Speaker Workshops at DEF CON 22

Days: Thursday, August 7th; Friday, August 8th; Saturday, August 9th; Sunday, August 10th

10 - 11 AM
  • Data Hiding: A Peek at the Latest Innovations (Michael Raggo and Chet Hosmer)
  • How Machine Learning Finds Malware Needles in an AppStore Haystack (Theodora Titonis)

11 AM - 12 PM
  • Tools and Techniques Used at the Wall of Sheep (Ming Chow)
  • Exploit Development for Beginners (Sam Bowne)
  • Abusing Microsoft Kerberos: Sorry You Guys Don't Get It (Black Hat Encore Talk) (Alva Duckwall and Benjamin Delpy)

12 - 1 PM
  • Violent Python (Sam Bowne)
  • Mobile Network Forensics (Michael Raggo)
  • Making Mongo Cry: Automated NoSQL exploitation with NoSQLMap (Russell Butturini, @tcstoolHax0r)

1 - 2 PM
  • Mobile SSL Failures (Tony Trummer and Tushar Dalvi)
  • Network-Based File Carving (GTKlondike)
  • The Art of Botnet Tracking and Attribution (Jozef Mlodzianowski)

2 - 3 PM
  • ZitMo NoM (ZeuS-in-the-Mobile No More) (David Schwartzberg)
  • Vaccinating APK's and Even Android (Milan Gabor and Danijel Grah)

3 - 4 PM
  • iOS Attachment Vulnerability (Michael Raggo)
  • Jay Beale

4 - 5 PM
  • One Social Profile To Rule Them All (Joseph Muniz and Aamir Lakhani)
  • MetaData: PII at Risk (Sudesh Gadewar)
  • Multipath TCP: Breaking Today's Networks with Tomorrow's Protocols (Black Hat Encore Talk) (Catherine Pearce)

5 - 6 PM: CLOSED
6 - 7 PM: CLOSED

The Art of Botnet Tracking and Attribution

Jozef Mlodzianowski, Malware Researcher at Sub0Day

This talk explores modeling and tracking the criminals running botnets, including click-fraud profiteers. Botnets are a large problem for large corporations and most ISPs from a spam and Denial of Service perspective. Botnets are used to disseminate spam email, serve as proxy networks, capture credit card and password information, and run large click-fraud operations. Criminals use botnets to perform fraud on a massive scale. Short of getting control of the C&C servers and being able to reverse the system controls, current methods do not provide an accurate way of determining how large a botnet really is; many security companies use "magic" methods to estimate a botnet's size, and adding a host to the botnet does not provide enough information to extrapolate real numbers. cedoxX will be releasing a tool that he developed to analyze and help with attribution of bad actors, using packet captures on Hadoop and big-data analytics infrastructure.

Jozef Mlodzianowski (Twitter: @cedoxX)

Data Hiding: A Peek at the Latest Innovations

Michael Raggo, Security Evangelist at MobileIron
Chet Hosmer, Founder & Chief Scientist at WetStone Technologies, Inc.

As malware grows in sophistication, current techniques reveal that malware variants are employing more covert functions. Additionally, corporate espionage is at an all-time high as evidenced by all of the alleged Chinese cases in 2013. If the newswire is any indication, corporate espionage, covert communications, and evidence concealment continue to plague corporations, investigators, and the military.

This presentation will highlight some of the latest research of the 21st century involving data hiding techniques over the network and with data-at-rest. The highlights will demonstrate new techniques for hiding data on mobile devices, operating systems, VOIP, virtual images, social networks, and other dominating technologies in today's world. Having demonstrated the latest data hiding techniques, detailed analytical methods for enumerating hidden data, as well as jamming methods for disrupting data hiding operations will be outlined. We will then consider emerging technologies and attack methods, including cloud considerations, privacy protection, and derivative data hiding and detection theories.

The concepts will provide corporate, government and military personnel with the knowledge to investigate and defend against insider threats, spy techniques, espionage, advanced malware and secret communications. By understanding the plethora of threats, one can gain an understanding of the methods to defend oneself from these threats through detection, investigation, mitigation and prevention.

