Speakers: Speaker Bios & Topics
Adam Laurie, a freelance security consultant working in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, also acted as a member of staff during the early years of the Black Hat Briefings, is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. Adam is a Director and full time researcher working for Aperture Labs Ltd., specialising in reverse engineering of secure systems.
RFIDler - A Software Defined RFID Reader/Writer/Emulator
Software Defined Radio has been quietly revolutionising the world of RF. However, the same revolution has not yet taken place in RFID. The proliferation of RFID/NFC devices means that it is unlikely that you will not interact with one such device or another on a daily basis. Whether it's your car key, door entry card, transport card, contactless credit card, passport, etc. you almost certainly have one in your pocket right now! RFIDler is a new project, created by Aperture Labs, designed to bring the world of Software Defined Radio into the RFID spectrum. We have created a small, open source, cheap to build platform that allows any suitably powerful microprocessor access to the raw data created by the over-the-air conversation between tag and reader coil. The device can also act as a standalone 'hacking' platform for RFID manipulation/examination. The rest is up to you! In this talk I'll cover the fundamentals of Software Defined Radio, and then show how low-level RFID communications could be considered in the same light. I will then go on to demonstrate the RFIDler prototype in action, reading, writing and emulating some common tags.
Chengyun Chu is a Senior Security Development lead of MSRC Engineering defense and detection team. He joined Microsoft in 2001. He and his defense team generate mitigations and workarounds for use in the monthly Microsoft security bulletins, provide detailed vulnerability documentation for MSRC cases, and act as the engineering technical lead for the Microsoft company-wide Software Security Incident Response Process (http://www.microsoft.com/security/msrc/incident_response.mspx#ESB).
Microsoft's Counter-Zero Day Strategy part III
Zero day attacks represent one of the most difficult classes of issues for both Microsoft customers and the company's response teams. Four years ago at XCon 2009, Microsoft presented its strategy for countering threats from zero day vulnerabilities by increasing attacker costs and diminishing their returns. Two years ago at XCon 2011, Microsoft presented part II as the follow-up talk to discuss the progress Microsoft had made since then. As we face ever-changing security challenges, today we will present part III of our strategy, covering the latest progress Microsoft has made in the past two years, including SDL, PKI, EMET 4.0, advanced security mitigations, etc.
David Wang (@planetbeing) is a member of the iPhone Dev Team, which has been researching iOS security and cracking it open since 2007. He is a founding member of the evad3rs and a former developer of many iOS jailbreak tools including redsn0w, xpwn, and QuickPwn. He is also the first to have ported the Linux kernel and Android to iOS devices. More recently, he worked actively on Corona and Rocky-Racoon, the latest public jailbreaks for iOS. Lastly, he has found and successfully exploited several vulnerabilities in iOS 6, leading to an untethered jailbreak.
Exploiting the iOS Kernel
In the iOS jailbreak evasi0n, the evad3rs team used a large arsenal of techniques in order to side-step mitigations Apple had added to iOS 6 and iOS 6.1. Before the evad3rs had settled on the set of vulnerabilities and techniques used in the final product, other potential avenues had been explored using difficult-to-exploit vulnerabilities that had already been publicly disclosed, in case Apple was not prompt in closing non-remotely exploitable vulnerabilities. This is an examination of an exploit created with the copyin/copyout bug disclosed by Mark Dowd of Azimuth Security, later assigned CVE-2013-0964. The vulnerability allows the reading and writing of arbitrary data into an early page of kernel memory. By triggering allocations of I/O buffers by the HFS filesystem driver and overwriting those buffers, it is possible to take control of the kernel from within an App Store sandbox.
Zheng Huang works on the Baidu security team as a Senior Security Development Engineer. His main research areas are automatic analysis of malware and phishing web page detection.
Analyzing Massive 0day Samples and Malware Based on DBI and Taint Analysis
Machine analysis of unknown samples is a key technology for defending against APT attacks. In this talk, I will discuss dynamic binary instrumentation and taint analysis, and share an approach to analyzing 0day samples from the viewpoint of instructions.
nEINEI is one of the core members of the ByteHero team and a security researcher at McAfee Labs. He has many years of experience in anti-virus technique research and is interested in virus research, anti-virus engine design, vulnerability research, network attacks and reverse engineering. He has spoken at security conferences such as XCon2010 and AVAR2012.
