From BruCON 2011

Keynote Speakers

Haroon Meer (South Africa) -- You and your research

Haroon is a well-known security researcher who has recently started his own venture with, an applied research company. He is also involved with ZACON, a security conference in South-Africa. Haroon is a frequent speaker at conferences such as Blackhat, Defcon, etc.

What does it take to do quality research? What stops you from being a one-hit wonder? Is there an age limit to productive hackery? What are the key ingredients needed and how can you up your chances of doing great work? In a talk unabashedly stolen from far greater minds we hope to answer these questions and discuss their repercussions.

Alex Hutton (United States) - Why Information Risk Management Is Failing, Why That Matters to Security & What You Can Do About It

In many organizations, you don't have to be a rocket surgeon to figure out that there's a disconnect between operational security and risk management. Nor do you have to be Myron Tribus to figure out what's wrong with the way we currently discuss and model the world around us. So what do we do about it? Is there any way to have these machinations actually, you know, stop bad guys? Because that would probably be a good thing.

My name is Alex Hutton, and I'm Director of Operational Risk for a financial institution in the United States. In this talk, I'll be discussing what's wrong with information security and risk management, how something we might refer to as "science" can help (I hear it's big in most enlightened countries), and after all this fun and drinking is over, what we can go back to our desks at work and do about it.

Aluc (Germany) - Incident response: the good, the bad and the ugly, or how to keep your face after a security breach

Security breaches occur every day and we have to get used to it. But our customers will not be happy if their data are published. So the question is: how do we handle such a breach, and which data should we offer to the public? How do we create an incident response plan, and how do we work with our forensic partner? Which data should we give to the police, and what should we keep quiet about? All this and more will be discussed using real-life examples.

Aluc started playing with computers in the mid '70s and was quickly drawn into them, later running only *nix systems. He started in information security in the mid '80s and from 1987 until 2002 worked in the information business in both hostile and non-hostile environments. He was a freelancer from 1993 to 2010 and is now CIO of a mid-size company (11,000 people in 36 branches).

Side projects: host of Aluc.TV/Aluc.Radio, organizer of BerlinSides.

Dan Kaminsky (United States) - Black Ops of TCP/IP 2011

There's what networks are supposed to do, and then there's what they're actually capable of. In this talk, I'll discuss some interesting findings in BitCoin, UPnP, and TCP. I'll also discuss a (probably inadvisable) mechanism for password-based authentication via public key cryptosystems. Finally, I'll talk about N00ter, a mechanism I'm developing to expose biased networks.

Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases.

Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.

Workshops

DJ Workshop (Joernchen and Mumpi of Phenoelit)

Joernchen and Mumpi will give you an introduction to what it takes to entertain a crowd with the magic of music. This is very much a hands-on workshop, so all attendees will get ample time to put the theory into practice, guided by two of the best hackers/DJs we are aware of.

Special guest: DJ Keith Myers

That's to say, you will learn from the complete DJ crew that will blow the roof off the Havana Club later that day :-)

Agnitio: the security code review Swiss army knife (David Rook - Security Ninja)

Teaching developers to write secure code, helping security professionals find security flaws in source code, producing application security metrics and reports with integrity checks and audit trails. If you want to implement an SDLC that produces secure software with the audit trails and reports frequently demanded by auditors and management you need to acknowledge that these are key constituents and implement them in a form that is both easy to understand and use.

This is far easier to talk about than it is to implement in the real world, where well-structured SDLCs are rare and application security programs are usually underfunded. Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws are found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in Notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as a free tool in late 2010.

In this demonstration-filled workshop I will show how Agnitio can be used to address repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 60 application security questions, and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the inbuilt secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports, bringing much-needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.

Collective Malicious PDF Analysis (Brandon Dixon - x0ner)

This class will cover the analysis of PDFs as many others have done before, but it will also go further by helping users set up their own analysis engine. Users will use PDF X-RAY to help with analysis and set up their own local malware repository using the open source tools that power PDF X-RAY, including MalPdfObj and MongoDB. Users will leave with a new analysis approach and method for tackling the detection of malicious PDF documents instead of glossing over the specification.

Script Kiddie Hacking Techniques (Ellen Moar & Colin McLean)

In April at BSidesLondon, Ellen Moar & Colin McLean demonstrated how effectively a person with just a little coding knowledge could copy and paste their way to a Trojan that went undetected by antivirus. In this workshop they intend to go much further: expanding on the techniques used, showing many additional tricks that the script kiddie can use, providing exercises so that participants can see how somebody could create their own malware in minutes, and leading a discussion on effective countermeasures.