Michael Raggo (CISSP, NSA-IAM, ACE, CSI) (Twitter: @DataHiding) Michael applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo's technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. In addition, Mr. Raggo conducts ongoing independent research on various Data Hiding techniques including steganography, as well as Wireless and Mobile Device attack and countermeasure techniques. His publications include books for Syngress titled "Data Hiding" and McGraw Hill as a contributing author for "Information Security the Complete Reference 2nd Edition", as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

Chet Hosmer (Twitter: @ChetHosmer) Chet is the Founder and Chief Scientist at WetStone Technologies, Inc. Chet has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss steganography and data hiding cyber threats, including National Public Radio's Kojo Nnamdi show, ABC's Prime Time Thursday, NHK Japan and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year and has numerous publications, including the books "Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" (co-authored with Mike Raggo) and "Python Forensics: A Workbench for Inventing and Sharing Digital Forensic Technology".

Chet also serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program.

Exploit Development for Beginners

Sam Bowne, Instructor at CCSF

Learn how to weaponize a simple crash of a vulnerable application and turn it into a remote control exploit, using Kali Linux, Metasploit, the Immunity debugger, and some very simple Python code.

No experience needed. Recommended: bring a laptop with two virtual machines: Kali Linux and Windows.

Sam Bowne (Twitter: @sambowne) Sam has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEF CON, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences.

He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign.

How Machine Learning Finds Malware Needles in an AppStore Haystack

Theodora Titonis, Vice President of Mobile Security at Veracode

Machine learning techniques are becoming more sophisticated. Can these techniques be more effective at assessing mobile apps for malicious or risky behaviors than traditional means? This session will include a live demo showing data analysis techniques and the results machine learning delivers in classifying mobile applications with malicious or risky behavior. The presentation will also explain the difference between supervised and unsupervised machine learning algorithms, and how you can use unsupervised machine learning to detect malicious or risky apps.

What you will learn:

  • Understand the difference between advanced machine learning techniques and traditional means.
  • Recognize different types of algorithms used to improve mobile security.
  • Understand how you can use unsupervised machine learning to detect malicious or risky apps.

Theodora Titonis Theodora is an innovative entrepreneur whose passion for technology began when she started programming computers at the age of seven. While pursuing computer science at The Ohio State University she focused her efforts on the challenging field of security. During the dotcom-era, Theodora architected systems and provided security expertise to federal government intelligence and defense agencies, leading financial institutions and Fortune 500 Companies.

Theodora served as the Founder, CEO, sole investor, and a patent assignee of Marvin Mobile. Veracode, Inc., the leader in cloud-based application security testing, acquired Marvin in September 2012. Ms. Titonis now serves as Veracode's Vice President of Mobile Security.

iOS Attachment Vulnerability

Michael Raggo, Security Evangelist at MobileIron

In April of 2014, a vulnerability was discovered in iOS 7.1.1 and older that leaves email attachments unprotected on the iPhone 4 and later, iPod touch (5th generation) and later, and iPad 2 and later. Apple's "iOS Security Update for February 2014" security guide states that "the mail app implements complete protection for messages and attachments." So, although emails and attachments are supposed to be encrypted with iOS Data Protection, the vulnerability leaves email attachments exposed, even when a PIN or Passcode is used.

Using techniques outlined by mobile security researcher Andreas Kurtz, we will revisit the steps necessary to access these exposed email attachments by presenting a walkthrough demo of an iOS device in DFU mode with a custom ramdisk, to understand the extent of the exposure, and then review a number of countermeasures that can be implemented to protect email attachments from a number of attack vectors.

Michael Raggo (CISSP, NSA-IAM, ACE, CSI) (Twitter: @DataHiding) Michael applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo's technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. In addition, Mr. Raggo conducts ongoing independent research on various Data Hiding techniques including steganography, as well as Wireless and Mobile Device attack and countermeasure techniques. His publications include books for Syngress titled "Data Hiding" and McGraw Hill as a contributing author for "Information Security the Complete Reference 2nd Edition", as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

MetaData: PII at Risk

Sudesh Gadewar, Information Security Engineer at Cisco

Sudesh will demonstrate how metadata puts PII (Personally Identifiable Information) at risk, and the various ways PII is exposed through Web Services Description Language (WSDL) spoofing and content spoofing.

