Gerardo 'gera' Richarte, Core Security Technologies.
We like to master technology, and we like the taste of the power that comes with it. We speak the language of the microprocessors that are involved in everything, to the point where, as Futo said, even refrigerators bluescreen. But the fact that technology is pervasive, and that everything is now connected, does not come for free. My 19-year-old cousin, who is an intern at Movistar, can see where any phone is located, in real time. Is that right? It doesn't matter: it is possible. Our technological stock in fact has almost no rights at all, and we cannot just take the hits; we must be aware of this, and act. Keep learning and helping others to learn, because starting from zero, it is increasingly difficult to master. And if we do not master technology, it simply dominates us. In the talk: more thoughts, some questions and some ideas of things to do. We'll see what comes out of it; we'll see if we take care of our part, or if we wait.
César Cerrudo, CTO at IOActive Labs.
Today, any Internet user is registered on a dozen web sites, and with the ongoing computerization of more services, the number of sites we sign up for grows day by day. We all know that many sites do not have good security, but sometimes we ignore how small neglects by sites reveal bits of data about us. These data may seem unimportant, but combining data from different sites makes it possible to extract even more data from other sites, convert them into valuable information, and then mount targeted attacks against people. This presentation is not about how to exploit common vulnerabilities in web sites or how to mine information from social networks, but about abusing user-authentication mechanisms to extract small amounts of data (sometimes a lot) and then use them with good or bad intentions. It is an entertaining presentation with many practical examples that may scare more than a few, and that I hope will serve to open our eyes and make us take more precautions, whether as users or as those responsible for developing or securing web sites.
Alex Kirk, Sourcefire Vulnerability Research Team.
Building on the research I presented at You Sh0t the Sheriff in May, this presentation will explore ways to detect traffic generated by malware-infected hosts in a broad, generic fashion, instead of looking for traits specific to a given piece or family of malware. Specifically, my talk will explore:
* HTTP protocol breakage: much of the HTTP traffic generated by compromised hosts ignores or violates key parts of the RFCs, breaking the protocol in ways worse than even Internet Explorer 6.
* Legal WTFs: other times, malware generates traffic that is technically legal per the RFCs, but simply makes no sense in the real world. This includes items such as POSTs to image URIs, blatantly malicious User-Agent strings (e.g. "GBot/2.3"), mismatches between declared Content-Types and actual data returned, etc.
* Spam blasts: after realizing that the hosts in my malware zoo have been blacklisted at all the major mail providers, I've set up an outbound mail honeypot to make sure all of that traffic is captured as well. Techniques for detection ranging from simple flow analysis on port 25 to inspection of SMTP headers and bodies will be based on this new data.
* General "Ha Ha": malware does ridiculous things all the time, and the presentation will be full of the funniest and most ludicrous examples I can find from my malware zoo.
Deviant Ollam, Board of Directors of the US division of TOOOL.
Lockpicking is a terrific skill to have, and it can allow you to open doors, cabinets, and chains with relative ease and speed. However, there is no getting around the fact that to pick a lock open you need to crouch down next to it with very conspicuous-looking tools... and you have to do this /every time/ you want to open the lock. What if I told you there was an attack that you could perform ONE TIME against a lock and then own it forever? And what if this attack was relatively innocent-looking when you stood near the door or padlock in question? Welcome to the world of impressioning... with the right tools and a bit of time, you can turn a blank key into a totally working key for just about any lock in common use today. Pin tumbler locks, wafer locks, even many styles of rotating disc locks and more can be attacked in a way that is hard to notice and which results in amazing access if successful. This talk will show you how it is done and give you some useful tips and tricks if you plan to try it out later on.
Agustín Gianni, Immunity.
