Schedule

Day 1: Sessions (Thursday 03 Jun 2010)

The first day of AthCon is the day of the conference. The conference consists of sessions, running in a single track. Year 1, number of tracks: 1.

  • “Extrusion Testing – One Step Beyond”, by George Fekkas

The underground community has changed the security paradigm in the last decade. Sophisticated attackers do not focus on the external perimeter anymore, as traditional security is working well nowadays. Currently, professional intruders are targeting internal users directly within the corporate perimeter, using mainly “web-borne” attacks to take control of internal workstations over the Internet. Attackers take advantage of applications and protocols that allow outbound access in order to perform inside-out attacks for exfiltrating data and more. Our experience shows that it’s only a matter of determination to gain remote access/control of an internal workstation, and then it takes a few days, or even hours, to “stealthily” take control of critical internal business systems and data, if not of the entire network, and thus be able to conduct fraud, industrial espionage, sabotage, you name it. However, most companies and large organizations still don’t seem to realize the potential threat and corresponding business impact of client-side attacks and, in essence, that the difference between outside and inside the Internet perimeter is a “click away”. In this talk the following topics will be covered:

* Description of the methodology on how to perform this kind of attack

* ENCODE’s experience on real client-side (managed) attacks (during Penetration Testing engagements) including statistical information from these engagements and lessons learned

* Why client-side attacks are successful: explaining the vulnerabilities and what kind of “attacking” infrastructure is needed

* Problems that can arise during the attack phase due to “known unknowns” or “unknown unknowns”

* How this kind of attack can be “transformed” into a global cyber weapon, what this means for critical infrastructure, and possible countermeasures

  • “Fuzzing – The past, the present and the future”, by Rodrigo Marcos

Fuzzing is now a well understood and mainstream technique, but that hasn’t always been the case. This presentation highlights the evolution of fuzz testing techniques, types of fuzzers, fuzzing projects, and the establishment of fuzzing as part of software testing assurance in corporate development life cycles.

  • “Alice Shares, Eve Reads: Enumerating File Hosting Services”, by Nick Nikiforakis

File hosting services are used daily by tens of thousands of people as a way of sharing files. Almost all such services use a security-through-obscurity method of hiding the files of one user from others. For each uploaded file, the user is given a secret URL which supposedly cannot be guessed. The user can then share his uploaded file by sharing this URL with other users of his choice. Unfortunately though, a number of file hosting services are incorrectly implemented, allowing an attacker to guess valid URLs of millions of files and thus allowing him to enumerate their file database and access all of the uploaded files. In this paper, we study some of these services and we record their incorrect implementations. We design automatic enumerators for two such services and a privacy-classifying module which characterizes an uploaded file as “private” or “public” using the results of a search engine. Using this technique we gain access to thousands of private files ranging from classified documents to personal photographs. We present a taxonomy of the private files found and ways that the users and services can protect themselves against such attacks.
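From the service operator's side, the enumeration described in this abstract leaves a recognisable trace: one client requesting many distinct download URLs and receiving mostly 404s, while a legitimate recipient fetches a few URLs that exist. The following detector is an added example, not code from the talk; it assumes a combined-log-format web server whose download URLs have the hypothetical shape `/d/<token>`, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: we only need client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) '
)
# Hypothetical download URL shape on the file hosting service.
DOWNLOAD_RE = re.compile(r"^/d/[A-Za-z0-9]+$")

def parse_line(line):
    """Return (ip, path, status) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def find_enumerators(lines, min_requests=20, min_miss_ratio=0.8):
    """Return {ip: (distinct_download_urls, miss_ratio)} for clients that probe
    many distinct download URLs and get 404 for most of them."""
    per_ip = defaultdict(lambda: {"urls": set(), "misses": 0, "total": 0})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, path, status = parsed
        if not DOWNLOAD_RE.match(path):
            continue  # only download URLs matter for this heuristic
        stats = per_ip[ip]
        stats["urls"].add(path)
        stats["total"] += 1
        if status == 404:
            stats["misses"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["total"]
        if len(s["urls"]) >= min_requests and ratio >= min_miss_ratio:
            flagged[ip] = (len(s["urls"]), round(ratio, 2))
    return flagged

# Constructed sample log: one normal recipient re-fetching a shared file,
# one client walking a sequential token space (about 1 in 10 tokens exists).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2010:10:00:00 +0300] "GET /d/k3Jx9 HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2010:10:00:05 +0300] "GET /d/k3Jx9 HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.9 - - [03/Jun/2010:10:01:{i:02d} +0300] "GET /d/{100000 + i} HTTP/1.1" '
    f'{200 if i % 10 == 0 else 404} 0 "-" "python-requests/2.0"'
    for i in range(30)
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'203.0.113.9': (30, 0.9)}
```

The thresholds are tuning knobs: a service whose tokens are long random strings will see almost no 404s on `/d/` paths at all, so even a low miss ratio from one client is worth a look there.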

  • “Got database access? Own the network!”, by Bernardo Damele A. G.

The presentation highlights techniques to exploit a database server in practice: how to spot useful information amongst tons of data instantaneously, how to get control of the operating system and escalate to system administrator making the life of the forensics analyst a little bit harder in post-exploitation investigation.

  • “Attacking VoIP and understanding what cyber-crime is doing”, by Sandro Gauci

VoIP security is largely misunderstood. This presentation will show how many VoIP systems are exposed and insecure against attackers on the Internet. We will see how attackers and cybercrime are quickly catching up. Sandro will show how to scan for VoIP, fingerprint and enumerate a PBX, and how the protocols themselves have security issues. We will also show how, by making use of a honeypot, we’re learning more about what cyber-criminals are doing with these vulnerable VoIP services.

  • “Cyber[War|Crime] – Connecting the dots”, by Iftach Ian Amit

CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime, on the other hand, has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime’s best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition. We will discuss the connections with standard (kinetic) warfare and how modern campaigns use cybersecurity to their advantage and as an integral part of it.

  • “Mobile privacy: Tor on the iPhone and other unusual devices”, by Marco Bonetti

Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Unfortunately, with the new features of HTML5 and browser built-in geolocation being pushed into the Web2.0 world and onto mobile phones and browsers, it’s becoming harder and harder to keep users’ privacy safe. This presentation will describe the problems which are arising around the use of these new technologies and how they can be (ab)used to attack Tor users. It will also describe where development is going to protect mobile phone users’ privacy and let them survive their own devices.

  • “Context-Keyed Payload Encoding: Fighting the Next Generation of IDS”, by Dimitrios Glynos

Exploit payload encoding is a technique used by attackers for hiding malicious payloads from modern Intrusion Detection Systems (IDS). Although metamorphic and polymorphic encoding allow such payloads to be hidden from signature-based and anomaly-based IDS, these techniques fall short when the payload is being examined by an IDS that can trace the execution of malicious code. Context-keyed encoding is a technique that allows the attacker to encrypt the malicious payload in such a way that it can only be executed in an environment (context) with specific characteristics. By selecting an environment characteristic that will not be present during the IDS trace (but will be present on the vulnerable host), the attacker may evade detection by advanced IDS.

This talk will present the state of the art in context-keyed encoding, featuring (previously unpublished) Metasploit code for two of the most popular methods found in the literature, along with code for a third, novel method that surpasses many of its predecessors’ limitations. The presentation will also include a best-practices guide for applying context-keyed encoding to exploits for local and remote vulnerabilities.

  • “Authorization Attacks using Session Hijacking”, by Andreas Venieris

Most authorization methods are based on the (user, password) pair provided by the user. The stateless nature of the Internet requires the server to remember every user that has logged in. Web applications create a unique session for every user. This session is stored somewhere on the server, usually in a database, and on the user’s box (usually) via cookies. How possible is it for a malicious user to use these cookies for impersonation? In this paper we will try to explore some methods that are used very often by malicious persons in order to impersonate users. We are not trying to find a totally new world, but to uncover, or better, to formulate, the most recent methods used against current web applications that allow malicious attackers to believe that they are successful. Cookie attack formulation, Session Prediction and Cross Site Request Forgery are some of the methods that will be described with real examples.

  • “How to present a new release of a SQL Injection tool without talking about SQL Injection at all”, by Alberto Revelli (aka icesurfer)

Description n/a

  • “Abusing JBoss”, by Chris Papathanasiou

JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility make JBoss the ideal choice for users just starting out with J2EE, as well as for senior architects looking for a customizable middleware platform. The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for the blackhat and the pentester alike. JBoss is usually invoked as root/SYSTEM, meaning that any potential exploitation usually results in immediate super user privileges. A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework, a fully interactive reverse VNC shell can also be obtained and shall be demonstrated. Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework’s antivirus evasion techniques. Due to the cross-platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.

  • “BNF (Backus-Naur Form) based blackbox fuzzing”, by Chariton Karamitas

Fuzzing is considered a well established technique used very often by IT people to test an application for the presence of critical bugs. In this presentation, a new idea is described, BNF based fuzzing, whose goal is to propose a generic way of defining the syntax of a fuzzer’s output. Backus-Naur Form (or BNF for short) is a formal notation used to describe the syntax of context-free grammars (e.g. C, C++ and most of the programming languages out there). Although not obvious, BNF can be used to describe any kind of structured information, including protocols (both plaintext and binary) and files (XML, PE executables etc). In the conference I will present a new tool called bnffuzz, coded in Python and C, that uses Sulley (http://code.google.com/p/sulley/) in order to produce fast and reliable fuzzers that produce test inputs based on a given BNF grammar.

  • “Abusing Network Protocols”, by Fotis Hantzis

This presentation will focus on the area of exploiting inherent protocol flaws. By inherent we mean that the vulnerabilities are mostly independent of specific implementations and thus ubiquitous, since the design of the protocol itself is flawed. As a result, network protocol flaws affect a multitude of systems and are not as easily fixed as simple implementation bugs. The talk will mainly revolve around the relatively new XMPP (Extensible Messaging and Presence Protocol), which has gained quite a lot of popularity lately. Cisco has acquired Jabber Inc (creators of the first commercial XMPP product), Google Talk is based on it, Facebook Chat provides an interface to it, and a lot of IM clients now support it. Being an emerging and most promising technology makes it important to address some of the security issues that are implied by its widespread use. Our talk will also analyse how other network protocols that interact with each other and with XMPP can be used as attack vectors, resulting in some chain-reaction form of exploitation.

  • “Gone Rogue: an analysis of the rogue security software landscape”, by Corrado Leita

A rogue security software program is a type of misleading application that pretends to be legitimate security software, such as an anti-virus scanner, but which actually provides the user with little or no protection. In some cases, rogue security software (or rogue AV) actually facilitates the installation of the very malicious code that it purports to protect against. Despite the effort carried out in the analysis and the study of single campaigns and the characteristics of single rogue products, little or no information is currently available on the global characteristics of this threat landscape and its differences or similarities with other threat types. This presentation documents the results obtained within the context of the WOMBAT project to attempt to fill this gap through an extensive longitudinal analysis of the infrastructure underneath these threats and the dynamics of its evolution. It will show how we have been able to generate an extensive dataset collecting registration information and network characteristics of a large number of domains, and apply an attack attribution algorithm to identify different malware campaigns. The information generated by this process allows us to characterize the threat landscape associated with rogue AVs and its differences with other threat types. Only through a full understanding of these differences can security researchers successfully target the threat economy and modify its balances to their own advantage.

  • “The real value of Penetration Testing for the Enterprise”, by Notis Iliopoulos

Some people do believe that penetration testing is coming to an end, and that the service doesn’t provide any real value to the enterprise; in other words, it doesn’t pay back the money spent on it. The presentation will prove differently and will provide all the relevant arguments. Penetration testing adapts to the new threats around, and it will still be considered one of the most important tools for every security officer. The presentation will also prove the ROI calculation regarding pen testing, and will answer the question whether penetration tests will die or suddenly turn into or become assimilated into something else.

The presentation will also refer to what should be taken under consideration in order to maximize the value of the penetration test.

  • “OWASP Top 10 – 2010: Towards a secure Software Development Lifecycle”, by Konstantinos Papapanagiotou

The threat landscape for Internet applications changes with advances by attackers, new technology, and increasingly complex systems. To keep pace, the OWASP Top 10 is updated periodically. The 2010 release, apart from replacing some entries as usual, introduces a risk based approach: the Top 10 is now about the Top 10 Risks, not the Top 10 most common weaknesses. Furthermore, the ranking methodology has been changed in order to estimate risk, instead of relying solely on the frequency of the associated weakness. In this presentation we will go through the application security risks presented in the Top 10’s 2010 release. We will also discuss how the OWASP Top 10 2010 can be used in conjunction with other OWASP tools and methodologies to establish a secure Software Development Lifecycle.

  • “Attack CMS system – 0day exploitation”, by Anastasios Stasinopoulos

Content management systems (CMS) are widely used in enterprise environments to manage work flow in a collaborative environment. The presentation will illustrate a live example of attacking a well known Greek CMS using a bug discovered and a “0day exploit” developed for it.

  • “The DHCP Recession: Extended DHCP Exhausting Attack”, by A.R. Samhuri

DHCP is a well-known TCP/IP protocol. It is used within LANs to dynamically assign IP addresses and other IP configuration to client machines. However, the security of DHCP has always been challenged by various attacks. The most common DHCP attack is called the “exhausting attack”, where an attacker literally “sucks” all the IP addresses within a pool. This attack can only target ONE pool, the one assigned to the particular subnet where the attacker resides. But is there a way to penetrate ALL DHCP pools regardless of the subnet? The answer is “yes”, and this presentation will introduce this new and extended attack vector. This vector is based on exploiting the role of a DHCP Relay Agent, which works by default on every LAN router. The talk will cover the theory and practice behind this new attack vector; furthermore, the talk will also describe the mitigation process and how to secure the network against such an attack.

Sponsors

Gold Sponsors

CTF Sponsor

Media Contributors

IT Security Professional

commslution

euro2day

Technology Contributors