks we see nowadays on the Internet.
Combining data from exposed systems (like DNS and SMTP servers), BGP updates, Netflow accounting, uRPF, ACLs and interfaces counters helps to build a network's behaviour baseline and to detect activities like DDoS attacks, worms, covert channels, hacked systems, open proxies, etc. This can even be compared to a high bandwidth, distributed, low-cost IDS.
To improve the quality of the anomaly detection one can add sensors in the network, mainly composed of low-interaction honeypots and sinkholes. Additional deployments, like honeybots (running DDoS zombies in a sandbox to gather attack data) and honeyrouters (to catch hunters of BGP-speaking routers), are more resource intensive but broaden the scope of the EWS.
Such an approach is not CAPEX/OPEX intensive, and comes with nearly zero impact on the infrastructure thanks to the re-use of data and statistics that are already available from monitoring, security and management systems. When combined with real-time traffic diversion techniques, the macroscopic view (high-level flows and anomalies) can become a microscopic one (full headers and payload).
Most of these concepts and ideas also apply to internal IT networks and can be really helpful when it comes to detecting rogue activities like worm outbreaks or unusual traffic flows.
NETFLOW BASED NETWORK SECURITY ANALYSIS
Yann Berthier
Up until recently, security measures have been enforced at the perimeter, while ubiquitous deployments of remote access links and wireless networks were eroding the network boundaries thus defined. Recent worm history has clearly demonstrated that the threat is now on the inside, and that the border defenses are being circumvented. As this trend is not going to fade away, large networks must be somewhat domesticated to permit monitoring.
While Network Flow data, as exported by routers, were designed for accounting, they represent an efficient way to record transactions occurring on a network for real time or forensic analysis. This talk will focus on the security applications of Network Flows, and how they can be used to detect and analyze network misuses in corporate and service providers' networks.
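The two NetFlow abstracts above (Fischbach's early warning system and Berthier's flow-based analysis) both rest on the same idea: flow records exported for accounting already carry enough to baseline a network and to spot scanners, worms and floods. The following is an added example written for this page, not code from either speaker or from any NetFlow collector. The record format (one flow per line: src dst proto sport dport packets octets flags), the thresholds and the sample flows are all constructed for illustration; a real deployment would read the same fields from a collector such as nfdump.

```python
"""Added example (not from the SyScAN'04 programme or either speaker's tools).

Three checks a NetFlow security analysis typically starts with, run over a
simplified, constructed flow-record format:
  - a baseline of flows per destination port, compared against the current
    interval (volume anomalies, new services);
  - hosts opening SYN-only flows to many distinct targets (scanners, worms);
  - many sources sending SYN-only flows to one target (SYN flood victims).
"""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int  # cumulative OR of the TCP flags seen in the flow


def parse_flows(text):
    """Parse records of the constructed form
    'src dst proto sport dport packets octets flags(hex)'.
    This is not the NetFlow v5/v9 wire format; a collector exports these
    same fields as text."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"malformed record: {line!r}")
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]),
                          int(f[5]), int(f[6]), int(f[7], 16)))
    return flows


def is_syn_only(f):
    """True for TCP flows where a SYN was seen but never an ACK: a connection
    attempt the peer never completed (or that was never meant to complete)."""
    return f.proto == 6 and bool(f.tcp_flags & SYN) and not f.tcp_flags & ACK


def flows_per_port(flows):
    """Baseline/observation: number of flows per destination port."""
    counts = defaultdict(int)
    for f in flows:
        counts[f.dport] += 1
    return dict(counts)


def volume_anomalies(baseline, current, factor=3.0):
    """Ports whose flow count in the current interval is at least `factor`
    times the baseline. A port absent from the baseline counts as 1, so a
    new service (or a newly scanned one) is reported too."""
    base = flows_per_port(baseline)
    now = flows_per_port(current)
    return {port: (base.get(port, 0), n) for port, n in now.items()
            if n >= factor * max(base.get(port, 0), 1)}


def find_scanners(flows, min_targets=8):
    """Sources with SYN-only, <=2-packet flows to at least `min_targets`
    distinct (dst, dport) pairs."""
    targets = defaultdict(set)
    for f in flows:
        if is_syn_only(f) and f.packets <= 2:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_syn_flood_victims(flows, min_sources=5):
    """(dst, dport) pairs receiving SYN-only flows from at least `min_sources`
    distinct sources; with spoofed sources this is the classic SYN flood shape."""
    sources = defaultdict(set)
    for f in flows:
        if is_syn_only(f):
            sources[(f.dst, f.dport)].add(f.src)
    return {k: len(s) for k, s in sources.items() if len(s) >= min_sources}


# Constructed sample data: one quiet interval as the baseline, then an interval
# with one host sweeping port 445 and six sources flooding the web server.
BASELINE = "\n".join(
    ["# src dst proto sport dport packets octets flags"]
    + [f"10.0.0.5 192.0.2.10 6 {40000 + i} 80 20 15000 1b" for i in range(3)])
CURRENT = "\n".join(
    [BASELINE]
    + [f"10.0.0.77 192.0.2.{i} 6 {51000 + i} 445 1 40 02" for i in range(1, 10)]
    + [f"198.51.100.{i} 192.0.2.10 6 {1024 + i} 80 1 40 02" for i in range(1, 7)])

if __name__ == "__main__":
    base, now = parse_flows(BASELINE), parse_flows(CURRENT)
    print("volume anomalies:", volume_anomalies(base, now))
    print("scanners:", find_scanners(now))
    print("syn flood victims:", find_syn_flood_victims(now))
```

The flag field matters more than the byte counts here: a flow that only ever carried SYN is what distinguishes probing and flooding from the legitimate sessions (flags 0x1b, SYN/ACK/PSH/FIN) that make up the baseline. The thresholds are deliberately low for the sample; on a real export they are tuned per site, and the baseline is rebuilt per time-of-day rather than from a single interval.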
SYNSCAN - NEW TOOL FOR OS FINGERPRINTING
Greg Taleck
OS fingerprinting, both passive and active, has many uses in network security, forensics, and intrusion detection and prevention. A new tool, SYNSCAN, has been developed to make OS fingerprinting more accurate by providing more information about the remote network stack implementation.
Greg will describe this tool and its applications in network security, specifically its uses for intrusion detection and prevention.
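The abstract above says fingerprinting gets more accurate the more of the remote stack's behaviour is observed. As an added example for this page, not SYNSCAN and not Greg Taleck's code, here is the passive half of that idea: a raw IPv4+TCP SYN is parsed for the values a stack chooses on its own (initial TTL, DF bit, window size, TCP option order, MSS and window scale) and matched against a small signature table. The signatures are illustrative approximations of well-known classic values, not a production database, and the packets are constructed in the script (checksums left zero) so it runs offline.

```python
"""Added example (not SYNSCAN and not Greg Taleck's code): passive OS
fingerprinting from a single SYN. Signatures and packets are constructed
for illustration and approximate classic p0f values."""
import struct


def tcp_options(opts):
    """Walk the TCP option list; return (option order, MSS, window scale).
    Stops on a malformed length instead of trusting it."""
    kinds, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            kinds.append("E")
            break
        if kind == 1:                       # NOP: one byte, no length field
            kinds.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break
        data = opts[i + 2:i + length]
        if kind == 2 and length == 4:       # MSS
            mss = struct.unpack("!H", data)[0]
            kinds.append("M")
        elif kind == 3 and length == 3:     # window scale
            wscale = data[0]
            kinds.append("W")
        elif kind == 4:                     # SACK permitted
            kinds.append("S")
        elif kind == 8:                     # timestamp
            kinds.append("T")
        else:
            kinds.append(f"?{kind}")
        i += length
    return ",".join(kinds), mss, wscale


def syn_signature(pkt):
    """(ttl, df, window, option order, mss, wscale) from a raw IPv4+TCP SYN
    (SYN set, ACK clear); None for anything else."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        return None
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    order, mss, wscale = tcp_options(tcp[20:doff])
    return ttl, df, window, order, mss, wscale


def initial_ttl(ttl):
    """The observed TTL was decremented per hop; guess the sender's initial."""
    return next((t for t in (32, 64, 128, 255) if ttl <= t), 255)


# (initial TTL, DF, window, option order) -> label. Illustrative only.
SIGNATURES = {
    (64, True, 5840, "M,S,T,N,W"): "Linux 2.4 (illustrative)",
    (128, True, 65535, "M,N,N,S"): "Windows XP (illustrative)",
    (64, True, 16384, "M,N,N,S,N,W,N,N,T"): "OpenBSD 3.x (illustrative)",
}


def fingerprint(pkt):
    sig = syn_signature(pkt)
    if sig is None:
        return None
    ttl, df, window, order, _mss, _wscale = sig
    return SIGNATURES.get((initial_ttl(ttl), df, window, order), "unknown")


# Constructed SYN builder; checksums are left zero, nothing goes on the wire.
MSS1460, NOP, SACK_OK = b"\x02\x04\x05\xb4", b"\x01", b"\x04\x02"
TSTAMP, WSCALE0 = b"\x08\x0a" + b"\x00" * 8, b"\x03\x03\x00"
LINUX_24_OPTS = MSS1460 + SACK_OK + TSTAMP + NOP + WSCALE0
WINXP_OPTS = MSS1460 + NOP + NOP + SACK_OK
OPENBSD_OPTS = MSS1460 + NOP + NOP + SACK_OK + NOP + WSCALE0 + NOP + NOP + TSTAMP


def build_syn(ttl, df, window, options, flags=0x02):
    opts = options + b"\x00" * (-len(options) % 4)
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, flags,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return ip + tcp


if __name__ == "__main__":
    for ttl, win, opts in ((57, 5840, LINUX_24_OPTS), (120, 65535, WINXP_OPTS),
                           (64, 16384, OPENBSD_OPTS), (64, 8192, LINUX_24_OPTS)):
        pkt = build_syn(ttl, True, win, opts)
        print(syn_signature(pkt), "->", fingerprint(pkt))
```

Note that Linux 2.4 and OpenBSD share the same initial TTL and DF bit in this table: TTL alone cannot separate them, the window size and option order can. That is the point the abstract makes, and an active tool such as SYNSCAN goes further by sending crafted probes and observing how the stack answers them.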
RELIABLE WINDOWS HEAP EXPLOITS
Matt Conover
PHREAKING: PAST, PRESENT AND FUTURE
Emmanuel Gadaix
Before hackers became a media fixture, there was a time when phreakers were all the rage and abusing CCITT#5 phone switches was open to anybody with a blue box. As most Telcos upgraded their equipment to support the new, out-of-band, digital SS7 signaling protocol, blue boxing was slowly but surely phased out. Phreakers went legit or quiet. The Internet and its lot of script kiddies became the center of interest.
Is phreaking dead? We beg to differ!
This presentation will focus on advanced phreaking techniques for the 21st century warrior. After a short presentation of current digital telecommunications networks (with a focus on GSM/GPRS/EDGE and CDMA/3G) we will study how each element can be compromised for fun and profit. Nothing will be left untouched:
. Core Switching
. Radio Networks
. GPRS infrastructure
. 3G data
. Messaging
. Roaming
. Fraud management
. Customer care systems
. Billing systems
. Mediation systems
. WAP servers
. Intelligent Network services
. Legal interception gateway
. Signaling devices
. Content aggregators
. Network Management Systems
INFORMATION SECURITY IN BANKING: THE ILLUSION OF SAFETY
Anthony Zboralski
This presentation will focus on ways to defeat a bank's security by ways of deception, taking advantage of specific subtleties in human behavior and the bank's network of trust. This session will include three real-life case studies:
Penetration testing major Asian banks: the speaker will show why most security mechanisms can give a false sense of safety and demonstrate how an attacker can ensure "rapid ownership" of the most "up to date", "patched" and "secure" systems without using a single 0-day exploit.
Auditing the security of core banking systems: the speaker will give real examples of insider hacking and fraud (erasure of loan files, manipulation of interest rate and foreign exchange data, vendor tampering with the production environment, ATM backdoors, bypassing AS/400 security, etc.).
Finally, the speaker will present the results of his Jakarta/RI Wireless Security Survey 2003 and 2004, including disturbing screenshots of ATM transactions and multi-million dollar wire transfers which were broadcast in clear text over wireless networks without the bank's knowledge.
NETWORK SITUATIONAL AWARENESS
Dug Song
Fine young gentleman of monkey.org humbly presents a free suite of tools to be used in concert or individually to provide a highly integrated view of the network, its participants, their peculiarities, conversations, and interactions.
THE SURPRISINGLY COMMON NTLM AUTHENTICATION PROTOCOL AND ITS WEAKNESSES
Jesse Burns
This talk examines NTLM as a mechanism for network authentication and discusses why it has been slow to be phased out despite known weaknesses and the release of NTLMv2. I will then present my results on NTLM's resistance to active attacks, including precomputed dictionary attacks and middle-person attacks. I will discuss aspects of its structure, its relationship to the broken DES cipher, and how the storage of its authenticators represents a poorly understood security threat.
I will demonstrate some tools that validate the attacks I am discussing, and practical solutions for working around NTLM authentication in either a Windows or Samba environment.
WINDOWS KERNEL EXPLOITATION
SK Chong
The presentation will highlight mechanisms to exploit the Windows kernel for useful local privilege escalation. Unlike the "Shatter Attack", which is usually only useful if the attacker has physical access to the computer, kernel exploitation escalates the attacker to the highest level, the kernel itself, without any restriction. The presentation will include the use of undocumented APIs, memory corruption in device drivers, kernel 'shellcode' and other relevant tricks to find and exploit the Windows kernel for a successful privilege escalation.
Speakers
Some of the speakers
Jesse Burns
Jesse Burns is a Managing Security Architect with @stake, the premier digital security company. Jesse is a member of @stake's Wireless and Application Centers of Excellence, a software developer, and a security consultant. Jesse's recent work focuses on application security, cryptography, and network infrastructure. Prior to working for @stake Jesse was a developer working on the backend business applications and trading systems of a major financial services corporation.
Yann Berthier
Yann is a network security consultant working for HSC <http://www.hsc.fr/>, a French consulting agency. The need to dig through large amounts of network traces during forensic analysis led him to look at the tools used for years by the network community. His interest in NetFlow applications has not diminished since then. He is a member of the French Honeynet Project <http://honeynet.rstack.org/>, where he also has the opportunity to do network forensics.
Philippe Biondi
Philippe Biondi is a security expert and security consultant working for Arche Omnetica Group in France. He is a member of the French Honeynet Project. He was co-author of LIDS (http://www.lids.org). He is the author of Scapy (http://www.secdev.org/projects/scapy) and Shellforge (http://www.secdev.org/projects/shellforge) and of many other tools (http://www.secdev.org/). He has written several articles for MISC, a French security magazine.
Matthew "shok" Conover
Matthew is a senior security researcher at Symantec and a student of mathematics and computer science at the University of California. He is well respected as a long-time security researcher, and a pre-eminent authority in the field. He has previously presented at CanSecWest, SANS, and the University of Utah.
Himanshu Dwivedi
Himanshu Dwivedi is the Regional Technical Director in the San Francisco office of @stake, Inc. At @stake, Himanshu leads the Storage Center of Excellence (CoE), which focuses research and training around storage technology, including Network Attached Storage (NAS) and Storage Area Networks (SAN). Himanshu is considered an industry expert in the area of SAN security, specifically Fibre Channel Security. Himanshu has given numerous presentations and workshops regarding the security in SANs, including the SNIA Security Summit, BlackHat Security Conference, Storage Networking World, TechTarget, the Fibre Channel Conference, SAN-West, SAN-East, etc.
Himanshu currently has a patent pending on a storage design architecture that he co-developed with other @stake professionals (U.S. Patent Serial No. 10/198,728). Additionally, Himanshu has written two published books and a storage security chapter for a third. The titles are The Complete Storage Reference - Chapter 25 (McGraw-Hill/Osborne), Storage Security Handbook (Neoscale Publishing), and Implementing SSH: Strategies for Optimizing the Secure Shell (Wiley Publishing). Furthermore, Himanshu has published two white papers, "Storage Security" (http://www.atstake.com/research/reports/index.html) and "Securing Intellectual Property" (http://www.vsi.org/cgiscripts/ippwp3request.htm).
Nicolas Fischbach
Nicolas Fischbach is a Senior Manager, in charge of the European Network Security Engineering team at COLT Telecom (http://www.colt.net/), a leading pan-European provider of end-to-end business communications services.
He holds an Engineer degree in Networking and Distributed Computing and is a recognized authority on Service Provider infrastructure security and denial-of-service attack mitigation.
Nicolas is co-founder of http://www.securite.org/, a French-speaking portal on computer and network security, of an informal security research group, and of the French chapter (http://www.frenchhoneynet.org/) of the Honeynet Project (http://www.honeynet.org/). He has presented at numerous technical and security conferences, teaches networking and security courses at various universities and engineering schools, and is a regular contributor to the French security magazine MISC (http://www.miscmag.com/).
The Grugq
The Grugq has been researching anti-forensics for almost 5 years. Grugq has worked to secure the networks and hosts of global corporations, and he's also worked for security consulting companies. His work as a security consultant was cut short by the publication of an article on anti-forensics. Currently, he slaves for a start-up, designing and writing IPS software. Grugq has presented to the UK's largest forensic practitioner group where he scared the police. In his spare time, Grugq likes to drink and rant.
Jake Kouns
Jake Kouns is the leader of the Open Source Vulnerability Database project. In this role Jake focuses on the strategic direction of the project, works to streamline many processes, and also acts as lead backend moderator. In addition, Jake is co-founder and President of the Open Security Foundation.
Jake is a business-focused network security and information risk management specialist with an extensive knowledge base and international experience. Mr. Kouns is currently a Senior Network Security Manager for a Fortune 200 financial institution, where he provides technical management, consulting, architecture and design implementation for a wide array of security mitigating strategies. He holds both a Bachelor of Business Administration with a concentration in Computer Information Systems and a Master of Business Administration with a concentration in Information Security from James Madison University. He also holds numerous certifications including ISC2's CISSP, ISACA's CISM, Cisco's CCNA, Check Point's CCSPA/CCSA/CCSE and Planet3's CWNA.
Theo de Raadt
Theo de Raadt has been involved with free Unix operating systems since 1990 (Minix!) and then became one of the founders and prime developers of NetBSD. In 1995 Theo created the OpenBSD project, creating a free Unix that focuses primarily on security technologies. A few years later he also started the OpenSSH project (the most deployed Open Source software). Theo works full time on advancing OpenBSD, OpenSSH, and any technology that enhances free Unix security.
Dug Song
Dug Song is Principal Security Architect at Arbor Networks, where he is responsible for the research and development of Arbor's network security products deployed at Tier 1 service provider, Fortune 100 enterprise, and government and defense networks around the world.
Before joining Arbor, Dug was a Research Scientist at the University of Michigan's Center for Information Technology Integration, where his work focused on distributed file systems, security middleware, and network auditing and penetration techniques. Previously, he was Senior Security Engineer at Anzen Computing, where he led the development of a network anomaly detection system, and consulted for various Fortune 100, government, and defense clients.
Dug is the author of several popular network penetration-testing tools, and a contributor to other open-source security software projects. He is also a founding member of monkey.org, an international online monkey cult.
Greg Taleck
Greg has worked in a number of network/security-related positions, most recently with NFR Security, where since 2001 he has been the primary developer of the network stack for its intrusion detection sensor product line. He holds a B.S. in Computer Engineering (University of Washington, 1998) and an M.S. in Computer Science (University of Washington, 2001). He is an instructor for the Networking Technologies class at the University of Washington, and has presented at RAID 2003.
Paul (Tony) Watson
Paul made headlines not too long ago when he discovered and published a critical vulnerability in TCP which allows remote attackers to terminate network sessions. Paul has been involved in Information Security for more than a decade, performing Infosec work for a variety of employers including the US Air Force, Iridium LLC, CapitalOne Financial, VeriSign, and Rockwell Automation.
Certifications: CISSP (ISC2), CISM (ISACA), MCSE+Security, CCSP, CCSA/CCSE, CCNA, etc.
Anthony Zboralski
Anthony Zboralski leads Bellua Asia Pacific, an Information Security consulting company based in Jakarta, Indonesia. He has more than 9 years of experience performing penetration tests, assessments, forensics and related services for some of the largest banks in Asia and a dozen Fortune 500 companies including Aerospatiale, Air France, Allianz, AXA, Electricite de France, Lagardere-Matra...
Also known as "gaius", he is cofounder of the Hacker Emergency Response Team (hert.org); Anthony got involved in security & hacking back in 1989 (X.25, social engineering, etc.).
Emmanuel Gadaix
Emmanuel has been involved in the information security and telecommunications fields for over 12 years. Originally from western Europe, Emmanuel has been living in Southeast Asia since 1993. After a few years spent at Nokia commissioning mobile networks' NMS and IN systems, he started his own security consulting company in 1997, which eventually got acquired by TruSucker^H^H^H^H^Hecure in 2001. Emmanuel now runs the Telecom Security Task Force, a specialized research firm focusing on GSM, GPRS and 3G/UMTS security. Personal interests include SS7 signalling, VoIP protocols and legacy X.25 networks.
SK Chong
SK is co-founder and a security consultant at SCAN Associates. Hacking into banks, ISPs, military and government sectors is part of his job. He has written a few security whitepapers on how to break into networks with SQL injection, buffer overflows, shellcode and the like, one of which was published in Phrack #62. He has presented at Blackhat (Singapore) 2003, RuxC0n 2004 (Australia) and XCon 2004 (China). He enjoys playing Capture the Flag, and was in a team that won several CtF games at HITB2002 and Blackhat Asia 2003.