RUXCON 2006 slide material is archived here.
2006 Presentations
- Java Class Deobfuscation - Chris Mitchell
- Mechanics of the Objective-C Trifecta - Reversing, Runtime Antics, & Exploit Development - Neil Archibald
- Exploiting OpenBSD - Ben Hawkes
- Anti-Forensic Rootkits - Darren Bilby
- Access over Ethernet: Insecurities in AoE - Morgan Marquis-Boire
- Attacks Against RFID - Josh Perrymon
- Unusual Bugs - Ilja van Sprundel
- A Quantitative Time Series Analysis of Malware and Vulnerability Trends - Craig Wright
- IPv6: Under the Hood - Mark Dowd
- Software Vulnerabilities - Daniel Hodson
- PE Packers Used in Malicious Software - Paul Craig
- Web Services: Teaching a New Dog Old Tricks - Daniel Grzelak, Colin Wong
- Bypassing Corporate Email Filtering - Simon Howard
- Hit By A Bus: Physical Access Attacks with Firewire - Adam Boileau
- Metafuzz: Building Boring Fuzzers Faster, Using Metadata - Ben Nagy
- Dynamic Port Scanning - AR, HK
- The Common Vulnerability Scoring System (CVSS) - Christian Heinrich
- Ajax Security - Andrew van der Stock
Presentation Details
This is the finalised list of presentations for RUXCON 2006.
- Java Class Deobfuscation - Chris Mitchell
A breakdown of a technique that can be used to aid in reverse engineering a popular java obfuscation method, without touching the actual byte code. Includes live demo. Knowledge of the Java Class File format is recommended but not required.
Bio:
Chris Mitchell, age 24, originally from Melbourne (yeahhhh), now in Sydney, has been reversing since he was a teenager and works as a virus analyst for Sophos.
- Mechanics of the Objective-C Trifecta - Reversing, Runtime Antics, & Exploit Development - Neil Archibald
Have you ever wondered what's under the hood of your favorite Mac OSX application? The recent advent of Objective-C as the primary language on Mac OSX has left many people without sufficient knowledge to peek.
This talk aims to provide attendees with a brief insight into the Objective-C language, before delving into more complex topics such as reverse engineering, runtime analysis of binaries, the manipulation of live objects in memory, and exploit development.
Bio:
Neil Archibald is a security professional from Sydney Australia. He has a strong interest in programming and security research. Neil is employed by Suresec LTD as a Senior Security Researcher. He has coauthored two books published by Syngress - "Aggressive Network Self Defense" and "Nessus, Snort & Ethereal Power Tools".
- Exploiting OpenBSD - Ben Hawkes
Free, functional and sort of secure. This presentation explores the cutting edge of exploit development on an OpenBSD system. Topics discussed will include the stack-smashing protector (SSP/ProPolice), Address Space Layout Randomization (ASLR), the custom OpenBSD malloc implementation, and various other points of interest. Both previously known and unknown attacks will be covered. Some prior exploit development knowledge is assumed.
Bio:
Ben Hawkes is a security researcher for Suresec PTY LTD. He was previously a student of mathematics and computer science at Victoria University of Wellington, New Zealand. During this time he developed the Patch Integration Engine project and researched methods of exploit defense.
- Anti-Forensic Rootkits - Darren Bilby
Incident response and digital forensics are fast moving fields which have made significant progress over the last couple of years. This means new techniques and tools; one of these is live forensic capture. Live forensic capture means taking an image of a machine while the machine is still running. This is brilliant for the investigators and is becoming common practice.
Unfortunately, the rootkit premise of "whoever hooks lowest wins" kicks in. So, despite assurances from major forensics software vendors, it is possible to give an investigator seemingly valid but completely spurious data.
To prove this isn't just theoretical (as has been claimed) I created an implementation called "ddefy" which is a kernel mode anti-forensic rootkit for Windows systems. This talk will be relatively low level, covering NTFS internals, NT storage architecture, Windows kernel rootkit methods, forensic techniques and their corresponding anti-forensic counterpart.
Bio:
Darren Bilby is a principal consultant at Security-Assessment.com and is currently based in Auckland, New Zealand. Darren has worked in a variety of places from Linux development houses to banks. When he isn't performing intrusion testing for clients, he is regularly involved in incident response in both UNIX and Windows environments and is technical lead for the Security-Assessment.com CSIRT team. This means bit wrangling with all forms of custom and targeted malware, and gathering evidence for presentation in court.