Using the Boot Emulator - Bootkit Detection Technology
Over the last two years, boot stage attack techniques have developed a variety of complex methods, such as Win32/Gapz using a new boot hijack, the TDL4/Rovnix botnet viruses, APT attacks using Shamoon/Hastati (DarkSeoul), and MBRLock. Bootkit skills have been greatly improved: structured storage methods and hiding, polymorphic boot stage code, covert boot hijacking, and modification of BIOS/VGA, MBR, VBR, bootstrap code, etc. In this paper, we will also discuss two other boot hijacking techniques. At the same time, attacks on firmware have begun to increase, such as the UEFI bootkit by Andrea Allievi and the modified Coreboot of the Rakshasa project. At present, the response to a bootkit is to publish an independent repair tool, but that cannot identify unknown bootkit threats. How can anti-boot technique be embedded in an anti-virus scan engine? In this paper, I designed a boot emulator that runs in real mode and simulates the Windows startup process, loading the BIOS, MBR, VBR and bootstrap code, so that bootkit behavior can be found earlier. Last, I will show how to use a custom boot-loading solution to prevent bootkits.
L.Neteagle, Ph.D., network security engineer, Sniffer Certified Master. Active participant in all kinds of security conferences; author of two technical books; has spent more than 10 years in "Tom and Jerry on the intranet" games; in recent years mainly focused on botnet and anonymous communication network countermeasure technologies.
"WH-2A" Anti-Tracking Support Platform: Design & Improvement
In recent years, some countries, organizations and commercial companies have constantly accused China of "frequently launching APT attacks". The so-called "attack proof" seriously damaged China's national image, so we came out today hoping to let everyone know: relying on strictly designed anonymous communication networks, any country or individual who launches cyber attacks can hide in the mass of normal traffic, almost impossible to intercept, monitor and trace. The "attack evidence" obtained under existing technical means may not point to the true hacker; it could be anyone behind the platform, and we should not just let China be the only scapegoat. The "WH-2A" Anti-Tracking Support Platform is a heterogeneous multi-botnet based anonymous communication network with high availability, high scalability and high survivability; it is designed to support various identity-sensitive network operations. The platform was specially designed to defend against malicious creeping infiltration, sybil attacks, index/peer-list poisoning, traffic analysis and timing attacks, packet labelling with watermark attacks and other threats. Furthermore, we also did some useful exploration on "anti-blocking access", "anti-monitoring & anti-interception", "on-demand routing" and "invulnerability evolution", etc.
Roberto Salgado. As an Information Security specialist, Roberto has always been passionate about his line of work and has had several years of experience researching and experimenting in this field. Roberto's expertise is brought forth by his continuing commitment to exploring the cutting edge of today's security challenges, and finding solutions to these security problems. This driving passion has given him the opportunity to participate in and contribute to great projects such as ModSecurity, PHPIDS, SQLMap and the Web Application Obfuscation book. He also created and maintains the SQL Injection Knowledge Base, an invaluable resource for penetration testers when dealing with SQL Injections. In 2010, he founded Websec with two lifelong friends and has enjoyed building the company to what it has become today. Although Websec is currently based in Canada and Mexico, their client base has extended internationally.
SQLi Optimization and Obfuscation Techniques
This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also demonstrate these techniques on both open-source and commercial firewalls and present the ALPHA version of a framework called Leapfrog which Roberto is developing; Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine if they are an adequate defense measure to stop a real cyber-attack. Many of the techniques that will be presented were created by Roberto Salgado and are currently some of the fastest methods of extracting information from a database through SQL Injections. Roberto will demonstrate how to reduce the amount of time it takes to exploit a SQL Injection by over a third of the time it would normally take. He will also demonstrate why firewalls and intrusion detection systems are not the ultimate solution to security and why other measures should also be implemented.
Ryan Baxendale is a Security Consultant with Security-Assessment.com, a security consultancy based in Singapore working across Asia. Ryan lives in Singapore and spends most of his time hacking into banks, financial institutions, and government agencies.
Forgotten Art of Basic Network Penetration Testing
As security researchers we thrive on discovering new and cutting edge methods of breaking down security barriers. We reach for 0day vulnerabilities in new software, 0day techniques to defeat security controls and complex privilege escalation shell code, all in the quest to get the elusive remote shell. But it was not always like this. Compromising security in the early days of the Internet was a simple affair: vulnerabilities revolved around discovering user accounts through services such as finger or SMTP, and attempting several weak passwords against a telnet service to get a shell. Although the security industry may have advanced greatly, these simplistic attacks are still present today – only as security researchers we have forgotten how to use them, or disregard them as unsophisticated. This presentation will illustrate a new age approach to an old-school style of hacking, revitalising the attacks of the past with modern technology and proving that history only repeats itself.
