Infoz

Who: Hackers Like You.
What: ToorCon X
When: Sept 26th-28th
Where: San Diego Convention Center
Why: What could possibly go wrong?


Conference

The conference will kick off with a reception on Friday, September 26th, followed by one day of 50-minute talks and a second day of 20-minute talks. Pre-registration is now closed; onsite registration only. We cannot accept credit cards at the door, so please bring cash or a check.

Cut-off Date      Conference Price
August 8th        $80
September 12th    $100
At the Door       $140


Conference Lineup

 

Friday - San Diego Convention Center Rm 22

As always, Friday night we will be opening registration at around 7:00pm at the San Diego Convention Center and hosting a reception there at around 7:30pm. Some snacks and drinks will be provided.

 

Saturday

Saturday kicks off the conference with talks starting in the morning at around 10:00am and 50-minute talks the rest of the day until around 7pm. We will also be hosting a party at Sin Nite Club in downtown San Diego with some of the alcohol being covered by Microsoft.

 9:00  Registration Opens
10:00  h1kari, nfiltr8, & Geo - 10 Years of Toor
10:30  Keynote: Dan Kaminsky - Black Ops of DNS 2008: Its The End Of The Cache As We Know It [P]
12:00  Auction & Lunch Break

From 14:00 the talks split into two tracks, Rm 23ABC and Rm 24ABC.

14:00
  Rm 23ABC: Alexander Sotirov - How To Impress Girls With Browser Memory Protection Bypasses [P]
  Rm 24ABC: Ben Feinstein - Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln [P]
15:00
  Rm 23ABC: Bruno G Oliveira & Jake Appelbaum - Knowing and Enjoying the Cold Boot Attack [P]
  Rm 24ABC: Ariel Waissbein - Your risk is not what it used to be [P]
16:00
  Rm 23ABC: Jason Ostrom - Targeted VoIP Eavesdropping: An Attack From Within [P]
  Rm 24ABC: Nick Farr & Eric Michaud - Freifunk in the USA: Leveraging Community Organizations to build Neighborhood Wireless Networks [P]
17:00
  Rm 23ABC: Sergey Bratus, Cory Cornelius, Daniel Peebles, & Axel Hansen - Active Fingerprinting of 802.11 APs [P]
  Rm 24ABC: Joseph McCray - Advanced SQL Injection [P]
18:00
  Rm 23ABC: grutz - One XSS To Rule The Enterprise [P]
  Rm 24ABC: Astera - hackerspace:FAIL
19:00  Dinner Break
20:00  Saturday Night Party
       Sin Nite Club
       526 F Street
       Downtown San Diego, CA 92101
       http://www.sinsandiego.tv/

Sunday

Sunday starts late (Noon) to give people a chance to nurse their hangovers and get back to the border before showing up to give their talks. All day Sunday the talks are 20-minutes in length and we will be providing a long lunch break at 2:30pm to give people a chance to get some food in the middle of the day. For those of you who are leaving on Monday, please stick around to hang out with us at our Sunday night after party. We'll be providing info on the party during the closing ceremonies.

 

Both tracks, Rm 23ABC and Rm 24ABC, run all afternoon.

12:00
  Rm 23ABC: Luiz "effffn" Eduardo - a 30,000 feet look at wi-fi, the freezing spot [P]
  Rm 24ABC: Christian Heinrich - Googless
12:30
  Rm 23ABC: Marc Bevand - Breaking UNIX crypt() on the PlayStation 3 [P]
  Rm 24ABC: Christian Heinrich - The OWASP Google Hacking Project
13:00
  Rm 23ABC: Chema Alonso & Jose Parada - RFD (Remote File Downloading) using Blind Techniques [P]
  Rm 24ABC: Chris Gates - New School Information Gathering [P]
13:30
  Rm 23ABC: Dennis Brown - Anatomy of the Asprox/Danmec Botnet [P]
  Rm 24ABC: Strom Carlson - Why your mother will never care about Linux (a rant)
14:00  Auction and Lunch Break
15:30
  Rm 23ABC: Dan Griffin - Hacking SharePoint [P]
  Rm 24ABC: Bre Pettis - History Hacker Pilot Episode Showing
16:00
  Rm 23ABC: Adam Cecchetti - Nunchaku: Attack, Defense, and a lot of arm flailing [P]
  Rm 24ABC: Dan Hubbard - P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing
16:30
  Rm 23ABC: Joshua Brashars - Owning telephone entry systems (aka why you shouldn't sleep so well) [P]
  Rm 24ABC: Zax - How did that Nigerian do that?! Artificial Intelligence and You
17:00
  Rm 23ABC: Stephan Chenette - Ultimate Script Deobfuscation: Browser Hooking versus simulation [P]
  Rm 24ABC: Thomas Ristenpart - Privacy-preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs [P]
17:30
  Rm 23ABC: David Byrne - Advanced Techniques in Automated Web Application Testing [P]
  Rm 24ABC: Dean Pierce - Seeds of Contempt
18:00
  Rm 23ABC: Luis Miras & Zane Lackey - Mobile Phone Messaging Anti-Forensics [P]
  Rm 24ABC: datagram - The future of Lockpicking [P]
18:30  Auction and Closing Remarks
19:00  Dinner Break
21:00  Sunday Night Party


Black Ops of DNS 2008: Its The End Of The Cache As We Know It

DNS is at the heart of every network -- when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct -- but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.

Dan Kaminsky

Dan Kaminsky has spent the better part of a decade analyzing computer security issues with the Fortune 500. Formerly of Cisco and Avaya, Dan is presently the Director of Penetration Testing for IOActive, Inc., where he consults for a wide range of companies, including Microsoft. Dan is a well known public speaker, with his “Black Ops of TCP/IP” presentations being well attended at many conferences.

Dan focuses on design capabilities and vulnerabilities within many protocols, including DNS, and has used his knowledge of these protocols to detect everything from rootkit distributions across the globe to the presence of web vulnerabilities being injected by ISPs. Most recently, Dan led the charge to repair a significant design issue in the Domain Name System, working with engineers around the world on an unprecedented Massive Multivendor patch.


 

How To Impress Girls With Browser Memory Protection Bypasses

Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities.

This talk will present the limitations of all aforementioned protection mechanisms, specifically focusing on flaws in their implementation in popular browsers on the Windows platform. I will demonstrate a variety of exploitation techniques using popular browser plugins such as Flash, Java and .NET that can be used to bypass the protections and achieve reliable remote code execution.

Alexander Sotirov

Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past ten years he has been working on advanced exploitation, reverse engineering and vulnerability research. His recent work includes the discovery of the ANI vulnerability in Windows Vista and the development of the Heap Feng Shui browser exploitation technique. Alexander is one of the organizers of the Pwnie Awards. He is currently employed as a security researcher at VMware.


 

Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln

The Debian OpenSSL predictable PRNG vulnerability (CVE-2008-0166) of 2008 was really a bonanza of threats. Some of these have already been explored, including “broken” X.509 certs and cert authorities, “broken” SSH host and identity keys, and “broken” TLS Perfect Forward Secrecy. This talk, instead, will explore the OpenSSL vuln’s implications to SSH2 Diffie-Hellman Group Key Exchange (SSH2 KEXDH GEX).

Ben Feinstein

Ben Feinstein is a researcher on the Counter Threat Unit (CTU) at SecureWorks, working behind the scenes to support Agent Jack Bauer and the GWOT. He first became involved with information security in 2000 while working on a DARPA / USAF contract instead of going to his college classes. Since then, Ben has worked designing and implementing security-related software and appliances at a series of since acquired or failed start-ups. In his spare time Ben authored RFC 4765 and RFC 4767. His experience is in the areas of IDS/IPS, digital forensics, next-gen firewall systems, log analysis and viz, secure messaging, security appliances, small caliber arms and right-wing rhetoric. Ben has presented at Black Hat USA, DEFCON, ACSAC and others.


 

Knowing and Enjoying the Cold Boot Attack

Until April 2008, most experts in the forensics field believed that DRAM is automatically erased when a computer is turned off, or that its contents are very hard to recover even with special equipment. A group of researchers at Princeton changed this view: they demonstrated that DRAM can be dumped after power-off and that important data (like passwords, hmmm) can be retrieved from it, for forensics or for fun. Freezing the memory keeps the data intact (with some dependencies), and if the memory is simply left untouched at boot (no clearing, no boot from the hard disk) it can be dumped as well. The goal of this presentation is to show how this works and maybe demonstrate the cold boot attack live.

Bruno G Oliveira

Bruno Goncalves de Oliveira, 23, is a Security Analyst at Altatech with a computer engineering degree from Unopar/Londrina-PR. He has worked in the security field since 2000 on many network, infrastructure and security jobs, and today works for a private company, Altatech. A big Mac fan (not a Big Mac fan, arghh!), he lives with friends in Londrina, is always at parties, loves beer, spoke at H2HC IV and has had talks accepted at other hacking conferences.

Jake Appelbaum

Jacob Appelbaum is a resident of San Francisco, California, and both a photographer and an independent computer security hacker. He is currently employed by the Tor project. He is an ambassador for the art group monochrom and is known for his research on the cold boot attack, amongst other things.


 

Your risk is not what it used to be

Yesterday was the second Tuesday of the month: Microsoft's Patch Tuesday. Today, the security officer gets the "exploits feed" from his pen-testing service and, after some experimentation, realizes that all his Windows servers were vulnerable for the last 5 months (he keeps virtual-machine snapshots of all the different types of servers he has and runs the exploit against them). He gets down to analyzing his network diagram, plays with a pencil, and realizes that someone could have hacked into the SQL server he uses for the corporate web application, pivoted within the DMZ to the email server, or leveraged privileges to get into the administrator's computer and from there temporarily opened firewall ports and reached the credit-card databases.

This type of analysis can be done whenever new vulnerability information is published. It provides security officers with better security assessment data about their systems. In particular, it shows that information about old vulnerabilities can change their perception of the risks they assumed in the past; it provides realistic information about the threats their systems faced and may help them design better protection; it may point them to specific logs from the past that they must read to check whether the threats were actually exercised; and it may give them a good reason to keep logs for some time. During this talk we will demonstrate how you can use modern technology to perform this analysis efficiently and accurately, and discuss some of the applications mentioned above.

Ariel Waissbein

Ariel joined Core Security Technologies as a researcher in 1999. He started by working on a new public-key cryptographic scheme, cryptanalyzed protocols in popular software products such as SSH and MySQL, and designed a cryptographic attack method against polynomial-based public-key schemes. During 2003 he worked on digital rights management projects and developed a provably secure software protection method. Since 2004 he has led a research group tasked with web-application research, using simulation technologies for attack analysis and penetration testing.

Ariel has given presentations at RSA, WOOT, Black Hat, PacSec, the FIRST Technical Workshop, and others. He graduated in Maths from Universidad de Buenos Aires and is a Ph.D. candidate at the same university. He has been teaching undergraduates in maths and computer science since 1995 and now teaches (and coordinates) the computer security department of the Ph.D. in Engineering at ITBA.


 

Targeted VoIP Eavesdropping: An Attack From Within

VoIP is an exciting application that leverages the existing network infrastructure to deliver inexpensive phone calls.  But what happens when the wrong "trusted insider" has access to an organization's VoIP infrastructure? What security measures are in place to make sure sensitive materials are not tampered with or stolen? What tools can be used to prevent and warn against such attacks?

This session delves into new concepts, methods, and techniques that increase the effectiveness of attackers using one of the oldest VoIP attacks: eavesdropping on private VoIP calls. Existing methods of eavesdropping on VoIP calls usually result in random audio streams being captured, without an automated way to look at specific traffic patterns or victims. Imagine if you could target this eavesdropping at conversations between specific users. This session revisits a VoIP attack from a new and fresh perspective focused on Unified Communication applications and introduces the new concept of 'Targeted VoIP Eavesdropping.' This new blended threat and attack will be delineated in detail, along with a review of the mitigating controls and best practices for preventing VoIP eavesdropping. Finally, a new UC Sniffer (UCSniff) assessment tool will be introduced that will help organizations understand their vulnerabilities in this area and ensure rapid remediation. Some key features of this new assessment tool include the following:

* UC Sniffer integrated with an ARP Poisoner
* 802.1q VLAN Support
* The ability to Sniff IP Phone traffic across Ethernet Switches
* Automated Voice VLAN discovery
* The ability to record and save specific user conversations to wav files
* Track, trace, and call recording of targeted users

Supporting materials: Sipera VIPER Lab: http://www.sipera.com/index.php?action=resources,default

Jason Ostrom

Jason Ostrom, CCIE #15239, is Director of Sipera VIPER (Voice over IP Exploit Research) Lab.  Jason is a graduate of the University of Michigan, Ann Arbor and author of the “VoIP Hopper” Assessment tool.  His past stints include Vigilar and International Network Services (INS).

Arjun Sambamoorthy works in the Sipera VIPER Lab as a Vulnerability Research Engineer while pursuing his Master's in Computer Science from the University of Texas at Dallas.


 

Freifunk in the USA: Leveraging Community Organizations to build Neighborhood Wireless Networks

Is community wi-fi really dead?  HacDC thinks not!  This talk will give an overview of the phased approach to building the Columbia Heights Wireless Network, a neighborhood wireless network in Washington, DC.  With an eye on helping bridge the digital divide in one of DC's poorer neighborhoods, this talk mixes technical details with community building and strategies for sustainable network operation.  This talk will also include a brief historical overview of community wireless networks throughout the world.

Nick Farr & Eric Michaud

Nick Farr and Eric Michaud are co-founders of HacDC, a hackerspace in Washington, DC.  They are actively involved in the global hackerspace community, frequently dragging hackers from Europe to the US and vice-versa.  Closer to home, they are both involved in bringing together hackers and community organizations to bridge the "digital divide".


 

Active Fingerprinting of 802.11 APs

Wireless devices that speak 802.11a/b/g differ, among other things, in their responses to non-standard and malformed frames. We show that these differences suffice to distinguish between APs and other devices from different vendors and will demo a tool that fingerprints APs by their responses to such frames. Our method is active and therefore "noisy", but works without either establishing or observing established associations (unlike other previously presented fingerprinting methods). We also explore timing characteristics of the responses to refine our fingerprint, in particular the clock skew of beacon frame timestamps.

Our tool can be used as a prelude to any other interaction with an AP when one wants to assure that the AP is what it claims to be. This tool will be useful when one does not trust the suspicious AP (or one's own driver/OS) enough even to engage in a cryptographic exchange to authenticate it.

Sergey Bratus

Sergey Bratus is a Research Assistant Professor at Dartmouth College. He is interested in information theory applications to traffic analysis, log analysis, and reverse engineering, as well as in wireless hacking and Linux kernel rootkits. Before coming to Dartmouth, he worked at BBN Technologies on machine parsing and understanding of natural English text. He has a Ph.D. in Mathematics from Northeastern University.

Cory Cornelius

Cory Cornelius is a recent graduate of Dartmouth College. Cory became interested in reverse engineering and security by way of emulating Blizzard’s Battle.net. He now works for ISTS on various projects related to security and privacy, and is planning to attend graduate school.

Daniel Peebles

Daniel Peebles graduated from Dartmouth College in June 2007. He is an active member of the iPhone developer team and was a central contributor to the current jailbreak technique. He currently works for the Institute for Security Technology Studies at Dartmouth on various security projects.

Axel Hansen

Axel Hansen is an intern at the PKI/Trust Lab at Dartmouth College, working on several network security projects. He contributed to several conference publications, in particular VizSec08. He plans to major in Computer Science.


 

Advanced SQL Injection

SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.

Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.

The key areas are:

* IDS Evasion
* Privilege Escalation
* Re-Enabling stored procedures
* Obtaining an interactive command-shell
* Data Exfiltration via DNS

Joseph McCray

Joseph McCray currently teaches the following courses at Johns Hopkins University (JHU), University of Maryland Baltimore College (UMBC), CEDSolutions.com, TrainAce.com, LearnSecurityOnline.com and various other universities, colleges, and training centers around the country: CISSP, Certified Ethical Hacker, Certified Hacking Forensics Investigator, Security+, Network+, Linux+, and Hacker Techniques and Tactics.


 

One XSS To Rule The Enterprise

This talk continues the research into using an enterprise's single sign-on against itself. For years internal web vulnerabilities have been tossed off as "not that big a deal" unless they're SQL injections (and sometimes even those are tossed off). By using the Squirtle API an attacker can use something as simple as a reflected XSS to gain access to secured files, administrative functions, corporate e-mail, etc.

grutz

As a corporate penetration tester, grutz has built, supported and broken stuff for the financial institution of the United States and the power grid of northern California. He has presented at OWASP, Syscan and Defcon.


 

hackerspace:FAIL

For over nine thousand years, humans have been building communities: from the first prehistoric tribes up to the Roman Empire, from IRC to the widths of /b/. Folks have faced the drama of the principle of rise and fall. But throughout the ages, there has always been the strongest will to organise and unite.

All around the globe, we can recently see a huge movement towards building communities and hackerspaces. Unfortunately, in most cases these fresh-water space founders run into problems they have no idea how to deal with, problems that, again in most cases, have already been solved by other hackerspaces before.

In the hackerspace:FAIL panel we would like to discuss the challenges an emerging hackerspace has to face nowadays. We will present a couple of issues that will also be worked through in the follow-up workshop on Sunday morning with interested hackerspace founders-in-spe at ToorCon's Hackerspace Village. This includes themes such as the founding process itself, team organisation, possible space requirements, funding, meetings, troubleshooting and the like. Workshop attendance will be free, but limited to a restricted number of attendees.

Astera

Lolly lolcat lovin' Europeans and serious Americans who've built or run hackerspaces and encountered FAIL on multiple occasions, but nevertheless succeeded in the end ;)


 

a 30,000 feet look at wi-fi, the freezing spot

inflight wee-fee is nothing new... some airlines have had it for a while, some have already given up on the service, and, lately, there is a big fuzz about it again, since it's been implemented in the US. So, why not revisit data from the past, from the wireless stuff, through auth/session persistence/proxy, to the point where it actually hits the "tubes". More data will be collected until TCX, so maybe some other interesting stuff will pop up for the talk.

Luiz "effffn" Eduardo

LE has been dealing w/ infosec for a while, mostly dedicated to wireless security, protocol fuzzing and incident response. He's somewhat known for being the wifi-monkey for several security conferences. LE has spoken at Toorcon, DefCon, Layerone, Hack in the Box, Shmoocon and others, and he is the head of the YSTS http://ysts.org conference in Brazil.


 

Googless

Demonstration of the "Speak English" Google Translate Workaround and "TCP Input Text" PoC that implement the Google SOAP Search API to extract TCP Ports from Google Search Results as input for nmap and nc aka netcat.

Christian Heinrich

Christian Heinrich aka "cmlh" is the Project Leader of the OWASP "Google Hacking" Project and the Thought Leader on Security within the Australian Media and Entertainment Industry with over twelve years of "end user" experience.

cmlh has presented at the recent OWASP Australian and USA Conferences, RUXCON 2K5 (AU) and RUXCON 2K6 (AU) and is scheduled to present at the upcoming SecTor 2008 on 7-8 October in Toronto, Canada and RUXCON 2K8 on 29-30 November in Sydney, Australia.

cmlh has a Public Profile on LinkedIn at http://www.linkedin.com/in/ChristianHeinrich


 

Breaking UNIX crypt() on the PlayStation 3

A UNIX crypt() password bruteforcing tool has been developed and optimized for the Cell B.E. processor. The major advance resides in a new set of "S-Box circuits" created for a DES bitslice implementation that exploits all the features of the instruction set of the SPU cores found in the Cell processor. The perf/price and perf/watt ratios of this password cracking tool running on the PlayStation 3 are respectively 2x and 1.6x better than the best implementation known so far (John the Ripper on quad-core x86-64 processors).

Marc Bevand

I've been involved in computer security and open source projects for about 9 years. I am the author of OpenSSL's MD5 x86-64 implementation, and have written the world's fastest RC4 routine for x86-64. I have published several security advisories, the most recent ones concerning Apache (CVE-2008-2939) and the Flash Player Plugin (R7-0026). The latest open source project I have been working on is Qemudo.


 

RFD (Remote File Downloading) using Blind Techniques

The first word about SQL Injection came on December 25th, 1998, which means almost ten years ago. Since then a lot of information about how to avoid SQL injection vulnerabilities has been released. However, SQL Injection and Blind SQL Injection vulnerabilities remain a common security risk in web applications. In September 2007, OWASP (Open Web Application Security Project) published a document titled "Top ten vulnerabilities" about the top ten security risks in web applications, and in it code injection vulnerabilities were rated in second position.

Chema Alonso

Chema Alonso is a Computer Engineer from Rey Juan Carlos University and a System Engineer from the Politécnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional every year from 2005 to the present. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines such as "Windows TI Magazine", "PC Actual" and "Hackin9". He is currently working on his PhD thesis under the direction of Dr. Antonio Guzmán and Dr. Marta Beltran. He recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks and at Defcon 16 (August 2008) about Time-Based Blind SQL Injection using heavy queries. More info: http://mvp.support.microsoft.com/gp/mvpInsider_2006-08

Jose Parada

José Parada is an IT Pro Evangelist at Microsoft. He is a very famous speaker at Spanish conferences about IT infrastructures, Microsoft technologies and security. He has been working in the Microsoft Technet Program since 2005, delivering conferences, webcasts and technical information.


 

New School Information Gathering

Network information gathering is changing; the days of getting everything you need for footprinting from whois are dead. This talk is about using current open source tools to generate a detailed target footprint without sending "non-standard" traffic to the organization. This detailed information includes network ranges, hidden company affiliations, hostnames, dns information, public documents with their metadata and email addresses for client side attacks.

Chris Gates

Chris Gates (CG). For his day job, he currently works as a full spectrum penetration tester for a large government contractor. Side projects include LearnSecurityOnline.com and his blog carnal0wnage.blogspot.com.


 

Anatomy of the Asprox/Danmec Botnet

The year 2008 has seen the rapid and pervasive rise of large-scale SQL Injection attacks as a mechanism for distributing malware.  One of the most successful and interesting parties using this technique are the people behind the Asprox (aka Danmec) botnet.  This presentation will discuss the reasons why the Asprox botnet is so successful and will lay bare the botnet in its entirety, explaining its structure, command and control architecture, describing executed attacks and diving into other aspects and details of this threat.  Techniques to profile and detect infections and activity will be discussed, and code to detect & track the threat will be distributed.

Dennis Brown

Dennis Brown is a Security Intelligence Engineer with VeriSign Managed Security Services.  Dennis has six years of experience in security operations and research, helping enterprise and mid-size customers around the globe detect and remediate threats to their environments. Dennis' current area of focus is on threat intelligence research, working closely with VeriSign iDefense and Security Operations Centers to identify noteworthy threats and devise response strategies and solutions for organizations of varying sizes and complexity.


 

Why your mother will never care about Linux (a rant)

Hackers are people, not machines.  Unlike machines, hackers are susceptible to the insecurity and fear that regular people experience as well.  The social manifestations of these problems are familiar cliches: groupthink, fanboyism, hatred for anything popular, and a desire to be seen as unique and offbeat -- and it is these very things which are stunting the growth of the hacker community, making us no better than a bunch of cliquey high school students.  This talk will humorously explore the problem, poking fun at the sacred cows of the community, and give attendees some painfully useful insight into how they can help the community mature.

Strom Carlson

Strom Carlson is an experienced technical trainer and telecommunications specialist.


 

Hacking SharePoint

I will discuss and demonstrate:

1. Network fingerprinting of Windows SharePoint Services (WSS) servers

2. Attack and defense of the WSS administrator port

3. An Elevation of Privilege attack available in some legacy environments

4. Automated scanning and detection of these and other findings

Dan Griffin

Dan Griffin is a software security consultant based in Seattle. A list of his previous publications and presentations can be found at http://www.jwsecure.com/articles.shtml.


 

Nunchaku: Attack, Defense, and a lot of arm flailing

Nunchaku is a proof of concept design and implementation of a compile time fuzzing tool. This tool parses code and automatically generates fuzzing and fault injectors for the Peach Fuzzing framework. Upon finding a fault Nunchaku generates a Metasploit module and a Snort IPS rule. This talk will briefly describe the work and methods used to create this tool.

Adam Cecchetti

Adam Cecchetti is a Senior Security Consultant at Leviathan Security Group in Seattle WA. He is a contributing author to several security guides, projects, and tools. Adam is an active member in the international hacking community. Adam holds a masters degree from Carnegie Mellon University in Electrical and Computer Engineering.


 

P0wn the Cloud. The good, the bad, and the pugly of Cloud Computing

Cloud computing is all the rage and headlines are aplenty on anything and everything about Cloud Computing. This presentation will discuss and demonstrate how this throwback to centralized computing can be used to de-centralize attacks and opens up all new opportunities and threats for security researchers. Demos will be included.

Dan Hubbard

Dan Hubbard
dhubbard@websense.com
CTO and VP Research Websense Inc
858-414-8519


 

Owning telephone entry systems (aka why you shouldn't sleep so well)

Oftentimes, renters will pay an extra premium for the added "security" of a gated community. But is this extra fee anything more than, at best, a way to squeeze some extra money out of you each month? Or, at worst, a false sense of security to lull you into leaving your car and home unlocked?

This talk will examine the most common means of telephone entry access control in apartment complexes: How they work, how they're thwarted, and some hilarious things you can do with them. Such as:

- Getting the phone number of every girl at the complex (and their husbands', too)
- "Backdoor" the front door
- Telestalking: Tracking your neighbors
- Messing with the Mail Man/Newspaper guy/Police
…and more.

Joshua Brashars

Joshua Brashars is a San Diego native and a lifelong geek. Joshua has presented at several conferences, including Toorcon, Hope, and others. His latest project is his son, Elijah, and his wife, Elizabeth.


 

How did that Nigerian do that?! Artificial Intelligence and You

Artificial Intelligence is all around us. Worms evolve their source as they jump from machine to machine. Fuzzers use advanced heuristics to find flaws in software. Spammers use the latest in image recognition to get past Captchas. Despite this, few hackers have active knowledge of the underlying algorithms behind these programs. This talk will cover the whys and hows of making your programs think.

Zax

Zax is a grad student based in the Los Angeles area. He has spoken at Toorcon 9 and the Last Hope. He studies how programming languages can be designed to make writing secure programs easy and intuitive. In the past he has explored the effects on security of using obscure technologies, including operating systems, languages, and underused protocols.


 

Ultimate Script Deobfuscation: Browser Hooking versus simulation

Multiple presentations have been given on JavaScript deobfuscation simulation in order to detect malicious behavior. Counter-arguments have been given that have shown arguments against creating a browser simulator, as malicious attacks and deobfuscation have needed an entire transaction in order to properly deobfuscate the content, as well as used minor feature differences between browsers that break simulators.

We'll release code as well as a tool that will be able to hook inside of Internet Explorer or Firefox and deobfuscate any obfuscated malicious content. Since the tool uses a real browser to deobfuscate the content, it will be able to decode any content meant for that particular browser. This tool can be used by researchers when doing malicious website research; it's essential, as almost all malicious web content is obfuscated.

Stephan Chenette

Stephan Chenette is a Senior Security Researcher for Websense Security Labs working on malcode detection techniques. Mr. Chenette specializes in research tools ranging from kernel-land sandboxes, to static analysis scanners. He has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security.


 

Privacy-preserving Location Tracking of Lost or Stolen Devices: Cryptographic Techniques and Replacing Trusted Third Parties with DHTs

We tackle the problem of building privacy-preserving device-tracking systems --- or private methods to assist in the recovery of lost or stolen Internet-connected mobile devices. The main goals of such systems are seemingly contradictory: to hide the device's legitimately-visited locations from third-party services and other parties (location privacy) while simultaneously using those same services to help recover the device's location(s) after it goes missing (device-tracking). We propose a system, named Adeona, that nevertheless meets both goals. It provides strong guarantees of location privacy while preserving the ability to efficiently track missing devices. We build a version of Adeona that uses OpenDHT as the third party service, resulting in an immediately deployable system that does not rely on any single trusted third party. We describe numerous extensions for the basic design that increase Adeona's suitability for particular deployment environments.
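The abstract's two goals (the storage service learns nothing about where the device has been, yet the owner can still retrieve its reports) can be shown in a few dozen lines. The following is an added illustration written for this page in the spirit of that design, not Adeona's own code or its exact construction. Each reporting period the device derives a fresh DHT index and encryption key from a forward-secure seed and then overwrites the seed, so the third party sees only unlinkable pseudorandom indices and ciphertexts, and a device seized later cannot reveal earlier indices. The names `derive`, `Device` and `owner_recover`, the HMAC-SHA256 toy cipher, and the Python dict standing in for OpenDHT are all assumptions of this example.

```python
import hmac
import hashlib
import os

# Constructed illustration of a forward-secure, privacy-preserving tracking
# scheme. Not Adeona's protocol; a simulated dict stands in for OpenDHT.

def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudorandom function."""
    return hmac.new(key, label, hashlib.sha256).digest()

def derive(seed: bytes):
    """One forward-secure step: this period's DHT index and encryption key,
    plus the next seed. The seed is never reused, so a device seized in
    period j reveals only seed_j and nothing about periods before j."""
    index = prf(seed, b"index")
    key = prf(seed, b"key")
    next_seed = prf(seed, b"next")
    return index, key, next_seed

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC built from HMAC-SHA256 (constructed for this
    example; a deployed system would use an AEAD such as AES-GCM)."""
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = prf(prf(key, b"mac"), nonce + ct)
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce + ct)):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))

class Device:
    """Holds only the current seed; the initial seed stays with the owner."""
    def __init__(self, seed: bytes):
        self.seed = seed

    def report(self, dht: dict, location: str) -> bytes:
        index, key, self.seed = derive(self.seed)   # old seed is discarded here
        dht[index] = encrypt(key, os.urandom(16), location.encode())
        return index

def owner_recover(seed0: bytes, dht: dict, periods: int):
    """The owner, holding seed0 offline, recomputes every index and key and
    decrypts whatever the device managed to post."""
    seed, found = seed0, []
    for _ in range(periods):
        index, key, seed = derive(seed)
        blob = dht.get(index)
        found.append(decrypt(key, blob).decode() if blob else None)
    return found

if __name__ == "__main__":
    seed0 = b"constructed-initial-seed"       # constructed sample value
    dht, dev = {}, Device(seed0)
    for loc in ["cafe on 5th", "office", "airport"]:
        dev.report(dht, loc)
    print(owner_recover(seed0, dht, 4))       # ['cafe on 5th', 'office', 'airport', None]
```

What the third party stores is a set of 32-byte indices and ciphertexts with no common key material between periods; the owner's ability to reconstruct the chain from `seed0` is what makes recovery possible without trusting that party.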

Thomas Ristenpart

PhD student at UC San Diego specializing in cryptography and computer security


 

Advanced Techniques in Automated Web Application Testing

Using regular expressions (or, gasp, simple text patterns) is not a state-of-the-art technique for processing the results of automated web security tests. This presentation will provide an in-depth discussion of several advanced techniques used in, or planned for, Grendel (grendel-scan.com). In the past, many of these techniques were rarely seen outside commercial software. This includes quantitatively measuring the similarity of HTTP responses, creating sophisticated logical file-not-found profiles, and using an HTML DOM implementation and JavaScript engine. The usage of Grendel, its interface, high-level features, etc. will not be discussed in this presentation. Don't expect to see a single screenshot of the GUI.
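Two of the techniques the abstract names, measuring response similarity and building a logical file-not-found profile, fit together: a scanner cannot rely on HTTP 404 when a site answers every unknown path with a 200 and a friendly page, so it probes paths that cannot exist, normalizes the per-request noise out of the bodies, and treats any later response that matches that template as "not found". The following added example illustrates that idea in Python; it is written for this page and is not Grendel's code. The helper names, the constructed soft-404 responses and probe paths, and the `difflib` ratio used as the similarity measure are assumptions of the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample site (not real traffic): every unknown path gets an
# HTTP 200 page that echoes the path and a per-request id.
def soft404_body(path: str) -> str:
    return (f"<html><body><h1>Oops</h1><p>We could not find {path}."
            f" Request id 8f3{len(path):02d}</p></body></html>")

# Constructed probe paths that are assumed not to exist on the target.
PROBES = ["/zq7x1k", "/nothere-a9", "/p/q/r/tmp9"]

def normalize(body: str, path: str) -> str:
    """Strip the parts of a page that vary per request before comparing:
    the reflected path, digits (ids, timestamps, counters) and whitespace."""
    body = body.replace(path, "{PATH}")
    body = re.sub(r"\d+", "{N}", body)
    return re.sub(r"\s+", " ", body).strip()

def similarity(a: str, b: str) -> float:
    """Quantitative similarity in [0, 1] between two normalized bodies."""
    return SequenceMatcher(None, a, b).ratio()

def build_not_found_profile(responses):
    """responses: list of (path, status, body) for paths known not to exist.
    Returns (status, template, floor) where floor is the lowest similarity
    observed between the probes themselves."""
    statuses = {status for _, status, _ in responses}
    if len(statuses) != 1:
        raise ValueError("missing resources did not produce one consistent status")
    normalized = [normalize(body, path) for path, _, body in responses]
    template = normalized[0]
    floor = min(similarity(template, n) for n in normalized[1:])
    return statuses.pop(), template, floor

def looks_not_found(profile, path: str, status: int, body: str, margin: float = 0.05) -> bool:
    """Classify a new response against the profile. The margin tolerates a
    little more variation than the probes showed among themselves."""
    nf_status, template, floor = profile
    if status != nf_status:
        return False
    return similarity(template, normalize(body, path)) >= max(0.0, floor - margin)

if __name__ == "__main__":
    profile = build_not_found_profile([(p, 200, soft404_body(p)) for p in PROBES])
    print(looks_not_found(profile, "/admin-xyz", 200, soft404_body("/admin-xyz")))  # True
    login = "<html><body><h1>Login</h1><form action=/login method=post></form></body></html>"
    print(looks_not_found(profile, "/login", 200, login))  # False
```

Normalizing before comparing is what makes the profile "logical" rather than a byte-for-byte match: without it, the echoed path and request id would drag the similarity of two genuine not-found pages well below any usable threshold.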

David Byrne

David Byrne has been involved with information security for almost a decade. Currently, he is a consultant in Trustwave's Application Penetration Testing group. Before Trustwave, he was the Security Architect at Dish Network. In 2006 he started the Denver chapter of OWASP. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David has presented at a number of security events including DEFCON, Black Hat, and the Computer Security Institute conference.


 

Seeds of Contempt

The future of security visualization is not finding new ways to inspect pcap dumps.  The future is in using visual representations of security models to interact with live systems.  Seeds of Contempt is a framework designed to bring together network security auditors and visualization experts.

Contempt is a UI that allows visualization developers easy access to writing visualizations with the prefuse toolkit based on data gathered by the seeds.  Seeds are remote network agents that gather data, and provide a convenient development model for security analysts.

This talk will cover why the security community needs better visual analysis tools, and will demonstrate how easy it is to develop visualization or data gathering modules for the framework.

Dean Pierce

Dean Pierce is an independent computer security researcher in Portland Oregon.  In the past he has worked as a network security analyst at Portland State University, and as a security engineer at Intel.


 

Mobile Phone Messaging Anti-Forensics

With the increased use of SMS, performing forensics on seized mobile phones to retrieve text and multimedia messages is rapidly becoming a critical investigative requirement. As with other areas of forensics, the mobile phone forensics toolkits available today are not perfect. This talk will seek to inform the audience of various attacks we have discovered against mobile phone forensics software that allow attackers to avoid detection. Additionally, a demo showing attacks against popular mobile forensics software will be presented.

Luis Miras

Luis Miras is an independent security researcher. He has worked for both security product vendors and leading consulting firms. His interests include vulnerability research, binary analysis, and hardware/software reverse engineering. In the past he has worked in digital design and embedded programming. He has presented at CanSecWest, Black Hat, CCC Congress, XCon, REcon, Defcon, and other conferences worldwide. Recently Luis co-authored "Reverse Engineering Code with IDA Pro" (Syngress/2008). When he isn't head down in IDA or a circuit board, you will likely find him boarding down some sweet powder.

Zane Lackey

Zane Lackey is a Senior Security Consultant with iSEC Partners Inc. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes mobile phone security, AJAX web applications, and VoIP. Zane has spoken at top security conferences including BlackHat, Toorcon, MEITSEC, and the iSEC Open Forum. Additionally, he is a co-author of "Hacking Exposed: Web 2.0" (McGraw-Hill/December 2007) and contributing author of "Hacking VoIP" (No Starch Press/Fall 2008). Zane holds a Bachelor of Arts in Economics with a minor in Computer Science from the University of California, Davis.


 

The Future of Lockpicking

We've all seen the lockpicking talks and seen how easy it is to get past most locks. We've seen decades of physical security broken by nothing more than inquisitive minds. Is there any hope? This talk will go over much of what is "in vogue" in mechanical access control, some promising technologies, and how lockpicking is changing in order to adapt to these new technologies. With a bit of luck, we'll find one or two types of lock that can withstand the test of time.

datagram

Datagram is a prime example of what the combination of cinnamon rolls, pizza, assembly, lock picking, and tapeworms do to a person. When not eating, lock picking, or programming, he is generally asleep, or otherwise unconscious. Despite constant hate mail and threatening voice mails, he continues to speak at conferences, yell at small children, and write bad biographies.

© 2009 ToorCon, all bits reserved.