WebKit provides the backbone for an increasing number of Web browsers, including Safari, Chrome and the Android browser. Within these browsers we see it coupled with the TCMalloc allocator to manage dynamic memory allocation. This common combination means that an understanding of WebKit heap manipulation techniques and of TCMalloc heap management algorithms and structures is very useful for reliable exploit development. In this talk we will explain the TCMalloc allocator from the point of view of heap manipulation and exploitation. We will discuss techniques for crafting its internal layout accurately through WebKit's JavaScript engine with the aim of setting up the heap for exploitation. Due to the similarities across browsers this information is quite portable and will give base primitives for exploit development. As is often the case with custom heap allocators, TCMalloc has far weaker (or entirely absent) protections than those offered by the core Windows, Linux or OS X allocators. Finally, in an illustration of exploit dev necromancy we will plunder TCMalloc and resurrect some of your favourite exploitation strategies from allocators past.
Mariano Nuñez Di Croce, CEO at Onapsis.
"SAP platforms are only accessible internally". You may have heard that several times. While that was true in many organizations more than a decade ago, the current situation is completely different: driven by modern business requirements, SAP systems are getting more and more connected to the Internet. This scenario drastically increases the universe of possible attackers, as remote malicious parties can try to compromise the organization's SAP platform in order to perform espionage, sabotage and fraud attacks. SAP provides different Web interfaces, such as the Enterprise Portal, the Internet Communication Manager (ICM) and the Internet Transaction Server (ITS). These components feature their own security models and technical infrastructures, which may be prone to specific security vulnerabilities. If exploited, your business crown jewels can end up in the hands of cyber criminals. This talk will explain how remote attackers may compromise the security of different SAP Web components and what you can do to avoid it. In particular, an authentication-bypass vulnerability affecting "hardened" SAP Enterprise Portal implementations will be detailed. You will understand the real business implications of the exploitation of these technical weaknesses. We will present several LIVE demos, from remote command execution shells through Web interfaces up to unauthorized access to sensitive business information such as credit card transactions and financial data.
Jaime Restrepo, Comunidad DragonJAR.
This highly practical talk is intended for forensic analysts, companies and users who want to understand what personal information is stored on their iPhone / iPod Touch (iOS devices) and how to recover it. This talk will reveal the enormous amount of personal information stored on Apple devices and the techniques / software for retrieving this information.
Ryan MacArthur, iSIGHT Partners.
I will introduce the audience to MSRs, how they have been abused in the past, and what role they play today. Then I will get into leveraging MSRs to do our bidding, including the following: 1) a small amount of assembly to detect ALL virtualization/emulation environments; 2) how to implement a stealthy and low-latency execution tracer on Win32. I will demo the use of these live, successfully tracing PEs that employ anti-tracing techniques.
Marcos Nieto, Independent researcher.
Nowadays, social networks draw their peak visitors into a somewhat complex gaming hierarchy, where they get involved in playing with or against their friends, but in these games there's always a constant: to succeed faster, to better improve the gaming experience, to acquire the latest items, whether to outrun, outstand or outwit other players, and to get a high position in the co-op, many on-line gaming companies have created virtual cash to purchase premium items and services otherwise unachievable. This simple procedure not only covers how to get our hands on that precious virtual cash without directly spending any real cash, but also how to stock it and even act as unofficial resellers, should it become a prosperous dark venture. My presentation aims to demonstrate, with very simple steps and tools, how to trick an on-line game server into delivering some cash, masked under achievements during game-play, which everyone would fairly get; this particular scenario cuts that time window, boosting it by storming a set of genuinely recorded sessions back to the server in a large number of iterations for each created phantom account. For each clone that has been tested with this procedure, the amount of generated virtual cash could be worth 50 US dollars, once drained from there to a central account. On a daily basis, two clones can be set up and drained from a fairly low-profile connection, since this can be performed from a 32 KBps upload link with no problems, without triggering any alarm either. So, there are these power boosts that can be acquired with money via PayPal, etc. That cyber cash acquisition is also achieved by genuine hard work, which in this case means supervised drones storming the servers mocking real players to get the virtual game money, transferred and redeemed, no different from a normal product sold by the company that creates it, since what is resold, for a lower price, is actually a product acquired legitimately from them.
Nicolás Economou, CORE Security Technologies.