TK is a member of the XFocus Team and works as a senior researcher in NSFOCUS Security Labs. For more than 10 years he has focused mainly on security research, including APT/0-day attack detection, exploit technology, vulnerability discovery and analysis, and mobile security.
DEP/ASLR bypass without ROP/JIT
This talk will present an exploit technique which can almost perfectly bypass DEP and ASLR in 32-bit processes on x64 Windows 7 or Vista. It works well with most use-after-free and vtable-overflow vulnerabilities.
Xingguo Wei, whose nickname is Yunshu, has 12 years of experience in network security research. He has worked in security at NSFOCUS and Yahoo. Now he works at Alibaba Group as a senior security specialist, responsible for cloud computing security.
Elastic Compute Cloud Security - Reflections and Prospects
This topic will give a detailed introduction to the following points: the security risks of Elastic Compute Cloud, the security solution implemented in Aliyun, reflections on the existing shortcomings of cloud security, and prospects for the future. Based entirely on the cloud computing experience of Alibaba Group, the topic starts from reality, which is practical and feasible.
Xiao Zi Hang (Claud Xiao), senior researcher in Antiy Labs, focuses on Android and Windows platform anti-virus, software security and protection, as well as open source hardware security. He is one of the first researchers to carry out Android software security and open source hardware security research. He is a founder and guide of many Chinese mobile security communities; he also initiated and joined two 3D printing projects. Speaker at HITCON, MDCC, the CNCERT annual meeting and xKungfoo2012.
Analysis of 3D printing security attacks
In the past two years, 3D printing technology has attracted widespread attention. With the emergence of hardware and software open source solutions, the makers' movement and constant improvement of the industrial chain, 3D printing will have a far-reaching influence on manufacturing industry and personal life. This is the first topic on 3D printing technology security in the whole world. We will introduce the mechanical and electrical structure, hardware design, software tool chain, industry ecology and application scenarios of 3D printing and 3D printers. We will dissect three-dimensional modeling, rapid prototyping technology and the related file structures, instruction formats, operating environments and processes. We will analyze the security vulnerabilities of 3D printing technology and the actual impact of being attacked. We will also discuss attack ideas, attack methods and attack possibilities against the 3D printer itself and against 3D printouts, and explore the technical difficulties of achieving these attacks.
Yuki Chen, master's in computer science, Nanjing University. Currently works as an Architect in the Trend Micro China Development Center, focusing on vulnerability hunting, sandbox techniques and anti-APT solutions. Hardcore ACG otaku.
Vulnerability Hunting in Java Native Layer
Java vulnerabilities are becoming more and more popular because they are feasible, cross-platform, and easy to use. According to the code layer where the vulnerability exists, Java vulnerabilities may be divided into two categories: Java layer vulnerabilities and native layer vulnerabilities. For stability and other reasons, most in-the-wild Java vulnerabilities are Java layer vulnerabilities. However, some native layer vulnerabilities are also very effective in attacks, e.g., CVE-2013-1491 (used in Pwn2Own 2013) and CVE-2013-1493 (used in a targeted attack). This paper will discuss the techniques for analyzing and hunting Java native layer vulnerabilities. This paper covers the following topics: typical types of Java native vulnerabilities, analysis and debug environment, 0-day hunting, n-day analysis and fuzzing. To demonstrate our concept, we will also introduce several Java native layer vulnerabilities that we discovered, including an array out-of-bounds vulnerability in the Java 2D component and a Java native font fuzzer. We will also demonstrate a JRE heap overflow 0-day and the full exploit code for the vulnerability.
KEEN Team (@K33nTeam) is a non-profit security team focusing on advanced fuzzing and exploitation research of OS/Browser/Client vulnerabilities. It was founded by researchers who have been working in the security industry for 10+ years, such as wushi, danielwa, lChen and JFang.
Study of Exploit Mitigation in Modern Browsers
ASLR and DEP have significantly raised the bar for browser vulnerability exploitation on IE/Chrome/Safari in the past years. The major methods of bypassing these protection measures include exploiting "ASLR-free" zones like SharedUserData, or exploiting old plugins like JRE. In this presentation, we will demonstrate tricks to defeat protections on the latest browsers through some showcases, e.g. how to bypass ASLR+DEP in IE9-IE11 with the VBArray approach to exploit heap-overflow/type-confusion vulnerabilities, and how to bypass protections on iOS to exploit a Safari 0day.