Everything posted by Nytro

  1. DEFCON 19: Cellular Privacy: A Forensic Analysis of Android Network Traffic
     Speaker: Eric Fulton Director of Research, Lake Missoula Group, LLC
     People inherently trust their phones, but should they? "Cellular Privacy: A Forensic Analysis of Android Network Traffic" is a presentation of results from forensically analyzing the network traffic of an Android phone. The results paint an interesting picture. Is Google more trustworthy than the application developers? Are legitimate market apps more trustworthy than their rooted counterparts? Perhaps most importantly, should you trust your passwords, location, and data to a device that shares too much?
     For more information visit: DEF CON
  2. DEFCON 19: Building The DEF CON Network, Making A Sandbox For 10,000 Hackers
     Speakers: David M. N. Bryan Penetration Tester at Trustwave's Spiderlabs | Luiz Eduardo
     We will cover how the DEF CON network team builds a network from scratch, in three days with very little budget. How this network evolved, what worked for us, and what didn't work over the last ten years. This network started as an idea, and after acquiring some kick butt hardware, has allowed us to support several thousand users concurrently. In addition I will cover the new WPA2 enterprise deployment, what worked, and what didn't, and how the DEF CON team has made the Rio network rock!
     For more information visit: DEF CON
  3. DEFCON 19: Three Generations of DoS Attacks
     Speaker: Sam Bowne Instructor, City College San Francisco
     Denial-of-service (DoS) attacks are very common. They are used for extortion, political protest, revenge, or just LULz. Most of them use old, inefficient methods like UDP Floods, which require thousands of attackers to bring down a Web server. The newer Layer 7 attacks like Slowloris and Rudy are more powerful, and can stop a Web server from a single attacker with incomplete HTTP requests. The newest and most powerful attack uses IPv6 multicasts, and can bring down all the Windows machines on an entire network from a single attacker. I will explain and demonstrate these tools: Low Orbit Ion Cannon, OWASP Http DoS Tool, and flood_router6 from the thc-ipv6 attack suite. This deadly IPv6 Router Advertisement Flood attack is a zero-day attack--Microsoft has known about it since June 2010 but has not patched it yet (as of May 4, 2011).
     Audience Participation: Bring a device to test for vulnerability to the Router Advertisement Flood! Some cell phones and game consoles have been reported to be vulnerable--let's find out! If your device crashes, please come to the Q&A room so we can video-record it and arrange disclosure to the vendor.
     For more information visit: DEF CON
  4. Hacktivity 2010: Hijacking Public Hotspots
     Speaker: Zsombor Kovács
  5. Hacktivity 2010: Post Exploitation Techniques in Oracle Databases
     Speaker: László Tóth
  6. Hacktivity 2010: Buffer Overflow Step II - ASLR and DEP Evasion Techniques
     Speaker: András Kabai
  7. Hacktivity 2010: Buffer Overflow Workshop
     Speakers: Zoltán Pánczél, Ferenc Spala
  8. Hacktivity 2010: Router exploitation
     Speaker: FX
  9. Hacktivity 2010: Rootkits vs. Anti-Virus Developers
     Speaker: András Tevesz
  10. Hacktivity 2010: Evolution of Rootkits
      Speaker: Robert Lipovsky
  11. Hacktivity 2010: Metasploit Workshop
      Speaker: Buherátor
  12. DEFCON 17: CSRF: Yeah, It Still Works
      Speakers: Mike "mckt" Bailey ASS Russ McRee ASS
      Bad News: CSRF is nasty, it's everywhere, and you can't stop it on the client side. Good News: It can do neat things. CSRF is likely amongst the lamest security bugs available, as far as "cool" bugs go. In essence, the attack forces another user's browser to do something on your behalf. If that user is an authenticated user or an administrator on a website, the attack can be used to escalate privilege. We've identified an endless stream of applications, platforms, critical infrastructure devices, and even wormable hybrid attacks, many of which require little or no Javascript (XSS). The key takeaway is this: a vulnerability that is so easily prevented can lead to absolute mayhem, particularly when bundled with other attacks. Worse still, identifying the attacker is even more difficult as the attack occurs in the context of the authenticated user. The presentation will discuss a variety of attack scenarios, as well as suggested mitigation.
