Appearances

Our researchers are regularly invited to speak on a variety of topics all over the security industry. Here are some of our upcoming and past speaking appearances, click on the entry to view the abstract as well as any available slides and code:

SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications: Rob King; Mar 25th, Erlang Factory; This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.
MOBOTS: A Pocketful of Pwnage: Derek Brown, dtijerina; Mar 5th, RSA 2010; Today's mobile phone market is rich and diverse, with devices that are capable of complex, production-oriented tasks that challenge even the most sophisticated desktop computers. Likewise, these "smart phones" are vulnerable to exploitation via many of the same vectors. This session will demonstrate that it is possible to implement and maintain a traditional distributed botnet on your mobile phone by relying on social engineering and vulnerabilities in the iPhone/Android security models.
SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications: Rob King; Feb 18th, IEEE Central Texas Section Conference; This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.
Cybercrime: The Latest Wave: Jason Avery; Oct 21st, SX Security Exchange 2009 Conference Singapore; Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint’s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.
Cybercrime: The Latest Wave: Jason Avery; Oct 16th, SX Security Exchange 2009 Conference Thailand; Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint’s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Oct 14th, Hawaii's 16th Annual ISSA Discover Security Conference; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
The Latest Wave of Cybercrime Attacks: Report from the Trenches: David Endler; Oct 7th, European Security and Information System Congress; As business critical applications are quickly moving online, security threats are growing faster than IT spending can keep up. Sophisticated scanning tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information that can be sold for profit. It’s modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when lightning will strike next. This presentation will cover several new technical examples of how hackers are targeting end users and business application. We will also discuss several technologies and strategies for mitigating the threat of this new wave of cyber criminals.
Lecture on Reverse Engineering: Aaron Portnoy; Oct 2nd, Polytechnic Institute of NYU; Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.
Effective Techniques in Vulnerability Analysis and Intrusion Prevention: Rohit Dhamankar, Rob King; Sep 18th, SANS Network Security 2009; An in-depth discussion of the lifecycle of intrusion prevention signature creation with a focus on the creation of effective creation of efficient and accurate signatures, along with a discussion of vulnerability analysis.
Mostrame la guita! Adventures in buying vulnerabilities: Pedram Amini; Sep 17th, Ekoparty 2009; Have you ever wondered what goes on behind the scenes of vulnerability purchasing programs? What price ranges are offered on the white, grey and black markets? How various software vendors compare to one another on response? This talk will share insights, statistics and amusing anecdotes drawn from my experiences, research and history of the TippingPoint Zero Day Initiative vulnerability buying program.
2009 Threat Landscape: Wayne Blackard; Sep 17th, ISSA Puget Sound; This presentation takes a look at the past and present threat landscape, and how different attacks have evolved over time. Using graphed thread data gathered from numerous sources, the speaker will provide an analysis of attack trends to show where the attacks come from and what they’re attacking. A wide range of topics are discussed, such as web attacks, VoIP security, Phishing, Malware, SCADA systems, and Conficker. The speaker also gives advice to organizations on security strategies based on trending predictions.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Jul 25th, Black Hat USA 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Building a Better Mousetrap: Effective Techniques in Vulnerability Analysis and Intrusion Prevention: Rohit Dhamankar, Rob King; Jul 25th, Black Hat USA 2009 Training; This course provides an in-depth look at vulnerability analysis, detection, and prevention from a network-based IPS/IDS standpoint. It starts with how vulnerabilities become vulnerabilities, how hackers attack them, how they look on the wire, and ends with how to write effective signatures and filters for attacks. More esoteric topics covered in this course (and very rarely in others) include how to avoid the dreaded False Positive, how to estimate performance, how to prevent data leakage, and - perhaps most importantly - the techniques hackers use to evade detection by IPS/IDSes, and how you can evade the evasions.
Reversing Microsoft DirectShow and 3rd Party Codecs: Aaron Portnoy; Jun 22nd, You Sh0t The Sheriff; This talk is intended to impart upon the audience the speaker's approach to reverse engineering and auditing extensible Microsoft subsystems and subsequent 3rd party implementations. Specifically, this will delve into the inner workings of Microsoft's video and audio compression managers which provide interfaces for dealing with installable media codecs. Several approaches to auditing codecs will be discussed culminating with a complete walkthrough of the discovery and exploitation of two high-risk VMWare vulnerabilities.
Evolving Landscape of Security Threats in Higher Education: Jason Avery; Jun 17th, University of California Computing Services Conference 2009; Higher Education has traditionally been on the bleeding edge of both security threats and, by necessity, ways to deal with those threats. Using threat data gathered from numerous higher education networks, we will provide an analysis of the evolving landscape of security threats in Higher Education, comparing and contrasting those threats with enterprise and government networks. We will also discuss how Higher Education can effectively utilize various security tools to cope with their unique challenges. A Q&A and open discussion will follow.
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Jun 2nd, Techno 2009 Security Conference; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
Industrial Control System Security: Ganesh Devarajan; May 13th, SMi Cyber Defence 2009; How secure is our Industrial Control Systems? Have we done a good job on educating the people on the need for Control System security? This talk shall give an overview on the security scenario and our current achievements. This talk will also illustrate some of the differences between the IT security and the control system security also covering some of the past known security issues. The talk will then demo and illustrate some of the tools that can be used to test and defend your critical infrastructure against such attacks.
Exploiting Online Games: Aaron Portnoy; Apr 23rd, RSA Conference 2009; MMORPG's such as World of Warcraft, Second Life, and Pirates are subject to security exploits every day. This panel (made up of security experts, online game hackers, lawyers, and software security experts) discusses why online game exploits are a harbinger of attacks to come in the world of Web 2.0 and SOA. We will spend some time discussing how exploits work from a technical perspective. We will also delve into the law, finding out what cases are pending
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Apr 22nd, InfoSecurity San Juan; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Apr 15th, Black Hat Europe 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Feb 16th, Black Hat Federal 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Static Analysis and Transformation of Regular Languages for Encoding: Rob King; Jan 28th, PENTCIRT Pentagon Security Forums; This paper illustrates a technique for analyzing traffic in a streaming context when that traffic has been encoded using a variety of bitwise encoding schemes (most especially the Base64 transformation) without first decoding the stream. This has obvious advantages in situations where decoding is expensive or impossible.
