Appearances
Our researchers are regularly invited to speak on a variety of topics across the security industry. Here are some of our upcoming and past speaking appearances. Click an entry to view the abstract as well as any available slides and code:
Upcoming
-
VoIP Threats & Countermeasures
- David Endler
-
Oct 27th,
RSA Europe 2008
-
For VoIP to thrive, it must be secured. As hackers become savvier to VoIP with mainstream adoption, expect emerging VoIP attacks and threats to increase. This session will highlight the present and near term security threats to VoIP, as well as a longer term projection of things to come.
-
IP Telephony Security Threats and Countermeasures
- David Endler
-
Oct 14th,
VoiceCon Europe
-
IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.
Archived: 2008
-
Under the iHood
- Cameron Hotchkies
-
Aug 8th,
DEFCON 16
-
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, and comparisons of Windows applications with their OS X counterparts.
-
The Art of Developing Effective Intrusion Detection/Prevention Signatures
- Rohit Dhamankar, Rob King
-
Aug 2nd,
Black Hat USA 2008 Training
-
This course is intended for students who want to develop effective IDS/IPS signatures. Knowledge of developing custom filters has become essential for security personnel responsible for securing an enterprise or government IT infrastructure. With the massive growth in attacks targeting specific enterprises and government agencies, on-the-spot filter development skills are required to stop these attacks from propagating before they cause much damage. This course teaches how to identify malicious traffic on the wire, how to distinguish it from benign traffic and how to uniquely fingerprint such traffic. The course also teaches how to use any IDS/IPS engine's capabilities to the fullest, since most IDS/IPS engines have inherent limitations. The course will use the open-source IDSs Snort and Bro for practical examples and exercises.
-
Reverse Engineering on Windows: Application in Malicious Code Analysis
- Pedram Amini, Ero Carrera
-
Aug 2nd,
Black Hat USA 2008 Training
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
Reverse Engineering Python Applications
- Aaron Portnoy, Ali Rizvi-Santiago
-
Jul 28th,
USENIX WOOT
-
Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted dynamic languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. However, the implementation of these benefits exposes risks that developers are often unaware of. This paper is a study of the Python language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. It will cover techniques for interacting with a running interpreter, patching code both statically and dynamically, and manipulating type information. The concepts are further demonstrated with the use of AntiFreeze, a toolset for visually exploring Python binaries and modifying code therein.
-
Under the iHood
- Cameron Hotchkies
-
Jun 13th,
REcon
-
Download: Slides, Code
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, and comparisons of Windows applications with their OS X counterparts.
-
Reverse Engineering Dynamic Languages, a Focus on Python
- Aaron Portnoy, Ali Rizvi-Santiago
-
Jun 13th,
REcon
-
Download: Slides
Every day more and more programmers are making the switch from traditional compiled languages such as C to more modern dynamic and interpreted languages such as Ruby and Python. We're seeing software ranging from video games to security tools written in these higher level languages and often released in binary form so as to protect the source. This talk focuses on Python with specific discussions revolving around extracting dynamic type information, disassembling code objects, and modifying runtime state statically. A real world complex example is demonstrated, hacking cheats into an MMORPG written in Python. This results in hilarious video demonstrations.
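The USENIX WOOT paper and this REcon talk both describe the same three moves: read the bytecode of a code object, pull the type information it carries, and patch it statically or at runtime. The following is an added example written for this listing, not code from the paper or from AntiFreeze; it uses only the CPython standard library, and the target function `check_license` with its hard-coded key is constructed here purely for illustration.

```python
"""Added example (not from the talk or from AntiFreeze): inspect and patch a
live Python function with nothing but the standard library.  `check_license`
and its hard-coded key are constructed targets for illustration."""
import dis
import io
import types


def check_license(key: str) -> bool:
    """Constructed target: the kind of check that ships only as a .pyc."""
    if key == "SECRET-1234":
        return True
    return False


def disassemble(func) -> str:
    """Bytecode listing of a function as text, the reverser's substitute
    for source when only compiled code objects are available."""
    buf = io.StringIO()
    dis.dis(func, file=buf)
    return buf.getvalue()


def extract_type_info(func) -> dict:
    """Dynamic type information carried by the code object itself: argument
    names, local names, global/attribute names and the constants pool
    (which is where the secret string sits)."""
    code = func.__code__
    return {
        "args": code.co_varnames[: code.co_argcount],
        "locals": code.co_varnames,
        "names": code.co_names,
        "consts": code.co_consts,
    }


def patch_constant(func, old, new):
    """Static patching: build a copy of `func` whose constants pool has `old`
    replaced by `new`.  The original function object is left untouched, so
    this is the equivalent of writing a modified .pyc to disk."""
    code = func.__code__
    consts = tuple(new if c == old else c for c in code.co_consts)
    patched_code = code.replace(co_consts=consts)  # CodeType.replace: CPython 3.8+
    return types.FunctionType(patched_code, func.__globals__, func.__name__,
                              func.__defaults__, func.__closure__)


def hook_runtime(func, replacement):
    """Dynamic patching: swap the code object in place, so every existing
    reference to `func` held anywhere in the interpreter now runs the
    replacement body.  Both code objects must have the same free variables."""
    func.__code__ = replacement.__code__


if __name__ == "__main__":
    print(disassemble(check_license))
    print(extract_type_info(check_license)["consts"])
    patched = patch_constant(check_license, "SECRET-1234", "anything")
    print(patched("anything"), check_license("anything"))
    hook_runtime(check_license, patched)
    print(check_license("anything"))
```

The constants-pool route is the cheap one; a real protected application would also need the `co_code` bytes rewritten, which is what the disassembly step is for.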
-
Arms Race: Next-Gen Vulnerability Discovery
- Pedram Amini
-
Jun 2nd,
Techno Security Conference
-
Download: Slides
Increased security protections at the operating system and compiler levels combined with a broader range of security researchers all looking at the same targets is pushing vulnerability hunters to cook up some interesting tools.
This talk focuses on the past, present and future of the tool-set utilized by security researchers.
-
The Seven Most Dangerous New Attack Techniques and What's Coming Next
- Rohit Dhamankar
-
Apr 23rd,
Infosecurity Europe
-
Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. The session begins with a brief review of the major changes in attack patterns that have taken place over the past two years and then provides detailed descriptions and discussion of the most dangerous of the new attacks. After that, the discussion will move toward what appears to be the most likely direction for evolution of the new attack tools and techniques.
-
Reverse Engineering Cookbook
- Aaron Portnoy, Cameron Hotchkies
-
Apr 19th,
Toorcon Seattle
-
Download: Slides
This talk presents some of the common impediments reverse engineers face when using IDA in their day-to-day tasks. Many times, we find ourselves performing repetitive tasks instead of focusing on understanding the code being reversed. This can cause distractions and reduce overall efficiency. The IDC and IDAPython scripts discussed are split into two categories: The first category is for scripts that aid in solving repetitive problems suited for automation such as defining functions missed by IDA, creating symbolic names by analyzing debug strings or logging functions, color coding functions based on their purpose using heuristics, and so forth. The second category deals with locating possible vulnerabilities. These scripts will find things such as possible bad allocations, integer wraps, format string bugs, sign extensions, unsafe library calls, and so on. The talk is directed mainly at vulnerability hunters, but anyone with an understanding of reverse engineering and IDA can take something away.
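The second category of scripts in this talk, the ones that flag possible integer wraps and unsafe library calls, is easy to show outside IDA. Below is an added example written for this listing, not one of the talk's IDC/IDAPython scripts: the same heuristic run over a plain-text x86 listing so it executes without IDA. The listing, the function names and the addresses are constructed for illustration; inside IDA the instruction walk would use the idautils/idc API rather than a regex.

```python
"""Added example, not one of the talk's scripts: flag allocation calls whose
size argument came from arithmetic with no range check in between, plus calls
to unsafe C library routines.  The listing below is constructed."""
import re

ALLOCATORS = {"malloc", "calloc", "HeapAlloc", "LocalAlloc", "VirtualAlloc"}
UNSAFE_CALLS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "lstrcpyA", "wcscpy"}
ARITH = {"add", "imul", "mul", "shl", "lea"}              # can wrap a size value
CHECKS = {"cmp", "test", "ja", "jb", "jae", "jbe", "jg", "jl"}  # evidence of a bound

LINE = re.compile(r"^(?P<addr>[0-9A-Fa-f]{8})\s+(?P<mn>\w+)\s*(?P<ops>.*)$")


def parse_listing(text):
    """Yield (address, mnemonic, operands) for each instruction line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["addr"], m["mn"].lower(), m["ops"].strip()


def find_suspicious(listing_text, window=6):
    """Return (address, reason) pairs.  The integer-wrap rule looks back
    `window` instructions from an allocator call: arithmetic without any
    compare/branch in between is a candidate, not a confirmed bug."""
    findings = []
    instrs = list(parse_listing(listing_text))
    for idx, (addr, mn, ops) in enumerate(instrs):
        if mn != "call":
            continue
        target = ops.split(";")[0].strip()
        if target in UNSAFE_CALLS:
            findings.append((addr, f"unsafe library call {target}"))
        if target in ALLOCATORS:
            saw_arith = saw_check = False
            for _, prev_mn, _ in instrs[max(0, idx - window):idx]:
                saw_arith |= prev_mn in ARITH
                saw_check |= prev_mn in CHECKS
            if saw_arith and not saw_check:
                findings.append((addr, f"possible integer wrap before {target}"))
    return findings


# Constructed listing: first allocation multiplies an attacker-controlled
# count with no check; the second bounds the count before shifting it.
LISTING = """
00401000 mov  eax, [ebp+count]
00401003 imul eax, 0Ch             ; count * sizeof(entry), no overflow check
00401006 push eax
00401007 call malloc
0040100C mov  esi, eax
0040100E mov  eax, [ebp+count]
00401011 cmp  eax, 1000h
00401016 ja   short loc_401040
00401018 shl  eax, 2
0040101B push eax
0040101C call malloc
00401021 push [ebp+src]
00401024 push esi
00401025 call strcpy
"""

if __name__ == "__main__":
    for address, reason in find_suspicious(LISTING):
        print(address, reason)
```

As with the IDA versions, the output is a worklist for a human: the check the heuristic sees may be against the wrong register, and a missing check may be enforced by the caller.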
-
Fast Money and Easy Vulnerabilities: True Crime from the Internet
- Mike Dausin, Rohan Kotian
-
Apr 10th,
RSA Conference 2008
-
This session will examine the real impact of "easy" vulnerabilities on the phishing and fraud crime scene. Most working criminals are not elite super-ninjas armed with complex 0-days. They are using PHP remote file inclusion, SQL injection, and even simple XSS attacks to make fast money in online fraud - precisely the bugs that security professionals have grown accustomed to ignoring.
-
The Emerging Architecture of Secure Networks
- Brian Smith
-
Apr 9th,
RSA Conference 2008
-
Consolidation in the security market promises to simplify network design, but how? Many networks use specialized devices performing various, often redundant security functions. But the emergence of a set of common "legos" will make networks easier to build, less expensive to maintain and more secure. TippingPoint's Brian Smith will explain this architecture, its components and how it simultaneously meets security and networking needs.
-
What's to Come: The Next Generation of Attacks
- David Endler
-
Apr 8th,
RSA Conference 2008
-
Protecting enterprise assets from unwanted intrusions remains a top corporate priority, but one concern continues to plague the enterprise: has technology adapted to the new generation of threats on the horizon? Will corporations be able to keep their networks secure against these new attacks? This panel will discuss the next generation of attacks.
-
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
- Rohit Dhamankar
-
Apr 8th,
RSA Conference 2008
-
Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous of the new attack vectors. They will also discuss how attack tools and patterns will evolve over the coming year.
-
Reverse Engineering on Windows: Application in Malicious Code Analysis
- Pedram Amini, Ero Carrera
-
Mar 25th,
Black Hat Europe 2008 Training
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
Top VOIP Security Threats
- David Endler
-
Mar 18th,
VoiceCon Orlando 2008
-
There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.
-
IP Telephony Security Threats and Countermeasures
- David Endler
-
Mar 17th,
VoiceCon Orlando 2008
-
IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.
Archived: 2007
-
RPC Auditing Tools and Techniques
- Aaron Portnoy, Cody Pierce
-
Nov 22nd,
DeepSec In-Depth Security Conference
-
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks' worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly communicate with and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects, and an NDR library that defines how the NDR data will be packed for transport.
-
Advanced Fuzzing with Sulley
- Pedram Amini, Aaron Portnoy
-
Oct 25th,
BlackHat Japan
-
Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process, then you have no doubt been disappointed with the current state of affairs. Until now.
This talk is about Sulley, an open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases triggers a fault. Sulley does all this, and more, automatically and without attendance.
-
Reverse Engineering on Windows
- Pedram Amini, Ero Carrera
-
Oct 23rd,
BlackHat Japan
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
SCADA Protocols Detailed For Better Security
- Ganesh Devarajan
-
Oct 17th,
National Petrochemical and Refiners Association
-
The presentation will cover the basics of SCADA security and will give a general overview of the SCADA protocols, namely Modbus, DNP3 and ICCP. Then we will get into the finer details of the protocols: which function codes and internal indication flags do what, and how they can be used to attack a SCADA system. We will also unveil a SCADA fuzzing framework that has been worked on and show how it can be used to determine flaws in the implementations of various software. This tool can be used to assess the software offered by various vendors, and a brief analysis of some of that software will be shown.
-
Fuzzing Sucks!
- Pedram Amini, Aaron Portnoy
-
Sep 27th,
Microsoft BlueHat
-
Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process, then you have no doubt been disappointed with the current state of affairs. Until now.
This talk is about Sulley, an open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases triggers a fault. Sulley does all this, and more, automatically and without attendance.
-
IP Telephony Security Threats and Countermeasures
- David Endler, Mark Collier
-
Aug 20th,
VoiceCon Fall
-
This tutorial provides the latest information on security issues for IP Telephony implementations. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security, and looks at emerging issues and technologies.
-
Real-time Steganography with RTP
- Dustin D. Trammell
-
Aug 3rd,
DEFCON 15
-
Real-time Transport Protocol (RTP) is used almost ubiquitously by Voice over IP technologies to provide an audio channel for calls. As such, it provides ample opportunity for the creation of a covert communications channel due to its very nature and use in implementation. While the use of steganographic techniques with various audio cover-media has been extensively researched, most applications have been limited to audio cover-media of a static nature such as WAV or MP3 file audio data. This presentation details common techniques for steganography with an audio data cover-medium, outlines the problems that arise when attempting to use these techniques to establish a full-duplex communications channel using audio data transmitted via an unreliable streaming protocol, and finally documents solutions to these problems as well as a reference implementation entitled SteganRTP.
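The two problems the abstract names are the cover-medium (a stream of audio samples rather than a file) and the transport (UDP, so packets are lost and reordered). The following is an added example written for this listing, not SteganRTP's code: it embeds a message in the least significant bit of each 16-bit PCM sample of an RTP packet, leaves the 12-byte RTP header intact, and tracks the 16-bit sequence number so a receiver can tell which packets of a multi-packet message never arrived. It assumes RTP payload type 11 (L16 mono, 16-bit big-endian samples); the sample values and SSRC are constructed.

```python
"""Added example, not SteganRTP: LSB embedding in the L16 audio payload of an
RTP packet, plus sequence-number gap detection for the lossy transport.
RTP header layout per RFC 3550; samples and SSRC below are constructed."""
import struct

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def parse_rtp(packet: bytes) -> dict:
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    header_len = RTP_HEADER.size + 4 * (b0 & 0x0F)   # fixed header + CSRC list
    return {"pt": b1 & 0x7F, "seq": seq, "timestamp": ts, "ssrc": ssrc,
            "header": packet[:header_len], "payload": packet[header_len:]}


def build_rtp(seq: int, samples, pt: int = 11, ssrc: int = 0xDEADBEEF) -> bytes:
    """Constructed sender: one packet of 16-bit big-endian PCM samples."""
    header = RTP_HEADER.pack(0x80, pt, seq, seq * len(samples), ssrc)
    return header + b"".join(struct.pack("!h", s) for s in samples)


def samples_of(packet: bytes):
    payload = parse_rtp(packet)["payload"]
    return [struct.unpack_from("!h", payload, 2 * i)[0] for i in range(len(payload) // 2)]


def _bits(data: bytes):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed(packet: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive samples with a 16-bit length prefix
    followed by the message; amplitude changes by at most one step."""
    info = parse_rtp(packet)
    payload = bytearray(info["payload"])
    nsamples = len(payload) // 2
    bits = list(_bits(struct.pack("!H", len(message)) + message))
    if len(bits) > nsamples:
        raise ValueError(f"payload carries {nsamples} bits, message needs {len(bits)}")
    for i, bit in enumerate(bits):
        sample, = struct.unpack_from("!h", payload, 2 * i)
        struct.pack_into("!h", payload, 2 * i, (sample & ~1) | bit)
    return info["header"] + bytes(payload)


def extract(packet: bytes) -> bytes:
    """Inverse of embed(); rejects packets whose length prefix is implausible."""
    payload = parse_rtp(packet)["payload"]
    nsamples = len(payload) // 2
    lsb = lambda i: struct.unpack_from("!h", payload, 2 * i)[0] & 1
    length = 0
    for i in range(16):
        length = (length << 1) | lsb(i)
    if 16 + 8 * length > nsamples:
        raise ValueError("length prefix exceeds packet; not a stego packet or truncated")
    out = bytearray()
    for b in range(length):
        val = 0
        for k in range(8):
            val = (val << 1) | lsb(16 + 8 * b + k)
        out.append(val)
    return bytes(out)


def missing_sequence_numbers(received_seqs):
    """RTP rides on UDP: a receiver reassembling a message spread over several
    packets must notice gaps in the 16-bit sequence space (with wrap-around)."""
    missing = []
    for prev, cur in zip(received_seqs, received_seqs[1:]):
        gap = (cur - prev) & 0xFFFF
        missing.extend((prev + k) & 0xFFFF for k in range(1, gap))
    return missing


SAMPLES = [(i * 37) % 2000 - 1000 for i in range(160)]   # constructed 20 ms at 8 kHz

if __name__ == "__main__":
    stego = embed(build_rtp(7, SAMPLES), b"hi")
    print(extract(stego), missing_sequence_numbers([65534, 65535, 1]))
```

With 160 samples per packet this carries 18 message bytes per 20 ms; the length prefix per packet is what lets the receiver resynchronise after a lost packet instead of mis-framing everything that follows.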
-
Unraveling SCADA Protocols: Using Sulley Fuzzer
- Ganesh Devarajan
-
Aug 3rd,
DEFCON 15
-
Download: Slides
Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols, namely Modbus, DNP3, ICCP and the IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP; the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to which function codes and internal indication flags do what and how they can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have.
After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives.
I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers.
Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable.
-
PyEmu: A Multi-Purpose Scriptable x86 Emulator
- Cody Pierce
-
Aug 2nd,
BlackHat US
-
Download: Slides, Code
Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDAPython. With obvious uses in reverse engineering, vulnerability research, and malware analysis, PyEmu is a very valuable addition to any security researcher's repertoire.
-
Fuzzing Sucks!
- Pedram Amini, Aaron Portnoy
-
Aug 2nd,
BlackHat US
-
Download: Slides, Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process, then you have no doubt been disappointed with the current state of affairs. Until now.
This talk is about Sulley, an open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases triggers a fault. Sulley does all this, and more, automatically and without attendance.
-
PISA: Protocol Identification via Statistical Analysis
- Rohit Dhamankar, Rob King
-
Aug 1st,
BlackHat US
-
A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems.
This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol to a point in a 10-dimensional feature space. Clustering algorithms are applied to accurately identify a wide variety of protocols.
This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.
-
Reverse Engineering on Windows
- Pedram Amini, Ero Carrera
-
Jul 28th,
Black Hat US
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
VoIP Security
- David Endler
-
May 24th,
Interop
-
As IP telephony systems are more widely deployed, they'll naturally become the target of hackers. What are the newest types of attacks that you should be worried about, how do you guard against them and what are the implications for your broader enterprise IT security position?
-
Mnemonic Password Formulas
- Dustin D. Trammell
-
May 16th,
IEEE Computer Society, Austin Chapter
-
Download: Slides
This presentation details some of the issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and then finally introduces a new method for password management and recall termed Mnemonic Password Formulas.
-
DisAsterisk Sneak-Peek
- Dustin D. Trammell
-
May 12th,
ToorCon Seattle (Beta)
-
My colleague's and my newest project, DisAsterisk, is an exercise in leveraging Asterisk, other open source software, and our own custom code to create useful tools for VoIP security research. I'll briefly describe the Asterisk extension module API, cover what we've developed so far, and list our future goals for the project.
-
RPC Auditing Tools and Techniques
- Aaron Portnoy
-
May 12th,
Toorcon Seattle
-
Download: Slides
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks' worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly communicate with and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects, and an NDR library that defines how the NDR data will be packed for transport.
-
SCADA Protocol Fuzzer and The Next Generation of Inline Devices
- Ganesh Devarajan
-
May 6th,
LayerOne
-
The presentation will cover the basics of SCADA networks and give a general overview of the SCADA protocols, namely Modbus, DNP3 and ICCP. Then we will get into the finer details of the protocols: which function codes and internal indication flags do what, and how they can be used to attack a SCADA system. We will also unveil a SCADA fuzzing framework that has been worked on and show how it can be used to determine flaws in the implementations of various software. This tool can be used to assess the software offered by various vendors, and a brief analysis of some of that software will be shown without disclosing the names of vendors.
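The three SCADA talks above (NPRA, DEFCON 15 and this one) all turn on the same concrete detail: Modbus frames are a handful of fixed-width fields, and the function code and register count are where implementations get hurt. The following is an added example written for this listing, not the speaker's fuzzer and not Sulley: it builds Modbus/TCP and Modbus RTU frames by hand, computes the RTU CRC-16, decodes exception responses, and generates the boundary test cases a fuzzer would send for those two fields. Field layouts and limits follow the public Modbus application protocol specification; the unit id, transaction ids and sample values are constructed.

```python
"""Added example, not the speaker's tool: hand-built Modbus frames, the RTU
CRC-16, exception decoding and boundary test-case generation.  The frames
are only built here; sending them is left to whatever transport you use."""
import struct

# Public function codes from the Modbus application protocol specification
READ_COILS, READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER = 0x01, 0x03, 0x06
MAX_READ_REGISTERS = 125          # spec limit for FC 0x03 (0x7D)
ILLEGAL_DATA_VALUE = 0x03         # exception code a compliant slave should return


def modbus_tcp_frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (always 0), remaining length
    (unit id + PDU), unit id; followed by the PDU."""
    mbap = struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: polynomial 0x8005 reflected (0xA001), init 0xFFFF,
    no final XOR.  Check value for b"123456789" is 0x4B37."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def modbus_rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    """Serial framing: address byte, PDU, CRC transmitted low byte first."""
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def rtu_frame_is_valid(frame: bytes) -> bool:
    """With this CRC, recomputing over frame+CRC leaves a zero residue."""
    return len(frame) >= 4 and crc16_modbus(frame) == 0


def read_holding_registers_pdu(start: int, quantity: int) -> bytes:
    return struct.pack("!BHH", READ_HOLDING_REGISTERS, start, quantity)


def parse_response(pdu: bytes) -> dict:
    """Bit 7 of the returned function code set means an exception; the next
    byte is the exception code."""
    fc = pdu[0]
    if fc & 0x80:
        return {"exception": True, "function": fc & 0x7F, "code": pdu[1]}
    return {"exception": False, "function": fc, "data": pdu[1:]}


def quantity_test_cases():
    """Boundaries of the 16-bit register count: in range, just out of range,
    sign-bit edges and all-ones.  Anything above 125 should draw exception
    0x03, never a crash or an oversized response."""
    return [0, 1, MAX_READ_REGISTERS, MAX_READ_REGISTERS + 1, 0x7FFF, 0x8000, 0xFFFF]


def fuzz_frames(unit_id: int = 1):
    """Yield (description, Modbus/TCP frame): every quantity boundary with
    FC 0x03, then every function code 0x00-0x7F with a minimal body, which
    exercises the unassigned codes implementations tend to mishandle."""
    tid = 0
    for qty in quantity_test_cases():
        tid += 1
        yield f"fc03 qty={qty}", modbus_tcp_frame(tid, unit_id, read_holding_registers_pdu(0, qty))
    for fc in range(0x00, 0x80):
        tid += 1
        yield f"fc={fc:#04x}", modbus_tcp_frame(tid, unit_id, bytes([fc]) + b"\x00\x00\x00\x01")


if __name__ == "__main__":
    print(modbus_rtu_frame(1, read_holding_registers_pdu(0, 10)).hex())
    for desc, frame in fuzz_frames():
        print(desc, frame.hex())
```

Because the transaction id is echoed back, a harness can match each response to the case that produced it; a case whose response is neither a normal reply nor an exception, or that gets no reply at all, is the one worth looking at.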
-
Encrypted Protocol Identification via Statistical Analysis
- Rob King, Rohit Dhamankar
-
Mar 23rd,
ShmooCon
-
End-to-end encryption is often used to circumvent network policy controls and evade intrusion prevention and detection systems. This presentation shows a method for identifying the type of traffic that has been encrypted via a novel method of statistical analysis. This gives network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. A sample implementation of the method is provided.
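This ShmooCon talk and the Black Hat "PISA" presentation above describe the same idea: ignore the port, compute statistical features of what is on the wire, and classify by distance in feature space. The following is an added example written for this listing, not the PISA release: a four-feature, nearest-centroid version in standard-library Python. The feature set is an assumption (the talk's 10-dimensional space is not reproduced), the classifier works on single payloads rather than flows, and the HTTP samples and the seeded random bytes standing in for encrypted traffic are constructed.

```python
"""Added example, not PISA: statistical payload features plus nearest-centroid
classification, so a TLS-like stream on port 80 is still called 'encrypted'.
Feature set, training samples and seeds are constructed assumptions."""
import math
import random
from collections import Counter


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def features(payload: bytes):
    """Four order-independent features, each roughly scaled to [0, 8] or [0, 1]:
    entropy, fraction of printable ASCII, normalised mean, normalised std dev."""
    n = max(len(payload), 1)
    printable = sum(32 <= b < 127 for b in payload) / n
    mean = sum(payload) / n
    std = math.sqrt(sum((b - mean) ** 2 for b in payload) / n)
    return [byte_entropy(payload), printable, mean / 255.0, std / 128.0]


def centroid(vectors):
    dim = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def distance(a, b) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ProtocolClassifier:
    """Nearest-centroid classifier over labelled payload samples."""

    def __init__(self):
        self.centroids = {}

    def train(self, labelled):
        by_label = {}
        for label, payload in labelled:
            by_label.setdefault(label, []).append(features(payload))
        self.centroids = {label: centroid(vecs) for label, vecs in by_label.items()}

    def classify(self, payload: bytes) -> str:
        f = features(payload)
        return min(self.centroids, key=lambda label: distance(f, self.centroids[label]))


def random_payload(n: int, seed: int) -> bytes:
    """Stand-in for ciphertext: uniformly random bytes from a seeded PRNG."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


# Constructed training data: three plaintext HTTP messages, three random blobs
HTTP_SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>",
]
ENCRYPTED_SAMPLES = [random_payload(120, seed) for seed in (1, 2, 3)]

classifier = ProtocolClassifier()
classifier.train([("http", p) for p in HTTP_SAMPLES] + [("encrypted", p) for p in ENCRYPTED_SAMPLES])

if __name__ == "__main__":
    print(classifier.classify(b"GET /a HTTP/1.0\r\nHost: x\r\n\r\n"))
    print(classifier.classify(random_payload(200, 99)))
```

Entropy and printable ratio do most of the work here, which is also why compressed traffic is the classic false positive for this approach: it needs the extra flow-level features (packet sizes, timing, direction) to separate gzip from TLS.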
-
VoIP Attacks!
- Dustin D. Trammell
-
Mar 2nd,
EUSecWest
-
Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones: attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
-
Reverse Engineering on Windows
- Pedram Amini, Ero Carrera
-
Feb 26th,
Black Hat Federal
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
VoIP Attacks!
- Dustin D. Trammell
-
Feb 22nd,
IEEE Consultants Network of Central Texas
-
Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones: attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
-
Exploiting VoIP Networks
- David Endler, Mark Collier
-
Feb 7th,
RSA
-
No Abstract available.
Archived: 2006
-
Keynote: Internet Security Threats 2006 and Beyond
- Rohit Dhamankar
-
Dec 13th,
CONCERT: Conference of Asian CERTs
-
No Abstract available.
-
Steganography Primer
- Dustin D. Trammell
-
Nov 30th,
IEEE Consultants Network of Central Texas
-
Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.
-
SANS Top-20
- Rohit Dhamankar
-
Nov 13th,
UK NISCC Security Conference
-
No Abstract available.
-
Steganography Primer
- Dustin D. Trammell
-
Oct 12th,
Austin Linux Users Group
-
Download: Slides
An introduction to steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography, with a focus on using imagery, binary executables, and network traffic as cover media.
-
VoIP Attacks!
- Dustin D. Trammell
-
Oct 1st,
ToorCon 8
-
Download: Slides, Code
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones: attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
-
Sender Policy Framework
- Dustin D. Trammell
-
Sep 27th,
AHA!
-
Download: Slides
Introduction to Sender Policy Framework (SPF) for e-mail.
-
Investigating Evil Websites with Monkeyspaw
- Tod Beardsley
-
Aug 3rd,
Black Hat US
-
Download: Slides
No Abstract available.
-
Reverse Engineering on Windows
- Pedram Amini, Ero Carrera
-
Aug 1st,
Black Hat US
-
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
-
PaiMei - Reverse Engineering Framework
- Pedram Amini
-
Jun 18th,
RECON
-
Download: Slides, Code
There are a slew of languages, tools, interfaces and file formats for various reverse engineering tasks. Making tools play nice together and deciding how to develop new tools is a cumbersome process. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei was created for personal use and after much debate it was decided to release the majority of the toolkit to the public. This presentation will introduce PaiMei, discuss the architecture and design, demonstrate various uses and benefits and provide a foundation for attendees to build their own RE toys on top of the framework. Time permitting, some interesting case studies will be shared with the audience.
PaiMei is a reverse engineering framework consisting of multiple extensible components. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei is written entirely in Python and exposes at the highest level a debugger, a graph-based binary abstraction and a set of utilities for accomplishing various repetitive tasks. The framework can essentially be thought of as a reverse engineer's Swiss Army knife and has already been proven effective for a wide range of both static and dynamic tasks such as fuzzer assistance, code coverage tracking, data flow tracking and more.
-
Phishing and Intrusion Prevention
- Tod Beardsley
-
Feb 15th,
RSA
-
Download: Slides
No Abstract available.
-
Reverse Engineering for Fun and BoF it!
- Pedram Amini, Chris Eagle
-
Jan 13th,
ShmooCon
-
Download: Slides
Reverse engineering skills can come in handy in any number of situations. Determining the behavior of malware, interoperability with closed-source applications, and discovery of software vulnerabilities are just a few of the situations in which reverse engineering skills can come in handy. Unfortunately, reverse engineers often seem to be self-trained, and open forums for discussing tools and techniques seem to be few and far between. The goal of this session is to hear people talk about tools and techniques employed for various reverse engineering tasks.
We'll talk about current tools of the trade, disassemblers, debuggers, fuzzers and such. Without turning into a religious battle, the relative merits of various approaches to reverse engineering techniques including static and dynamic analysis of closed source code may also be discussed.
Archived: 2005
-
SANS Top-20
- Rohit Dhamankar
-
Nov 22nd,
UK NISCC Security Conference
-
No Abstract available.
-
Keynote on Intrusion Prevention Systems
- Rohit Dhamankar
-
Oct 7th,
ICETE 2005
-
No Abstract available.
-
Security Concerns and VoIP
- David Endler
-
Sep 22nd,
VON
-
No Abstract available.
-
Process Stalking - Run Time Visual RCE
- Pedram Amini
-
Sep 17th,
ToorCon
-
Download: Slides, Code
In today's world, closed-source software dominates the desktop and much of the server room. While a variety of tools and methodologies exist for security research in open-source software, binary analysis remains a mostly unexplored field. Post-discovery and 0-day vulnerability researchers heavily rely on reverse code engineering (RCE) to accomplish their work. The purpose of this talk is to introduce the art and science of "Process Stalking" to the general public.
"Process Stalking" is a term coined to describe the combined process of run-time profiling, state mapping and tracing using visual tools. In this presentation I will outline a methodology that can be consistently applied when conducting RCE for all purposes and will demonstrate a custom toolset that can be utilized in automating the process. I will conclude with live walkthroughs allowing the attendee to see the pieces of the presentation come to life. Attendees should have experience with x86 assembly (especially win32 generated code), a background in security and experience with debuggers and disassemblers.
-
Preventing Exploitation of Your VoIP Network
- Rohit Dhamankar and David Endler
-
Sep 13th,
RSA 2005 Power Days
-
No Abstract available.
-
A Primer on Phishing Tactics
- Tod Beardsley
-
Jun 3rd,
SummerCon
-
Download: Slides
No Abstract available.
-
Preventing Exploitation of Your VoIP Network
- Rohit Dhamankar
-
Feb 15th,
RSA 2005
-
No Abstract available.
-
Preventing Exploitation of Your VoIP Network
- Rohit Dhamankar and David Endler
-
Feb 15th,
RSA 2005
-
No Abstract available.
-
Tutorial on Intrusion Prevention Systems
- Rohit Dhamankar
-
Feb 14th,
RSA 2005
-
No Abstract available.