      For more information visit: DEFCON
  13. DEFCON 17: More Tricks For Defeating SSL
      Speaker: Moxie Marlinspike
      This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
      For more information visit: DEFCON
  14. DeepSec 2010: OsmocomBB: A tool for GSM protocol level security analysis of GSM networks
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Harald Welte, hmw-consulting
      The OsmocomBB project is a Free Software implementation of the GSM protocol stack running on a mobile phone. For decades, the cellular industry comprised by cellphone chipset makers and network operators has kept their hardware and system-level software as well as GSM protocol stack implementations closed. As a result, it was never possible to send arbitrary data at the lower levels of the GSM protocol stack. Existing phones only allow application-level data to be specified, such as SMS messages, IP over GPRS or circuit-switched data (CSD). Using OsmocomBB, the security researcher finally has a tool equivalent to an Ethernet card in the TCP/IP protocol world: A simple transceiver that will send arbitrary protocol messages to a GSM network. Well-known and established techniques like protocol fuzzing can finally be used in GSM networks and reveal how reliable and fault tolerant the equipment used in the GSM networks really is.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2010 on Vimeo
  15. DeepSec 2009: A Practical DoS Attack against the GSM Network
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Dieter Spaar
      GSM is riddled with security issues. Dieter Spaar talks about design flaws of the GSM protocol and how they can be exploited to shut down GSM base stations. The talk includes a live demonstration.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2009 on Vimeo
  16. DeepSec 2007: The Three Faces of CSRF
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Martin Johns, University of Hamburg
      Even though Cross Site Request Forgery (CSRF) vulnerabilities have made it into the OWASP Top 10 [1], this vulnerability class is still often ignored and almost always belittled. While in 2006 alone 1282 XSS vulnerabilities were collected by the CWE project, only 5 (!) CSRF issues were recorded in the same timeframe [2]. This talk will discuss the various existing CSRF attack vectors and exemplify the issues with real world examples:
      * Executing arbitrary actions on the web application using the attacked user's identity and authentication context
      * Subverting the company's firewall and exploring the intranet
      * Leaking sensitive information via hijacking JSON data
      Furthermore, we will demonstrate how a simple CSRF exploit can be created semi-automatically in less than 5 minutes. The last quarter of the talk will be devoted to a brief overview on our client side CSRF protection tools RequestRodeo [3] and LocalRodeo [4].
      [1] OWASP Top 10: http://www.owasp.org/index.php/Top_10_2007
      [2] Vulnerability Type Distributions in CVE: CWE - Vulnerability Type Distributions in CVE
      [3] RequestRodeo: RequestRodeo
      [4] LocalRodeo: databasement.net
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  17. DeepSec 2007: Oracle Security: Orasploit
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Alexander Kornbrust, Red Database Security
      Orasploit is an Oracle exploit framework which automatically exploits vulnerabilities in Oracle databases. With orasploit it is possible to exploit an (unprotected/unpatched) database. Orasploit supports various exploits, privilege escalation techniques and many different payloads. We show different possibilities to create / write / read files, D.o.S., new ways to send data via HTTP requests from the database, ... It's possible to extend orasploit with own/custom exploits.
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  18. DeepSec 2007: Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Shreeraj Shah, Net Square Solutions Pvt. Ltd.
      With Web 2.0 applications being adopted by businesses at a very quick pace, security concerns around these technologies too have grown. Ajax and Web Services are key components in the Web 2.0 framework. Understanding new technology key components vis-à-vis attack vectors is imperative if the security concerns are to be adequately addressed. Financial services companies such as Wells Fargo and E*Trade are adopting Web 2.0 technologies by building next generation Enterprise 2.0 solutions. Ajax fingerprinting, crawling and scanning are key aspects for Web 2.0 threat profiling. It is possible to identify XSS and XSRF vulnerabilities and likely weak entry points on the basis of proper threat profiles. As ethical hackers, scanning and fuzzing must be accomplished before attackers have the chance to exploit vulnerable Web Services running on XML-RPC, SOAP and REST. This presentation is going to reveal methodologies, techniques and tricks to hack Web 2.0 applications and defense strategies to secure them. The presentation includes a number of demonstrations and real-life cases encompassing next generation attacks and defense. The speaker has already authored several tools -- wsChess (Web Services hacking toolkit), Ajaxfinger, ScanAjax and MSNPawn -- that will be demonstrated in detail.
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  19. DeepSec 2007: Fuzzing and Exploiting Wireless Drivers
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Sylvester Keil | Clemens Kolbitsch, Vienna University of Technology, Sec Consult
      This paper documents the process of identifying potential vulnerabilities in IEEE 802.11 device drivers through fuzzing. The relative complexity of 802.11 as compared to other layer two protocols imposes a number of non-trivial requirements on regular 802.11 protocol fuzzers. This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and open source MADWifi drivers. Furthermore, to document the process of exploiting 802.11 wireless device driver vulnerabilities, the issues of executing arbitrary code in kernel-mode on Linux and Windows systems will be addressed as well. We will present a Metasploit exploit implementation similar to the stager-approach taken in Metasploit's Windows kernel-mode exploits.