He is an active researcher and codesmith and his current projects include new forensic and anti-forensic techniques as well as VoIP hacking tools.
- Access over Ethernet: Insecurities in AoE - Morgan Marquis-Boire
SAN technologies provide the backbone of many an enterprise infrastructure. Not only do SANs store the critical data which comprises an organization's intellectual property, in many cases they are the disk which runs the operating systems of many mission critical applications. An organization's SAN provides a single point where the compromise of many machines may be accomplished.
AoE is a SAN protocol which is gaining more and more industry recognition. From being recently Slashdotted to its use by many top US government organizations such as NASA to its incorporation into the mainstream Linux kernel, it looks as though AoE is here to stay. This presentation will address many of the inherent insecurities in the AoE protocol and how you can deploy AoE infrastructure without worrying about a widescale compromise.
Bio:
Morgan Marquis-Boire is a Security Consultant with Security-Assessment.com where he focuses on forensics, unix, and networks. In his previous employments he's worked for a linux firewall vendor and as a unix consultant for both the New Zealand public and private sector. He has also been part of a start-up company involved in secure mail deployment in Japan. He likes cryptography, big iron and anonymous technologies.
- Attacks Against RFID - Josh Perrymon
The talk I will be giving at RuxCon will be focused on identifying known and potential threats using RFID as an attack vector. The presentation will begin with a brief history of RFID followed by an in-depth technical overview before discussing the exploitation of RFID environments. Recently, several researchers have posted details on specific attacks such as passport cloning and session replay. This presentation will cover all of the previously disclosed risks, including projected and theoretical RFID attacks of the future. An in-depth security overview of the GEN2 RFID protocol proposed by EPC Global will be included at the end of the presentation, including PoC exploits if time and legalities permit.
Bio:
For more than ten years, Joshua (Josh) Perrymon has been involved in penetration testing, ethical hacking, security auditing and research. Josh has held senior positions and overseen network security at several Fortune 500 companies in America, including banks, chemical manufacturers and federal government agencies.
For the past three years, Josh has specialized in wireless and RFID security and has recently released a first-to-market hands-on RFID audit targeting Management, Operational, and Technological risk. Josh is also writing the RFID chapter for "Hacking Exposed-Linux Edition".
In January 2006, Josh moved to Australia and joined leading Internet security company Pure Hacking as a senior security consultant performing global penetration tests in 14 countries worldwide. Josh also owns PacketFocus ( www.packetfocus.com ), an independent security research company. Josh uses this as an Internet medium to publish unbiased, independent research, including the new live Linux OS ( Labrat v0.8 ) for OWASP used for application penetration testing. This will be released at this year's OWASP conference in Seattle, Washington.
Outside of work, Josh throws himself into Australian life. He is learning to surf and enjoys traveling in his spare time.
- Unusual Bugs - Ilja van Sprundel
In this presentation I'll present a series of unusual security bugs. Things that I've run into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them.
What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
Bio:
Ilja van Sprundel holds a high school degree from the highly distinguished Koninklijk Technisch Atheneum Deurne. He loves to watch programs crash, burn and aim for something expensive in the process and is by no means an expert in anything. He's been known to wake up half naked in a stranger's backyard with a screaming headache realizing he just lost his glasses after a night of heavy alcohol consumption.
- A Quantitative Time Series Analysis of Malware and Vulnerability Trends - Craig Wright
The presentation will present the results from a study of Malware trends and show that time series analysis is a valid method of predicting trends in malicious code incidents. The results have applications to operational risk in general and further development of models and risk engines is warranted from the findings.
To effectively protect against attacks on computer systems and network architecture, we need to understand the threats and be able to create predictive models for them. Viruses, worms and malware represent a staple in the information security professional's daily routine. So far, little emphasis has been placed on the formal quantitative analysis of this intelligence for the purpose of risk and threat management. The creation of quantitative risk models in information systems security is a field in its infancy. The prediction of threats is oft touted as being too difficult due to a shortage of data and the costs associated with collecting and analysing data for a site.