Sudesh Gadewar Sudesh is an Information Security Engineer with a passion for web architecture security and cloud service provider security.

Mobile Network Forensics

Michael Raggo, Security Evangelist at MobileIron

Traditional methods of network forensics no longer apply in today's world of mobile. A plethora of new vulnerabilities have been introduced by tablets, smartphones, and other mobile computing devices exposing end-user data, corporate network credentials, and allowing corporate network infiltration and exfiltration. Therefore, mobile network forensics requires a revised approach. This presentation will expose the latest mobile attack vectors and provide a revised approach to threat monitoring focused on mobile.

Using an "attacks and countermeasures" approach, the session will then uncover lessons learned through real-world examples to provide the basis for appropriate detection, mitigation, remediation, as well as revised prevention techniques specific to mobile. By understanding the anatomy of the attacks and the perpetrators, the session will then outline live and post-mortem forensics steps, as well as techniques for fortifying end-user mobile devices and the corporate networks to which they connect. Sources for additional information will also be referenced and cited.

Michael Raggo (CISSP, NSA-IAM, ACE, CSI) (Twitter: @DataHiding) Michael applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo's technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. In addition, Mr. Raggo conducts ongoing independent research on various Data Hiding techniques including steganography, as well as Wireless and Mobile Device attack and countermeasure techniques. His publications include books for Syngress titled "Data Hiding" and McGraw Hill as a contributing author for "Information Security the Complete Reference 2nd Edition", as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

Mobile SSL Failures

Tony Trummer, Senior Information Security Engineer, Vulnerability Research and Assessment at LinkedIn
Tushar Dalvi, Senior Information Security Engineer, Vulnerability Research and Assessment at LinkedIn

Organizations are all so anxious to reach their "mobile moment", but are failing miserably at securing their mobile application traffic, in a variety of ways. We will review some of the common pitfalls with mobile application traffic encryption, how to test for vulnerabilities, and a fool-proof method to prevent your organization from falling victim to these all too common errors. We will also be presenting a novel SSL/TLS attack, which could be used for a semi-permanent, nearly undetectable MitM attack.

Tony Trummer (Twitter: @SecBro1) Tony has been working in the IT industry for nearly 20 years and has been focused on application security for the last 5 years. He is currently an in-house penetration tester for LinkedIn, running point on their mobile security initiatives. When he's not hacking, he enjoys thinking about astrophysics, playing devil's advocate, and has been known to dust his skateboard off from time to time.

Tushar Dalvi (Twitter: @tushardalvi) Tushar loves breaking web applications and ceramic bowls. Tushar Dalvi is a security enthusiast, and currently works as a Senior Information Security Engineer at LinkedIn. He specializes in the area of application security, with a strong focus on vulnerability research and assessment of mobile applications. Previously, Tushar has worked as a security consultant at Foundstone Professional Services (McAfee) and as a Senior developer at ACI Worldwide.

Network Based File Carving

GTKlondike, Independent Security Researcher

File carving is the technique of pulling files out of a stream of bytes without using a particular file system, much like finding a word in a word-search puzzle. Network-based file carving extracts files from saved network traffic captured with tools such as Wireshark or tcpdump. This is useful for extracting viruses for analysis, identifying exfiltration, and forensic investigations.

GTKlondike (Twitter: @GTKlondike) GTKlondike is a hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years' experience working in the industry as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.

One Social Profile To Rule Them All

Joseph Muniz, Consulting Security Engineer at Cisco
Aamir Lakhani, DrChaos.com

Tools and Techniques Used at the Wall of Sheep

Ming Chow, Wall of Sheep

Ming will demonstrate how to capture and analyze packets using the tools that are used by the shepherds at the Wall of Sheep. The tools include Wireshark, tcpdump, dsniff, and ettercap. Attendees do not need to have any networking or security experience but are expected to bring their own laptop. For the purpose of this session, a *nix environment will be used (e.g., Linux, Mac OS X). There will be no presentation slides used for this session.

