Appearances

Our researchers are regularly invited to speak on a variety of topics all over the security industry. Here are some of our upcoming and past speaking appearances, click on the entry to view the abstract as well as any available slides and code:

Pwn2Own 2013: Brian Gorenc, Scott Lambert, Matt Molinyawe, Jasiel Spelman, Dave Weinstein; Mar 6th, CanSecWest; No Abstract available.
Advanced Malware Deobfuscation: Scott Lambert; Mar 4th, CanSecWest; No Abstract available.
Introduction to Malware Analysis: Scott Lambert; Mar 2nd, CanSecWest; No Abstract available.
Mobile Pwn2Own: Brian Gorenc, Assad Khan, Jasiel Spelman, Steve Povolny, Scott Lambert, Jonathan Andersson; Sep 19th, EUSecWest; No Abstract available.
Understanding Vulnerabilities to Better Mitigate Threats: Steve Povolny; Sep 10th, HP Protect; Vulnerabilities in today's commercial and custom software are the primary target for attackers. The most severe are vulnerabilities that can result in code execution—ones that allow an attacker can take complete control of your system and steal information or damage property. In this session, we’ll show you how to analyze vulnerability in a Microsoft application and how an attacker can quickly move from proof-of-concept to remote code execution. We’ll also share risk mitigation strategies.
State of Web Exploit Toolkits: Jason Jones; Jul 26th, BlackHat US; No Abstract available.
Active Exploitation Detection and the Arrhythmia of the Threat Landscape: Marc Eisenbarth; Jul 12th, Lockdown 2012; No Abstract available.
Know Your Enemy - Hackers Versus Executives Panel: Brian Gorenc; Jun 19th, Forrester Security Forum EMEA; No Abstract available.
Bug Hunting and Analysis: Aaron Portnoy, Zef Cekaj; Jun 11th, Recon 2012; No Abstract available.
Know Your Enemy - Hackers Versus Executives Panel: Brian Gorenc; May 25th, Forrester Security Forum; No Abstract available.
Classification of UDP Traffic for DDoS Detection: Marc Eisenbarth; Apr 24th, LEET 2012; No Abstract available.
Yo Dawg, I heard you like reversing...: Aaron Portnoy, Brandon Edwards; Apr 14th, Hackito Ergo Sum; No Abstract available.
Next Generation Blacklisting and Whitelisting: Marc Eisenbarth; Mar 25th, HP TechCon 2012; No Abstract available.
Pwn2Own 2012: Aaron Portnoy, Brandon Edwards, Logan Brown, Peter Vreugdenhil; Mar 7th, CanSecWest; No Abstract available.
Adventures in Implementing a Secure Software Development Lifecycle (SDLC): Brian Gorenc; Feb 28th, RSA 2012; This Peer2Peer session is intended to discuss the complexity of implementing a successful secure software development lifecycle program. It will focus on the ups and downs of introducing security practices into an existing SDLC. Topic areas will include, but are not limited to, identifying useful security requirements, examining static code analysis output, and holding proper code reviews.
Vulnerability Panel: Is it ZERO Day or ZERO Care?: Dan Holden; Feb 27th, RSA 2012; Vulnerability Databases have provided information about security vulnerabilities for over 10 years. This enables analysis on trends and changes in the security industry. This session will examine vulnerability information over the past several years with an emphasis on understanding security researchers, quality of research, vendors, disclosure trends and the value of security vulnerabilities.
Bug Hunting and Analysis 0x65: Aaron Portnoy, Zef Cekaj; Jan 31st, Private Venue (NYC); No Abstract available.
Black Box Auditing Adobe Shockwave: Aaron Portnoy, Logan Brown; Nov 8th, PacSec; No Abstract available.
Beyond IPS: Will Gragido; Oct 17th, SecTor; No Abstract available.
The Rise of the Chaotic Actor: Adapting to the Age of Anonymous: Will Gragido; Oct 13th, RSA Europe 2011; 2011 has seen the rise of the chaotic actor. They are legion and here to stay. We carry a cognitive dissonance toward Anonymous & LulzSec. While some are chaotic good like Robin Hood, others trend toward chaotic evil and want to see the world burn. Our panel will go deeper than the headlines and equip you with meaningful context, insight, implications and strategies for the age of Anonymous.
Dynamic Reverse Engineering: Aaron Portnoy; Oct 12th, Polytechnic Institute of NYU; No Abstract available.
Memory Disclosure and You: Brandon Edwards; Oct 7th, BsidesPDX; Memory Disclosure and You is a talk discussing the relevance of a bug class often miscategorized or ignored by the security masses. Memory disclosure has always been useful to attackers, and in modern times it has become paramount in attacking software hardened by protection schemes. This talk gives an introduction to memory disclosure, some background and history. The talk then moves into how memory disclosure conditions can be found, or manufactured from other vulnerabilities, to aid in the exploitation of memory corruption.
Exploitation and Obfuscation: Analyzing Stealthy Attacks: Brian Gorenc; Oct 6th, IEEE Metrocon; Attackers are targeting corporate networks and the military industrial base to obtain valuable secrets and personally identifiable information. Fortunately, these organizations have begun implementing defense-in-depth measures making it more difficult for attackers to compromise critical systems. In spite of these necessary precautions, today's attacks use increasingly sophisticated obfuscation techniques to avoid detection. This presentation will focus on analyzing the evasion techniques being used by attackers to circumvent security measures. The session will also provide details on the anatomy of an exploit and what makes evasion techniques effective. A deeper dive approach will focus on evasions that can be used in standard protocols and describe which obfuscation techniques are present in popular exploit frameworks, such as Metasploit. Summarily, a detailed analysis of three real-world case studies will be presented.
Operational Reviews and Code Audits: Brandon Edwards; Sep 26th, Polytechnic Institute of NYU; No Abstract available.
Experiments using IDA Pro as a data store: Aaron Portnoy, Ali Rizvi-Santiago; Sep 23rd, ekoparty; This talk will cover the TippingPoint security research team's experiments using IDA Pro to mirror a datasource. The ability to harvest attributes and metadata from a binary can allow a reverser to extend their arsenal of approaches to solving their problems. By combining the information available statically with supplemental data collected from a debugger, a reverser can paint a more complete picture of the target application. Additionally, the ability to modify attributes and subsequently query them via a friendly interface can aid in collaborative reversing. This lightning talk aims to demonstrate what other tasks can be accomplished when building functionality on top of a few simple primitives.
Advanced Malware Deobfuscation: Scott Lambert; Aug 2nd, BlackHat US; Security researchers are facing a growing problem in the complexity of malicious executables. With an ever-increasing number of tools that malware authors use to compress and obfuscate executables, and the pressing urgency that analysts often face, it is vital for analysts to know the best methods to remove protections that they have never seen before.
Unpacking is the process of removing the compression and obfuscation applied by a "packer" (or "protector") to a compiled and linked binary. This class will focus on teaching attendees the steps required to effectively deal with both known and previously unknown packing techniques.
This is a hands-on course. Attendees will work on real-world malware through a series of lab exercises designed to build their expertise in thwarting anti-debugging and anti-disassembling techniques.
Bug Hunting and Analysis 0x65: Aaron Portnoy, Zef Cekaj; Jul 11th, Recon 2011; This 3 day course is structured to impart upon the students the skills necessary to effectively utilize debuggers, disassemblers, and other tools to discover vulnerabilities in binary code. The curriculum will begin by introducing students to the tools and generic techniques that will enable them to actively participate in reversing applications during the rest of the course. After gaining a basic understanding of the tools involved, the instructors will spend day 2 walking students through case studies from patched vulnerabilities. That is, we will be choosing specific vulnerabilities and walking the students through the methodology used to verify them (debugging) and how the discoverer likely found them (fuzzing, static reverse engineering, dynamic instrumentation, etc). As each flaw is dissected, we will focus on how the student's arsenal of techniques can be extended to more easily debug applications and eventually discover similar bugs going forward. On day 3 we will begin focusing on automating our tools to build a checklist that we can use to more efficiently reverse engineer a binary code base. We will walk through a complete audit of a default installation (latest version) of a popular enterprise server application culminating in the discovery of a remote pre-authentication 0day vulnerability. Students will be required to sign a minimal NDA in order to participate in this portion of the training.
Bug Hunting and Analysis 0x65: Aaron Portnoy, Zef Cekaj; Jul 5th, Recon 2011; This 3 day course is structured to impart upon the students the skills necessary to effectively utilize debuggers, disassemblers, and other tools to discover vulnerabilities in binary code. The curriculum will begin by introducing students to the tools and generic techniques that will enable them to actively participate in reversing applications during the rest of the course. After gaining a basic understanding of the tools involved, the instructors will spend day 2 walking students through case studies from patched vulnerabilities. That is, we will be choosing specific vulnerabilities and walking the students through the methodology used to verify them (debugging) and how the discoverer likely found them (fuzzing, static reverse engineering, dynamic instrumentation, etc). As each flaw is dissected, we will focus on how the student's arsenal of techniques can be extended to more easily debug applications and eventually discover similar bugs going forward. On day 3 we will begin focusing on automating our tools to build a checklist that we can use to more efficiently reverse engineer a binary code base. We will walk through a complete audit of a default installation (latest version) of a popular enterprise server application culminating in the discovery of a remote pre-authentication 0day vulnerability. Students will be required to sign a minimal NDA in order to participate in this portion of the training.