This presentation will unveil a newly developed, relatively generic technique to control the boot of any operating system running on x86/x64, taking control of the CPU from the first instruction executed by the BIOS boot mechanism through to the completion of the OS boot, ending when the kernel takes control. Similar techniques can be found in rootkits and in the first version of Computrace. There will be a simulation of a real "rootkit" attack on a live Windows system (possibly with an AV running) to achieve persistence, and then a demonstration of how the same "rootkit", using this technique (Deep Boot), regains control of the OS from boot.
Pedro Varangot , Core Security Technologies.
Fernando Russ, Core Security Technologies.
Traditionally, 'binary exploitation' is understood as the discipline of turning a vulnerability into the ability to run arbitrary code on the victim's CPU. If we consider this "stage 1", then one can think of different ways to move to a "stage 2": being able to use the services the operating system gives to any process, such as managing memory, sockets, the file system, etc. The restrictions of the current stage-2 technologies in commercial products are well described by Dino Dai Zovi in a 2007 WOOT publication, which as a solution proposes a sketch of a stage 2 that bootstraps a VM. Motivated by this, and given the current restrictions of these techniques when developing post-exploitation tools, we began to investigate the problems and possibilities of developing a payload that bootstraps a VM. In this talk we will tell about the problems of developing the payload using a VM that runs a subset of Python, and how we solved them. We will also be releasing, under an open-source license, the toolchain needed to build a payload using this technique, and will demonstrate how we used it to build the prototype of an exploit payload.
Ariel Futoransky, co-founder of Core Security Technologies.
In "Feeling the Future", a controversial article in the Journal of Personality and Social Psychology, several simple experiments are formally described that would demonstrate an elementary form of precognition. All you apparently need is several people, computers and some erotic photos!? What would be the implications if these results were confirmed? In this talk we show how different variants of these experiments could be used to build attacks on cryptographic primitives, showing RSA as an example, and invite the audience to participate in an attempt at a live attack.
Rubén Santamarta, Independent consultant.
How, when, where, why and who can attack industrial control systems, specifically those managing energy, are some of the questions that will guide the discussion. It will be a tour through theoretical attacks, adding new attack vectors and more practical methods. The talk will have significant practical content, exposing 0days in SCADA software and hardware. Finally, an attack intended to "turn off" a country will be modeled.
After the conference we'll get together at a pub to share a beer.
One round is on the house!
Manuel Aristaran, Independent researcher.
Computers are getting political. The flood of information available these days has made people aware that their governments are not releasing the enormous quantity of data they generate. When they do, it's usually through poorly made websites or in formats that don't allow for automated processing. The Open Data movement is now demanding that governments release their information in standard and open formats. We will present the case of gastopublicobahiense.org, a site that put public procurement information published by the government of Bahía Blanca (Argentina) under a new light.
Tom Ritter, Gotham Digital Science.
Other people have presented on operating 'in the cloud': running jobs on a few nodes in EC2. This talk is about how to control 2000 instances as easily as 2 using BOINC, the open source software behind SETI@Home, ClimatePrediction.net, and other volunteer distributed computing projects. Setup and administration of BOINC is shown with the context of examples: factoring RSA keys and cracking passwords. A new approach to hands-off password cracking was developed and benchmarked against Korelogic’s Defcon 2010 Crack Me If You Can contest, using three different password crackers across seven hash formats. Private keys for 512 bit SSL Certificates are recovered in under two days using open source software; and analysis is shown on the necessity of 'good' polynomial selection and oversieving.
Fabián Valero Duque, Security consultant and researcher.
A real-time voice encryption system has been developed that works over fixed telephony, combining two types of encryption. The first is a public-key protocol called Rabin (an asymmetric encryption algorithm based on the problem of computing square roots modulo a composite), used to exchange private keys; the second is based on a private-key protocol called TEA (Tiny Encryption Algorithm). A masking procedure for the private keys of the encryption algorithm was also developed. XTEA_E (TEAX_E) is a contribution made to the project, based on the XTEA (TEAX) algorithm. The system allows a telephone conversation in which the voice is transmitted encrypted, via digital modem, between users without compromising the intelligibility of the message.
Tobias Mueller, Chaos Computer Club.