At BSides London we covered the following:

- Creating the basic Trojan
- Avoiding defences
- Persistence
- Backdoors
- Avoiding someone erasing our stuff
- Building the installer
- Countermeasures

In the workshop we'll dig deeper into each section, looking at code samples and testing what we need to do to get past AV at each stage. We'll show how a script kiddie could build their own malware and just how easy it can be. We'll discuss countermeasures in depth, and discuss just what the risk level is from a script kiddie.

This should be a very interactive session. When we presented at BSides we prompted loads of discussion; hopefully at BruCON we can continue that discussion in a workshop setting.

The Web Application Hacking Toolchain (Jason Haddix - jhaddix)

There exist many tools for a web pentester's job (proxies, scanners, scripts, etc.), but so many of the tutorials or classes on the net leave much to be desired, especially in areas where the tools fail. We aim to show how to effectively chain and use an industry-standard web pentest toolset.

The workshop contains:

- Winning by chaining proxies and scanners
- Common headaches with SQL injection through sqlmap
- Advanced Burp and Fiddler
- Leaving tools behind: the fuzzdb
- Metasploit and BeEF: practical client-sides
- more

White Hat Shellcode: Not for Exploits (Didier Stevens)

In this workshop, we will present shellcode designed to protect systems instead of attacking them. Some examples:

- shellcode to unload a DLL
- shellcode to enable DEP
- shellcode to patch a vulnerability
- shellcode to prevent heap sprays (from my HeapLocker tool)

Participants are advised to bring a virtual Windows XP machine. Other tools will be provided during the workshop.

WiFi malware for Fun and Profit (Vivek Ramachandran)

In this workshop, we will explore the fun new world of Wi-Fi Malware!

We will look at how one can abuse perfectly legitimate and useful features like Hosted Network and Ad-Hoc modes to create pure Wi-Fi backdoors, worms and even short-range botnets! We will learn how to program/script this malware using various APIs and command line utilities available natively on Windows. We will see how effective this malware can be at beating conventional forms of host- and network-based intrusion detection. We will also discuss how you can use your newfound knowledge for fun and profit :)

This session will also see the release of new tools and scripts which you can play with later.

Hardware/Software Requirements:

Attendees must bring their own laptop with Windows 7 and a working internal Wi-Fi card or external adapter. Please also have BackTrack 5 installed on the Windows 7 laptop under VirtualBox, along with a USB-based Wi-Fi card that supports packet sniffing/injection (like the Alfa Network AWUS036H card). If you do not have the external card, you should still be able to follow the workshop, though you will not be able to participate in all labs.

Cisco VoIP insecurity workshop (Sandro Gauci and Joffrey Czarny aka Sn0rkY)

The workshop will consist of technical details, demonstrations and practical sessions covering both the basics of testing the security of Cisco-based VoIP solutions and attacks specific to such products. We will cover scanning and attacking the signaling protocols used in Cisco VoIP networks, with a particular focus on toll fraud and confidentiality attacks. Then we will focus on attacks on the phones themselves, such as grabbing credentials, SIP digest leakage and remote wiretapping. Discussion of mitigations or solutions will follow.

Beer brewing workshop (Machtelt Garrels)

The beer brewing workshop is a blitz course demonstrating the brewing process. During these 2-3 hours you will be introduced to the different steps involved in brewing a double-fermentation lager beer. We will demonstrate that you can brew beer using simple DIY tools and household equipment. You will get a taste, feel and smell of all the ingredients, and of course of the finished product, as the workshop includes a tasting session. Participants can take home a unique beer that they have bottled themselves during the workshop.

Lockpicking (Walter Belgers, TOOOL)

Just like last year, Walter Belgers of TOOOL NL will introduce you to the wonders of lock picking. Besides being a handy skill when you get locked out of your house, you will find it a highly addictive hobby that will push you to your limit on several levels. This should be the perfect place to escape from the overload of technical madness and find a Zen place. Learn from the master and try your own luck at opening locks without a key.

Hacking your conference badge (OpenAMD Crew)

For the first time in BruCON history we will have an electronic badge, thanks to the OpenAMD (Open Attendee Metadata) project. Your badge includes an RFID chip, and the OpenAMD infrastructure will gather data on where you go, which groups you hang (or move) with, etc. Since it's an electronic badge, there are ample ways to do your own things with it. In this workshop, the OpenAMD crew will introduce you to the technicalities of the badge and how to start tinkering with it.

Presentations

Attacking SAP's J2EE Engine (Alexander Polyakov and Dmitriy Chastuhin)

Nowadays the SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It is becoming a popular security topic but is still not well covered.