This research employed ARIMA models to forecast short-term malware trends. The numbers of incidents are modelled and the incident data are input into the software package for future analysis. Monthly trend patterns are derived from statistical procedures. Although seasonality is widely touted in the industry and by anti-malware vendors, it is demonstrated that the seasonal effects of malicious code incidents were found not to be significant in developing our models.
Bio:
N/A
- IPv6: Under the Hood - Mark Dowd
For years, Internet communications have relied upon the IPv4 protocol as an underlying transport facility to allow data exchange between distant nodes. Although it has enjoyed immense success, IPv4 fails to meet some requirements for modern communications due to changing needs and technological advancements. As such, a new IP protocol (IPv6) has been under development for quite some time to address some of the shortcomings of IPv4. Specifically, IPv6 boasts speed enhancements, security improvements, configuration improvements, and larger address spaces. However, these improvements don't come without cost; they introduce a large amount of functionality that might be of interest to hackers wishing to subvert firewalls, create covert communication channels, and discover information about other hosts. Furthermore, most IPv4 stacks have undergone major scrutiny for security problems and are at a fairly mature stage in their life cycles. IPv6 stacks, conversely, are in their infancy and haven't stood the rigorous test of time. In this speech, I will outline some of the basics of IPv6 functionality and discuss some potential problem areas that abusing these features might cause. In addition, you will see some of the common types of implementation flaws that can be made when developing IPv6 protocol stacks and how these problems might be leveraged to attack unprotected hosts or firewalls.
Bio:
Mark Dowd is a Principal Security Architect at McAfee Inc. and an established expert in the field of application security. His professional experience includes several years as a Senior Researcher at ISS (Internet Security Systems) X-Force, and the discovery of a number of high profile vulnerabilities in ubiquitous Internet software. He is responsible for identifying and helping to address critical flaws in Sendmail, Microsoft Exchange Server, OpenSSH, Internet Explorer, Mozilla (Firefox), Checkpoint VPN, and Microsoft's SSL implementation. In addition to his research work, Mark has presented at several conferences on the subject of application security, including Blackhat USA, BlackHat EU, and Ruxcon.
- Software Vulnerabilities - Mercy
Software vulnerabilities have been the cause of the world's most destructive worms, notorious hacks, and the creation of the IT security industry. This presentation will take the audience through a look at common vulnerability classes, post-exploitation payloads, and technologies being deployed to tighten OS security.
Bio:
Mercy is a security enthusiast who studies offensive computing in his spare time. He is involved with several online communities (pulltheplug & felinemenace) who encourage security research by hosting war games and technical articles.
- PE Packers Used in Malicious Software - Paul Craig
Hackers commonly compile custom backdoors and applications to use on a compromised host. These custom applications can contain sensitive information about the attacker himself, even his own IP address. Disassembly of the trojan binary would reveal this information easily, but when the executable is PE packed, what path do you next take?
This presentation aims to debunk the PE packing myth, showing just how easy unpacking a PE packed binary can be.
Bio:
Paul Craig is a security consultant with Security-Assessment.com where he is kept busy performing software and network based security reviews.
Paul co-authored the best-selling Stealing the Network: How to Own the Box and Stealing the Network: How to Own a Continent from Syngress Publishing.
Paul is an active security researcher with a focus on binary analysis and disassembly techniques.
- Web Services: Teaching a New Dog Old Tricks - Daniel Grzelak, Colin Wong
In recent times web services have seen increasing adoption across the enterprise sector and beyond. Many of these leverage the Internet or extranet communications links, exposing their functionality to external attackers. The security implications of this exposure are not well understood given the relative immaturity of the technology.
Furthermore, existing web application testing methodologies are incongruent with web services specifics. We present a web services security testing framework to address this issue.
Although web services are a relatively new technology, the same attacks are applicable. While web application security practices have evolved and are now readily adopted, the defensive principles have not been transferred to the web services realm. We will discuss and demonstrate new and interesting uses of traditional offensive techniques against web services.
Bio:
Daniel Grzelak is a technical analyst and security researcher at Australian information security consulting firm, SIFT. He has a strong background in software development and a passion for information security research. Daniel holds a Bachelor of Computer Science and Information Technology from the University of Sydney. He continues his education both formally and informally, recently gaining a GIAC Security Essentials (GSEC) certification and becoming a Certified PGP Engineer. Additionally, he has achieved a 4th place in his third grade athletics carnival, narrowly missing out on a ribbon.