Reputation Digital Vaccine: Reinventing Internet Blacklists: Marc Eisenbarth; Jun 15th, Source Seattle; No Abstract available.
Economics of Vulnerabilities: Aaron Portnoy; May 27th, Hack in the Box Amsterdam; No Abstract available.
Black Box Auditing Adobe Shockwave: Aaron Portnoy, Logan Brown; Apr 8th, Hackito Ergo Sum; No Abstract available.
SCADA, the Forgotten Infrastructure?: Dan Holden; Apr 5th, NISSF 2011; Cloud, Virtualization, mobile, all up and coming infrastructures that get lots of attention from a security and risk perspective. However, SCADA systems control everything from oil and gas pipelines, to the water supplies in our cities to the traffic lights that regulate our daily commute. Despite the media�s tendency to sensationalize cyber security events, the threat to SCADA systems is, unfortunately, very real. The session will discuss incidents that have already occurred on SCADA networks, including details on attack vectors and how these events unfolded. The threat landscape as it relates to SCADA systems and possible prevention of SCADA attacks will also be discussed.
Concentrated Fire: Black Box Auditing Adobe Shockwave: Aaron Portnoy, Logan Brown; Mar 9th, CanSecWest; Attempting to familiarize oneself with another's codebase is a daunting task, even with well-documented source code. Attempting to do so for a large symbol-less binary application is even harder. This talk will walk the audience through the TippingPoint security reseach team's approach to reverse engineering Adobe Shockwave for the purposes of vulnerabilty discovery and analysis. We will cover reconnaissance of the attack surface, vulnerabilities discovered, tools developed, and our techniques utilized to recover type information and functionality throughout a 6 month focused audit. In early 2010 our team began a simple audit of the Shockwave player which, according to Adobe, is installed on an estimated 45% of Internet-enabled computers. Our initial poking at this software turned up 7 vulnerabilities. After bringing attention to Shockwave by publishing these, we began to see a substantial increase in industry focus on this particular application. In the months following, we have been consistently receiving upwards of 15 Shockwave vulnerabilities per week through the Zero Day Initiative program. Sometimes these submissions are well documented; more often, they are not. Either way, we are required to locate the offending vulnerability's root cause. This is often a time-consuming task, especially if each team member works on their assigned vulnerabilities in isolation. As such, we have taken a good deal of time analyzing the requirements for collaborating on these projects and we have developed techniques and tools to return to the audit with a more effective and complete tactic. As the entire Shockwave codebase is symbol-less (only exporting by ordinal, using a custom memory manager, and generally shirking the use of many standard API calls) we will demonstrate our successful attempt to recover over 1100 function names. We will release a set of IDA scripts that allow a researcher to match functions from one platform's version of a codebase to another (as well as multiple versions on the same platform). We will also walk through our analysis and dissection of the custom memory manager used by Shockwave, including a tool release that will allows one to track allocations, frees, and walk heap structures in memory. Additionally, we will cover the heuristic-based approaches we took to identify platform-specific abstraction layers within Adobe's code and our tools to display such information within IDA. Recovering such information is not, however, the most we can do. We will also demonstrate how we have reversed the undocumented file format chunks (based on RIFF) that the Shockwave player uses. This was accomplished using our internal code injection tools and we will demonstrate how the same techniques can be replicated using an instrumentation engine such as Dynamorio or Pin. As we unearthed more and more about Shockwave we became aware of the extent of its attack surface. So, we will also walk through the fuzzing architecture we have used to fuzz both the Director file format, the signed Asset files, and the internal language known as Lingo that Shockwave supports. Cumulatively, these efforts have led to over 20 0day discoveries (at the time of this writing, more likely on the way) in the product.
Pwn2Own 2011: Aaron Portnoy, Logan Brown, Ali Rizvi-Santiago, Derek Brown, Jonathan Andersson,
, Peter Vreugdenhil, Kate Fly, Assad Khan; Mar 9th, CanSecWest; No Abstract available.
Reputation Digital Vaccine: Reinventing Internet Blacklists: Marc Eisenbarth; Mar 6th, HP Tech Con 2011; No Abstract available.
The Vulnerability Disclosure Debate Continues: Aaron Portnoy, Dan Holden; Feb 17th, RSA 2011; Vulnerability disclosure is an important piece of the security landscape because it allows the "good guys" to keep ahead of hackers. The process of how to responsibly disclose vulnerabilities is a topic that is constantly debated - and rife with controversy. The goal of this session is to provide an in-depth look at the process for vulnerability disclosure and how it impacts the enterprise.
The Best Defense is a Good Offense: Building Security into Applications: Dan Holden; Feb 15th, RSA 2011; Applications increasingly pose significant security challenges as attackers frequently find and exploit new vulnerabilities faster than ever. This panel of HP security experts will discuss how a combination of timely threat intelligence, proactive remediation and broad visibility can put you on the offensive against a sophisticated and organized enemy.
Active Exploitation Detection: Marc Eisenbarth; Feb 15th, Security B-Sides SanFran; No Abstract available.
The Modern Threat Landscape and Our Ability to React Intelligently: Marc Eisenbarth, Will Gragido; Feb 15th, Security B-Sides SanFran; No Abstract available.
Half Baked: Hardware Hacking Mixed with Sweet Software Reverse Engineering: Marc Eisenbarth; Jan 30th, ShmooCon; Advances in binary analysis and forensics over the past two years have been astonishing. A new era has begun which consists of semi-automated, closed-source analysis on every conceivable software target. There is one relatively untouched area that deserves to be cracked like a nut, namely software loaded on hardware targets such as microcontrollers, complex programmable logic devices (CLPD), field programmable gate arrays (FPGA) and more capable microprocessor cores. We will survey a number of techniques, all of which are accessible given a minimal budget and share a common goal: extraction of executable code and program data which can be loaded into the same tool chains used by modern software reverse engineers. The progression begins with a simple eavesdropping attack against a license EPROM and then progresses to compromise of a full-fledged microprocessor core via loading a general purpose operating system to replace a locked down operating system, then finishes up with a data remanence attack against a secure security device. The goal of this talk is more than a survey of techniques; it is a collection of specific examples which serve as both a gentle introduction to a brave new world and a call to arms to the security community.
Active Exploit Detection: Marc Eisenbarth; Jan 18th, BlackHat DC; Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today's cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.
Analyzing Network-Based Attacks: Garett Montgomery; Oct 27th, HTCIA Austin; This talk will focus on the subject of analyzing network-based attacks and malware, as well as vulnerabilities. There will also be an in-depth analysis on using a regular expression to catch the vulnerability rather than the exploit.
SCADA Threat Landscape 2010: Garett Montgomery; Oct 27th, Pacific Northwest Smart Grid Demonstration; This talk will focus on some high-profile network-security breaches that have recently taken place on SCADA networks. Additionally, there will be an in-depth analysis of the propagation methods used by the Stuxnet worm. And finally the talk will focus on how lessons learned from more-mature corporate network security programs can be applied to SCADA systems.
The Vulnerability Threat Lifecycle: Dan Holden; Oct 13th, SANS Mnemonic RISK Summit; The threat landscape has changed substantially in recent years. Security attacks have moved beyond traditional worms and viruses, to more dynamic exploitation via botnets and APTs (Advanced Persistent Threats). Attackers are leveraging old and new vulnerabilities in common applications including Web apps, browsers and social networking. These attackers are also using sophisticated social engineering techniques to further exploit the most common weakness: the user. While the modern threat landscape has changed, many enterprises are still budgeting, and using processes, for the threat landscape of 5-10 years ago. This talk will focus on the modern threat landscape, including the changing face of attacks, what we can expect to see in the future and how organizations can protect themselves.
Lecture on Reverse Engineering (Part Two): Aaron Portnoy, Peter Silberman; Oct 11th, Polytechnic Institute of NYU; Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.
The Vulnerability Threat Lifecycle: Dan Holden; Oct 9th, Les Assises de la Securite; The threat landscape has changed substantially in recent years. Security attacks have moved beyond traditional worms and viruses, to more dynamic exploitation via botnets and APTs (Advanced Persistent Threats). Attackers are leveraging old and new vulnerabilities in common applications including Web apps, browsers and social networking. These attackers are also using sophisticated social engineering techniques to further exploit the most common weakness: the user. While the modern threat landscape has changed, many enterprises are still budgeting � and using processes � for the threat landscape of 5-10 years ago. This talk will focus on the modern threat landscape, including the changing face of attacks, what we can expect to see in the future and how organizations can protect themselves.