Under the iHood: Cameron Hotchkies; Oct 8th, SecTor; The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, comparisons of Windows applications and the OS X counterparts. Additionally some time will be taken to discuss the differences in the structure of binaries on the iPhone. This talk should give attendees insight into what is involved in the analysis of OS X binaries on both Apple machines and iPhones for vulnerabilities and interoperability. Attendees will gain a solid understanding of how windows reversing skills can be quickly applied to OS X binaries, including the common tools and resources available for an Apple security researcher.
Reverse Engineering Dynamic Language Multiplayer Online Games: Aaron Portnoy, Ali Rizvi-Santiago; Oct 1st, BA-Con Applied Security Conference; Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. One industry that is increasingly adopting the use of dynamic languages is that of online gaming. With millions of subscribers worldwide interacting with each other over complex distributed systems, security is often overlooked. In this presentation we will cover the Python programming language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. We will demonstrate application of the techniques discussed to hack cheats into at least two popular MMORPGs.
SCADA Networks: Security tools and Vulnerability assessments: Ganesh Devarajan; Sep 9th, Reboot Conference; The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.
Under the iHood: Cameron Hotchkies; Aug 8th, DEFCON 16; The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.
The Art of Developing Effective Intrusion Detection/Prevention Signatures: Rohit Dhamankar, Rob King; Aug 2nd, Black Hat USA 2008 Training; This course is intended for students that want to develop effective IDS/IPS signatures. Knowledge of developing custom filters has become essential for security personnel responsible for securing an enterprise or government IT infrastructure. With the massive growth in attacks targeting specific enterprises and government agencies, on-the-spot filter development skills are required to stop propagating these attacks before they cause much damage. This course teaches how to identify malicious traffic on the wire, distinguish it from benign traffic and how to uniquely fingerprint such traffic. The course also teaches a student on how to use any IDS/IPS engine's capability to the fullest since most of the IDS/IPS engines have inherent limitations. The course will use the open-source IDSs Snort and Bro for practical examples and exercises.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Aug 2nd, Black Hat USA 2008 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Reverse Engineering Python Applications: Aaron Portnoy, Ali Rizvi-Santiago; Jul 28th, USENIX WOOT; Download: Slides
Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted dynamic languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. However, the implementation of these benefits exposes risks that developers are often unaware of. This paper is a study of the Python language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. It will cover techniques for interacting with a running interpreter, patching code both statically and dynamically, and manipulating type information. The concepts are further demonstrated with the use of AntiFreeze, a toolset for visually exploring Python binaries and modifying code therein.
Under the iHood: Cameron Hotchkies; Jun 13th, REcon; Download: Slides, Code
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.
Reverse Engineering Dynamic Languages, a Focus on Python: Aaron Portnoy, Ali Rizvi-Santiago; Jun 13th, REcon; Download: Slides
Every day more and more programmers are making the switch from traditional compiled languages such as C to more modern dynamic and interpreted languages such as Ruby and Python. We're seeing software ranging from video games to security tools written in these higher level languages and often released in binary form so as to protect the source. This talk focuses on Python with specific discussions revolving around extracting dynamic type information, disassembling code objects, and modifying runtime state statically. A real world complex example is demonstrated, hacking cheats into an MMORPG written in Python. This results in hilarious video demonstrations.
Arms Race: Next-Gen Vulnerability Discovery: Pedram Amini; Jun 2nd, Techno Security Conference; Download: Slides
Increased security protections at the operating system and compiler levels combined with a broader range of security researchers all looking at the same targets is pushing vulnerability hunters to cook up some interesting tools. This talk focuses on the past, present and future of the tool-set utilized by security researchers.
The Seven Most Dangerous New Attack Techniques and What's Coming Next: Rohit Dhamankar; Apr 23rd, Infosecurity Europe; Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. The session begins with a brief review of the major changes in attack patterns that have taken place over the past two years and then provides detailed descriptions and discussion of the most dangerous of the new attacks. After that, the discussion will move toward what appears to be the most likely direction for evolution of the new attack tools and techniques.
Reverse Engineering Cookbook: Aaron Portnoy, Cameron Hotchkies; Apr 19th, Toorcon Seattle; Download: Slides
This talk presents some of the common impediments reverse engineers face when using IDA in their day-to-day tasks. Many times, we find ourselves performing repetitive tasks instead of focusing on understanding the code being reversed. This can cause distractions and reduce overall efficiency. The IDC and IDAPython scripts discussed are split into two categories: The first category is for scripts that aid in solving repetitive problems suited for automation such as defining functions missed by IDA, creating symbolic names by analyzing debug strings or logging functions, color coding functions based on their purpose using heuristics, and so forth. The second category deals with locating possible vulnerabilities. These scripts will find things such as possible bad allocations, integer wraps, format string bugs, sign extensions, unsafe library calls, and so on. The talk is directed mainly at vulnerability hunters, but anyone with an understanding of reverse engineering and IDA can take something away.
Fast Money and Easy Vulnerabilities: True Crime from the Internet: Mike Dausin, Rohan Kotian; Apr 10th, RSA Conference 2008; This session will examine the real impact of "easy" vulnerabilities on the phishing and fraud crime scene. Most working criminals are not elite super-ninjas armed with complex 0-days. They are using PHP remote files like SQL injection, and even simple XSS attacks to make fast money in online fraud - precisely the bugs that security professionals have grown accustomed to ignoring.
The Emerging Architecture of Secure Networks: Brian Smith; Apr 9th, RSA Conference 2008; Consolidation in the security market promises to simplify network design, but how? Many networks use specialized devices performing various, often redundant security functions. But the emergence of a set of common "legos" will make networks easier to build, less expensive to maintain and more secure. TippingPoint's Brian Smith will explain this architecture, its components and how it simultaneously meets security and networking needs.
What's to Come: The Next Generation of Attacks: David Endler; Apr 8th, RSA Conference 2008; Protecting enterprise assets from unwanted intrusions remains a top corporate priority, but one concern continues to plague the enterprise: has technology adapted to the new generation of threats on the horizon? Will corporations be able to keep their networks secure against these new attacks? This panel will discuss the next generation of attacks.