Ming Chow (Twitter: @0xmchow) Ming has been involved with the Wall of Sheep since DEF CON 15 (2007).

Vaccinating APK's and even Android

Milan Gabor, CEO of Viris Ltd.
Danijel Grah, Consultant at Viris d.o.o.

The number of mobile applications is rising and Android still holds a large market share. As the number of applications grows, we need better tools to understand how applications work and to analyze them. There is always the question of whether we can trust mobile applications to do only what they are allowed to do, and whether they are really secure when transmitting our personal information to different servers. In the presentation some runtime techniques will be discussed and a tool will be released that offers two approaches to analyzing Android applications. The basic principle of the first approach is injecting a small piece of code into the APK, then connecting to it and using Java Reflection to modify values at runtime, call methods, instantiate classes, and create your own scripts to automate work. The second approach offers much the same functionality, but can be used without modifying an application: it uses Dynamic Dalvik Instrumentation to inject code at runtime, so that modifying the APK isn't necessary. The tool is Java based and simple to use, but offers quite a few new possibilities for security engineers and pentesters.

Milan Gabor (Twitter: @MilanGabor) Milan Gabor is the Founder and CEO of Viris, a Slovenian company specializing in information security. He is a security professional, pen-tester and researcher. Milan is a distinguished and popular speaker on information security. He has previously been invited to speak at various events and IT conferences in Slovenia and loves to talk to IT students at different universities. He also delivers training on ethical hacking. He is always on the hunt for new and undiscovered things and he really loves and enjoys his job.

Danijel Grah (Twitter: @alm8i) Danijel Grah has a Bachelor's degree in Computer Science from the University of Ljubljana, Slovenia. He has been a Security Consultant at Viris for some time and is involved in penetration testing, security reviews, programming, consulting and research. He has a deep understanding of threats, vulnerabilities and trends. He likes to practice information security in everyday life. Danijel is devoted to his work, open minded, enjoys new challenges and never stops studying.

Violent Python

Sam Bowne, Instructor at CCSF

Hands-on workshop using Python to make simple hacking tools, including:

  • Port scanning
  • Login brute-forcing
  • Port knocking
  • Cracking password hashes
  • Sneaking malware past antivirus engines

No programming experience required. Recommended: bring a laptop with Kali Linux.

Sam Bowne (Twitter: @sambowne) Sam has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEF CON, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences.

He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign.

ZitMo NoM (ZeuS-in-the-Mobile No More)

David Schwartzberg, Senior Security Engineer at MobileIron

A world without malware is ideal but unlikely. Many of us would prefer not to install another layer of protection on our already resource-constrained handheld mobile devices. Alternatively, Android malware detection without an anti-virus installation has become a reality. Learn how it's possible to detect mobile malware using simple text messages with ZitMo NoM. ZeuS in the Mobile, known as ZitMo, is infamous for intercepting SMS transmissions and redirecting them to a Command & Control server in order to steal banking and personal information. Research with SMS transmissions directed at mobile malware has resulted in the ability to detect ZitMo's presence without anti-virus applications installed. Turning cybercriminals' tools against them makes this even more of a rewarding endeavor. We are looking for malware researchers to contribute to the continued development of this open tool. The presentation will include the research, the infrastructure and a demonstration of ZitMo NoM. Live malware will be used during this presentation, assuming we get it to behave.

David Schwartzberg (Twitter: @DSchwartzberg) Dave is a Senior Security Engineer at MobileIron, a mobile security company, where he specializes in mobility and network security. Utilizing his 6 years of accounting experience and a combined 17 years of information technology and information security experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. In his spare time he blogs for Barracuda Labs (@BarracudaLabs) and speaks at some conferences. David has earned several certifications in the field of information technology and information security. If you need to know the list of certificates, that's what LinkedIn is for.