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  20. DeepSec 2007: Breaking and Securing Web Applications
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Nitesh Dhanjani
      The application layer exposes an organization to a huge attack surface. A single coding error within millions of lines of code can deem disaster for an organization. Security products and consultants are trying hard to keep up with the new attack vectors, but so are the attackers. Few security vendors will admit the class of vulnerabilities that cannot be scanned, parsed, or fuzzed for. There are the categories of extremely high risk vulnerabilities that continue to plague web applications because organizations do not realize the root cause of these vulnerabilities while commercial product vendors continue to promise a one-click-and-scan solution. This talk will focus on the discussion of high risk vulnerabilities that plague web applications today, including the following: Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF), (anti) DNS Pinning, Browser plugin hijacking, and more. This talk will also discuss how these vulnerabilities can be abused by an external entity to launch attacks against a company's internal network. These attacks are lethal because they can abuse a legitimate user's browser to act as a proxy between the attacker and the company's internal network. In other words, stop believing the security vendor hype. Your applications are more vulnerable than ever before, it has become much harder to secure them, and your 'enterprise' crown jewels are most likely hanging out in the open.
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  21. DeepSec 2007: Intercepting GSM traffic
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Steve
      This talk is about GSM security. We will explain the security, technology and protocols of a GSM network. We will further present a solution to build a GSM scanner for $900. The last part of the talk focuses on cracking a GSM conversation. http://wiki.thc.org/gsm
      For more information visit: Speakers - DeepSec IDSC 2007 Europe - Vienna, November 20-23, 2007
      To download the video visit: DeepSec 2007 on Vimeo
  22. DeepSec 2010: Android Reverse Engineering and Forensics
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Raphaël Rigo, French Network and Information Security Agency (ANSSI)
      While Android security architecture is now well understood and has been presented over and over, the details of actually reversing software running on it are scarce. This talk will explore the filesystem, memory, and reverse engineering techniques in-depth.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2010 on Vimeo
  23. 27c3: Wideband GSM Sniffing (en)
      Speakers: Karsten Nohl, Sylvain Munaut
      GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year -- like wide-band sniffing and real-time signal processing -- will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.
      For more information visit: Welcome - 27C3 public wiki
      To download the video visit: Index of /CCC/27C3
  24. 25c3: Running your own GSM network
      Speakers: Dieter Spaar, Harald Welte
      This presentation will mark the first public release of a new GPL licensed Free Software project implementing the GSM fixed network, including the various minimal necessary functionality of BSC, MSC, HLR. It will introduce the respective standards and protocols, as well as a short demonstration of an actual phone call between two mobile phones registered to the base station. On the Ethernet/IP based Internet, we are used to Free Software and general-purpose hardware. The world's second largest communications network GSM couldn't be any more different. Even though the protocols are standardized and publicly available at the ETSI, all implementations are highly-guarded proprietary secrets of a few major players in the industry. The hardware is even more closed, as there is not a single GSM subscriber or base station chipset with even the least bit of publicly known information. Nonetheless, in recent years there are a number of different projects working on driving a wedge of Openness into this world. You might have heard about other projects like the THC GSM sniffer project (pure wireshark-like functionality) and OpenBTS (a software defined radio based GSM base station interfacing with the Asterisk VOIP server). This presentation is about yet another new GSM related Open Source project. A project that follows the GSM specs more closely and actually aims at interoperability with existing equipment such as hardware BTS hooked up via S2M interface to a Linux-running PC. As part of the presentation we plan to show a live demonstration of a phone call using our own GSM network.
      More information about the 25th Chaos Communication Congress can be found via the Chaos Communication Congress website: 25C3: 25th Chaos Communication Congress
      Source: Conference Recordings - 25C3 Public Wiki
  25. DeepSec 2010: Targeted DOS Attack and various fun with GSM Um
      Thanks to the DeepSec organisation for making these videos available and letting me share the videos on YouTube.
      Speaker: Sylvain Munaut, Independent Researcher
      Recent years have seen a dramatic drop in the barrier to entry into GSM research. A couple of years ago, tools like OpenBTS & OpenBSC have appeared, allowing anyone to run an experimental GSM network with a relatively low budget. Much more recently, Osmocom-BB brought MS-side experimentation at an even lower budget. This talk presents an exploit discovered while working on those projects that allows one to perform a DOS on a specific target: from its first inception to its actual implementation on a TI Calypso based phone with a custom firmware. This talk will also cover other interesting tricks possible with modified phones, like using them as a cheap alternative to USRP for passive listening for instance.
      For more information visit: Schedule - DeepSec IDSC 2010 Europe - Vienna, November 23-26, 2010
      To download the video visit: DeepSec 2010 on Vimeo