Lecture on Reverse Engineering (Part One): Aaron Portnoy, Peter Silberman; Oct 4th, Polytechnic Institute of NYU; Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.
Exploitation: Past, Present, and Future: Aaron Portnoy; Sep 14th, National Security Agency; Over the past few years exploitation has become increasingly difficult and the days of simple return address mangling have long since past. Vendors such as Microsoft and Apple have been working diligently on mitigation technologies to make the process of weaponizing an exploit a daunting task. With the introduction of DEP, ASLR, /GS, and SafeSEH, attackers are now forced to obtain an intimate understanding of the internals of the target they are attempting to break. When dealing with closed-source software an exploit writer must reverse engineer application-specific data structures as well as gain a much deeper understanding of how to influence runtime state than was previously required. This is a field in which new tools are desperately needed. The problems associated with reverse engineering binary applications have been approached by academia, private industry, and individuals alike. This presentation aims to discuss the history of the requirements needed to achieve reliable weaponized exploits, focusing on what types of tools and techniques will be needed going forward.
Vulnerability Lifecycle for Software Vendors: Dan Holden; Sep 10th, AppSec US 2010; No Abstract available.
The Threat Landscape: Will Gragido; Sep 9th, ISSA Chicago; The threat landscape is in a constant state of evolution. It is changing at a pace which few have either the time or the resources to properly address, let alone comprehend. Elusive adversaries lurk in the depths of the deep net and are working at a pace to proliferate their causes whether they be criminally motivated profit driven, philosophical or state sponsored activities. In a world in which the traditional defenses associated with establishing and securing a perimeter are failing where can one turn? Join Will Gragido of TippingPoint-DV Labs as he discusses the latest and greatest solutions for mitigating the risks that threaten our world today. In his talk Mr. Gragido will address threats associated with applications, reputation, Web 2.0 and a host of other next generation technologies intended to aid businesses and individuals a like all of which pose dangers previously not considered.
Electronic Weaponry or How to Rule the World While Shopping at Radio Shack: Tim Otto; Aug 1st, DEF CON 18; Talk will cover electronic weapons, focusing mainly on the ones that target electronic systems.
Through the rabbit hole: An Expose of Darknets and the Onion Routed Underground: Will Gragido; Jul 31st, Security BSides; The Internet and cyberspace are far from what they appear to be. For years an evolution revolution has been underway. This evolution revolution has seen advancement, growth, adaptation and change occur in order to both propagate and defend against new and advanced threat vectors, many of which do not traditionally reside in the realm of the information security warrior but are swiftly becoming more a part of it. Among these, the onion routed anonymous network is playing a greater and greater role. These networks leverage cryptographic ciphers to aid in concealing routing instruction information thus preventing detection by intermediary nodes. They take on many forms some being embraced and celebrated as voices of free press and expression, while others are used for the trafficking and trade of goods and services within the cyber-criminal sub-ecosystem. During this presentation you will gain an insight into the realities of these networks, their owner / operators, the conventional wisdom employed by these parties, their clientele and an informed look glimpse of the type of data which is trafficked within these environments.
Building a Better Mousetrap: Effective Techniques in Vulnerability Analysis and Intrusion Detection & Prevention: Rob King; Jul 24th, BlackHat USA 2010; It's a fact that hackers are getting smarter faster than network security hardware is getting better. To effectively defend your organization from attacks, you have to know more than just how to configure your IPS or IDS - you need to understand the art behind the science. This course provides an in-depth look at vulnerability analysis, detection, and prevention from a network-based IPS/IDS standpoint. It starts with how vulnerabilities become vulnerabilities, how hackers attack them, how they look on the wire, and ends with how to write effective signatures and filters for attacks. More esoteric topics covered in this course (and very rarely in others) include how to avoid the dreaded False Positive, how to estimate performance, how to prevent data leakage, and - perhaps most importantly - the techniques hackers use to evade detection by IPS/IDSes, and how you can evade the evasions.
Pixaxe: A Declarative, Client-Focused Web Application Framework: Rob King; Jun 23rd, USENIX; This paper provides a brief introduction to and overview of the Pixaxe Web Application Framework ("Pixaxe"). Pixaxe is a framework with several novel features, including a transparent template system that runs entirely within the web browser, an emphasis on developing rich internet applications as simple web pages, and pushing as much logic and rendering overhead to the client as possible. This paper also introduces several underlying technologies of Pixaxe, each of which can be used separately: Jenner, a completely client-side template engine; Esel, a powerful expression and query language; and Kouprey, a parser combinator library for ECMAScript.
SCADA Threat Landscape: Garett Montgomery; May 18th, DoE Cyber Security Conference; SCADA systems control everything from oil and gas pipelines, to the water supplies in our cities, to the traffic lights that regulate our daily commute. Despite the tendency of broadcast media to sensationalize when it comes to anything remotely related to �computer hacking�, the cyber threat to SCADA systems is, unfortunately, very real. This talk will focus on not only on actual incidents that have already occurred across several risk vectors, but also on how they occurred. Comparisons to relatively mature corporate cybersecurity risk mitigation frameworks will be discussed as well as how they might applied to SCADA networks, and how they could have been used to prevent some of the incidents. The current threat landscape and how it relates specifically to SCADA cybersecurity will also be covered.
SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications: Rob King; Mar 25th, Erlang Factory; This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.
Pwn2Own 2010: Pedram Amini, Aaron Portnoy, Kate Fly, Ali Rizvi-Santiago, Zef Cekaj, Logan Brown; Mar 24th, CanSecWest; The entire ZDI research team will be present at CanSecWest this year in Vancouver to run our annual Pwn2Own competition. TippingPoint has committed over $100,000 in available prizes this year. For further details regarding rules and registration see the following blog entry: http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010
MOBOTS: A Pocketful of Pwnage: Derek Brown, Daniel Tijerina; Mar 5th, RSA 2010; Today's mobile phone market is rich and diverse, with devices that are capable of complex, production-oriented tasks that challenge even the most sophisticated desktop computers. Likewise, these "smart phones" are vulnerable to exploitation via many of the same vectors. This session will demonstrate that it is possible to implement and maintain a traditional distributed botnet on your mobile phone by relying on social engineering and vulnerabilities in the iPhone/Android security models.
Cracking Down on SCADA Security: Jason Avery; Mar 4th, RSA 2010; Your control systems are as secure or strong as the weakest link of your network. The research discussed in this session will expose some of the basic architectural flaws in these networks, how they can be infiltrated and illustrate various application vulnerabilities, and how they can be abused if in wrong hands.
The Seven Most Dangerous New Attack Techniques and What Is Coming Next Session: Rohit Dhamankar; Mar 2nd, RSA 2010; Nation states and organized crime groups are rapidly increasing the sophistication, virulence, and effectiveness of attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous new attack vectors and how they think attack tools and patterns will evolve over the coming year.
SCREAM: Static Analysis of Regular Expressions for Analysis and Modifications: Rob King; Feb 18th, IEEE Central Texas Section Conference; This paper illustrates an interesting application of Erlang; specifically, one dealing with analysis of encoded data in a static context. The root problem is one of analysis of data streams. In many cases, devices may wish to monitor streams of data for interesting patterns, but such analysis engines may be limited in the complexity of operations supported for such analysis. A practical example of this is a common one: a network intrusion detection system may wish to analysis email messages without having to store and forward each message. Many email systems encode binary data using the Base64 transform, a bitwise encoding scheme. For performance reasons, it is sometimes desirable to not first decode the message before analyzing its contents. This paper presents a tool, b64re, that analyzes a regular expression and transforms it such that it will now match its input when said input has been encoded using Base64. Several features of Erlang/OTP are illustrated, including parsing, the ease with which bitwise data can be manipulated, using multiple distributed processes to speed calculation, and the use of Erlang as a language in contexts other than distributed, soft real-time applications.
Cybercrime: The Latest Wave: Jason Avery; Oct 21st, SX Security Exchange 2009 Conference Singapore; Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint�s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.
Cybercrime: The Latest Wave: Jason Avery; Oct 16th, SX Security Exchange 2009 Conference Thailand; Security threats are growing faster than IT spending can keep up. Sophisticated tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information for profit. It's modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when and where lightning will strike next. Thanks to our world-class research facilities, we can show you what's coming next on the threat landscape, and help you understand what steps you can take to protect your most valuable network-based assets. Jason Avery will also cover TippingPoint�s new Web App DV services, a two-part approach to address the security threat posed by attacks on Web applications, the latest release of the ThreatLinQ tool and a deep look inside the murky business of Internet crime.
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Oct 14th, Hawaii's 16th Annual ISSA Discover Security Conference; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
The Latest Wave of Cybercrime Attacks: Report from the Trenches: David Endler; Oct 7th, European Security and Information System Congress; As business critical applications are quickly moving online, security threats are growing faster than IT spending can keep up. Sophisticated scanning tools and techniques are widely available, and hackers are now highly motivated to penetrate networks, applications and databases to steal information that can be sold for profit. It�s modern bank robbery and the risk of being caught is low. Most organizations do not have adequate staff and budget to fully protect the network, much less know when lightning will strike next. This presentation will cover several new technical examples of how hackers are targeting end users and business application. We will also discuss several technologies and strategies for mitigating the threat of this new wave of cyber criminals.
Lecture on Reverse Engineering: Aaron Portnoy; Oct 2nd, Polytechnic Institute of NYU; Understand, modify, and analyze program structure in compiled applications and systems to identify vulnerabilities.
Effective Techniques in Vulnerability Analysis and Intrusion Prevention: Rohit Dhamankar, Rob King; Sep 18th, SANS Network Security 2009; An in-depth discussion of the lifecycle of intrusion prevention signature creation with a focus on the creation of effective creation of efficient and accurate signatures, along with a discussion of vulnerability analysis.
Mostrame la guita! Adventures in buying vulnerabilities: Pedram Amini; Sep 17th, Ekoparty 2009; Download: Slides
Have you ever wondered what goes on behind the scenes of vulnerability purchasing programs? What price ranges are offered on the white, grey and black markets? How various software vendors compare to one another on response? This talk will share insights, statistics and amusing anecdotes drawn from my experiences, research and history of the TippingPoint Zero Day Initiative vulnerability buying program.
2009 Threat Landscape: Wayne Blackard; Sep 17th, ISSA Puget Sound; This presentation takes a look at the past and present threat landscape, and how different attacks have evolved over time. Using graphed thread data gathered from numerous sources, the speaker will provide an analysis of attack trends to show where the attacks come from and what they�re attacking. A wide range of topics are discussed, such as web attacks, VoIP security, Phishing, Malware, SCADA systems, and Conficker. The speaker also gives advice to organizations on security strategies based on trending predictions.
Building Security In � Security Throughout the SDLC: Brian Gorenc; Aug 17th, IEEE MetroCon; Attackers are focusing on vulnerabilities at the application layer than ever before. Cross site scripting (XSS), buffer overflows, and injection flaws are leading to the compromise of personal data and national secrets, alike. Over the last several years, our industry has started to focus its security efforts to "building security in" from the very beginning before the code written. The presentation discusses the techniques that can supplement your development process to increase the security and quality of your applications. We will cover introducing risk management frameworks, threat modeling applications, and secure coding practices in detail. The talk also describes on-going corporate security initiatives and the ideas behind security maturity models.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Jul 25th, Black Hat USA 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Building a Better Mousetrap: Effective Techniques in Vulnerability Analysis and Intrusion Prevention: Rohit Dhamankar, Rob King; Jul 25th, Black Hat USA 2009 Training; This course provides an in-depth look at vulnerability analysis, detection, and prevention from a network-based IPS/IDS standpoint. It starts with how vulnerabilities become vulnerabilities, how hackers attack them, how they look on the wire, and ends with how to write effective signatures and filters for attacks. More esoteric topics covered in this course (and very rarely in others) include how to avoid the dreaded False Positive, how to estimate performance, how to prevent data leakage, and - perhaps most importantly - the techniques hackers use to evade detection by IPS/IDSes, and how you can evade the evasions.
Reversing Microsoft DirectShow and 3rd Party Codecs: Aaron Portnoy; Jun 22nd, You Sh0t The Sheriff; This talk is intended to impart upon the audience the speaker's approach to reverse engineering and auditing extensible Microsoft subsystems and subsequent 3rd party implementations. Specifically, this will delve into the inner workings of Microsoft's video and audio compression managers which provide interfaces for dealing with installable media codecs. Several approaches to auditing codecs will be discussed culminating with a complete walkthrough of the discovery and exploitation of two high-risk VMWare vulnerabilities.
Evolving Landscape of Security Threats in Higher Education: Jason Avery; Jun 17th, University of California Computing Services Conference 2009; Higher Education has traditionally been on the bleeding edge of both security threats and, by necessity, ways to deal with those threats. Using threat data gathered from numerous higher education networks, we will provide an analysis of the evolving landscape of security threats in Higher Education, comparing and contrasting those threats with enterprise and government networks. We will also discuss how Higher Education can effectively utilize various security tools to cope with their unique challenges. A Q&A and open discussion will follow.
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Jun 2nd, Techno 2009 Security Conference; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
Industrial Control System Security: Ganesh Devarajan; May 13th, SMi Cyber Defence 2009; How secure is our Industrial Control Systems? Have we done a good job on educating the people on the need for Control System security? This talk shall give an overview on the security scenario and our current achievements. This talk will also illustrate some of the differences between the IT security and the control system security also covering some of the past known security issues. The talk will then demo and illustrate some of the tools that can be used to test and defend your critical infrastructure against such attacks.
Exploiting Online Games: Aaron Portnoy; Apr 23rd, RSA Conference 2009; MMORPG's such as World of Warcraft, Second Life, and Pirates are subject to security exploits every day. This panel (made up of security experts, online game hackers, lawyers, and software security experts) discusses why online game exploits are a harbinger of attacks to come in the world of Web 2.0 and SOA. We will spend some time discussing how exploits work from a technical perspective. We will also delve into the law, finding out what cases are pending
Botnets and 0day Exploits: The Building Blocks of Today's Organized Internet Crime Syndicates: Marc Eisenbarth; Apr 22nd, InfoSecurity San Juan; The profile of hackers has changed dramatically over the last few years into an extremely sophisticated and economically motivated body of attackers. Zero day exploits and botnets are used to construct multi-tiered distribution networks, which rival today's enterprise networks in complexity and resiliency. The scale of attacks has also escalated from a simple sale of zero day exploits on the black market to "one-stop-crimeware" web application packages with around the clock technical support. This talk will begin by outlining the current threat landscape and then focus in on the role that zero day exploits and botnets play in today's organized Internet crime syndicates. The speaker will use data from TippingPoint's Zero Day Initiative and ThreatLinQ security intelligence portal to show the evolving role that zero day exploits and botnets will continue to play in the world of organized Internet crime.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Apr 15th, Black Hat Europe 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Pwn2Own 2009: Aaron Portnoy; Mar 19th, CanSecWest; No Abstract available.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Feb 16th, Black Hat Federal 2009 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Static Analysis and Transformation of Regular Languages for Encoding: Rob King; Jan 28th, PENTCIRT Pentagon Security Forums; This paper illustrates a technique for analyzing traffic in a streaming context when that traffic has been encoded using a variety of bitwise encoding schemes (most especially the Base64 transformation) without first decoding the stream. This has obvious advantages in situations where decoding is expensive or impossible.
Under the iHood: Cameron Hotchkies; Oct 8th, SecTor; The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section, comparisons of Windows applications and the OS X counterparts. Additionally some time will be taken to discuss the differences in the structure of binaries on the iPhone. This talk should give attendees insight into what is involved in the analysis of OS X binaries on both Apple machines and iPhones for vulnerabilities and interoperability. Attendees will gain a solid understanding of how windows reversing skills can be quickly applied to OS X binaries, including the common tools and resources available for an Apple security researcher.
Reverse Engineering Dynamic Language Multiplayer Online Games: Aaron Portnoy, Ali Rizvi-Santiago; Oct 1st, BA-Con Applied Security Conference; Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. One industry that is increasingly adopting the use of dynamic languages is that of online gaming. With millions of subscribers worldwide interacting with each other over complex distributed systems, security is often overlooked. In this presentation we will cover the Python programming language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. We will demonstrate application of the techniques discussed to hack cheats into at least two popular MMORPGs.
SCADA Networks: Security tools and Vulnerability assessments: Ganesh Devarajan; Sep 9th, Reboot Conference; The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.
Under the iHood: Cameron Hotchkies; Aug 8th, DEFCON 16; The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.
The Art of Developing Effective Intrusion Detection/Prevention Signatures: Rohit Dhamankar, Rob King; Aug 2nd, Black Hat USA 2008 Training; This course is intended for students that want to develop effective IDS/IPS signatures. Knowledge of developing custom filters has become essential for security personnel responsible for securing an enterprise or government IT infrastructure. With the massive growth in attacks targeting specific enterprises and government agencies, on-the-spot filter development skills are required to stop propagating these attacks before they cause much damage. This course teaches how to identify malicious traffic on the wire, distinguish it from benign traffic and how to uniquely fingerprint such traffic. The course also teaches a student on how to use any IDS/IPS engine's capability to the fullest since most of the IDS/IPS engines have inherent limitations. The course will use the open-source IDSs Snort and Bro for practical examples and exercises.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Aug 2nd, Black Hat USA 2008 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Reverse Engineering Python Applications: Aaron Portnoy, Ali Rizvi-Santiago; Jul 28th, USENIX WOOT; Download: Slides
Modern day programmers are increasingly making the switch from traditional compiled languages such as C and C++ to interpreted dynamic languages like Ruby and Python. These types of languages are gaining popularity due to their flexibility, portability, and ease of development. However, the implementation of these benefits exposes risks that developers are often unaware of. This paper is a study of the Python language and methods by which one can leverage its intrinsic features to reverse engineer and arbitrarily instrument applications. It will cover techniques for interacting with a running interpreter, patching code both statically and dynamically, and manipulating type information. The concepts are further demonstrated with the use of AntiFreeze, a toolset for visually exploring Python binaries and modifying code therein.
Under the iHood: Cameron Hotchkies; Jun 13th, REcon; Download: Slides, Code
The market share for Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an apple based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented _OBJC section and comparisons of Windows applications and the OS X counterparts.
Reverse Engineering Dynamic Languages, a Focus on Python: Aaron Portnoy, Ali Rizvi-Santiago; Jun 13th, REcon; Download: Slides
Every day more and more programmers are making the switch from traditional compiled languages such as C to more modern dynamic and interpreted languages such as Ruby and Python. We're seeing software ranging from video games to security tools written in these higher level languages and often released in binary form so as to protect the source. This talk focuses on Python with specific discussions revolving around extracting dynamic type information, disassembling code objects, and modifying runtime state statically. A real world complex example is demonstrated, hacking cheats into an MMORPG written in Python. This results in hilarious video demonstrations.
Arms Race: Next-Gen Vulnerability Discovery: Pedram Amini; Jun 2nd, Techno Security Conference; Download: Slides
Increased security protections at the operating system and compiler levels combined with a broader range of security researchers all looking at the same targets is pushing vulnerability hunters to cook up some interesting tools. This talk focuses on the past, present and future of the tool-set utilized by security researchers.
The Seven Most Dangerous New Attack Techniques and What's Coming Next: Rohit Dhamankar; Apr 23rd, Infosecurity Europe; Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. The session begins with a brief review of the major changes in attack patterns that have taken place over the past two years and then provides detailed descriptions and discussion of the most dangerous of the new attacks. After that, the discussion will move toward what appears to be the most likely direction for evolution of the new attack tools and techniques.
Reverse Engineering Cookbook: Aaron Portnoy, Cameron Hotchkies; Apr 19th, Toorcon Seattle; Download: Slides
This talk presents some of the common impediments reverse engineers face when using IDA in their day-to-day tasks. Many times, we find ourselves performing repetitive tasks instead of focusing on understanding the code being reversed. This can cause distractions and reduce overall efficiency. The IDC and IDAPython scripts discussed are split into two categories: The first category is for scripts that aid in solving repetitive problems suited for automation such as defining functions missed by IDA, creating symbolic names by analyzing debug strings or logging functions, color coding functions based on their purpose using heuristics, and so forth. The second category deals with locating possible vulnerabilities. These scripts will find things such as possible bad allocations, integer wraps, format string bugs, sign extensions, unsafe library calls, and so on. The talk is directed mainly at vulnerability hunters, but anyone with an understanding of reverse engineering and IDA can take something away.
Fast Money and Easy Vulnerabilities: True Crime from the Internet: Mike Dausin, Rohan Kotian; Apr 10th, RSA Conference 2008; This session will examine the real impact of "easy" vulnerabilities on the phishing and fraud crime scene. Most working criminals are not elite super-ninjas armed with complex 0-days. They are using PHP remote files like SQL injection, and even simple XSS attacks to make fast money in online fraud - precisely the bugs that security professionals have grown accustomed to ignoring.
The Emerging Architecture of Secure Networks: Brian Smith; Apr 9th, RSA Conference 2008; Consolidation in the security market promises to simplify network design, but how? Many networks use specialized devices performing various, often redundant security functions. But the emergence of a set of common "legos" will make networks easier to build, less expensive to maintain and more secure. TippingPoint's Brian Smith will explain this architecture, its components and how it simultaneously meets security and networking needs.
What's to Come: The Next Generation of Attacks: David Endler; Apr 8th, RSA Conference 2008; Protecting enterprise assets from unwanted intrusions remains a top corporate priority, but one concern continues to plague the enterprise: has technology adapted to the new generation of threats on the horizon? Will corporations be able to keep their networks secure against these new attacks? This panel will discuss the next generation of attacks.
The Seven Most Dangerous New Attack Techniques, and What's Coming Next: Rohit Dhamankar; Apr 8th, RSA Conference 2008; Intense competition among attackers has led to unprecedented increases in sophistication, virulence, and effectiveness of their attack tools and techniques. In this session, three people in unique positions to see the newest attack patterns will share what they believe are the seven most dangerous of the new attack vectors. They will also discuss how attack tools and patterns will evolve over the coming year.
Reverse Engineering on Windows: Application in Malicious Code Analysis: Pedram Amini, Ero Carrera; Mar 25th, Black Hat Europe 2008 Training; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
Pwn2Own 2008: Aaron Portnoy; Mar 19th, CanSecWest; No Abstract available.
Top VOIP Security Threats: David Endler; Mar 18th, VoiceCon Orlando 2008; There's been a lot of concern about voice over IP security, but have there been many actual exploits? This session will inform you about the state of VOIP security. You'll learn about generalized IP attacks that have affected IP telephony systems deployed on IP networks, and you'll also find out what VOIP-specific attacks have actually been observed "in the wild"--and what to expect in the future.
IP Telephony Security Threats and Countermeasures: David Endler; Mar 17th, VoiceCon Orlando 2008; IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.
RPC Auditing Tools and Techniques: Aaron Portnoy, Cody Pierce; Nov 22nd, DeepSec In-Depth Security Conference; RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.
Advanced Fuzzing with Sulley: Pedram Amini, Aaron Portnoy; Oct 25th, BlackHat Japan; Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Oct 23rd, BlackHat Japan; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
SCADA Protocols Detailed For Better Security: Ganesh Devarajan; Oct 17th, National Petrochemical and Refiners Association; The presentation will cover the basics of SCADA Security and will give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown.
Fuzzing Sucks!: Pedram Amini, Aaron Portnoy; Sep 27th, Microsoft BlueHat; Download: Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
IP Telephony Security Threats and Countermeasures: David Endler, Mark Collier; Aug 20th, VoiceCon Fall; This tutorial provides the latest information on security issues for IP Telephony implementations. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security, and looks at emerging issues and technologies.
Real-time Steganography with RTP: Dustin D. Trammell; Aug 3rd, DEFCON 15; Real-time Transfer Protocol (RTP) is used almost ubiquitously by Voice over IP technologies to provide an audio channel for calls. As such, it provides ample opportunity for creation of a covert communications channel due to it's very nature and use in implementation. While use of steganographic techniques with various audio cover-mediums has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This presentation details common techniques for use of steganography with auido data cover-medium, outlines the problem issues that arise when attempting to use these techniques to establish a full-duplex communications channel using audio data transmitted via an unreliable streaming protocol, and finally documents solutions to these problems as well as a reference implementation entitled SteganRTP.
Unraveling SCADA Protocols: Using Sulley Fuzzer: Ganesh Devarajan; Aug 3rd, DEFCON 15; Download: Slides
Firstly, I will be covering the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3, ICCP and IEC standards. North America mainly uses Modbus, DNP3 and to an extent ICCP, the European countries use the IEC standards. After the basics I will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack or take down the SCADA system. I shall as well discuss and demonstrate the current level of security implementation that these sites have. After enumerating all those I will talk about the SCADA Fuzzer and the framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software out there will be shown. Even though some of the attacks can be detected by the inline devices today, they are more prone to false positives. I am using the Sulley Framework to fuzz the various protocol implementations. I basically use Sulley to fuzz all the header fields of the various protocols. Sulley is equipped with some of the protocol specific CRC generators (CRC-DNP) apart from the regular ones. I have as well generated various test cases to fuzz the data sections of the protocols, unlike most other fuzzers. Once the test cases are developed, the tool will be used to determine the vulnerabilities in various implementations and these vulnerabilities will be presented in Defcon. A case study of the various software implementations will as well be presented showing where they are normally vulnerable.
PyEmu: A Multi-Purpose Scriptable x86 Emulator: Cody Pierce; Aug 2nd, BlackHat US; Download: Slides, Code
Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDApython. With obvious uses in reverse engineering, vulnerability research, and malware analysis PyEmu is a very valuable addition to any security researchers repertoire.
Fuzzing Sucks!: Pedram Amini, Aaron Portnoy; Aug 2nd, BlackHat US; Download: Slides, Code
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now. This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
PISA: Protocol Identification via Statistical Analysis: Rohit Dhamankar, Rob King; Aug 1st, BlackHat US; A growing number of proprietary protocols are using end-to-end encryption to avoid being detected via network-based systems performing Intrusion Detection/Prevention and Application Rate Shaping. Attackers frequently use well known ports that are open through most firewalls to tunnel commands for controlling zombie systems. This presentation shows that a framework is indeed possible to identify encrypted protocols or anomalous usage of well known ports. The framework relies on performing statistical analysis on protocol packets and flows, and uniquely maps each protocol in a 10-dimensional space. Clustering algorithms are applied to accurately identify a wide variety of protocols. This novel approach provides network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. An open-source implementation will be released during the presentation.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Jul 28th, Black Hat US; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
VoIP Security: David Endler; May 24th, Interop; As IP telephony systems are more widely deployed, they'll naturally become the target of hackers. What are the newest types of attacks that you should be worried about, how do you guard against them and what are the implications for your broader enterprise IT security position?
Mnemonic Password Formulas: Dustin D. Trammell; May 16th, IEEE Computer Society, Austin Chapter; Download: Slides
This presentation details some of the issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and then finally introduces a new method for password management and recall termed Mnemonic Password Formulas.
DisAsterisk Sneak-Peek: Dustin D. Trammell; May 12th, ToorCon Seattle (Beta); A colleague and I's newest project, DisAsterisk, is an exercise in leveraging Asterisk, other open source software, and our own custom code to create useful tools for VoIP security research. I'll briefly describe the Asterisk extension module API, cover what we've developed so far, and list our future goals for the project.
RPC Auditing Tools and Techniques: Aaron Portnoy; May 12th, Toorcon Seattle; Download: Slides
RPC auditing is currently a tedious and manual process. When complex embedded structures, arrays, and unions are present in an IDL, coding the client involves much debugging and time. The discussed tools are the culmination of a few weeks worth of research performed by Aaron Portnoy and Cody Pierce that allow a researcher to very quickly be able to communicate and audit an RPC server. Functionality includes a script that recursively finds binaries that import RpcServer* functions and proceeds to run IDA in batch mode to generate IDBs and IDLs, a lexer and parser to turn the IDL's opcodes, structures, and unions into instantiated, fuzzable Python objects and an NDR library that defines how the NDR data will be packed for transport.
SCADA Protocol Fuzzer and The Next Generation of Inline Devices: Ganesh Devarajan; May 6th, LayerOne; The presentation will cover the basics of SCADA networks and give a general overview of the SCADA protocols namely Modbus, DNP3 and ICCP. Then we will be getting into the finer details of the protocols as to what function code, internal indication flags does what and how that can be used to attack a SCADA system. Also we will unveil a SCADA fuzzing framework that has been worked on and how that can be used to determine the flaws in the implementation of various software. This tool can be used to assess the software out there by various vendors and a brief analysis of some of the software will be shown there without disclosing the names of vendors.
VoiP Security: No Silver Bullet: David Endler; Apr 27th, Infosecurity Europe; No Abstract available.
Encrypted Protocol Identification via Statistical Analysis: Rob King, Rohit Dhamankar; Mar 23rd, ShmooCon; End-to-end encryption is often used to circumvent network policy controls and evade intrusion prevention and detection systems. This presentation shows a method for identifying the type of traffic that has been encrypted via a novel method of statistical analysis. This gives network and security administrators a powerful tool to use in enforcing traffic policy, even when users are actively attempting to evade these policies. A sample implementation of the method is provided.
Pwn2Own 2007: Aaron Portnoy; Mar 23rd, CanSecWest; No Abstract available.
IP Telephony Security Threats and Countermeasures: David Endler; Mar 7th, VoiceCon Spring; No Abstract available.
VoIP Attacks!: Dustin D. Trammell; Mar 2nd, EUSecWest; Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Feb 26th, Black Hat Federal; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
VoIP Attacks!: Dustin D. Trammell; Feb 22nd, IEEE Consultants Network of Central Texas; Download: Slides
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Exploiting VoIP Networks: David Endler, Mark Collier; Feb 7th, RSA; No Abstract available.
Hackers and Internet Security Threats: Rohit Dhamankar; Dec 18th, Arirang TV Interview, Seoul; No Abstract available.
Keynote: Internet Security Threats 2006 and Beyond: Rohit Dhamankar; Dec 13th, CONCERT: Conference of Asian CERTs; No Abstract available.
Steganography Primer: Dustin D. Trammell; Nov 30th, IEEE Consultants Network of Central Texas; Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.
SANS Top-20: Rohit Dhamankar; Nov 13th, UK NISCC Security Conference; No Abstract available.
Steganography Primer: Dustin D. Trammell; Oct 12th, Austin Linux Users Group; Download: Slides
An introduction to Steganography. This presentation covers what steganography is, a bit of history, and traditional and modern methods of steganography with a focus on using imagery, binary executables, and network traffic as cover-mediums.
VoIP Attacks!: Dustin D. Trammell; Oct 1st, ToorCon 8; Download: Slides, Code
VoIP Attacks! is divided into three sections. The first section is a brief overview of Voice-over-IP for the uninitiated. The second section is a collection of currently relevant attacks against VoIP systems, categorized into four impact zones; attacks against Availability, attacks against Integrity, attacks against Confidentiality, and any currently outstanding or unpatched vendor-specific attacks at the time of the presentation. The attacks are discussed in regard to what causes the target system to be vulnerable to the attack, how the attack works, what effect a successful attack has on the target system in question, what tools are publicly available to perform the attack, and what mitigation steps can be taken to prevent the attack. The third and final section of this presentation will focus on the mitigation techniques suggested for each attack in the second section, what problems those mitigation "solutions" have, and what issues may arise when attempting to utilize those mitigation techniques.
Sender Policy Framework: Dustin D. Trammell; Sep 27th, AHA!; Download: Slides
Introduction to Sender Policy Framework (SPF) for e-mail.
Investigating Evil Websites with Monkeyspaw: Tod Beardsley; Aug 3rd, Black Hat US; Download: Slides
No Abstract available.
Hacking VoIP Exposed: David Endler, Mark Collier; Aug 2nd, Black Hat US; Download: Slides
No Abstract available.
Reverse Engineering on Windows: Pedram Amini, Ero Carrera; Aug 1st, Black Hat US; Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
PaiMei - Reverse Engineering Framework: Pedram Amini; Jun 18th, RECON; Download: Slides, Code
There are a slew of languages, tools, interfaces and file formats for various reverse engineering tasks. Making tools play nice together and deciding how to develop new tools is a cumbersome process. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei was created for personal use and after much debate it was decided to release the majority of the toolkit to the public. This presentation will introduce PaiMei, discuss the architecture and design, demonstrate various uses and benefits and provide a foundation for attendees to build their own RE toys on top of the framework. Time permitting, some interesting case studies will be shared with the audience.

PaiMei is a reverse engineering framework consisting of multiple extensible components. The goal of the framework is to reduce the time from "idea" to prototype to a matter of minutes, instead of days. PaiMei is written entirely in Python and exposes at the highest level a debugger, a graph based binary abstraction and a set of utilities for accomplishing various repetitive tasks. The framework can essentially be thought of as a reverse engineer's swiss army knife and has already been proven effective for a wide range of both static and dynamic tasks such as: fuzzer assistance, code coverage tracking, data flow tracking and more.
SANS Top 20 Launch: Rohit Dhamankar; May 23rd, AusCERT; No Abstract available.
Voice over IP (VoIP) Security: David Endler; Mar 17th, Managing VoIP Security; No Abstract available.
VoIP Security: Managing Risk: David Endler; Mar 8th, Voicecon; No Abstract available.
Phishing and Intrusion Prevention: Tod Beardsley; Feb 15th, RSA; Download: Slides
No Abstract available.
Voice over IP Security: David Endler; Feb 14th, RSA; No Abstract available.
Reverse Engineering for Fun and BoF it!: Pedram Amini, Chris Eagle; Jan 13th, ShmooCon; Download: Slides
Reverse engineering skills can come in handy in any number of situations. Determining the behavior of malware, interoperability with closed source applications, and discovery of software vulnerabilities are just a few of the situations in which reverse engineering skills can come in handy. Unfortunately reverse engineers often seem to be self trained and open forums for discussing tools and techniques seem to be few and far between. This goal of this session is to hear people talk about tools and techniques employed for various reverse engineering tasks.

We'll talk about current tools of the trade, disassemblers, debuggers, fuzzers and such. Without turning into a religious battle, the relative merits of various approaches to reverse engineering techniques including static and dynamic analysis of closed source code may also be discussed.
The Top Five VoIP Security Challenges: And What You Can Do About Them: David Endler; Dec 13th, Interop New York; No Abstract available.
SANS Top-20: Rohit Dhamankar; Nov 22nd, UK NISCC Security Conference; No Abstract available.
Keynote on Intrusion Prevention Systems: Rohit Dhamankar; Oct 7th, ICETE 2005; No Abstract available.
Security Concerns and VoIP: David Endler; Sep 22nd, VON; No Abstract available.
Process Stalking - Run Time Visual RCE: Pedram Amini; Sep 17th, ToorCon; Download: Slides, Code
In today's world, closed-source software dominates the desktop and much of the server room. While a variety of tools and methodologies exist for security research in open-source software, binary analysis remains a mostly unexplored field. Post discovery and 0day vulnerability researchers heavily rely on reverse code engineering (RCE) to accomplish their work. The purpose of this talk is to introduce the art and science of "Process Stalking" to the general public.

"Process Stalking" is a term coined to describe the combined process of run-time profiling, state mapping and tracing using visual tools. In this presentation I will outline a methodology that can be consistently applied when conducting RCE for all purposes and will demonstrate a custom toolset that can be utilized in automating the process. I will conclude with live walk throughs allowing the attendee to see the pieces of the presentation come into life. Attendee's should have experience with x86 assembly (especially win32 generated code), a background in security and experience with debuggers and disassemblers.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar, David Endler; Sep 13th, RSA 2005 Power Days; No Abstract available.
A Primer on Phishing Tactics: Tod Beardsley; Jun 3rd, SummerCon; Download: Slides
No Abstract available.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar; Feb 15th, RSA 2005; No Abstract available.
Preventing Exploitation of Your VoIP Network: Rohit Dhamankar, David Endler; Feb 15th, RSA 2005; No Abstract available.
Tutorial on Intrusion Prevention Systems: Rohit Dhamankar; Feb 14th, RSA 2005; No Abstract available.

Appearances

Archived: 2013

Archived: 2012

Archived: 2011

Archived: 2010

Archived: 2009

Archived: 2008

Archived: 2007

Archived: 2006

Archived: 2005

Published Advisories

Upcoming Advisories

Blog Entries