The Seven Most Dangerous New Attack Techniques, and What's Coming Next: Rohit Dhamankar; Apr 8th, RSA Conference 2008; Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous of the new attack vectors. They will also discuss how attack tools and patterns will evolve over the coming year.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Mar 25th, Black Hat Europe 2008 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Top VOIP Security Threats: David Endler; Mar 18th, VoiceCon Orlando 2008; There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.
IP Telephony Security Threats and Countermeasures: David Endler; Mar 17th, VoiceCon Orlando 2008; IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.
RPC Auditing Tools and Techniques: Aaron Portnoy, Cody Pierce; Nov 22nd, DeepSec In-Depth Security Conference; RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.
Advanced Fuzzing with Sulley: Pedram Amini, Aaron Portnoy; Oct 25th, BlackHat Japan; Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Oct 23rd, BlackHat Japan; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
SCADA Protocols Detailed For Better Security: Ganesh Devarajan; Oct 17th, National Petrochemical and Refiners Association; The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.
Fuzzing Sucks!: Pedram Amini, Aaron Portnoy; Sep 27th, Microsoft BlueHat; Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
IP Telephony Security Threats and Countermeasures: David Endler, Mark Collier; Aug 20th, VoiceCon Fall; This tutorial provides the latest information on security issues for IP Telephony implementations. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security, and looks at emerging issues and technologies.
Real-time Steganography with RTP: Dustin D. Trammell; Aug 3rd, DEFCON 15; Real-time Transfer Protocol (RTP) is used almost ubiquitously by Voice over IP technologies to provide an audio channel for calls. As such, it provides ample opportunity for creation of a covert communications channel due to it's very nature and use in implementation. While use of steganographic techniques with various audio cover-mediums has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This presentation details common techniques for use of steganography with auido data cover-medium, outlines the problem issues that arise when attempting to use these techniques to establish a full-duplex communications channel using audio data transmitted via an unreliable streaming protocol, and finally documents solutions to these problems as well as a reference implementation entitled SteganRTP.
Unraveling SCADA Protocols: Using Sulley Fuzzer: Ganesh Devarajan; Aug 3rd, DEFCON 15; Download: Slides
Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives. I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers. Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable.
PyEmu: A Multi-Purpose Scriptable x86 Emulator: Cody Pierce; Aug 2nd, BlackHat US; Download: Slides, Code
Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDApython. With obvious uses in reverse engineering, vulnerability research, and malware analysis PyEmu is a very valuable addition to any security researchers repertoire.
Fuzzing Sucks!: Pedram Amini, Aaron Portnoy; Aug 2nd, BlackHat US; Download: Slides, Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
PISA: Protocol Identification via Statistical Analysis: Rohit Dhamankar, Rob King; Aug 1st, BlackHat US; A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems. This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol in a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols. This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Jul 28th, Black Hat US; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
VoIP Security: David Endler; May 24th, Interop; As IP telephony systems are more widely deployed, they'll naturally become the target of hackers. What are the newest types of attacks that you should be worried about, how do you guard against them and what are the implications for your broader enterprise IT security position?
Mnemonic Password Formulas: Dustin D. Trammell; May 16th, IEEE Computer Society, Austin Chapter; Download: Slides
This presentation details some of the issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and then finally introduces a new method for password management and recall termed Mnemonic Password Formulas.
DisAsterisk Sneak-Peek: Dustin D. Trammell; May 12th, ToorCon Seattle (Beta); A colleague and I's newest project, DisAsterisk, is an exercise in leveraging Asterisk, other open source software, and our own custom code to create useful tools for VoIP security research. I'll briefly describe the Asterisk extension module API, cover what we've developed so far, and list our future goals for the project.
RPC Auditing Tools and Techniques: Aaron Portnoy; May 12th, Toorcon Seattle; Download: Slides
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.
SCADA Protocol Fuzzer and The Next Generation of Inline Devices: Ganesh Devarajan; May 6th, LayerOne; The presentation will cover the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown there without disclosing the names of vendors.
VoiP Security: No Silver Bullet: David Endler; Apr 27th, Infosecurity Europe; No Abstract available.
Encrypted Protocol Identification via Statistical Analysis: Rob King, Rohit Dhamankar; Mar 23rd, ShmooCon; End-to-end encryption is often used to circumvent network policy controls and evade intrusion prevention and detection systems. This presentation shows a method for identifying the type of traffic that has been encrypted via a novel method of statistical analysis. This gives network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. A sample implementation of the method is provided.
IP Telephony Security Threats and Countermeasures: David Endler; Mar 7th, VoiceCon Spring; No Abstract available.
VoIP Attacks!: Dustin D. Trammell; Mar 2nd, EUSecWest; Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Feb 26th, Black Hat Federal; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
VoIP Attacks!: Dustin D. Trammell; Feb 22nd, IEEE Consultants Network of Central Texas; Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Exploiting VoIP Networks: David Endler, Mark Collier; Feb 7th, RSA; No Abstract available.
Hackers and Internet Security Threats: Rohit Dhamankar; Dec 18th, Arirang TV Interview, Seoul; No Abstract available.
Keynote: Internet Security Threats 2006 and Beyond: Rohit Dhamankar; Dec 13th, CONCERT: Conference of Asian CERTs; No Abstract available.
Steganography Primer: Dustin D. Trammell; Nov 30th, IEEE Consultants Network of Central Texas; Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.
SANS Top-20: Rohit Dhamankar; Nov 13th, UK NISCC Security Conference; No Abstract available.
Steganography Primer: Dustin D. Trammell; Oct 12th, Austin Linux Users Group; Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.
VoIP Attacks!: Dustin D. Trammell; Oct 1st, ToorCon 8; Download: Slides, Code
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Sender Policy Framework: Dustin D. Trammell; Sep 27th, AHA!; Download: Slides
Introduction to Sender Policy Framework (SPF) for e-mail.
Investigating Evil Websites with Monkeyspaw: Tod Beardsley; Aug 3rd, Black Hat US; Download: Slides
No Abstract available.
Hacking VoIP Exposed: David Endler, Mark Collier; Aug 2nd, Black Hat US; Download: Slides
No Abstract available.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Aug 1st, Black Hat US; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
PaiMei - Reverse Engineering Framework: Pedram Amini; Jun 18th, RECON; Download: Slides, Code
There are a slew of languages, tools, interfaces and file formats for various reverse engineering tasks. Making tools play nice together and deciding how to develop new tools is a cumbersome process. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei was created for personal use and after much debate it was decided to release the majority of the toolkit to the public. This presentation will introduce PaiMei, discuss the architecture and design, demonstrate various uses and benefits and provide a foundation for attendees to build their own RE toys on top of the framework. Time permitting, some interesting case studies will be shared with the audience.

