Appearances

Upcoming

The Vulnerability Threat Lifecycle

Dan Holden

Oct 9th, Les Assises de la Securite

The threat landscape has changed substantially in recent years. Security attacks have moved beyond traditional worms and viruses, to more dynamic exploitation via botnets and APTs (Advanced Persistent Threats). Attackers are leveraging old and new vulnerabilities in common applications including Web apps, browsers and social networking. These attackers are also using sophisticated social engineering techniques to further exploit the most common weakness: the user. While the modern threat landscape has changed, many enterprises are still budgeting – and using processes – for the threat landscape of 5-10 years ago. This talk will focus on the modern threat landscape, including the changing face of attacks, what we can expect to see in the future and how organizations can protect themselves.

Lecture on Reverse Engineering

Aaron Portnoy

Oct 1st, Polytechnic Institute of NYU

Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.

Exploitation: Past, Present, and Future

Aaron Portnoy

Sep 14th, National Security Agency

Over the past few years exploitation has become increasingly difficult and the days of simple return address mangling have long since past. Vendors such as Microsoft and Apple have been working diligently on mitigation technologies to make the process of weaponizing an exploit a daunting task. With the introduction of DEP, ASLR, /GS, and SafeSEH, attackers are now forced to obtain an intimate understanding of the internals of the target they are attempting to break. When dealing with closed-source software an exploit writer must reverse engineer application-specific data structures as well as gain a much deeper understanding of how to influence runtime state than was previously required. This is a field in which new tools are desperately needed. The problems associated with reverse engineering binary applications have been approached by academia, private industry, and individuals alike. This presentation aims to discuss the history of the requirements needed to achieve reliable weaponized exploits, focusing on what types of tools and techniques will be needed going forward.

Vulnerability Lifecycle for Software Vendors

Dan Holden

Sep 10th, AppSec US 2010

No Abstract available.

Archived: 2010

Electronic Weaponry or How to Rule the World While Shopping at Radio Shack

Tim Otto

Aug 1st, DEF CON 18

Talk will cover electronic weapons, focusing mainly on the ones that target electronic systems.

Through the rabbit hole: An Expose of Darknets and the Onion Routed Underground

Will Gragido

Jul 31st, Security BSides

The Internet and cyberspace are far from what they appear to be. For years an evolution revolution has been underway. This evolution revolution has seen advancement, growth, adaptation and change occur in order to both propagate and defend against new and advanced threat vectors, many of which do not traditionally reside in the realm of the information security warrior but are swiftly becoming more a part of it. Among these, the onion routed anonymous network is playing a greater and greater role. These networks leverage cryptographic ciphers to aid in concealing routing instruction information thus preventing detection by intermediary nodes. They take on many forms some being embraced and celebrated as voices of free press and expression, while others are used for the trafficking and trade of goods and services within the cyber-criminal sub-ecosystem. During this presentation you will gain an insight into the realities of these networks, their owner / operators, the conventional wisdom employed by these parties, their clientele and an informed look glimpse of the type of data which is trafficked within these environments.

Building a Better Mousetrap: Effective Techniques in Vulnerability Analysis and Intrusion Detection & Prevention

Rob King

Jul 24th, BlackHat USA 2010

It's a fact that hackers are getting smarter faster than network security hardware is getting better. To effectively defend your organization from attacks, you have to know more than just how to configure your IPS or IDS - you need to understand the art behind the science. This course provides an in-depth look at vulnerability analysis, detection, and prevention from a network-based IPS/IDS standpoint. It starts with how vulnerabilities become vulnerabilities, how hackers attack them, how they look on the wire, and ends with how to write effective signatures and filters for attacks. More esoteric topics covered in this course (and very rarely in others) include how to avoid the dreaded False Positive, how to estimate performance, how to prevent data leakage, and - perhaps most importantly - the techniques hackers use to evade detection by IPS/IDSes, and how you can evade the evasions.