Colin is a technical analyst and researcher at Australian information security consulting firm, SIFT, who is heavily involved in application and network penetration testing. His specific security interests include web applications, wireless and VoIP. Colin holds a Bachelor's Degree in Software Engineering from the University of Sydney and a Certificate of Participation in the 1992 Year 4 Mathematics Competition.
- Bypassing Corporate Email Filtering - Simon Howard
All too often these days people believe that email filtering has been done and dusted. The majority of solutions, however, are not as robust as they seem.
This presentation will show a number of ways to bypass antivirus and content filtering products to get your message (with malicious payload intact) to the user's desktop.
Bio:
Simon Howard started programming BASIC on a ZX81 with a 16k RAM pack.
Simon is currently employed by DMZGlobal, an MSSP in New Zealand tasked with building and managing secure environments for a variety of customers in the .govt, banking and energy sectors.
Prior to working for DMZGlobal, Simon was a Linux-centric software engineer for a media company in Dunedin.
- Hit By A Bus: Physical Access Attacks with Firewire - Adam Boileau
Physical access to a general purpose computer is considered a 'game-over' attack scenario, but we still like to pretend that it's not the case. As laptop sales exceed desktops, and public access terminals are commonplace, systems are increasingly exposed to physical access attacks. Most people think of the traditional pop-the-lid-jump-the-cmos-battery technique, but modern interfaces and bus protocols blur the line around physical access. Adam discusses developments in physical access attacks, their legitimate uses in incident response and forensics (especially where cryptography is involved), and presents concrete demonstrations of exploiting Firewire to attack Windows and Linux. Adam will also release tools for performing memory forensics, recovering passwords, and python libraries for implementing your own Firewire attacks in just three lines.
Bio:
Adam Boileau is a Senior Security Consultant with Australasian firm Security-Assessment.com. (Ruxcon 2005 attendees may recall him better as the SSH-Jacking metal-unix-hippy Metlstorm; now a wholly respectable character, Adam gets paid to 'jack things.) Based in Auckland, New Zealand, Adam busts wireless, breaks unix, and menaces people with his Python.
- Metafuzz: Building Boring Fuzzers Faster, Using Metadata - Ben Nagy
So, let's be clear - talking about 'new' fuzzing techniques is silly. Fuzzing is one of those embarrassing things we all do in dark rooms when the occasion demands, but we don't talk about it with our mates. The Metafuzz framework is a protocol metadata based approach, which means that most of the time should be spent describing the protocol elements (packet headers, field types and such) and the protocol operation. Once all that is done, a simple fuzzer can be instantiated with one line.
More specifically, Metafuzz 0.3 features:
- A protocol definition library which can be used for binary or plaintext protocol elements and works pretty well as a generic parser.
- A library for the creation of 'simple yet effective' finite state automata that can be used to describe protocol mechanisms and automatically manage state transitions and stateful protocol elements like nonces, session ids, cookies, encryption keys and the like. It does not use Backus-Naur Form.
- Some funky output generator classes that can be intermixed and combined with output feedback mutators to create all sorts of cool output.
- An 'automatic test case generator' which works out what kind of output to send based on the protocol element being tested. Just like artificial intelligence... except not.
- It's written in Ruby. All the cool kids use Ruby.
So, basically, sit through the examples and the Ruby fanboyism, then you can get your hands on the code and start breaking stuff. Beer will be given away during this talk.
Bio:
Australian born Ben Nagy is a Senior Security Engineer and Researcher for eEye Digital Security, currently based in Bangkok, Thailand, which is just as much fun as you would think. Ben has a strong background in most areas of network security, but has been particularly interested in firewalls, cryptography and software vulnerability research, writing several whitepapers and presenting at conferences in Europe and Asia.
Ben enjoys long, obsessive research projects that lead nowhere and drunkenly ranting to friends about the coolness of Ruby.
- Dynamic Port Scanning - AR, HK
Dynamic Port Scanner [DPS] integrates ARP poisoning and spoofing into port scanning to dynamically spoof the source IP of TCP or UDP scan packets. "Dynamic spoofing" means that for each TCP or UDP scan packet, a dynamically and randomly generated IP is used as the source IP address of the scan packet. DPS can be considered a "virtual" distributed scan, where the scan appears to come from many scanning machines, while concealing the real IP of the scanning system. DPS is best suited for "inside" penetration testing or attack.