PaiMei is a reverse engineering framework consisting of multiple extensible components. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei is written entirely in Python and exposes at the highest level a debugger, a graph based binary abstraction and a set of utilities for accomplishing various repetitive tasks. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as: fuzzer assistance, code coverage tracking, data flow tracking and more.
SANS Top 20 Launch: Rohit Dhamankar; May 23rd, AusCERT; No Abstract available.
Voice over IP (VoIP) Security: David Endler; Mar 17th, Managing VoIP Security; No Abstract available.
VoIP Security: Managing Risk: David Endler; Mar 8th, Voicecon; No Abstract available.
Phishing and Intrusion Prevention: Tod Beardsley; Feb 15th, RSA; Download: Slides
No Abstract available.
Voice over IP Security: David Endler; Feb 14th, RSA; No Abstract available.
Reverse Engineering for Fun and BoF it!: Pedram Amini, Chris Eagle; Jan 13th, ShmooCon; Download: Slides
Reverse engineering skills can come in handy in any number of situations. Determining the behavior of malware, interoperability with closed source applications, and discovery of software vulnerabilities are just a few of the situations in which reverse engineering skills can come in handy. Unfortunately reverse engineers often seem to be self trained and open forums for discussing tools and techniques seem to be few and far between. This goal of this session is to hear people talk about tools and techniques employed for various reverse engineering tasks.