Pixaxe: A Declarative, Client-Focused Web Application Framework

Rob King

Jun 23rd, USENIX

This paper provides a brief introduction to and overview of the Pixaxe Web Application Framework ("Pixaxe"). Pixaxe is a framework with several novel features, including a transparent template system that runs entirely within the web browser, an emphasis on developing rich internet applications as simple web pages, and pushing as much logic and rendering overhead to the client as possible. This paper also introduces several underlying technologies of Pixaxe, each of which can be used separately: Jenner, a completely client-side template engine; Esel, a powerful expression and query language; and Kouprey, a parser combinator library for ECMAScript.

SCADA Threat Landscape

Garett Montgomery

May 18th, DoE Cyber Security Conference

SCADA systems control everything from oil and gas pipelines, to the water supplies in our cities, to the traffic lights that regulate our daily commute. Despite the tendency of broadcast media to sensationalize when it comes to anything remotely related to ‘computer hacking’, the cyber threat to SCADA systems is, unfortunately, very real. This talk will focus on not only on actual incidents that have already occurred across several risk vectors, but also on how they occurred. Comparisons to relatively mature corporate cybersecurity risk mitigation frameworks will be discussed as well as how they might applied to SCADA networks, and how they could have been used to prevent some of the incidents. The current threat landscape and how it relates specifically to SCADA cybersecurity will also be covered.

SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications

Rob King

Mar 25th, Erlang Factory

This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.

Pwn2Own 2010

Pedram Amini, Aaron Portnoy, Kate Fly, Ali Rizvi-Santiago, Zef Cekaj, Logan Brown

Mar 24th, CanSecWest

The entire ZDI research team will be present at CanSecWest this year in Vancouver to run our annual Pwn2Own competition. TippingPoint has committed over $100,000 in available prizes this year. For further details regarding rules and registration see the following blog entry: http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010

MOBOTS: A Pocketful of Pwnage

Derek Brown, Daniel Tijerina

Mar 5th, RSA 2010

Today's mobile phone market is rich and diverse, with devices that are capable of complex, production-oriented tasks that challenge even the most sophisticated desktop computers. Likewise, these "smart phones" are vulnerable to exploitation via many of the same vectors. This session will demonstrate that it is possible to implement and maintain a traditional distributed botnet on your mobile phone by relying on social engineering and vulnerabilities in the iPhone/Android security models.

Cracking Down on SCADA Security

Jason Avery

Mar 4th, RSA 2010

Your control systems are as secure or strong as the weakest link of your network. The research discussed in this session will expose some of the basic architectural flaws in these networks, how they can be infiltrated and illustrate various application vulnerabilities, and how they can be abused if in wrong hands.

The Seven Most Dangerous New Attack Techniques and What Is Coming Next Session

Rohit Dhamankar

Mar 2nd, RSA 2010

Nation states and organized crime groups are rapidly increasing the sophistication, virulence, and effectiveness of attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous new attack vectors and how they think attack tools and patterns will evolve over the coming year.

SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications

Rob King

Feb 18th, IEEE Central Texas Section Conference

This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.

Archived: 2009

Cybercrime: The Latest Wave

Jason Avery

Oct 21st, SX Security Exchange 2009 Conference Singapore

Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint’s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.

Cybercrime: The Latest Wave

Jason Avery

Oct 16th, SX Security Exchange 2009 Conference Thailand

Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint’s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.

Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates

Marc Eisenbarth

Oct 14th, Hawaii's 16th Annual ISSA Discover Security Conference

The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.

The Latest Wave of Cybercrime Attacks: Report from the Trenches

David Endler

Oct 7th, European Security and Information System Congress

As business critical applications are quickly moving online, security threats are growing faster than IT spending can keep up. Sophisticated scanning tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information that can be sold for profit. It’s modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when lightning will strike next. This presentation will cover several new technical examples of how hackers are targeting end users and business application. We will also discuss several technologies and strategies for mitigating the threat of this new wave of cyber criminals.

Lecture on Reverse Engineering

Aaron Portnoy

Oct 2nd, Polytechnic Institute of NYU

Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.

Effective Techniques in Vulnerability Analysis and Intrusion Prevention

Rohit Dhamankar, Rob King

Sep 18th, SANS Network Security 2009

An in-depth discussion of the lifecycle of intrusion prevention signature creation with a focus on the creation of effective creation of efficient and accurate signatures, along with a discussion of vulnerability analysis.

Mostrame la guita! Adventures in buying vulnerabilities

Pedram Amini

Sep 17th, Ekoparty 2009

Download: Slides
Have you ever wondered what goes on behind the scenes of vulnerability purchasing programs? What price ranges are offered on the white, grey and black markets? How various software vendors compare to one another on response? This talk will share insights, statistics and amusing anecdotes drawn from my experiences, research and history of the TippingPoint Zero Day Initiative vulnerability buying program.

2009 Threat Landscape

Wayne Blackard

Sep 17th, ISSA Puget Sound

This presentation takes a look at the past and present threat landscape, and how different attacks have evolved over time. Using graphed thread data gathered from numerous sources, the speaker will provide an analysis of attack trends to show where the attacks come from and what they’re attacking. A wide range of topics are discussed, such as web attacks, VoIP security, Phishing, Malware, SCADA systems, and Conficker. The speaker also gives advice to organizations on security strategies based on trending predictions.

Reverse Engineering on Windows: Application in Malicious Code Analysis

Pedram Amini, Ero Carrera

Jul 25th, Black Hat USA 2009 Training

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

Building a Better Mousetrap: Effective Techniques in Vulnerability Analysis and Intrusion Prevention

Rohit Dhamankar, Rob King

Jul 25th, Black Hat USA 2009 Training

This course provides an in-depth look at vulnerability analysis, detection, and prevention from a network-based IPS/IDS standpoint. It starts with how vulnerabilities become vulnerabilities, how hackers attack them, how they look on the wire, and ends with how to write effective signatures and filters for attacks. More esoteric topics covered in this course (and very rarely in others) include how to avoid the dreaded False Positive, how to estimate performance, how to prevent data leakage, and - perhaps most importantly - the techniques hackers use to evade detection by IPS/IDSes, and how you can evade the evasions.

Reversing Microsoft DirectShow and 3rd Party Codecs

Aaron Portnoy

Jun 22nd, You Sh0t The Sheriff

This talk is intended to impart upon the audience the speaker's approach to reverse engineering and auditing extensible Microsoft subsystems and subsequent 3rd party implementations. Specifically, this will delve into the inner workings of Microsoft's video and audio compression managers which provide interfaces for dealing with installable media codecs. Several approaches to auditing codecs will be discussed culminating with a complete walkthrough of the discovery and exploitation of two high-risk VMWare vulnerabilities.

Evolving Landscape of Security Threats in Higher Education

Jason Avery

Jun 17th, University of California Computing Services Conference 2009

Higher Education has traditionally been on the bleeding edge of both security threats and, by necessity, ways to deal with those threats. Using threat data gathered from numerous higher education networks, we will provide an analysis of the evolving landscape of security threats in Higher Education, comparing and contrasting those threats with enterprise and government networks. We will also discuss how Higher Education can effectively utilize various security tools to cope with their unique challenges. A Q&A and open discussion will follow.

Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates

Marc Eisenbarth

Jun 2nd, Techno 2009 Security Conference

The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.

Industrial Control System Security

Ganesh Devarajan

May 13th, SMi Cyber Defence 2009

How secure is our Industrial Control Systems? Have we done a good job on educating the people on the need for Control System security? This talk shall give an overview on the security scenario and our current achievements. This talk will also illustrate some of the differences between the IT security and the control system security also covering some of the past known security issues. The talk will then demo and illustrate some of the tools that can be used to test and defend your critical infrastructure against such attacks.

Exploiting Online Games

Aaron Portnoy

Apr 23rd, RSA Conference 2009

MMORPG's such as World of Warcraft, Second Life, and Pirates are subject to security exploits every day. This panel (made up of security experts, online game hackers, lawyers, and software security experts) discusses why online game exploits are a harbinger of attacks to come in the world of Web 2.0 and SOA. We will spend some time discussing how exploits work from a technical perspective. We will also delve into the law, finding out what cases are pending

Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates

Marc Eisenbarth

Apr 22nd, InfoSecurity San Juan

The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.

Reverse Engineering on Windows: Application in Malicious Code Analysis

Pedram Amini, Ero Carrera

Apr 15th, Black Hat Europe 2009 Training

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

Reverse Engineering on Windows: Application in Malicious Code Analysis

Pedram Amini, Ero Carrera

Feb 16th, Black Hat Federal 2009 Training

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

Static Analysis and Transformation of Regular Languages for Encoding

Rob King

Jan 28th, PENTCIRT Pentagon Security Forums

This paper illustrates a technique for analyzing traffic in a streaming context when that traffic has been encoded using a variety of bitwise encoding schemes (most especially the Base64 transformation) without first decoding the stream. This has obvious advantages in situations where decoding is expensive or impossible.

Archived: 2008

Under the iHood

Cameron Hotchkies

Oct 8th, SecTor

The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, comparisons of Windows applications and the OS X counterparts. Additionally some time will be taken to discuss the differences in the structure of binaries on the iPhone. This talk should give attendees insight into what is involved in the analysis of OS X binaries on both Apple machines and iPhones for vulnerabilities and interoperability. Attendees will gain a solid understanding of how windows reversing skills can be quickly applied to OS X binaries, including the common tools and resources available for an Apple security researcher.

Reverse Engineering Dynamic Language Multiplayer Online Games

Aaron Portnoy, Ali Rizvi-Santiago

Oct 1st, BA-Con Applied Security Conference

Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. One industry that is increasingly adopting the use of dynamic languages is that of online gaming. With millions of subscribers worldwide interacting with each other over complex distributed systems, security is often overlooked. In this presentation we will cover the Python programming language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. We will demonstrate application of the techniques discussed to hack cheats into at least two popular MMORPGs.

SCADA Networks: Security tools and Vulnerability assessments

Ganesh Devarajan

Sep 9th, Reboot Conference

The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.

Under the iHood

Cameron Hotchkies

Aug 8th, DEFCON 16

The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.

The Art of Developing Effective Intrusion Detection/Prevention Signatures

Rohit Dhamankar, Rob King

Aug 2nd, Black Hat USA 2008 Training

This course is intended for students that want to develop effective IDS/IPS signatures. Knowledge of developing custom filters has become essential for security personnel responsible for securing an enterprise or government IT infrastructure. With the massive growth in attacks targeting specific enterprises and government agencies, on-the-spot filter development skills are required to stop propagating these attacks before they cause much damage. This course teaches how to identify malicious traffic on the wire, distinguish it from benign traffic and how to uniquely fingerprint such traffic. The course also teaches a student on how to use any IDS/IPS engine's capability to the fullest since most of the IDS/IPS engines have inherent limitations. The course will use the open-source IDSs Snort and Bro for practical examples and exercises.

Reverse Engineering on Windows: Application in Malicious Code Analysis

Pedram Amini, Ero Carrera

Aug 2nd, Black Hat USA 2008 Training

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

Reverse Engineering Python Applications

Aaron Portnoy, Ali Rizvi-Santiago

Jul 28th, USENIX WOOT

Download: Slides
Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted dynamic languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. However, the implementation of these benefits exposes risks that developers are often unaware of. This paper is a study of the Python language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. It will cover techniques for interacting with a running interpreter, patching code both statically and dynamically, and manipulating type information. The concepts are further demonstrated with the use of AntiFreeze, a toolset for visually exploring Python binaries and modifying code therein.

Under the iHood

Cameron Hotchkies

Jun 13th, REcon

Download: Slides, Code
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.

Reverse Engineering Dynamic Languages, a Focus on Python

Aaron Portnoy, Ali Rizvi-Santiago

Jun 13th, REcon

Download: Slides
Every day more and more programmers are making the switch from traditional compiled languages such as C to more modern dynamic and interpreted languages such as Ruby and Python. We're seeing software ranging from video games to security tools written in these higher level languages and often released in binary form so as to protect the source. This talk focuses on Python with specific discussions revolving around extracting dynamic type information, disassembling code objects, and modifying runtime state statically. A real world complex example is demonstrated, hacking cheats into an MMORPG written in Python. This results in hilarious video demonstrations.

Arms Race: Next-Gen Vulnerability Discovery

Pedram Amini

Jun 2nd, Techno Security Conference

Download: Slides
Increased security protections at the operating system and compiler levels combined with a broader range of security researchers all looking at the same targets is pushing vulnerability hunters to cook up some interesting tools. This talk focuses on the past, present and future of the tool-set utilized by security researchers.

The Seven Most Dangerous New Attack Techniques and What's Coming Next

Rohit Dhamankar

Apr 23rd, Infosecurity Europe

Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. The session begins with a brief review of the major changes in attack patterns that have taken place over the past two years and then provides detailed descriptions and discussion of the most dangerous of the new attacks. After that, the discussion will move toward what appears to be the most likely direction for evolution of the new attack tools and techniques.

Reverse Engineering Cookbook

Aaron Portnoy, Cameron Hotchkies

Apr 19th, Toorcon Seattle

Download: Slides
This talk presents some of the common impediments reverse engineers face when using IDA in their day-to-day tasks. Many times, we find ourselves performing repetitive tasks instead of focusing on understanding the code being reversed. This can cause distractions and reduce overall efficiency. The IDC and IDAPython scripts discussed are split into two categories: The first category is for scripts that aid in solving repetitive problems suited for automation such as defining functions missed by IDA, creating symbolic names by analyzing debug strings or logging functions, color coding functions based on their purpose using heuristics, and so forth. The second category deals with locating possible vulnerabilities. These scripts will find things such as possible bad allocations, integer wraps, format string bugs, sign extensions, unsafe library calls, and so on. The talk is directed mainly at vulnerability hunters, but anyone with an understanding of reverse engineering and IDA can take something away.

Fast Money and Easy Vulnerabilities: True Crime from the Internet

Mike Dausin, Rohan Kotian

Apr 10th, RSA Conference 2008

This session will examine the real impact of "easy" vulnerabilities on the phishing and fraud crime scene. Most working criminals are not elite super-ninjas armed with complex 0-days. They are using PHP remote files like SQL injection, and even simple XSS attacks to make fast money in online fraud - precisely the bugs that security professionals have grown accustomed to ignoring.

The Emerging Architecture of Secure Networks

Brian Smith

Apr 9th, RSA Conference 2008

Consolidation in the security market promises to simplify network design, but how? Many networks use specialized devices performing various, often redundant security functions. But the emergence of a set of common "legos" will make networks easier to build, less expensive to maintain and more secure. TippingPoint's Brian Smith will explain this architecture, its components and how it simultaneously meets security and networking needs.

What's to Come: The Next Generation of Attacks

David Endler

Apr 8th, RSA Conference 2008

Protecting enterprise assets from unwanted intrusions remains a top corporate priority, but one concern continues to plague the enterprise: has technology adapted to the new generation of threats on the horizon? Will corporations be able to keep their networks secure against these new attacks? This panel will discuss the next generation of attacks.

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Rohit Dhamankar

Apr 8th, RSA Conference 2008

Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous of the new attack vectors. They will also discuss how attack tools and patterns will evolve over the coming year.

Reverse Engineering on Windows: Application in Malicious Code Analysis

Pedram Amini, Ero Carrera

Mar 25th, Black Hat Europe 2008 Training

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

Top VOIP Security Threats

David Endler

Mar 18th, VoiceCon Orlando 2008

There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.

IP Telephony Security Threats and Countermeasures

David Endler

Mar 17th, VoiceCon Orlando 2008

IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.

Archived: 2007

RPC Auditing Tools and Techniques

Aaron Portnoy, Cody Pierce

Nov 22nd, DeepSec In-Depth Security Conference

RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.

Advanced Fuzzing with Sulley

Pedram Amini, Aaron Portnoy

Oct 25th, BlackHat Japan

Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.

Reverse Engineering on Windows

Pedram Amini, Ero Carrera

Oct 23rd, BlackHat Japan

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

SCADA Protocols Detailed For Better Security

Ganesh Devarajan

Oct 17th, National Petrochemical and Refiners Association

The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.

Fuzzing Sucks!

Pedram Amini, Aaron Portnoy

Sep 27th, Microsoft BlueHat

Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.

IP Telephony Security Threats and Countermeasures

David Endler, Mark Collier

Aug 20th, VoiceCon Fall

This tutorial provides the latest information on security issues for IP Telephony implementations. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security, and looks at emerging issues and technologies.

Real-time Steganography with RTP

Dustin D. Trammell

Aug 3rd, DEFCON 15

Real-time Transfer Protocol (RTP) is used almost ubiquitously by Voice over IP technologies to provide an audio channel for calls. As such, it provides ample opportunity for creation of a covert communications channel due to it's very nature and use in implementation. While use of steganographic techniques with various audio cover-mediums has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This presentation details common techniques for use of steganography with auido data cover-medium, outlines the problem issues that arise when attempting to use these techniques to establish a full-duplex communications channel using audio data transmitted via an unreliable streaming protocol, and finally documents solutions to these problems as well as a reference implementation entitled SteganRTP.

Unraveling SCADA Protocols: Using Sulley Fuzzer

Ganesh Devarajan

Aug 3rd, DEFCON 15

Download: Slides
Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives. I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers. Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable.

PyEmu: A Multi-Purpose Scriptable x86 Emulator

Cody Pierce

Aug 2nd, BlackHat US

Download: Slides, Code
Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDApython. With obvious uses in reverse engineering, vulnerability research, and malware analysis PyEmu is a very valuable addition to any security researchers repertoire.

Fuzzing Sucks!

Pedram Amini, Aaron Portnoy

Aug 2nd, BlackHat US

Download: Slides, Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.

PISA: Protocol Identification via Statistical Analysis

Rohit Dhamankar, Rob King

Aug 1st, BlackHat US

A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems. This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol in a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols. This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.

Reverse Engineering on Windows

Pedram Amini, Ero Carrera

Jul 28th, Black Hat US

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

VoIP Security

David Endler

May 24th, Interop

As IP telephony systems are more widely deployed, they'll naturally become the target of hackers. What are the newest types of attacks that you should be worried about, how do you guard against them and what are the implications for your broader enterprise IT security position?

Mnemonic Password Formulas

Dustin D. Trammell

May 16th, IEEE Computer Society, Austin Chapter

Download: Slides
This presentation details some of the issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and then finally introduces a new method for password management and recall termed Mnemonic Password Formulas.

DisAsterisk Sneak-Peek

Dustin D. Trammell

May 12th, ToorCon Seattle (Beta)

A colleague and I's newest project, DisAsterisk, is an exercise in leveraging Asterisk, other open source software, and our own custom code to create useful tools for VoIP security research. I'll briefly describe the Asterisk extension module API, cover what we've developed so far, and list our future goals for the project.

RPC Auditing Tools and Techniques

Aaron Portnoy

May 12th, Toorcon Seattle

Download: Slides
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.

SCADA Protocol Fuzzer and The Next Generation of Inline Devices

Ganesh Devarajan

May 6th, LayerOne

The presentation will cover the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown there without disclosing the names of vendors.

VoiP Security: No Silver Bullet

David Endler

Apr 27th, Infosecurity Europe

No Abstract available.

Encrypted Protocol Identification via Statistical Analysis

Rob King, Rohit Dhamankar

Mar 23rd, ShmooCon

End-to-end encryption is often used to circumvent network policy controls and evade intrusion prevention and detection systems. This presentation shows a method for identifying the type of traffic that has been encrypted via a novel method of statistical analysis. This gives network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. A sample implementation of the method is provided.

IP Telephony Security Threats and Countermeasures

David Endler

Mar 7th, VoiceCon Spring

No Abstract available.

VoIP Attacks!

Dustin D. Trammell

Mar 2nd, EUSecWest

Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.

Reverse Engineering on Windows

Pedram Amini, Ero Carrera

Feb 26th, Black Hat Federal

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

VoIP Attacks!

Dustin D. Trammell

Feb 22nd, IEEE Consultants Network of Central Texas

Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.

Exploiting VoIP Networks

David Endler, Mark Collier

Feb 7th, RSA

No Abstract available.

Archived: 2006

Hackers and Internet Security Threats

Rohit Dhamankar

Dec 18th, Arirang TV Interview, Seoul

No Abstract available.

Keynote: Internet Security Threats 2006 and Beyond

Rohit Dhamankar

Dec 13th, CONCERT: Conference of Asian CERTs

No Abstract available.

Steganography Primer

Dustin D. Trammell

Nov 30th, IEEE Consultants Network of Central Texas

Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.

SANS Top-20

Rohit Dhamankar

Nov 13th, UK NISCC Security Conference

No Abstract available.

Steganography Primer

Dustin D. Trammell

Oct 12th, Austin Linux Users Group

Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.

VoIP Attacks!

Dustin D. Trammell

Oct 1st, ToorCon 8

Download: Slides, Code
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.

Sender Policy Framework

Dustin D. Trammell

Sep 27th, AHA!

Download: Slides
Introduction to Sender Policy Framework (SPF) for e-mail.

Investigating Evil Websites with Monkeyspaw

Tod Beardsley

Aug 3rd, Black Hat US

Download: Slides
No Abstract available.

Hacking VoIP Exposed

David Endler, Mark Collier

Aug 2nd, Black Hat US

Download: Slides
No Abstract available.

Reverse Engineering on Windows

Pedram Amini, Ero Carrera

Aug 1st, Black Hat US

Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.

PaiMei - Reverse Engineering Framework

Pedram Amini

Jun 18th, RECON

Download: Slides, Code
There are a slew of languages, tools, interfaces and file formats for various reverse engineering tasks. Making tools play nice together and deciding how to develop new tools is a cumbersome process. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei was created for personal use and after much debate it was decided to release the majority of the toolkit to the public. This presentation will introduce PaiMei, discuss the architecture and design, demonstrate various uses and benefits and provide a foundation for attendees to build their own RE toys on top of the framework. Time permitting, some interesting case studies will be shared with the audience.

PaiMei is a reverse engineering framework consisting of multiple extensible components. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei is written entirely in Python and exposes at the highest level a debugger, a graph based binary abstraction and a set of utilities for accomplishing various repetitive tasks. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as: fuzzer assistance, code coverage tracking, data flow tracking and more.

SANS Top 20 Launch

Rohit Dhamankar

May 23rd, AusCERT

No Abstract available.

Voice over IP (VoIP) Security

David Endler

Mar 17th, Managing VoIP Security

No Abstract available.

VoIP Security: Managing Risk

David Endler

Mar 8th, Voicecon

No Abstract available.

Phishing and Intrusion Prevention

Tod Beardsley

Feb 15th, RSA

Download: Slides
No Abstract available.

Voice over IP Security

David Endler

Feb 14th, RSA

No Abstract available.

Reverse Engineering for Fun and BoF it!

Pedram Amini, Chris Eagle

Jan 13th, ShmooCon

Download: Slides
Reverse engineering skills can come in handy in any number of situations. Determining the behavior of malware, interoperability with closed source applications, and discovery of software vulnerabilities are just a few of the situations in which reverse engineering skills can come in handy. Unfortunately reverse engineers often seem to be self trained and open forums for discussing tools and techniques seem to be few and far between. This goal of this session is to hear people talk about tools and techniques employed for various reverse engineering tasks.

We'll talk about current tools of the trade, disassemblers, debuggers, fuzzers and such. Without turning into a religious battle, the relative merits of various approaches to reverse engineering techniques including static and dynamic analysis of closed source code may also be discussed.

Archived: 2005

The Top Five VoIP Security Challenges: And What You Can Do About Them

David Endler

Dec 13th, Interop New York

No Abstract available.

SANS Top-20

Rohit Dhamankar

Nov 22nd, UK NISCC Security Conference

No Abstract available.

Keynote on Intrusion Prevention Systems

Rohit Dhamankar

Oct 7th, ICETE 2005

No Abstract available.

Security Concerns and VoIP

David Endler

Sep 22nd, VON

No Abstract available.

Process Stalking - Run Time Visual RCE

Pedram Amini

Sep 17th, ToorCon

Download: Slides, Code
In today's world, closed-source software dominates the desktop and much of the server room. While a variety of tools and methodologies exist for security research in open-source software, binary analysis remains a mostly unexplored field. Post discovery and 0day vulnerability researchers heavily rely on reverse code engineering (RCE) to accomplish their work. The purpose of this talk is to introduce the art and science of "Process Stalking" to the general public.

"Process Stalking" is a term coined to describe the combined process of run-time profiling, state mapping and tracing using visual tools. In this presentation I will outline a methodology that can be consistently applied when conducting RCE for all purposes and will demonstrate a custom toolset that can be utilized in automating the process. I will conclude with live walk throughs allowing the attendee to see the pieces of the presentation come into life. Attendee's should have experience with x86 assembly (especially win32 generated code), a background in security and experience with debuggers and disassemblers.

Preventing Exploitation of Your VoIP Network

Rohit Dhamankar, David Endler

Sep 13th, RSA 2005 Power Days

No Abstract available.

A Primer on Phishing Tactics

Tod Beardsley

Jun 3rd, SummerCon

Download: Slides
No Abstract available.

Preventing Exploitation of Your VoIP Network

Rohit Dhamankar

Feb 15th, RSA 2005

No Abstract available.

Preventing Exploitation of Your VoIP Network

Rohit Dhamankar, David Endler

Feb 15th, RSA 2005

No Abstract available.

Tutorial on Intrusion Prevention Systems

Rohit Dhamankar

Feb 14th, RSA 2005

No Abstract available.

Published Advisories

TPTI-10-13: Adobe

• published 2010-08-24

TPTI-10-14: Adobe

• published 2010-08-24

TPTI-10-15: Adobe

• published 2010-08-24

TPTI-10-10: Adobe

• published 2010-08-24

TPTI-10-11: Adobe

• published 2010-08-24

Upcoming Advisories

RealNetworks

• reported 2010-08-11

RealNetworks

• reported 2010-08-11

VMWare

• reported 2010-06-16

RealNetworks

• reported 2010-02-26

Blog Entries

Security Advisory for NetWare 6.5 OpenSSH

• 2010-09-01 by Zef Cekaj
• (1 Comments)

ZDI Disclosure Policy Changes

• 2010-08-03 by Aaron Portnoy
• (3 Comments)

ZDI 2010 Milestone

• 2010-07-14 by Dan Holden
• (1 Comments)

MOBOTS: WeatherFist Exposed

• 2010-03-10 by Daniel Tijerina
• (2 Comments)

RSA Conference 2010 Talks

• 2010-02-23 by Jason Avery
• (0 Comments)