The presentation will start by covering current methods of performing spoofed scans with their pros and cons. Then, a detailed implementation of DPS followed by a demo will be presented. Finally, the talk will show possible measures to prevent DPS in private LANs.
Bio:
By profession, AR works as an IT Security Engineer at Consolidated Contractors Int'l Co. [CCIC] (Athens, GR), which has an IT infrastructure spanning the globe. His main tasks are designing and implementing large-scale security procedures and solutions, such as ASA firewalls, IPS, and DMZ architecture, as well as engaging in frequent vulnerability assessment and penetration testing.
Besides his profession, AR is also an independent security researcher who leads the SECUREBITS information security group [www.securebits.org]. His main interest is in stretching existing, and researching new, attack and defense methodologies, and he provides working tools and PoCs demonstrating his research.
HK is a 24-year-old independent security researcher whose research interests are "secure coding" in different programming languages, especially for web applications. He is currently a member of SecureBits.org as a web application programmer and penetration tester.
Since he was an undergraduate student in Computer Science, he has participated in international activities and competitions. His papers have been published at international conferences. He also won second place in the Lance Stafford Larson Student Scholarship Best Student Paper Competition, which is organized by the IEEE Computer Society.
He was also an IEEE Computer Magazine reviewer for network security papers to be published in the magazine.
- The Common Vulnerability Scoring System (CVSS) - Christian Heinrich
The Common Vulnerability Scoring System (CVSS) is an open set of metrics to quantitatively and qualitatively measure the residual risk of a technical vulnerability based on its severity and urgency, in order to prioritise its remediation with a patch and/or workaround.
CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST).
This presentation will address the following questions:
- What is a Vulnerability Scoring System (VSS)?
- How is CVSS different from AS/NZS 4360 Risk Management?
- What other Vulnerability Scoring Systems are available?
- Why was CVSS created when other Vulnerability Scoring Systems already existed?
- What are the Base, Temporal and Environmental Metrics of CVSS?
- How are the CVSS Metrics scored?
- How does CVSS apply to Vulnerability Disclosure in the "Real World"?
- Is CVSS the "Silver Bullet" to manage technical vulnerabilities?
- Has [insert Vendor/FIRST Member/End User] implemented CVSS?
Bio:
Christian "cmlh" Heinrich has previously presented at RUXCON 2005 on "Defeating Network Intrusion Detection and Prevention". He has also presented at the Australian Information Security Association (AISA), formerly the Information Security Interest Group (ISIG) and "SecCon 98".
Previously, he was the Technical Lead Engineer for a Defence Signals Directorate (DSD) Certified Gateway Service Provider, as governed by the DSD Gateway Certification Guide (GCG), and completed network security projects for:
- Defence Signals Directorate (DSD)
- Australian Security Intelligence Organisation (ASIO)
- Australian Federal Police (AFP)
In addition to this presentation, Christian Heinrich will be managing the Aruba Wireless Network for RUXCON.
He has a Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich
- Ajax Security - Andrew van der Stock
In ancient Greek mythology, Ajax was a fierce warrior, second only to Achilles in strength and reputation. Towards the end, he occasionally went mad and by some accounts, killed himself in remorse after killing some sheep he mistook for the enemy.
In this presentation, you will learn about the terrible dark security secrets present in most Ajax applications. As Ajax was developed without security in mind, almost every current toolkit and application makes the same few basic mistakes.
All is not lost: we can secure anything given enough time and money. The presentation provides you with the robust Ajax security patterns you need to know if you are to prevent your Ajax-enabled applications from stumbling across a nervous flock of sheep.
Bio:
Andrew van der Stock is a leading Australian web application researcher and is active in the web application community. He is the Executive Director of the Open Web Application Security Project (OWASP), moderator of webappsec, and author of the forthcoming book "Ajax Security". When not sleeping, he works at the NAB as a webappsec specialist.
Andrew has presented at many conferences including BlackHat USA, OSCON, Ruxcon, linux.conf.au, and AusCERT.
You can read more about OWASP, the Open Web Application Security Project, at http://www.owasp.org/ and you can read more about Andrew's (rather dull) life at http://www.greebo.net/