This talk will focus on one of the black holes: the SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications are built on the J2EE engine, which, unlike the ABAP engine, is less discussed but just as critical.

I will explain the architecture of SAP’s J2EE engine and give a complete tour of its internals. After that I will show a number of previously unknown architecture and program vulnerabilities, from auth bypasses, SMB relays, internal scans and XML/SOAP attacks to insecure encryption algorithms and cross-system vulnerabilities in the J2EE platform. Finally, a chained attack will be presented that uses multiple logic vulnerabilities and gives full control of SAP’s J2EE Engine. A free tool will be presented to automatically scan custom applications for this attack.

Andreas Bogk - Certified programming with dependent types: because the future of defense is liberal application of math

Dependent types expand the concept of types in programming languages with arbitrary predicates that depend on values. This lecture will introduce the necessary fundamentals using code examples, and show how dependent types can be used to develop formally verified, and thus more secure, code.

Andreas Bogk has been a member of the Chaos Computer Club for more than two decades, and has served the Club as member of the board, CEO and press speaker. He got involved in compiler and language theory after realizing that strict language semantics are the only way to eliminate classes of bugs like buffer overflows completely. He is making a living doing regular boring IT security consulting, but has been known to work for compiler manufacturers too.

Pentesting High Security Environments (Joe McCray and Chris Gates)

This presentation focuses on pentesting high security environments: new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and exfiltrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT security field, but few pentesters actually utilize APT techniques and tactics in their pentests. This presentation picks up where Joe left off in last year’s Def Con presentation “You Spent All That Money And You Still Got Owned” and takes it to the next level. Joe will also be releasing a new tool.

Abusing Locality in Shared Web Hosting (Nick Nikiforakis - nikifor)

The increasing popularity of the World Wide Web has led more and more individuals and companies to identify the need for a Web presence. The most common way of acquiring such a presence is through Web hosting companies, and the most popular hosting solution is shared Web hosting. In this presentation we investigate the workings of shared Web hosting and point out the potential lack of session isolation between domains hosted on the same physical server. We present two novel server-side attacks against session storage which target the logic of a Web application instead of specific logged-in users. Due to the lack of isolation, an attacker with a domain under his control can force arbitrary sessions onto co-located Web applications as well as inspect and edit the contents of their existing active sessions. Using these techniques, an attacker can circumvent authentication mechanisms, elevate his privileges, steal private information and conduct attacks that would otherwise be impossible. Finally, we test the applicability of our attacks against common open-source software and evaluate their effectiveness in the presence of generic server-side countermeasures.

Botnet Identification and remediation (Barry Irwin)

Modern botnets have become increasingly sophisticated, both in the techniques used to avoid detection on compromised endpoints and in their varied communication channels. The use of IRC as the communications medium of choice for Command & Control (C2) activities has been replaced with sophisticated use of IP and domain fast-fluxing to avoid detection and increase resilience. These techniques largely bypass traditional network security detection and mitigation approaches such as blacklists and intrusion detection systems.

In the ongoing defence against these networks, a number of novel approaches are presented to allow an organisation to perform near-realtime analysis of network traffic with very low system load. The intention is that an organisation or ISP could use the tools as a means of early identification of compromised hosts participating in the botnet. This paper is comprised of three components: the first two relating to detection mechanisms, and the final one providing a console for tracking and information aggregation.

The first detection technique utilises passive analysis of DNS traffic collected from the network. Due to its tight integration with the TCP/IP suite, DNS serves as an ideal transport mechanism for botnet communications. Using a combination of classifiers, a high degree of accuracy is obtained in the identification of fast flux domains, using at most a single DNS packet query. This is in contrast to work done by other researchers, which required multiple queries. The detection techniques are tested against sample traffic and it is shown that malicious traffic can be detected with low false positive rates. This can be combined with a more heavyweight scoring system which utilises other metadata such as registrar, domain age and ASN data to further support scoring.

The second component applies a lightweight mathematical classification to URLs observed in network traffic. This can be done either via a network tap, or integrated into a proxy server solution such as Squid. The methods used are able to identify malicious URLs with a high degree of accuracy while maintaining a low false positive rate. This lightweight solution can be further supported by active queries relating to the target ASN, domain registrar, and other existing blacklists and DNSBL systems.

The final component provides a web-based management and visualisation system that integrates the above two classes of detection to allow for easy notification of malicious activity. The anticipated targets for these solutions are academic networks, ISPs and, to a lesser extent, corporate networks. The intention is that by providing suitable monitoring and analysis of traffic egressing one's network, remediation can be carried out by the organisation closest to the infection – in effect cleaning up one's own back yard. Beyond the operational role described, this can also provide researchers with an automated means of identifying potentially malicious activity in suitable data (either live networks or even malware labs), with very low resource requirements.

Botnets and Browsers - Brothers in a Ghost Shell (Aditya K Sood)

Browser exploitation is on the rise. Botnets in conjunction with Browser Exploit Packs (BEPs) are becoming the source of incredible malware infections. The exploitation revolves around the manipulation of browser architectures, thereby infecting victims at large scale. Malware infection is proliferating day by day. In spite of new advanced protection features, preventing the infections that happen through browsers and take control of the victim's machine remains an arduous task. Exploit packs and attack toolkits play a critical role in the success of malware infections. Browser Exploit Packs (BEPs) are based on the basic philosophy of exploiting the extensibility of browsers by utilizing the technology and developing code that works in line with the browser classes.

TBA

Myth-busting Risk (Jack Jones)

Risk has become a hot topic in the industry. Unfortunately, there are a lot of misconceptions and myths within our industry about what it is, how to measure it, and even whether it can be measured at all. In this session, Jack will bring clarity to the issue by describing what risk is (and isn't) and exploding common misconceptions and myths. He'll also talk about how a risk-based focus can fundamentally change our value proposition to our employers.

iOS Data Protection Internals (Andrey Belenko)

Data protection is a feature available for iOS 4 devices with hardware encryption: iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. The introduction of this feature has complicated the iPhone forensics process, because now (almost) all files on the user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem appears intact, the actual file contents are encrypted and are not suitable for analysis. This talk will provide in-depth information about iOS 4 Data Protection internals.

The 99¢ heart surgeon dilemma (Stefan Friedli)

Let's assume you need heart surgery. I hope you don't, but let's just stick with it for a minute. How much would you be willing to pay for someone to fix it, and who would you hire to do it? If you are a suicidal emo kid, please do not answer, you are ruining the point here. Here's the thing: people want someone suitable and knowledgeable to cut them open and sew them up again, and they are willing to pay good money for it. Here are two things you don't want to do:

1) You don't want to hire some old drunk with a pocket knife and a sewing kit from the dollar shop who claims to fix your heart for 100 bucks.

2) You don't want to hire the same guy for 100'000 bucks when he's wearing a white coat and got shiny high tech tools because the last guy paid in advance...

What does this have to do with penetration testing? More than we like, unfortunately. I have met companies that invested thousands of dollars, expecting a pentest and getting a spiced up Nessus report as a result. More subtle nuances of "crappy pentest" might overlook essential threats and leave customers at risk with a false sense of security.

This talk will explore the common mistakes made when performing pentests, including the test itself as well as pre- and post-engagement matters. It applies to testers and customers alike. Also, it might help save the rainforests.

Pushing in, leaving a present, and pulling out without anybody noticing (Ian Amit)

The industry is saturated with penetration testing experience and has adapted itself to test organizations using "best practice" methodologies over the past decade or so. With not a lot of changes happening in the field, organizations find themselves on the defensive with not a lot to account for when data breaches happen.

In this presentation we will offer an alternative view of how a security test is done, with a strong focus on the data exfiltration techniques employed by advanced attackers and criminals. After an overview of the initial phases of how an attacker would infiltrate a business (common knowledge), we will explore the targeting considerations when choosing what to go after, as well as advanced techniques for getting the data out without being detected.

Finally, some approaches to data monitoring and control will be proposed in order to mitigate the techniques that are already in use and have affected large organizations.

Social Engineering Like In The Movies (Dale Pearson)

When talking about some of the essential skills of a successful social engineer, we regularly discuss body language, the tells of the face and how we can read them, along with how important tonality and commitment are. These are considered common practice, and within the realms of possibility due to popularisation through the media. But when we dip our toe further into understanding how the entire body communicates, and the secrets of language for manipulating others, all of a sudden it couldn’t be possible; this must be witchcraft.

Smart Phones – The Weak Link in the Security Chain (Nick Walker - Werner Nel)

One of the most rapidly advancing aspects of technology today is the mobile phone. Use of a smart phone has become commonplace within both business and society, and many people rely on these devices in their day-to-day lives. As they increase in both power and functionality, smart phones become both a feasible target and a weapon for an attacker. With these mobile devices having more externally facing services than most other systems, a large attack surface is available. This talk will show that, once compromised, an employee's smart phone is a deadly tool for breaking into and maintaining a foothold on a corporate network. The talk will demonstrate a multi-staged attack on a non-rooted Android handset running the most common stock firmware versions.