We'll talk about current tools of the trade, disassemblers, debuggers, fuzzers and such. Without turning into a religious battle, the relative merits of various approaches to reverse engineering techniques including static and dynamic analysis of closed source code may also be discussed.
The Top Five VoIP Security Challenges: And What You Can Do About Them: David Endler; Dec 13th, Interop New York; No Abstract available.
SANS Top-20: Rohit Dhamankar; Nov 22nd, UK NISCC Security Conference; No Abstract available.
Keynote on Intrusion Prevention Systems: Rohit Dhamankar; Oct 7th, ICETE 2005; No Abstract available.
Security Concerns and VoIP: David Endler; Sep 22nd, VON; No Abstract available.
Process Stalking - Run Time Visual RCE: Pedram Amini; Sep 17th, ToorCon; Download: Slides, Code
In today's world, closed-source software dominates the desktop and much of the server room. While a variety of tools and methodologies exist for security research in open-source software, binary analysis remains a mostly unexplored field. Post discovery and 0day vulnerability researchers heavily rely on reverse code engineering (RCE) to accomplish their work. The purpose of this talk is to introduce the art and science of "Process Stalking" to the general public.

"Process Stalking" is a term coined to describe the combined process of run-time profiling, state mapping and tracing using visual tools. In this presentation I will outline a methodology that can be consistently applied when conducting RCE for all purposes and will demonstrate a custom toolset that can be utilized in automating the process. I will conclude with live walk throughs allowing the attendee to see the pieces of the presentation come into life. Attendee's should have experience with x86 assembly (especially win32 generated code), a background in security and experience with debuggers and disassemblers.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar, David Endler; Sep 13th, RSA 2005 Power Days; No Abstract available.
A Primer on Phishing Tactics: Tod Beardsley; Jun 3rd, SummerCon; Download: Slides
No Abstract available.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar; Feb 15th, RSA 2005; No Abstract available.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar, David Endler; Feb 15th, RSA 2005; No Abstract available.
Tutorial on Intrusion Prevention Systems: Rohit Dhamankar; Feb 14th, RSA 2005; No Abstract available.

Appearances

Upcoming

Archived: 2009

Archived: 2008

Archived: 2007

Archived: 2006

Archived: 2005

Published Advisories

Upcoming Advisories

Blog Entries