The talk will be about virtualised USB fuzzing using QEMU and Scapy. It will be shown how QEMU can be modified so that it allows attaching a virtual USB device that is backed by an external process. This allows USB behaviour to be implemented easily and cheaply, and thus allows USB stacks, USB drivers and the applications on top of them to be tested.
Chema Alonso, informatica64.
Remote applications published by companies are all around us in the cloud. In this talk we are going to add ICA and Terminal Server apps to the fingerprinting process, automating data analysis using FOCA. It will allow an attacker to fingerprint internal software and internal networks, and to combine the info with PTR scanning, evilgrade attacks and command execution through Excel files. In the end, we are going to play with a tricky feature in the security policies for remote Excel that will allow hackers to bypass macro restrictions.
Michael Price, McAfee Labs.
This presentation covers techniques that can be used for injecting dynamic libraries into binaries on disk, or into running processes (local or remote), as well as for hooking standard functions, shared library calls (symbol stubs or lazy pointer table entries) and Objective-C method calls. In the presentation, these techniques are combined to hook the SSL functions used by the Game Center support included with iOS for the purpose of obtaining access to otherwise encrypted network traffic. A description of how the Game Center client support handles communication with the backend will be covered. Also, some coverage of ARM assembly is given, including hooking techniques for functions compiled to ARM and THUMB.
Aaron Portnoy, HP TippingPoint DVLabs.
This talk will cover the TippingPoint security research team's experiments using IDA Pro to mirror a datasource. The ability to harvest attributes and metadata from a binary can allow a reverser to extend their arsenal of approaches to solving their problems. By combining the information available statically with supplemental data collected from a debugger, a reverser can paint a more complete picture of the target application. Additionally, the ability to modify attributes and subsequently query them via a friendly interface can aid in collaborative reversing. This lightning talk aims to demonstrate what other tasks can be accomplished when building functionality on top of a few simple primitives.
64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits because of the integrity checks performed by the system code. However, today there are examples of malware that use methods to bypass the implemented security mechanisms. This presentation focuses on security issues of the x64 architecture, specifically the kernel-mode code signing policies and the techniques used by modern malware to bypass them. We analyze the techniques used by modern in-the-wild rootkits to penetrate the kernel-mode address space:
- Win64/Olmarik (TDL4)
- Win64/TrojanDownloader.Necurs (rootkit dropper)
- NSIS/TrojanClicker.Agent.BJ (rootkit dropper)
Special attention is given to the Win64/Olmarik (TDL4) bootkit, as the most prominent example of a kernel-mode rootkit aimed at 64-bit Windows systems. We detail the remarkable features of TDL4 over its predecessor (TDL3/TDL3+): the development of user-mode components, the kernel-mode rootkit techniques used to bypass HIPS, the hidden file system and the bootkit functionality. Finally, we describe possible approaches to cleaning an infected computer and present a free forensics tool for dumping the hidden TDL file system.
Hojun Song, Independent researcher.
Hojun Song talks about Open Source Satellite Initiative. OSSI promotes private space program by providing DIY tutorials on building a small satellite. After four years of research and one year of experience as a satellite engineer, Song Hojun has found that it is possible to launch and operate a personal satellite at a fairly reasonable price and finally he's waiting for his satellite to be launched in May 2012. In the end, he also talks about how he has been exploring ways to integrate the concept of a personal satellite project into cultural contexts and into his artistic practice.
Luis Miras, Independent consultant.
Baseband processors control access to the radio hardware on cell phones. There has been published security research and presentations on remotely attacking baseband processors. This talk will take a different approach and focus on code injection into the baseband from the application processor. This is the same method that many unlocks (ultrasn0w) use to bypass carrier restrictions. Interestingly, these unlocks (exploits) can also be used to load your own code onto the baseband. This enables the patching of existing GSM code and other phone functionality :) This talk will cover baseband architecture, setting up a development environment, injecting custom code into the baseband using a variety of exploits, and interesting areas for modification. The case study for the talk will be an iPhone baseband running the Nucleus RTOS, but the concepts will be applicable to other basebands and OSes.
Juliano Rizzo, Independent researcher.
We present a new fast block-wise chosen-plaintext attack against SSL/TLS. We also describe one application of the attack that allows an adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing.