Monthly Archives: October 2013

Applications of Artificial Intelligence in Ad-Hoc Static Code Analysis

During a recent engagement, I was faced with *reviewing* 2.6 million lines of C#/ASP.NET code. After several hours of line-by-line, file-by-file review, I decided to write a script to look for problems. It became apparent that the script needed a little more intelligence, so I found myself applying methods from AI to tracing through source code. The end result is a static code analysis tool aptly named scat that does a parallel analysis of C# using state space search algorithms.

Also, I like cats 🙂

I work as a Sr. Security Engineer at Security Innovation, based out of Seattle. I have a Master's in Software Engineering and an undergrad in computer science. Before joining SI, I worked at Microsoft, Disney, Harris, and Symantec (formerly Veritas) hacking code.

Rickrolling your neighbors with Google Chromecast

The Google Chromecast is a handy, user friendly, little gadget that allows users to play video to HDTVs from a variety of sources, wirelessly. What could possibly go wrong? There’s been some research into modifying the software that runs the Chromecast, but what I really want is to Rickroll my neighbors.

This presentation will demonstrate how to hijack a Google Chromecast on any network to play videos of your choosing. Let no TV be safe.

Dan “AltF4” Petro
Dan Petro is a Senior Security Analyst at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on application penetration testing and secure development.

Dan has presented at numerous conferences, including DEFCON and BSides, and is the founding member of the Pi Backwards CTF team.

Prior to joining Bishop Fox, Dan served as Lead Software Engineer for a security contracting firm. Dan holds a Bachelor of Science from Arizona State University with a major in Computer Science, as well as a Master’s Degree in Computer Science from Arizona State University.

Dude, Where’s My Car? Reversing Tire Pressure Monitors with an SDR

Automotive tire pressure monitoring systems have been studied from a security and privacy perspective. This talk will take TPMS down — addressing specifics like radio modulation and packet schemes, and *code*. I will demonstrate the process I used to receive, identify, and decode the various tire pressure monitoring signal types. From what I’ve learned, I’ll discuss the implications of driving around with the simplest of wireless endpoints dangling from your vehicle.

Jared Boone
Jared is a life-long hardware hacker who is InfoSec-curious. Ordinarily, he's experimenting with new radio, embedded microcontroller, or FPGA hardware, but can't help wondering what secrets are hiding in the electromagnetic spectrum we're all swimming in.

Making Attacks Go Backwards

Imagine a pentest where there is no scope, no time restraints, and no budget. How would you do it? Would you write your own tools? Would you get detected? And if you did would they know what you stole and what was owned? As time went on, would you get lazy?

It sounds like a dream gig for most pentesters out there, and lucky for some threat actors, this is the 9 to 5 job. By now I shouldn't have to mention the advanced persistent buzzword for you to know what I'm talking about. Targeted threat actors are people too: they make mistakes, their judgement is bad sometimes, they get lazy, and sometimes their skills are bad and they should feel bad.

In this talk we will cover how attacker tactics can leave behind obvious evidence, how their tools can be identified and analyzed quickly, and how the human side of every attacker can lead to some great lulz. Attendees should leave armed with a variety of examples from the trenches of incident response and malware analysis that will give them an edge against the less advanced of advanced attackers. Key takeaways will include tips and tricks for identifying and reverse engineering malware and utilities used in targeted attacks as well as the forensic evidence they leave behind.

FuzzyNop is a computer who knows how to computer. As a child his computers always told him he should do computers. At his day job he’s a penetration tester, reverse engineer, and incident responder, but above all else… computer.

Bypassing FireEye

I'd like to give a speech on bypassing FireEye, a commercial anti-malware appliance that just went public: five methods to employ to defeat a powerful commercial-grade security suite.

AverageJoe / Joe Giron
I'm an Arizona native. Born and raised here. I've moved elsewhere, but somehow ended up back here. I got into the 'h4x0r' scene back in 2003 when it was still called HullaBallo, binrev PLA was in full swing, and LSD's RPCDOM sploit was leaked and wreaking havoc on the Windows server populace.

Active Fingerprinting of Encrypted VPNs

Suppose there is a stream of packets coming through your gateway, their contents apparently encrypted. They may be from a standard VPN such as OpenVPN or an IPSec implementation running over some non-standard ports or protocol, but you missed the initial negotiation that could tell you what sort of a VPN that might be. Can you still find out what software stack and what cipher are being used?

We found out that, if you introduce a periodic disturbance to an encrypted VPN connection, you can fingerprint the VPN and, in particular, the cipher using nothing but packet timings of typical file transfers. We also found that many things we take for granted aren't necessarily true, e.g., that double encryption may not be better for resisting fingerprinting, and that the most common encryption algorithms differ more in performance than one would think they do.

We believe that the fingerprinting signatures are due to the interactions between the cryptographic and the network layers of the VPN, the cross-layer effects that have been largely overlooked to date. Our findings suggest that these interactions between the layers of a VPN implementation should be studied and taken into account to protect implementations against information leaks.

Anna Shubina
Anna Shubina chose “Privacy” as the topic of her doctoral thesis and was the operator of Dartmouth’s Tor exit node when the Tor network had about 30 nodes total. She is currently a research associate at the Dartmouth Institute for Security, Technology, and Society.

I Can Haz DarkNet & MeshNet Best Practices? : Helping make better decentralized networks, one beer at a time

Remember back in the day when Governments, ISPs and People were good friends and we all held hands singing Kumbaya? Yeah… Neither do we. People are now realizing that we should really start building decentralized Meshnets and Darknets. The push to build Meshnets/Darknets started coming from the community when SOPA and ACTA came onto the playing field, and now with the leaks about large spying programs. Unfortunately, with all this effort going into current Meshnet/Darknet projects, there still has not been one single good white paper that covers best practices when setting up and/or participating in a Meshnet and/or Darknet. Come join us in folding up some tin foil hats, drinking a few beers, and helping the community build a better Meshnet as we discuss our research into Meshnet/Darknet best practices.

Drew Redshift Porter
Drew is a Senior Security Analyst at Bishop Fox. In this role, he focuses on wireless assessments, hardware security, penetration testing, and cellular research. Prior to joining Bishop Fox, Drew worked as a Mobile Security Exploit Engineer for a defense contractor and a System Security Architect for an EMR Software Company. Drew is a sought-after speaker, and has presented at ToorCon, BlackHat, ICDW and other conferences.

Managing your pentest data with Kvasir

We've all done it a few times. Lost that nmap scan, can't recall what file had that account and password combination, sat in front of a screen for a few days while your co-worker gathered tons of data and didn't share because he's a big fat jerk.

Kvasir is a centralized, penetration tester-focused data homogenizing application to help collect, unify and make sense of the important data gathered during tests. It's a small footprint application designed for quick deployment. It integrates directly with NeXpose and Metasploit (for now).

This application is used daily by Cisco Systems engineers on customer penetration tests. It hasn’t solved the big fat jerk problem but it has helped us work better as a team.

grutz has been in the penetration testing game for far too long. He recalls the time when Windows actually spit out account names when asked and SADMIND was running by default. While not officially an ‘old man’ yet there is more gray and less hair on top of his head.

grutz is currently a member of the penetration testing team for Cisco Systems and has worked for Pacific Gas & Electric and the Federal Reserve System crashing power grids and money processing systems with a mighty nmap scan.

Clowntown express, interesting bugs and running a bug bounty program

Facebook's bug bounty program has discovered a number of serious, wacky, interesting and hilarious bugs. This talk will mostly be about those bugs and the lessons we can learn from them. It will also cover the process of setting up and running a bug bounty program and how it compares to the alternatives (hiring, static/dynamic analysis tools, consultants, etc.).

Collin Greene
Collin works on product security for Facebook and enjoys carne asada fries.

Multiplexed Wired Attack Surfaces

Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We’ll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.

Michael Ossmann
Michael Ossmann is a wireless security researcher who makes hardware for hackers. He founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.

Kyle Osborn is the lead security engineer at an electric car manufacturer in Silicon Valley where he manages web application, network, and product security. He plays a bad guy at the Western Regional Collegiate Cyber Defense Competition, and has developed a CTF, with his team, for the United States Cyber Challenge “Cyber Camps”, which a number of campers competed in. Osborn has previously discussed browser and mobile security at prominent conferences such as BlackHat USA, DefCon, Toorcon, DerbyCon, Hacker Halted, and more.